Highly targeted spear phishing campaign targets corporate leaders, financial executives


Hacking techniques have become more sophisticated. In mid-May, the privately held cybersecurity company Trellix uncovered a new spear phishing campaign using legitimate tools that target finance executives and CFOs at banks, insurance firms, utilities and investment companies worldwide.

The meticulous operation discovered by the Trellix Advanced Research Center’s email security system is sophisticated and an evolutionary tactic among cybercriminals — a warning that nobody is safe from masquerading hackers.


What is spear phishing?

Hackers use phishing emails to deceive you into divulging personal information, like credit card numbers and passwords, or into installing malware on your computer or smartphone. Spear phishing is more targeted and carefully cultivated. Cybercriminals spend time and effort researching spear phishing victims, using the personal information they gather, often over months, to build a “relationship.”

Attackers disguise spear phishing emails as coming from a close friend or business acquaintance. Because these emails contain directly personal information, they commonly appear trustworthy and are challenging to identify as fake. Spear phishing attempts target specific people within an organization, usually those with access to essential financial information, and aim to use business knowledge to gain access to entire networks.

Targeting high-end finance through legitimate tools

In the recent campaign, the hackers abandoned traditional malware. Instead, they use NetBird, a WireGuard-based remote access tool, and OpenSSH, the open-source implementation of the Secure Shell (SSH) protocol, to establish covert access to networks presumed to be secure.

The attackers are bold, targeting higher-end financial executives in Africa, Canada, Europe, the Middle East and South Asia. These regions may be serving as test grounds before the hackers target large corporations within the United States. To date, targets exclude U.S.-based companies. However, American organizations could be in the firing line, given the hackers’ prior modus operandi of testing a spear phishing email’s success in single regions before moving elsewhere.

How the spear phishing email works

Cybercriminals pose as recruiters from the acclaimed Rothschild & Co. financial institution and use high-level social engineering techniques to email unwitting finance executives. Using a confidential “Rothschild & Co. leadership opportunity” that appears to come from a legitimate source, emails promise strategic executive opportunities and encourage recipients to open a “Rothschild_&_Co-6745763.PDF” attachment.


Once opened, this phishing link redirects to an application hosted by Firebase, whose landing page presents a CAPTCHA. The victim must solve a simple question, “What is the result of 9 + 10?”, which lets the scammer bypass automated security scanners while creating a false appearance of legitimacy.

After the CAPTCHA is completed, JavaScript decrypts a hardcoded redirect URL and sends the victim to a download portal disguised as a secure document delivery process. The infection starts when the victim downloads and opens a ZIP file containing a Visual Basic Script (VBScript). The script, which runs only on Microsoft Windows systems, creates a directory, fetches a payload from a command-and-control server, installs NetBird and OpenSSH, and configures NetBird for remote access.

It then sets up a hidden administrator account and creates remote desktop access that bypasses the firewall. To avoid detection, the VBScript removes the NetBird desktop shortcut and schedules the tool to start automatically on reboot. The backdoor’s persistence mechanisms now include a hidden account, RDP access and scheduled tasks, all ready for unauthorized use.

How to avoid the scam

While Trellix’s research has identified how the spear phishing campaign works, the company has not identified the attackers. This group has revolutionized spear phishing techniques by abusing the established and recognized NetBird and SSH tools, meaning the potential to exploit further legitimate tools and mechanisms remains. Even without such additions, many security teams may struggle to identify the current campaign, making it challenging to safeguard high-value systems and networks.

Trellix advises that CFOs and financial executives treat all unsolicited emails, especially those with attachments, with cautious skepticism. All global banks, energy utilities, investment firms and insurance companies should make their teams aware of the current spear phishing campaign. They should heed associated security warnings to minimize the threat of these multistage attacks that disrupt businesses through data theft and financial fraud.

Organizations should immediately advance their protective measures by:

  • Conducting awareness training on advanced spear phishing techniques for all financial executives.
  • Enhancing email security to include improved behavioral analysis for earlier detection of phishing techniques.
  • Applying strict access controls on remote access software installation and usage and monitoring company networks for unauthorized installations.
  • Employing EDR technologies with capabilities to identify legitimate tool abuse.
  • Establishing upgraded procedures for reporting suspicious emails and unusual system behaviors.
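The monitoring and EDR recommendations above come down to spotting the persistence chain described earlier (new account, local admin membership, remote access tool installed, firewall exception for RDP, scheduled task) landing on one host in a short window. The following is an added example, not Trellix’s code or tooling: it correlates constructed Windows event records (Security log IDs 4720, 4732, 4946, 4698 and System log ID 7045) into that chain. The sample events, host names, service names and the 30-minute window are assumptions for illustration.

```python
# Added example (not from the article or Trellix): correlate Windows events into the
# account -> admin -> remote tool -> firewall rule -> scheduled task chain described above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_id, detail). Not real telemetry.
SAMPLE_EVENTS = [
    ("2025-05-15T09:00:02", "WS-FIN-07", 4720, "user=svc_helper"),        # local account created
    ("2025-05-15T09:00:05", "WS-FIN-07", 4732, "group=Administrators"),  # added to local admins
    ("2025-05-15T09:00:40", "WS-FIN-07", 7045, "service=netbird"),       # remote access service installed
    ("2025-05-15T09:00:44", "WS-FIN-07", 7045, "service=sshd"),          # OpenSSH server installed
    ("2025-05-15T09:01:10", "WS-FIN-07", 4946, "rule=RemoteDesktop-In"), # firewall exception added
    ("2025-05-15T09:01:30", "WS-FIN-07", 4698, "task=NetBirdStart"),     # scheduled task created
    ("2025-05-15T14:20:00", "WS-HR-02", 7045, "service=netbird"),        # lone sanctioned install: no alert
]

# Service names as they would appear in a 7045 event (assumed; tune to your environment).
REMOTE_ACCESS_SERVICES = {"netbird", "sshd"}
WINDOW = timedelta(minutes=30)


def stage(event_id, detail):
    """Map one event to a stage of the chain, or None if it is unrelated."""
    if event_id == 4720:
        return "account_created"
    if event_id == 4732 and "Administrators" in detail:
        return "admin_added"
    if event_id == 7045 and detail.split("=", 1)[1].lower() in REMOTE_ACCESS_SERVICES:
        return "remote_tool_installed"
    if event_id == 4946:
        return "firewall_rule_added"
    if event_id == 4698:
        return "scheduled_task_created"
    return None


def correlate(events, min_stages=3):
    """Return {host: sorted stage names} for hosts showing >= min_stages distinct
    chain stages within WINDOW of each other. A single remote tool install alone
    never alerts, which keeps sanctioned deployments out of the queue."""
    by_host = defaultdict(list)
    for ts, host, event_id, detail in events:
        s = stage(event_id, detail)
        if s:
            by_host[host].append((datetime.fromisoformat(ts), s))
    alerts = {}
    for host, items in by_host.items():
        items.sort()  # chronological, so every later item has t >= t0
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```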

Improving technologies will encourage enhanced spear phishing attempts

As AI and machine learning are increasingly incorporated into business, internet technology and cybersecurity processes, hackers’ own research and development will keep transforming cybercrime, as the most recent spear phishing campaign demonstrates.


Education on the early identification of these threats, combined with updated and more effective precautions, will reduce the chances that these advanced attacks succeed.

Author Bio: Oscar Collins is a tech writer with bylines at Gizmodo and United States Cybersecurity Magazine. Check out Modded for more of his work, or follow him on X @TModded for frequent updates.