Sophos Uncovers Sophisticated New Compromise and Social Engineering Techniques
Combining phone and email lures, this complex attack chain foreshadows new tactics deployed by cybercriminals to deliver their malware
Posted: Thursday, Aug 17

Sydney, Australia, 17 August 2023 – Sophos, a global leader in innovating and delivering cybersecurity as a service, has released details of a complex new attack tactic that combines credible phone and email communications in an attempt to take control of corporate networks and exfiltrate data. The malware itself was delivered in an unusual fashion: a caller convinced the target to open an email message whose body contained no text, only a graphic designed to look like an Outlook email message. Prompted by the caller, the target clicked the graphic, which was a hyperlink that downloaded a malicious Electron app from the "image spam" email. This highly targeted attack demonstrates the growing sophistication of social engineering techniques and the tendency of attackers to chain numerous tools and techniques in the hope that the added complexity helps the payload evade detection.

During an investigation at a Swiss company, Sophos X-Ops discovered that the attack had begun with a telephone call that, at first, would have seemed harmless. The targeted employee was contacted directly by a man who claimed he had an urgent delivery to make to one of the company's sites and asked whether the employee would accept it. To validate the delivery, supposedly for security reasons, the employee had to read back a code sent by email during the call.

This email, written in flawless French, contained no text in the body of the message; it consisted solely of a static image made to look like a PDF attachment. Directed by the caller, the employee clicked on the image, which was in fact a link that downloaded the malware. Once the caller had talked the employee into opening the downloaded file, the attackers began taking over the network.
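The lure described above has a recognisable shape that mail filtering can key on: an HTML body with essentially no visible text, a single picture, and that picture wrapped in a hyperlink to an external download. The following Python script is an added example written for this page, not Sophos' detection logic and not code from the investigation. It parses a raw RFC 5322 message, measures the rendered text, counts images and linked images, and flags links whose path ends in an installer or archive extension (the extension list and the "no text" threshold are assumptions, marked as such). The two sample messages are constructed for the example.

```python
"""
Heuristic triage of an "image-only" lure email: a message whose visible body is
a single picture (styled, in the case described above, as an Outlook message or
a PDF attachment) that is itself a hyperlink to an external download.

Added example for illustration; not Sophos' detection logic. The sample messages
below are constructed, not captures from the investigation.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: extensions a packaged Electron app or its installer is likely to ship as.
INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg", ".appimage")
# Assumed threshold: fewer visible characters than this counts as "no text in the body".
MAX_VISIBLE_TEXT = 20


class _BodyStats(HTMLParser):
    """Count visible text, images and links, and note images wrapped in <a href>."""

    def __init__(self) -> None:
        super().__init__()
        self.visible_chars = 0
        self.images = 0
        self.linked_images = 0
        self.links: list[str] = []
        self._href: str | None = None
        self._skip_depth = 0  # inside <style>/<script>, whose text is never rendered

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("style", "script"):
            self._skip_depth += 1
        elif tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self.links.append(attrs["href"])
        elif tag == "img":
            self.images += 1
            if self._href:  # the picture is the clickable element
                self.linked_images += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip_depth:
            self._skip_depth -= 1
        elif tag == "a":
            self._href = None

    def handle_data(self, data):
        if not self._skip_depth:
            self.visible_chars += len(data.strip())


def analyse_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the image-only lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return {"html": False, "image_only_lure": False, "suspicious_links": []}

    stats = _BodyStats()
    stats.feed(html_part.get_content())
    stats.close()

    suspicious = [
        href for href in stats.links
        if urlparse(href).scheme in ("http", "https")
        and urlparse(href).path.lower().endswith(INSTALLER_SUFFIXES)
    ]
    image_only = stats.images >= 1 and stats.visible_chars < MAX_VISIBLE_TEXT
    return {
        "html": True,
        "visible_chars": stats.visible_chars,
        "images": stats.images,
        "linked_images": stats.linked_images,
        "suspicious_links": suspicious,
        # The pattern from the write-up: no text, one picture, and the picture is the link.
        "image_only_lure": image_only and stats.linked_images >= 1,
    }


def build_sample(html: str, plain: str | None = None) -> bytes:
    """Build a constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "delivery@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Code de validation pour votre livraison"
    if plain is None:
        msg.set_content(html, subtype="html")
    else:
        msg.set_content(plain)
        msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


# Constructed lure: the body is one linked picture and nothing else.
LURE = build_sample(
    '<html><body><a href="https://example.invalid/dl/code-de-validation.exe">'
    '<img src="cid:lure@example.invalid" alt=""></a></body></html>'
)
# Constructed benign mail: real text plus a signature logo linking to a web page.
BENIGN = build_sample(
    "<html><body><p>Bonjour, la livraison est confirmée pour lundi.</p>"
    '<a href="https://example.invalid/"><img src="cid:logo@example.invalid"></a></body></html>',
    plain="Bonjour, la livraison est confirmée pour lundi.",
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, analyse_message(raw))
```

The benign sample shows why the check needs all three indicators together: a signature logo is also a linked image, but it sits beside real text and points at a web page rather than an installer. In a mail gateway this heuristic would be one score among several, not a sole verdict, since a legitimate newsletter can also be a single linked banner.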

“This attack was highly, highly targeted. There was only one person in the office that Friday, and the attackers likely knew who it was. The use of an image masquerading as an email is also something we haven’t seen before. However, it’s smart. Attaching an actual PDF often triggers alarm on systems, since they are so frequently used to deliver malware, and e-mails with PDFs often end up in spam filters,” said Andrew Brandt, principal researcher at Sophos.

Once inside the network, the criminals used the malware to search for a wide range of information, including accounting software data, cookies, browsing history, saved passwords and cryptocurrency wallets. To hide the data exfiltration, the attackers routed the compromised system's traffic over the Tor anonymity network. In this case, however, the employee became suspicious and physically disconnected the Ethernet cable from his workstation, which limited the damage to the company.

“This type of highly sophisticated attack demonstrates the lengths cybercriminals will go to, to bypass usual defense tools and garner the trust of employees. Phishing attacks are incredibly effective, and we’ve seen attackers evolve their social engineering tactics with new technology. While attackers more frequently use text messages rather than email, that doesn’t mean phone calls are obsolete. We teach employees a lot about email safety, but we don’t necessarily teach them how to handle unusual phone calls. In this case, the employee reacted quickly and showed great presence of mind; this attack could have had much more serious consequences for the company. It’s important to be wary of unknown callers and check with a business directly if you are unsure about something they are asking you to do,” Brandt said.

Following the attack on the Swiss company, Sophos X-Ops uncovered a second attack using the same playbook against a company in Australia. The group behind these attacks is likely still active, and Sophos will continue to monitor the situation.
