Threat Actor Impersonates USPS to Deliver Backdoor Malware

The campaign is consistent with emerging tactics from bad actors to use increasingly sophisticated social engineering and spoofing to deliver malware.

A new threat actor has been found  impersonating the U.S. Postal Service (USPS) and other government agencies to deliver and install backdoor malware to various organizations in Germany, Italy and the United States, according to new research.

The campaigns, which researchers from cybersecurity firm Proofpoint observed between Oct. 16 and Nov. 12, are consistent with emerging tactics from bad actors to use increasingly sophisticated social engineering and spoofing to deliver malware, researchers said. 

The threat actor sent malicious email messages “targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing and healthcare,” according to a blog Thursday unveiling the research, posted by the Proofpoint Threat Insight Team.

The actors used different tools to deliver each of the country-specific campaigns, impersonating organizations that would be familiar to users in those countries to try to get victims to take the bait. 

Various lures included emails informing recipients of the urgent need to open documents to avoid tax penalties, or to view tax refunds with a deadline for processing, among others, researchers noted.

The first email campaigns turned up in Germany, where the actors impersonated the Bundeszentralamt fur Steuern (the German Federal Ministry of Finance), using  “lookalike domains, verbiage and stolen branding in the emails,” according to the post.

Another campaign impersonated a German internet service provider to try to lure German organizations to click on malicious attachments. 

For its German campaigns, the actor used commercial software, Cobalt Strike, in its attacks. The tool is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool, researchers said. 

Although this software is legitimately used, this is not the first time bad actors have used it for malicious purposes. Other threat actors, including Cobalt Group, APT32 and APT19, also have deployed and executed campaigns using it as malware. 

Attacks in Italy and the United States showed the threat actor using slightly different types of malware but still employing the impersonation tactic.

In its most recent campaign, observed on Tuesday, Nov. 12, the actor targeted organizations in the United States by attempting to deliver malicious Microsoft Word attachments to victims that deployed the IcedID banking trojan.

This campaign was noticeably different than previous European campaigns in that the actor chose a .com lookalike ( instead of an .icu domain, which the other campaigns used. 

However, the campaign did show a hallmark of previous emails in that it delivered a malicious Microsoft Word attachment with a purported RSA SecurID key, similarly formatted to the one used in the European campaigns, researchers said.

Researchers also observed the actor distributing Maze ransomware, employing similar social-engineering techniques that it uses for Cobalt Strike, while targeting organizations in Italy by impersonating the Agenzia Delle Entrate, the Italian Revenue Agency.  

Overall, the newly observed activity is evidence of a growing trend that Proofpoint and other security teams already have seen, in which email-based attacks are becoming more socially savvy, researchers said.

“The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape,” Proofpoint researchers wrote.


Suggested articles