Security researchers have discovered a new campaign, which appears to be trying to trick victims into installing a malicious attachment, much like similar other campaigns. Hackers may be distributing malicious payload into the victim’s computer with the help of fake emails from companies like Uber, UPS, Invoicely, QuickBooks and Secure Parking.

The emails consist of a document requesting to be signed using the DocuSign software, which enables organizations to manage e-documents.

Cybercriminals delivering malware through Word document attachments have become highly common these days. However, the subject lines differ from case to case. Sometimes, hackers would use the subject line “files” or “paperwork“. At times, they would use “documents” in the subject line.

In other similar campaigns, hackers would use email subjects like “Private info belonging to your friend has been stolen“, “Your colleague’s account was compromised” or “We have got access to your friend’s account“.

The payload gets installed only after users open the MS Word document attachment. The document users “Enable content” in order to make sure that the macro is executed on the machine. Interestingly, researchers have observed that all emails contain exactly the same macro content. After the macros run, a PowerShell command executes in the background.

“The senders identify themselves as the Red Skull hacker crew and claim to have hacked into someone’s account. They apparently found an intimate picture of his girlfriend and threatened that person to distribute the picture to his complete contact list.”

Ultimately, the execution of macros installs ransomware onto the victim’s computer, usually demanding $500. Upon failing to pay money, the picture would be sent to the victim’s contact.

Researchers recommend users that they should refrain from clicking or opening links in emails directly, instead type in the main URL in your browser or search the brand/company via a search engine.

Also Read:

TagsCyber Security