Security experts have discovered new spear phishing tactics

Aug 21, 2021 05:45 GMT

Trend Micro spotted recent malicious activity conducted by the cybercriminal group Confucius. The hackers launched a spear-phishing campaign using Pegasus lures to trick users into clicking on a malicious document that downloads data-stealing code.

The attack begins with a clean email that contains text copied from a legitimate Pakistani newspaper article. Two days later, the victim receives a new email with a warning from a Pakistani military official about the Pegasus spyware; it includes a cutt.ly link to an encrypted Word document and the password needed to decrypt it.

Regardless of the action taken by the victim, clicking on either of the links leads to downloading the Word document. If the target makes the mistake of entering the emailed password, a document with macros appears on the screen. If macros are enabled on that particular machine, the next step is simply loading the malicious code.

Users should remember to follow basic security standards

Once the code is inside, a .NET DLL file named skfk.txt, built from material stored in the document's comment field, is created in the temporary directory. PowerShell loads the file into memory, and it is then used to steal data. Simply put, when the MD5 hash of a file with one of the listed extensions matches, the file is retrieved via the C&C server. Files whose extensions are not listed are saved to a different folder on the same C&C server, named with a machine name-username string.
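The dropped .NET DLL described above hides behind a harmless-looking .txt extension in the temporary directory. The following triage check, added here as an example and not code from the article or from Trend Micro, flags files whose extension says "data" but whose bytes carry a PE header; the directory, the file names and the minimal PE bytes it builds are constructed for the demonstration.

```python
"""Detect executable images masquerading as harmless files in a temp directory.

Added example (not the article's or Trend Micro's code). A Windows PE file
(EXE or DLL, .NET included) starts with the 'MZ' header and stores at offset
0x3C the offset of its 'PE\\0\\0' signature, whatever the extension claims.
"""
import os
import struct
import tempfile

# Extensions under which nobody expects a Windows executable image.
NON_EXECUTABLE_EXTS = {".txt", ".log", ".dat", ".tmp", ".jpg", ".png"}


def is_pe_image(data: bytes) -> bool:
    """Return True if the first bytes of a file look like a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def find_masquerading_pe(directory: str) -> list:
    """Return paths of files with a benign extension but a PE header."""
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if os.path.splitext(name)[1].lower() not in NON_EXECUTABLE_EXTS:
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if is_pe_image(head):
            hits.append(path)
    return sorted(hits)


def make_sample_dir() -> str:
    """Constructed sample: a minimal PE named skfk.txt beside a real text file."""
    d = tempfile.mkdtemp()
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header stub
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)   # e_lfanew -> PE signature
    fake_pe += b"PE\x00\x00" + b"\x00" * 20
    with open(os.path.join(d, "skfk.txt"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("just text\n")
    return d


if __name__ == "__main__":
    for hit in find_masquerading_pe(make_sample_dir()):
        print("PE image with non-executable extension:", hit)
```

Reading only the first 4 KiB keeps the scan cheap on large directories; a hit on a .txt file is a strong signal because legitimate text never starts with a valid MZ/PE header pair.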

The Confucius cybercrime gang has used several file stealers in the past for cyberespionage attacks on the Pakistani military. Even though the file stealers' code is not top-notch, the malware developers still use innovative techniques when creating malicious documents. Some of these techniques include using encrypted documents to prevent automated analysis and hiding the harmful code in the document's comments section.

Trend Micro suggests that users adhere to standard security practices, because they still apply to most attacks. To put it simply, users should inspect links carefully before opening them and refrain from clicking on or downloading anything questionable.