Malicious Actor is Impersonating Government Organizations to Deliver Malware

• A new actor given the identifier TA2101 is showcasing highly sophisticated social engineering practices.
• The actor has recently targeted companies in Italy, Germany, and the United States.
• The payloads used were mostly ransomware that was fetched via document macros.

Proofpoint is highlighting the sophistication of new social engineering practices used by threat actors for the purpose of malware distribution. Proofpoint’s researchers observed these activities between October 16 and November 12, 2019, and report that they mainly targeted IT, healthcare, and manufacturing firms in the United States, Germany, and Italy.

Starting with Germany, the actors tried to impersonate the Bundeszentralamt fur Steuern (German Federal Ministry of Finance), sending tax refund emails. The recipients were asked to submit a relevant request, using an attached MS Word document. As expected, the document holds a malicious macro that executes a PowerShell script, which in turn downloads and installs the payload onto the victim’s system. In this case, the payload was the Maze ransomware. The case in Italy was similar, with the actors impersonating the Agenzia Entrate (Italian Ministry of Taxation). The attack method and payload are the same, and the only thing that changes is the branding and language. In the period that followed, the researchers have noticed more spoofing attempts of a lower volume, which tried to trick the recipients by sending supposed RSA SecurID keys that are used by the German Ministry of Finance or sending emails as 1&1 Internet AG (German ISP).

Source: Proofpoint

Source: Proofpoint

In the United States, the actors changed the payload to the IcedID banking Trojan and their impersonation to the United States Postal Service (USPS). In this case, the lookalike domain was “uspsdelivery-service.com”, which is currently offline. The U.S. campaign is characterized as a medium-volume campaign and targeted mostly in the healthcare sector. By correlating everything, the researchers have reached the conclusion that all of the above campaigns are the work of the same actor who uses the SOA “gladkoff1991@yandex.ru”.

For those of you who are receiving emails that are similar to what we describe here, remember, tax services never send messages asking you to take necessary action via online means. There are no urgent tax returns, and even if there were, you would have received a call instead of an email message. That said, all of the messages of this kind are scams, and the presence of an attachment only makes the danger real. The email content is always the lure, and the attached document is the hook. Whatever the message claims, do not download and open the document, and even if you do, do not enable the macros on your office suite.

Do you have anything to comment on the above? Feel free to do just that in the section down below, or on our socials, on Facebook and Twitter.