A new phishing scam has been discovered targeting several universities and government organizations; it steals private data from the victim's PC.
Researchers from the security firm Comodo found that the malware uses trusted brand names such as FedEx and Google Drive to lure victims.
Five universities, 23 private companies, and several government organizations have already been hit by the phishing scam.
The attack begins with a phishing email disguised as a message from FedEx, saying that a package could not be delivered and instructing the user to print out the shipping label by clicking the link provided and to take it to the nearest outlet.
When the user clicks the link, it redirects to a Google Drive account hosting a file named "Lebal copy.exe" for download. Also worth noting is that the link uses HTTPS and contains the word "secure", which lends it a false air of legitimacy.
“Actually, how can anyone know not to trust something with “google.com” in the address bar? But… the reality stings. For many, it’s hard to believe, but skilled cybercriminals use drive.google.com for placing their phishing malware. And this case is not an isolated incident, so Google – as well as many other cloud storage services – definitely should take urgent steps to solve this problem. At minimum, they should provide constant real-time checks for malware. This would help to cut back malicious activity of this type.”
The malicious file is disguised as an Adobe Acrobat document and carries an icon resembling that of a PDF file.
Once run, the malware fingerprints the operating system and the applications installed on the device. It then steals private data from browsers, such as cookies and saved credentials, and looks for information about installed instant messenger and email clients.
The malware also attempts to steal credentials from FTP clients such as FileZilla and WinSCP, and tries to locate and access cryptocurrency wallets such as Bitcoin Core and Electrum.
Finally, it connects to its command and control server and uploads all of the gathered data.
Comodo's researchers detect the malware under the names TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI.
Indicators of compromise
– the presence of .exe file in %temp% folder
– the presence of tmp.exe file in %temp% folder
– the presence of WinNtBackend-2955724792077800.tmp.exe file in %temp% folder
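The indicators above are plain file names in %temp%, so they can be checked with a short script. The following Python scanner is an added example, not code from the article or from Comodo: it reports the two named files (and the "Lebal copy.exe" lure name from the description above) as high-confidence hits, and any other .exe in the directory as a low-confidence hit, since stray executables in %temp% are common on ordinary machines. The `build_demo_dir` helper creates a constructed directory of harmless empty files purely so the scanner can be exercised offline; no file hashes are used because the report provides none.

```python
"""Scan a directory (by default %temp%) for the file-name indicators of compromise
listed in the Comodo report on the FedEx / Google Drive phishing campaign.

Added example: not code from the original article or from Comodo.
"""
import os
import re
import tempfile
from pathlib import Path

# File names the report lists as indicators of compromise in %temp% (lower-cased
# here so that matching is case-insensitive, as Windows file names are).
IOC_EXACT_NAMES = {
    "tmp.exe",
    "winntbackend-2955724792077800.tmp.exe",
}

# The lure file name the article says is served from Google Drive.
LURE_NAME = "lebal copy.exe"

# Any .exe in %temp% is also listed as an indicator, but it is a noisy one,
# so it is reported at lower confidence.
EXE_PATTERN = re.compile(r"\.exe$", re.IGNORECASE)


def classify(name):
    """Return 'high', 'low' or None for a single file name."""
    lowered = name.lower()
    if lowered in IOC_EXACT_NAMES or lowered == LURE_NAME:
        return "high"
    if EXE_PATTERN.search(lowered):
        return "low"
    return None


def scan_dir(directory):
    """Return a sorted list of (path, confidence) for files matching the IoCs."""
    hits = []
    for entry in Path(directory).iterdir():
        if entry.is_file():
            confidence = classify(entry.name)
            if confidence:
                hits.append((str(entry), confidence))
    return sorted(hits)


def summarize(hits):
    """Count hits per confidence level."""
    summary = {"high": 0, "low": 0}
    for _, confidence in hits:
        summary[confidence] += 1
    return summary


def default_temp_dir():
    """%temp% on Windows; falls back to the platform temp dir elsewhere."""
    return os.environ.get("TEMP") or os.environ.get("TMP") or tempfile.gettempdir()


def build_demo_dir():
    """Create a constructed directory of harmless empty files whose names mimic
    the indicators (plus some benign names), so the scanner can be run offline."""
    demo = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    for name in ("tmp.exe", "WinNtBackend-2955724792077800.tmp.exe",
                 "installer.exe", "notes.txt", "report.pdf"):
        (demo / name).touch()
    return str(demo)


if __name__ == "__main__":
    target = default_temp_dir()
    results = scan_dir(target)
    for path, confidence in results:
        print(f"[{confidence}] {path}")
    print(summarize(results))
```

Run it as-is to scan the real %temp% of the current user, or call `scan_dir(build_demo_dir())` to see the classification on the constructed sample. A high-confidence hit on either named file is a strong sign that the stealer has run; a low-confidence hit only says an executable is sitting in %temp% and should be looked at alongside other evidence such as outbound connections from an unknown process.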