Microsoft says that an ongoing Evil Corp phishing campaign is using attachments featuring HTML redirectors for delivering malicious Excel documents, this being the first time the threat actors have been seen adopting this technique.
The new campaign is detailed in a series of tweets from the Microsoft Security Intelligence account, with the researchers saying that the final payload is being dropped using an Excel document that bundles a malicious macro.
"The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download Dudear, a malicious macro-laden Excel file that drops the payload," Microsoft Security Intelligence's researchers explain. "In contrast, past Dudear email campaigns carried the malware as an attachment or used malicious URLs."Dudear (aka TA505/SectorJ04/Evil Corp), used in some of the biggest malware campaigns today, is back in operations this month after a short hiatus. While we saw some changes in tactics, the revived Dudear still attempts to deploy the info-stealing Trojan GraceWire.
— Microsoft Security Intelligence (@MsftSecIntel) January 30, 2020