Sophos Uncovers Sophisticated New Compromise and Social Engineering Techniques
Combining phone and email lures, this complex attack chain foreshadows new tactics deployed by cybercriminals to deliver their malware
Posted: Thursday, Aug 17
  • KBI.Media
  • $
  • Sophos Uncovers Sophisticated New Compromise and Social Engineering Techniques
Sophos Uncovers Sophisticated New Compromise and Social Engineering Techniques

Sydney, Australia, 17 August 2023ย –ย Sophos, a global leader in innovating and delivering cybersecurity as a service, reveals information aboutย a complex new attack tacticย that combines credible phone and email communications in an attempt to take control of corporate networks and exfiltrate data. The malware itself was delivered in a most unusual fashionโ€”a caller convinced the target of the attack to open an email message, which contained no text but was a graphic designed to look like an Outlook email message and prompted the target to trigger a download of a malicious Electron app linked from the “image spam” email. This type of highly targeted attack demonstrates a growing sophistication of social engineering techniques and the tendency of attackers to implement complex strategies that combine numerous tools and techniques in the hope that the complexity helps the payload evade detection.

During an investigation at a Swiss company, Sophos X-Ops discovered that the attack had begun with a telephone call that may have seemed harmless. The targeted employee was contacted directly by a man who told the employee he had an urgent delivery to make to one of the company’s sites and asked if the employee would accept the delivery. To validate the new deliveryโ€”allegedly for security reasonsโ€”the employee had to read out a code sent by e-mail during the call.

This e-mail, written in perfect French, contained no text in the body of the message and featured only a static image that appeared to be a PDF attachment. Directed by the scammer on the phone, the employee clicked on the image which led to the malware download. After verbally prompting the employee to open the file, the attackers began taking over the network.

โ€œThis attack was highly, highly targeted. There was only one person in the office that Friday, and the attackers likely knew who it was. The use of an image masquerading as an email is also something we havenโ€™t seen before. However, itโ€™s smart. Attaching an actual PDF often triggers alarm on systems, since they are so frequently used to deliver malware, and e-mails with PDFs often end up in spam filters,โ€ said Andrew Brandt, principal researcher at Sophos.

Once within the network, the criminals used malware to search for a wide range of information, including accounting software data, cookies, browsing history, and password and cryptocurrency wallets. To hide their data exfiltration, the attackers connected the targeted system to Tor (the dark web). However, in this particular case, certain elements aroused the employee’s suspicions, and he manually disconnected the Ethernet cable from his workstation, limiting the damage to the company.

โ€œThis type of highly sophisticated attack demonstrates the lengths cybercriminals will go to, to bypass usual defense tools and garner the trust of employees. Phishing attacks are incredibly effective, and weโ€™ve seen attackers evolve their social engineering tactics with new technology. While attackers more frequently use text messages rather than email, that doesnโ€™t mean phone calls are obsolete. We teach employees a lot about email safety, but we donโ€™t necessarily teach them how to handle unusual phone calls. In this case, the employee reacted quickly and showed great presence of mind; this attack could have had much more serious consequences for the company. Itโ€™s important to be wary of unknown callers and check with a business directly if you are unsure about something they are asking you to do,โ€ย Brandt said.

Following the attack on the Swiss company, Sophos X-Ops uncovered another attack using the same playbook against a company in Australia. Whichever group is behind these attacks is likely still active, and Sophos will be monitoring the situation.

Share This