Cybersecurity researchers have uncovered a new targeted spam campaign that deploys password-stealing malware.
Sophos X-Ops discovered the campaign and described it in a published report.
According to the report, the attackers use social engineering: their emails complain about service issues or request information in order to build trust with the target before a malicious link is sent.
This approach mirrors a previously discovered activity that took place ahead of the April 2023 deadline for U.S. federal tax returns.
Andrew Brandt and Sean Gallagher, researchers at Sophos, explain, "The attacker's social engineering tactics range from complaining about violence or theft that occurred during a guest's stay, to asking for information about a guest's stay with special needs."
Once the hotel responds to the initial inquiry, the threat actors send follow-up messages with alleged documentation or evidence containing the malware payload hidden in a password-protected archive file.
The archives use a password such as 123456, and the attackers share them from public cloud storage services such as Google Drive, so the victim can open them.
Notably, the malware payloads are designed to evade detection: they are large files of more than 600 MB, most of which is padding filled with zeros.
In addition, the malware carries code-signing certificate signatures; some of these are new certificates obtained during the campaign, while others are fake.
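A defensive triage check for the padding trick described above, added here as an example and not code from Sophos or the report: it streams a file, measures how much of it is null bytes and the longest contiguous null run, and flags bloated samples. The size, ratio and run-length thresholds are assumptions, not values from the report.

```python
import io
import re
from dataclasses import dataclass

_ZERO_RUN = re.compile(rb"\x00+")

@dataclass
class PaddingReport:
    size: int
    zero_bytes: int
    longest_zero_run: int

    @property
    def zero_ratio(self) -> float:
        return self.zero_bytes / self.size if self.size else 0.0

def scan_stream(stream, chunk_size: int = 1 << 20) -> PaddingReport:
    """One pass over a binary stream; null runs are tracked across chunk boundaries."""
    size = zeros = longest = carry = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        zeros += chunk.count(0)
        for m in _ZERO_RUN.finditer(chunk):
            run = m.end() - m.start()
            if m.start() == 0:
                run += carry  # continues a run from the previous chunk
            longest = max(longest, run)
            carry = run if m.end() == len(chunk) else 0
        if not chunk.endswith(b"\x00"):
            carry = 0
    return PaddingReport(size, zeros, longest)

def scan_bytes(data: bytes, chunk_size: int = 1 << 20) -> PaddingReport:
    return scan_stream(io.BytesIO(data), chunk_size)

def scan_file(path: str, chunk_size: int = 1 << 20) -> PaddingReport:
    with open(path, "rb") as fh:  # streamed, so a 600 MB sample is never held in memory
        return scan_stream(fh, chunk_size)

def is_suspiciously_padded(report: PaddingReport, min_size: int = 100 << 20,
                           min_ratio: float = 0.9, min_run: int = 10 << 20) -> bool:
    """Assumed thresholds: large file, mostly nulls, with at least one very long null run."""
    return (report.size >= min_size and report.zero_ratio >= min_ratio
            and report.longest_zero_run >= min_run)
```

Run `scan_file` over an extracted archive member and pass the report to `is_suspiciously_padded`; lower the thresholds when testing on small constructed inputs.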
The malware, identified as a variant of Redline Stealer or Vidar Stealer, connects to a Telegram channel for command and control. It exfiltrates data, including desktop screenshots and browser information, without establishing persistence on the host.
Sophos X-Ops says it has retrieved more than 50 unique samples from cloud storage associated with this campaign and has published indicators of compromise in its GitHub repository.
"We have also reported malicious links from various cloud storage providers hosting malware," the report reads. "Most samples have little to no detections on VirusTotal."