Attackers use the NetwiredRC backdoor to compromise victims

Nov 6, 2018 21:02 GMT  ·  By

Holiday-season suppliers are already under attack from a fileless malware campaign that spreads through emails carrying a maliciously crafted attachment, which drops the NetwiredRC backdoor onto the targeted machines, as discovered by Cyren's Kervin Alintanahin and Maharlito Aquino.

Even though the Yuletide season is still weeks away, Cyren spotted the campaign in late October: it targets suppliers of Christmas goods with emails that use the subject "Christmas Order" and create a sense of urgency by asking for delivery by November 20.

Launching the campaign well before the season it exploits may seem odd, but because the holiday season accounts for roughly 30% of annual sales for some retailers, an early order that has to be filled quickly adds to the urgency the emails are built on and may make them even more effective.

When targets open the malicious .doc attachment, Windows warns them that they are about to run unverified software. If they dismiss the warning, an AutoIt script loader module runs, decodes the second-stage payload, and starts it.

The malware loaded in the second stage of the infection is the NetwiredRC backdoor, which "has many capabilities, including but not limited to logging key strokes, stealing login credentials stored in multiple browsers, and stealing email login credentials," according to Cyren's research team.

This campaign might be targeting large-sized suppliers using stolen credentials from third-party vendors

The NetwiredRC payload used in this campaign uses the same cipher algorithm and the same encryption key as a sample from a previous attack Cyren detected in May 2018, which points to the same actor reusing its tools and methods against different targets.

"Since the entire installation sequence is injected to a target process and is not saved to disk, it can be classified as a fileless malware," Cyren's report also states.
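Because the second stage never touches disk, file-based scanning has little to work with; what remains visible is the process lineage (an Office application spawning the loader after the user dismisses the warning) and the injection into another process. The following is an added example, not code from Cyren's report or from the article, showing how a detection rule can correlate those two signals over constructed Sysmon-style process-creation (event ID 1) and CreateRemoteThread (event ID 8) records. The event format, the process names such as `order_loader.exe`, and the PIDs are all made up for the example; the page publishes no indicators of compromise beyond what it describes in prose.

```python
"""Correlate Office-spawned processes with later remote-thread injection.

Constructed example: the log format is a simplified, pipe-separated rendering
of Sysmon event IDs 1 (ProcessCreate) and 8 (CreateRemoteThread). None of the
image names or PIDs below are real indicators from the campaign.
"""

# Office applications whose child processes are worth alerting on.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry (not Cyren's IoCs): WINWORD.EXE spawns a
# hypothetical loader, which then injects into notepad.exe. An unrelated
# svchost.exe remote thread is included as benign noise.
SAMPLE_EVENTS = r"""
EventID=1|Pid=4120|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ParentPid=3300|ParentImage=C:\Windows\explorer.exe
EventID=1|Pid=5210|Image=C:\Users\alice\AppData\Local\Temp\order_loader.exe|ParentPid=4120|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
EventID=1|Pid=5988|Image=C:\Windows\System32\notepad.exe|ParentPid=5210|ParentImage=C:\Users\alice\AppData\Local\Temp\order_loader.exe
EventID=8|SourcePid=5210|SourceImage=C:\Users\alice\AppData\Local\Temp\order_loader.exe|TargetPid=5988|TargetImage=C:\Windows\System32\notepad.exe
EventID=1|Pid=6100|Image=C:\Windows\System32\svchost.exe|ParentPid=800|ParentImage=C:\Windows\System32\services.exe
EventID=8|SourcePid=6100|SourceImage=C:\Windows\System32\svchost.exe|TargetPid=5988|TargetImage=C:\Windows\System32\notepad.exe
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (the last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict[str, str]]:
    """Parse pipe-separated key=value lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(part.split("=", 1) for part in line.split("|")))
    return events


def detect(events: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Return (rule_name, description) alerts for the event stream.

    Rule 1: an Office application spawns any child process.
    Rule 2: a process descended from an Office application creates a remote
            thread in a different process, i.e. the injection step of a
            fileless second stage.
    The taint is propagated through ParentPid so grandchildren are covered.
    """
    alerts = []
    office_lineage: set[str] = set()  # PIDs descended from an Office app
    for ev in events:
        if ev["EventID"] == "1":
            parent = basename(ev["ParentImage"])
            pid = ev["Pid"]
            if parent in OFFICE_APPS:
                office_lineage.add(pid)
                alerts.append((
                    "office_spawn",
                    f"{parent} (pid {ev['ParentPid']}) spawned "
                    f"{basename(ev['Image'])} (pid {pid})",
                ))
            elif ev["ParentPid"] in office_lineage:
                office_lineage.add(pid)
        elif ev["EventID"] == "8":
            src = ev["SourcePid"]
            if src in office_lineage and src != ev["TargetPid"]:
                alerts.append((
                    "office_lineage_injection",
                    f"{basename(ev['SourceImage'])} (pid {src}) created a remote "
                    f"thread in {basename(ev['TargetImage'])} (pid {ev['TargetPid']})",
                ))
    return alerts


def run_sample() -> list[tuple[str, str]]:
    """Run the detector over the constructed sample telemetry."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

On the sample data the detector raises two alerts, one for WINWORD.EXE spawning the loader and one for the loader's remote thread into notepad.exe, while the svchost.exe remote thread produces nothing because that process has no Office ancestry. In a real deployment the same correlation would run over Sysmon or EDR telemetry rather than a string, and the Office parent list would be extended to whatever document handlers the environment uses.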

Although, according to Cyren, this campaign targets smaller suppliers, a 2017 Ponemon Institute study found that "56% of large breaches were the result of an initial breach into a third-party vendor, possible because many smaller suppliers are often granted access to their customer's corporate data and even network login credentials."

So although the campaign appears to be aimed at stealing credentials from small companies, the real end goal could be a larger customer further up the supply chain, reached through a handful of spear-phishing emails that compromise the right third-party vendors.

Indicators of compromise and a detailed walkthrough on how this fileless two-stage malware campaign manages to infect the target machines are available on Cyren's security blog.

Photo Gallery (3 images): fileless malware; the email with the malicious .doc attachment; the bait document used to induce a click.