The spear-phishing based campaign is low volume and so far targeted the pharmaceutical, legal, financial, business service, retail, and healthcare sectors. Low-volume style campaigns, sometimes called snowshoe spam attacks, use multiple domains to send relatively small blasts of bogus emails to circumvent reputation- or volume-based spam filtering.
“The largest volume of messages we observed were sent to the information technology, manufacturing, insurance, and technology verticals,” wrote Proofpoint researchers in a Monday analysis.
They observed, “the majority of roles targeted in the Hakbit campaigns are customer-facing with individuals’ business contact information revealed publicly on company websites, and/or advertisements. These roles include attorneys, client advisors, directors, insurance advisors, managing directors and project managers.”
The initial spear-phishing emails uses financial lures, with subject lines like “Fwd: Steuerrückzahlung” (Translated: Tax Repayment)” and “Ihre Rechnung (Translated: Your Bill).” The emails are delivered from a free email provider (GMX) that primarily serves a European client base.
The attachments on the emails purport to be false billing and tax repayment subjects. One email impersonated 1&1, a German telecommunications and web hosting company, and told the victim that the attachment on the email is an invoice, for instance.
Once opened, the Microsoft Excel attachments then prompts victims to enable macros. That in turn downloads and executes GuLoader. GuLoader is a widespread dropper that compromises targets and delivers second-stage malware. It’s been constantly updated over the course of 2020, with new binaries sporting sandbox evasion techniques, code randomization features, command-and-control (C2) URL encryption and additional payload encryption.