Hackers are pretending to poach bank staff in a wave of attacks against the African financial sector.
In recent weeks, the threat actors have been spotted using recruitment emails and messages to entice individuals considering moving from their current employment to rival financial companies.
However, the emails don’t contain genuine job offers: instead, they contain malicious surprises.
On Tuesday, the threat research team at HP Wolf Security said the campaign specifically targets individuals already working in the African banking sector. Phishing emails are disguised under the names of rival banks through typosquatting and ask the potential victim if they are interested in new job opportunities.
The ‘recruiter’ also uses a typosquatted Reply-To address to appear more legitimate. If an individual is reeled in, the attacker sends an HTML attachment, Fiche de dossiers.htm (roughly, “file sheet” or “record card”), which carries a Base64-encoded ISO file.
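The two header tricks described above (a sender domain that typosquats a real bank and a Reply-To on a second look-alike domain) can be caught at the mail gateway before anyone opens the attachment. The following is an added example, not code from the HP Wolf Security report; the bank domains and the sample message are constructed placeholders, and the allowlist would be replaced with the domains an organisation actually trusts.

```python
"""Added example: flag recruitment-style phishing whose From or Reply-To domain
typosquats a known bank domain, or whose Reply-To does not match the sender.
Domain names below are placeholders, not real institutions."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist of genuine bank domains (placeholders).
KNOWN_BANK_DOMAINS = {"examplebank.com", "firstbank-example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one- or two-edit look-alikes are the usual typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def closest_known(domain: str, max_distance: int = 2):
    """Return (known_domain, distance) for the nearest allowlisted domain within
    max_distance edits; None if the domain is an exact match or nothing is close."""
    best = None
    for known in KNOWN_BANK_DOMAINS:
        if known == domain:
            return None
        d = edit_distance(domain, known)
        if d <= max_distance and (best is None or d < best[1]):
            best = (known, d)
    return best


def analyse(raw_email: str) -> dict:
    """Return sender/reply domains plus a list of human-readable findings."""
    msg = message_from_string(raw_email)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if not dom:
            continue
        hit = closest_known(dom)
        if hit:
            findings.append(f"{label} domain {dom} looks like {hit[0]} ({hit[1]} edit(s))")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            findings.append(f"HTML attachment present: {name}")
    return {"from": from_dom, "reply_to": reply_dom,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample message for demonstration; not a real lure.
SAMPLE = """From: HR <recruitment@examp1ebank.com>
Reply-To: recruitment@examplebnak.com
To: analyst@firstbank-example.com
Subject: New opportunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Are you open to a new role?
--b1
Content-Type: text/html; name="Fiche de dossiers.htm"
Content-Disposition: attachment; filename="Fiche de dossiers.htm"

<html></html>
--b1--
"""

if __name__ == "__main__":
    for line in analyse(SAMPLE)["findings"]:
        print(line)
```

The Levenshtein threshold of two edits catches substituted characters (`l` to `1`) and transpositions (`bank` to `bnak`) while leaving unrelated domains alone; a production gateway would also check SPF/DKIM alignment, which this static check does not cover.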
If the victim tries to open the file, the content is decoded and shown as a web downloader prompt, in a technique known as HTML Smuggling.
“When the user opens the HTML attachment using a web browser, they are prompted to download the file, which is already stored on the local system,” the researchers said. “This way HTML smuggling bypasses security controls that block malicious website traffic, such as web proxies.”
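Because the ISO never crosses the network as a file, a proxy sees only an HTML page; the place to catch HTML smuggling is therefore the attachment itself, by looking for a large Base64 blob next to the JavaScript that turns it into a download. The scanner below is an added example, not code from the HP Wolf Security report; the sample page it builds is constructed, and its "payload" is a zero-filled buffer carrying only the ISO 9660 signature, not malware.

```python
"""Added example: static triage of an HTML attachment for HTML-smuggling
indicators. Constructed sample input; not part of the original report."""
import base64
import binascii
import re

# JavaScript fragments commonly used to materialise a payload client-side.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL(",
                     "msSaveOrOpenBlob(", ".download =", "download=")
# A run of Base64 alphabet long enough to be a file rather than an icon.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")


def identify_payload(data: bytes) -> str:
    """Cheap file-type guess by magic bytes; ISO 9660 puts 'CD001' at 0x8001."""
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def scan_html(html: str) -> dict:
    """Report smuggling markers and every decodable embedded blob with its type."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    blobs = []
    for m in BASE64_RUN.finditer(html):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue
        blobs.append({"length": len(decoded), "type": identify_payload(decoded)})
    # A blob alone can be a legitimate inline image; require the drop chain too.
    suspicious = bool(blobs) and len(markers) >= 2
    return {"markers": markers, "blobs": blobs, "suspicious": suspicious}


def build_sample_html() -> str:
    """Constructed lure page: a fake ISO (signature only) handed to the browser as a download."""
    fake_iso = bytearray(0x8010)
    fake_iso[0x8001:0x8006] = b"CD001"
    b64 = base64.b64encode(bytes(fake_iso)).decode()
    return f"""<html><body>Fiche de dossiers<script>
var data = atob("{b64}");
var blob = new Blob([data]);
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Fiche de dossiers.iso";
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(scan_html(build_sample_html()))
```

Requiring at least two markers alongside a decodable blob keeps ordinary newsletters with inline images out of the alert queue; the decoded type (`iso`, `pe`, `zip`) is what an analyst would use to prioritise, since an ISO delivered this way also sidesteps the Mark-of-the-Web checks a directly downloaded file would get.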
The ISO contains a VBS script, which, when double-clicked, triggers the creation of a registry key on the impacted system for persistence, the execution of PowerShell scripts, and the deployment of GuLoader.
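The chain on the endpoint (a script host started from a mounted ISO, a Run-key write, then PowerShell spawned by the script host) leaves three separate telemetry events that correlate on the script host's process id. The hunt below is an added example, not from the HP Wolf Security report; the events are constructed, the field names follow Sysmon conventions (`Image`, `ParentImage`, `TargetObject`) as an assumption about the log source, and the system drive is assumed to be `C:`.

```python
"""Added example: hunt over constructed endpoint telemetry for the VBS-from-ISO
execution chain. Field naming is a Sysmon-style assumption; not original code."""
import re
from collections import defaultdict

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
VBS_PATH = re.compile(r'([A-Za-z]):\\[^"]*?\.vbs', re.IGNORECASE)
SYSTEM_DRIVE = "C"  # assumption; mounted ISOs get another letter

# Constructed events: EventID 1 = process create, EventID 13 = registry value set.
EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 2200,
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe \"E:\\Fiche de dossiers.vbs\""},
    {"EventID": 13, "ProcessId": 4100,
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "wscript.exe E:\\placeholder.vbs"},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4100,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc PLACEHOLDER"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 2200,
     "Image": "C:\\Program Files\\Editor\\editor.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "editor.exe"},
]


def is_script_host(image: str) -> bool:
    return image.lower().endswith(SCRIPT_HOSTS)


def hunt(events):
    """Return (rule_name, script_host_pid) tuples for every rule that fires."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 1 and is_script_host(e["Image"]):
            m = VBS_PATH.search(e["CommandLine"])
            if m and m.group(1).upper() != SYSTEM_DRIVE:
                alerts.append(("script_host_from_nonsystem_drive", e["ProcessId"]))
        if (eid == 1 and e["Image"].lower().endswith("\\powershell.exe")
                and is_script_host(e["ParentImage"])):
            alerts.append(("powershell_spawned_by_script_host", e["ParentProcessId"]))
        if (eid == 13 and is_script_host(e["Image"])
                and any(k in e["TargetObject"].lower() for k in RUN_KEYS)):
            alerts.append(("run_key_set_by_script_host", e["ProcessId"]))
    return alerts


def chained_processes(alerts, min_rules: int = 2):
    """Process ids that tripped at least min_rules distinct rules; each rule alone
    is noisy (admin scripts live on USB drives too), the combination is not."""
    by_pid = defaultdict(set)
    for rule, pid in alerts:
        by_pid[pid].add(rule)
    return sorted(pid for pid, rules in by_pid.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(EVENTS)
    for rule, pid in found:
        print(f"{rule}: pid {pid}")
    print("chained:", chained_processes(found))
```

Keying the PowerShell alert on the parent's process id rather than the child's is what lets all three signals collapse onto one process and one ticket; the same correlation generalises to any script host and any autorun location once the tuples are in place.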
GuLoader is a loader used to deliver RemcosRAT malware to victims. RemcosRAT is a commercially available Remote Access Trojan (RAT) sold to cybercriminals on a cheap subscription basis.
The Windows malware can perform keylogging, take screenshots, conduct surveillance through PC cameras and microphones, steal operating system data and personal files, harvest browser activity, and download further malicious payloads.
By targeting individuals already in the banking sector, it is possible that the cyberattackers are trying to obtain access to commercial bank networks, whether through corporate machines or personal devices when employees are working remotely.
“The attacker might take advantage of the employee’s position in the bank since they would have access to their corporate email account,” the researchers noted. “[They might] move laterally with the goal of compromising domain controllers to deploy ransomware. They might also steal sensitive/protected data that could be used to extort the target.”