Attackers are purporting to send victims HIV test results – but in reality are convincing them to download the Koadic RAT.

Recently discovered spear-phishing emails are using a unique “scare-factor” lure to convince victims to open attached malicious Microsoft Excel documents: Their HIV test results.

Researchers are warning of a recent campaign involving emails claiming to come from Vanderbilt University Medical Center, a legitimate medical complex in Nashville, Tenn. The emails were sent to a slew of unnamed companies in various industries, including global insurance, healthcare, and pharmaceutical firms. If victims clicked on the embedded attachment in the emails, they were infected with the Koadic RAT, which allows attackers to run programs and access victims’ data, including sensitive personal and financial information.

“Healthcare concerns drive us to do a lot of things like change our diet, work out more, and take medication,” said researchers with Proofpoint on Tuesday. “But they should never lead us to fall victim to a phishing campaign. Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links.”

Victims received an email purporting to come from “Vanderbit [SIC] Medical,” with the subject line “Test result of medical analysis.” The body of the email encourages victims to open a malicious Microsoft Excel attachment titled “TestResults.xlsb,” claiming that the recipient’s HIV results are contained within it.

Once the victim opens the attachment, the Excel document opens and prompts the user to enable macros – and once they do that, the document then downloads the Koadic RAT. [....]
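A mail-triage heuristic for the lure described above, added here as an example and not taken from the article or from Proofpoint: it flags a sender display name that nearly matches a protected organization name and any Excel attachment in a macro-capable format. The protected-name list, extension set, distance threshold, function names and the `example.invalid` sample message are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for this sketch (not from the article): the protected-name list,
# the extension set, and the edit-distance threshold.
PROTECTED_NAMES = ["vanderbilt"]
MACRO_CAPABLE_EXT = (".xlsb", ".xlsm", ".xls")
MAX_DISTANCE = 2

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(display_name):
    """Return the protected name a display-name word nearly (not exactly) matches."""
    for word in display_name.lower().split():
        for brand in PROTECTED_NAMES:
            if word != brand and edit_distance(word, brand) <= MAX_DISTANCE:
                return brand
    return None

def triage(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, _ = parseaddr(str(msg["From"]))
    findings = []
    brand = lookalike_of(display_name)
    if brand:
        findings.append(f"display name '{display_name}' resembles '{brand}'")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE_EXT):
            findings.append(f"macro-capable Excel attachment: {name}")
    return findings

def build_sample():
    """Constructed message mirroring the sender name and attachment in the article."""
    m = EmailMessage()
    m["From"] = "Vanderbit Medical <sender@example.invalid>"
    m["Subject"] = "Test result of medical analysis"
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="TestResults.xlsb")
    return m.as_string()
```

An exact match on the protected name is deliberately not flagged here; spoofing of the real name has to be caught by sender authentication results, which this sketch does not inspect.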