A ransomware campaign, dubbed Hakbit, is targeting mid-level employees across Austria, Switzerland and Germany with malicious Excel attachments delivered via the popular email provider GMX.
The spear-phishing based campaign is low volume and so far targeted the pharmaceutical, legal, financial, business service, retail, and healthcare sectors. Low-volume style campaigns, sometimes called snowshoe spam attacks, use multiple domains to send relatively small blasts of bogus emails to circumvent reputation- or volume-based spam filtering.
“The largest volume of messages we observed were sent to the information technology, manufacturing, insurance, and technology verticals,” wrote Proofpoint researchers in a Monday analysis. They observed, “the majority of roles targeted in the Hakbit campaigns are customer-facing with individuals’ business contact information revealed publicly on company websites, and/or advertisements. These roles include attorneys, client advisors, directors, insurance advisors, managing directors and project managers.”
The initial spear-phishing emails uses financial lures, with subject lines like “Fwd: Steuerrückzahlung” (Translated: Tax Repayment)” and “Ihre Rechnung (Translated: Your Bill).” The emails are delivered from a free email provider (GMX) that primarily serves a European client base.
“This was a low volume campaign. GMX is widely used and known in German-speaking Europe, so it has trust associated with name recognition,” Sherrod DeGrippo, senior director of threat research at Proofpoint, told Threatpost. “It’s a free email service, so it’s hard to trace and threat actors can potentially generate multiple accounts.”
The attachments on the emails purport to be false billing and tax repayment subjects. One email impersonated 1&1, a German telecommunications and web hosting company, and told the victim that the attachment on the email is an invoice, for instance.
Once opened, the Microsoft Excel attachments then prompts victims to enable macros. That in turn downloads and executes GuLoader. GuLoader is a widespread dropper that compromises targets and delivers second-stage malware. It’s been constantly updated over the course of 2020, with new binaries sporting sandbox evasion techniques, code randomization features, command-and-control (C2) URL encryption and additional payload encryption.
Most recently, the loader came into the spotlight earlier in June after researchers alleged that an Italian company was selling what it describes as a legitimate encryption utility – but it was actually being used as malware packer for GuLoader.
In this campaign, when GuLoader runs, it then downloads and executes Hakbit, a known ransomware that encrypts files using AES-256 encryption. Hakbit has been around since at least 2019, and has had multiple confirmed victims, including home users and businesses in the United States and Europe, according to Emsisoft. Hakbit is believed to be linked to the Thanos ransomware – In a recent analysis of the Thanos ransomware, Recorded Future researchers assessed “with high confidence” that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros (based on code similarity, string reuse, the ransomware extension and the format of the ransom notes).
After Hakbit encrypts the victims’ files, it deploys a note demanding a payment of 250 Euros in bitcoin to unlock the encrypted files and provides instructions on how to pay the ransom.
As of June 16, 2020, researchers said they have found no transactions showing payment of the ransom to the bitcoin wallet. Threatpost has reached out to Proofpoint regarding how many companies were targeted by Hakbit – and how many of those targets were compromised.
Regardless, researchers say that the campaign is indivitive of several “consistent” low-volume and often boutique ransomware campaigns that have hit victims since January 2020.
“Proofpoint researchers recently identified a shift in the threat landscape with a large-scale Avaddon ransomware campaign consistent with recent open source vendor reporting,” they said. “Hakbit exemplifies a people-centric ransomware campaign tailored to a specific audience, role, organization, and in the user’s native language.”
Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyar, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. Please register here for this Threatpost webinar.