In a new blog post Proofpoint security researchers explain that they have recently detected a low-volume targeted phishing campaign aimed at organizations in France and Germany. The campaign provides an interesting example of a phishing campaign that spans multiple languages and countries and shows the role of language as another variable that attackers can leverage to evade organizations’ existing defenses.
Key takeaways from the blog post include:
Twelve different Microsoft Word document attachments were detected in this campaign, cycled with multiple senders and headings to create a classic longline phishing campaign, enabling the attackers to evade reputation-based blocking. Automated analysis of the attachments revealed that the documents include a malicious macro (that is, a VBA virus) that downloads and installs the Andromeda (aka Gamarue) malware. Obfuscation of both the macro code and the Andromeda payload gave them a high degree of antivirus evasion: at the time Proofpoint analyzed them, the attachments were detected by less than 10% of antivirus engines, and the Andromeda payload by only five percent.
In September, Proofpoint noted that the URLs in unsolicited email sent to recipients in France and Germany were less likely to be malicious than URLs in emails to recipients in the US or the UK. Modern phishing campaigns take advantage of the flexibility of URLs, and of the fact that a URL can be made malicious after the message has been received, to regularly thwart even the most up-to-date URL reputation databases. By relying on attachments rather than malicious URLs to deliver its payload, this campaign shows that it would be wrong for organizations in France and Germany to think that they are less targeted than their counterparts in the US or UK.
These three samples from a single campaign exemplify the variation of attachment name, lure, subject and sending address that makes modern longline phishing campaigns so effective against reputation- and signature-based defenses. The Word attachments included an obfuscated Word macro designed to evade detection, and with at least twelve different attachments in a relatively low-volume longline campaign the odds were high that they would be unknown to antivirus engines and reputation services and would therefore be allowed to pass even the most robust anti-spam gateway. Whether the vector is a URL or an attachment, this is a perfect example of why organizations must complement their existing anti-spam gateway with advanced detection capabilities: something always gets through even the best traditional defenses.
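One content-based complement to reputation checks is to flag any incoming Office attachment that carries a VBA project, regardless of its hash, sender or filename. The following is an added illustration, not Proofpoint's tooling or the campaign's documents; the sample attachments are constructed in memory, and the scan of legacy OLE files for the `_VBA_PROJECT` directory-entry name is a heuristic, not a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")          # OLE directory-entry name (heuristic)


def has_vba(data: bytes) -> bool:
    """Content-based check: does this Office attachment embed a VBA project?

    Works on the bytes alone, so a never-seen-before sample, a renamed
    extension or a fresh sending address does not change the verdict."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: look for the VBA project directory entry.
        return VBA_MARKER in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # OOXML (.docm/.docx): macros live in word/vbaProject.bin.
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not an Office container at all


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document, optionally carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample: an OLE header followed by padding and a VBA directory entry.
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 8

# Constructed inbox: same lure rotated across names, as in a longline campaign.
SAMPLE_ATTACHMENTS = [
    ("Facture_2014.doc", SAMPLE_OLE_WITH_VBA),
    ("Rechnung.docx", build_ooxml(with_macro=False)),
    ("Bestellung.docx", build_ooxml(with_macro=True)),   # macro despite .docx name
]


def triage(attachments):
    """Return the names of attachments to hold for sandbox analysis."""
    return [name for name, data in attachments if has_vba(data)]


if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENTS))
```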