Trojan Attack Masked as Payment Confirmation
A sophisticated attack is evading detection by using a rapidly changing Trojan attack pattern, according to researchers at GreatHorn.
The research team identified what it called a widespread Trojan pattern that uses multiple different subject lines, email content, email addresses, display name spoofs and destination URLs to disguise itself as a confirmation on a paid invoice.
The threat lacks the consistency found in a typical volumetric attack, which makes it sophisticated because it is more difficult for email security tools to identify and block, researchers said.
The researchers have not been able to identify any patterns to the targets in terms of specific departments or functions within an organization. In addition, the Trojan appears to be using email addresses from compromised accounts in some cases, while in others the threat spoofs the name of an employee in the target company or uses an unrelated name combined with the email address of a compromised account.
Buried in a link that automatically downloads a Word template using a .doc extension, the Trojan attack has three distinct waves that have been observed since the researchers first identified the attack earlier this week.
What is thus far understood about the Trojan is that the initial point of infection is via a phishing email sent to employees, often with a display name of a fellow employee, but using an external email address from what appears to be one of several compromised accounts, according to the research team.
Also notable is that while the subject lines vary, each variation references “receipt” or “invoice.” Some examples of subject lines that have been seen include: “Transaction for Your Invoice 4676,” “Payment receipt bill 483477,” “Receipt for Invoice 23649” and “[Internal name spoof] Payment receipt 02094924.”
Interestingly, the email addresses from which the threat is distributed appear to belong to legitimate, compromised accounts, primarily from South American companies, though the sender display name is typically an arbitrary one.
In a small handful of attacks, the emails appeared to come from another employee within the recipient’s organization, so researchers described them as highly targeted, with customized subject and display names.
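The traits described above (a subject referencing "receipt" or "invoice", combined with a fellow employee's name on an external sender address or in the subject line) can be checked together at the mail gateway. The following is an added example, not code from GreatHorn or the original article; the domain, employee directory, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed for this example: the organization's mail domain and an employee directory.
INTERNAL_DOMAIN = "example.com"
EMPLOYEES = {"dana whitfield", "luis ortega"}

# The article's sample subjects all reference "receipt" or "invoice".
SUBJECT_RE = re.compile(r"\b(receipt|invoice)\b", re.IGNORECASE)


def _norm(text):
    """Lowercase and collapse whitespace so name comparisons are stable."""
    return " ".join(text.lower().split())


def campaign_traits(raw):
    """Return which of the reported traits a raw RFC 5322 message shows."""
    msg = message_from_string(raw, policy=policy.default)  # decodes RFC 2047 headers
    display, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    external = addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN
    traits = []
    if SUBJECT_RE.search(subject):
        traits.append("subject_receipt_or_invoice")
    if external and _norm(display) in EMPLOYEES:
        traits.append("employee_display_name_on_external_address")
    if external and any(name in _norm(subject) for name in EMPLOYEES):
        traits.append("employee_name_in_subject")
    return traits


def is_suspect(raw):
    """Flag only when the subject trait is paired with an internal-name spoof."""
    traits = campaign_traits(raw)
    return "subject_receipt_or_invoice" in traits and len(traits) >= 2


# Constructed sample messages (not taken from the campaign).
SPOOFED = ("From: Dana Whitfield <cuentas@vendor.example>\n"
           "Subject: Payment receipt bill 483477\n\nSee attached.\n")
GENUINE = ("From: Dana Whitfield <dana.whitfield@example.com>\n"
           "Subject: Receipt for Invoice 23649\n\nThanks.\n")
VENDOR = ("From: Billing Desk <billing@vendor.example>\n"
          "Subject: Receipt for Invoice 23649\n\nThanks.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("vendor", VENDOR)):
        print(label, is_suspect(raw), campaign_traits(raw))
```

A subject match alone is not enough to flag a message, since legitimate invoices use the same words; messages sent with an arbitrary display name from a compromised account show only that trait and need other signals.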