You’ve Been Served…with Subpoena-Themed Phishing Emails

subpoena-themed phish

A targeted campaign is delivering an information-stealing malware called Predator the Thief.

A phishing campaign claiming to deliver emailed subpoenas is targeting insurance and retail companies.

According to researchers, the phishing emails are spoofing the UK Ministry of Justice, aiming to capitalize on scare tactics to convince targets to click on an embedded link to “learn more about the case” by saying that the recipient has 14 days to comply with the subpoena notice. If the target clicks on the link, he or she will find themselves infected with Predator the Thief, a publicly available information-stealing malware that’s not often seen in phishing campaigns.

“The emails can appear quite convincing upon initial inspection, but a closer look reveals obvious irregularities,” Mollie MacDougall, researcher with the Cofense Intelligence, told Threatpost. “Masquerading as UK Ministry of Justice correspondence produces an increased potential for users to fall for the phish, even though some portions of the email contain misnomers such as ‘Department of Justice’ rather than Ministry of Justice. Recipients that are not educated about the UK judicial system are likely to fear a potential consequence from this daunting email, thus falling victim for the threat actor’s trap.”

As for the reach of this campaign, all identified targets (there are 10 so far in Cofense’s telemetry) are in the EMEA region, she added. And, the threat actor is likely not that sophisticated.

“Threat actors are capitalizing on publicly available tools, as is most common throughout the phishing threat landscape,” MacDougall told Threatpost. “We are not certain about the person or group behind this campaign, but it is plausible to assess that the actor is not overly familiar with the UK judicial system and lacks some attention to detail, thus likely not being of an advanced or nation-state level origin.”

To lend an air of legitimacy, the enclosed link uses Google Docs and Microsoft OneDrive for the infection chain; thus, the link within the email is actually benign and leads to a Google Docs page, themed to fool a user into thinking the service is conducting security checks. In turn, the Google Docs page has a redirection link pointing to a direct Microsoft OneDrive download. A macro-laden document is retrieved and used as a first stage downloader to execute a sample of Predator the Thief.

phishing subpoena

“The initial Google Docs link contains a redirect chain that eventually leads to a malicious macro-laden Microsoft Word file,” explained Aaron Riley, security researcher at Cofense, in a blog post on Wednesday. “The macro, upon execution, downloads the malware via PowerShell, which is a sample of the Predator the Thief information-stealer.”

According to Cofense, Predator the Thief then infects the endpoint and attempts to exfiltrate sensitive data; it targets cryptocurrency wallets, network configurations, browser information, VPN and FTP credentials, email data and even gaming logins. It can also take screenshots of an infected machine. The information is gathered and stored in a file named “information.log” before being shipped off to the command-and-control (C2) server via an HTTP POST to a network endpoint “gate.get” by default – once the data is successfully exfiltrated to the C2, the binary then cleans up parts of the infection and self-terminates.

“This infection clean-up process makes it much harder for endpoint forensic investigations that do not leverage verbose event logs and an endpoint detection system,” Riley wrote.

According to MacDougall, the exfiltrated information, however, can be used for a number of purposes, with gaining profit through stolen credentials being the most likely.”

The use of benign-seeming links to get past email defenses is a technique that’s cropping up of late in the phishing world; in this case, since the Google Docs URL is legitimate, the email may pass inspection by secure email gateways. Disabling Microsoft macros by default and monitoring PowerShell execution alongside educating users on the dangers of enabling macros is a safeguard against this threat.

“Information would only be stolen should the infection chain be successful, which would require the targets to click on the link and then download from OneDrive the document laden with malicious macros,” MacDougall told Threatpost. “If those macros are enabled, the macro would download the Predator the Thief malware.”

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.

Suggested articles