The threat of a copyright infringement claim has become the latest way for malware operators to trick their targets.
Researchers with Cisco Talos report that an ongoing attack in Taiwan is being spread via phishing emails that contain malware attachments.
Targeting businesses and advertising companies, the emails pose as a legal notice from either a copyright holder or a legal representative of a company making a copyright claim. Attached to the message is a supposed PDF that presents itself as a legal document detailing the complaint.
“The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware,” wrote Cisco Talos researcher Joey Chen.
“Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign.”
Once the victim opens the attachment, which presents itself as a PDF but is actually an executable, they are redirected via a Google Appspot.com domain that then routes through another third-party URL shortening service before finally arriving at a Dropbox domain.
That domain then delivers the actual payload: an info-stealing malware designed to harvest account credentials and other personal details. The malware was identified as either LummaC2 or Rhadamanthys, both of which are sold on dark web markets.
“The infection chain begins with a phishing email containing a malicious download link,” Chen explained.
“When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file.”
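The lure described above hinges on a file that is named like a PDF but is really a Windows executable, delivered inside a password-protected RAR. The following triage script is an added example written for this article, not Cisco Talos code: it compares the type an attachment's extension claims against the type its leading bytes reveal and flags the mismatch, using constructed sample attachments (the filenames and bytes are made up, not indicators from the campaign).

```python
"""Attachment triage for the 'fake PDF that is really an executable' lure.

A file whose name ends in .pdf but whose content begins with the PE
'MZ' header is exactly the mismatch the campaign relies on.  All sample
inputs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Magic-number prefixes for the formats involved in this lure.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "pe",               # Windows executable (EXE/DLL/SCR)
    b"Rar!\x1a\x07": "rar",    # RAR archive (v4 and v5 share this prefix)
}

# What each (last) extension claims the file is.  Windows uses only the
# last extension, so "Notice.pdf.exe" is treated as an executable.
EXTENSIONS = {"pdf": "pdf", "exe": "pe", "scr": "pe", "dll": "pe", "rar": "rar"}

@dataclass
class Verdict:
    filename: str
    claimed: str
    actual: str
    reasons: list = field(default_factory=list)

def detect_type(data: bytes) -> str:
    """Identify a file format from its leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"

def claimed_type(filename: str) -> str:
    """Type implied by the last extension, or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSIONS.get(ext, "unknown")

def triage(filename: str, data: bytes) -> Verdict:
    v = Verdict(filename, claimed_type(filename), detect_type(data))
    if "unknown" not in (v.claimed, v.actual) and v.claimed != v.actual:
        v.reasons.append(f"extension claims {v.claimed} but content is {v.actual}")
    if v.actual == "pe" and ".pdf" in filename.lower():
        v.reasons.append("executable dressed up as a PDF")
    if v.actual == "rar":
        v.reasons.append("RAR archive: may be password-protected, contents unscanned")
    return v

# Constructed samples: a double-extension executable, a misnamed executable,
# a genuine PDF and a RAR archive.  Not real campaign files.
SAMPLES = {
    "Copyright_Notice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Legal_Complaint.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "Legal_Complaint_real.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "Notice.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,
}

def suspicious(samples: dict) -> list:
    """Return the names of attachments with at least one triage reason."""
    return sorted(name for name, data in samples.items() if triage(name, data).reasons)
```

Run stand-alone, `suspicious(SAMPLES)` returns the three constructed decoys and leaves the genuine PDF alone; in a mail gateway the same check would run on each attachment before delivery.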
Chen said that attributing the attack to any one group is difficult given the obfuscation tactics the operators employ.
“Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website,” the researcher wrote.
“However, there is no strong evidence that it was created by an author from that region.”