Himera and AbSent-Loader Leverage Covid19 lures

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  


Introduction


During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed to many companies under our protective umbrella. These messages leveraged FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemic. The emails were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader.


Figure1: Email vector example


Loaders are a type of malicious code specialized in loading additional malware into the victim's machine. Sometimes a loader also assumes "stealer" behavior, opportunistically gathering sensitive information even though that is not its primary purpose. Absent-Loader, despite its name, behaves exactly this way. The market for stolen information is definitely remunerative for cyber criminals: data gathered from infected systems is constantly sold in the underground, typically acquired by other, more structured criminal organizations or even by business competitors.


Technical Analysis  


The sample used in this campaign starts with a Word document that refers to an executable; that executable then drops a second executable and performs a renaming operation to evade controls. The following picture reports the infection chain used in this campaign:


Figure 2: Infection Chain
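The infection chain described above (Office document, executable, dropped executable, rename) can be expressed as a correlation rule over endpoint telemetry. The following is an added example written for this article, not code from the original analysis: the event schema, process names and paths are constructed, and only the shape of the chain comes from the text.

```python
from collections import defaultdict

# Constructed sample telemetry modelled on the chain in Figure 2. Field names
# are hypothetical, not a real EDR schema; paths and file names are made up.
EVENTS = [
    {"t": 1, "type": "proc", "pid": 100, "ppid": 10,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"t": 2, "type": "proc", "pid": 200, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\stage1.exe"},
    {"t": 3, "type": "file_create", "pid": 200,
     "path": r"C:\Users\u\AppData\Roaming\stage2.exe"},
    {"t": 4, "type": "file_rename", "pid": 200,
     "src": r"C:\Users\u\AppData\Roaming\stage2.exe",
     "dst": r"C:\Users\u\AppData\Roaming\update.dat"},
    # benign noise: Explorer (pid 10) starting notepad, which is not from Office
    {"t": 5, "type": "proc", "pid": 300, "ppid": 10,
     "image": r"C:\Windows\notepad.exe"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_loader_chain(events):
    """Return (office_pid, loader_pid, dropped_path, renamed_to) for each
    executable spawned by an Office process that drops a second executable
    and then renames it."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "proc"}
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "proc"}
    # Stage 1: executables whose direct parent is an Office application.
    stage1 = {pid for pid, ppid in parent.items()
              if ppid in images and basename(images[ppid]) in OFFICE_IMAGES
              and basename(images[pid]).endswith(".exe")}
    # Stage 2: executables written by a stage-1 process, keyed by writer pid.
    dropped = defaultdict(set)
    for e in events:
        if e["type"] == "file_create" and e["pid"] in stage1 \
                and basename(e["path"]).endswith(".exe"):
            dropped[e["pid"]].add(e["path"])
    # Stage 3: the dropped executable is renamed by the same process.
    findings = []
    for e in events:
        if e["type"] == "file_rename" and e["src"] in dropped.get(e["pid"], ()):
            findings.append((parent[e["pid"]], e["pid"], e["src"], e["dst"]))
    return findings
```

Running `detect_loader_chain(EVENTS)` yields one finding for the constructed chain and none for the notepad noise; a real deployment would key on the telemetry source's own field names and extend the rename check to cover moves across directories.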


The malicious email wave contained a .doc attachment. The static information about this file follows:


Name: Covid-19-PESANTATION.doc
Hash: 97FA1F66BD2B2F8A34AAFE5A374996F8
Threat: Himera Loader dropper
Size: 95,4 KB (97.745 byte)
Filetype: Microsoft Word document
Ssdeep: 1536:7fVmPSiRO8cOV8xCcoHrZvIdTZ2DSXMqcI3iL5PEs8VlbeH0btGDYLlNq2l+SEg:7fVz8zyUHlvId7H3iL5MVlbeHGkQvqTU

Table 1: Static information about the Malicious document


The interesting feature of this document is the fact that it does not leverage any type of macro or exploit, b ..