Malware operators use copyright notices to lure in businesses

The threat of a copyright infringement claim has become the latest way for malware operators to trick their targets.

Researchers with Cisco Talos report that an ongoing attack in Taiwan is being spread via phishing emails that contain malware attachments.

Targeting businesses and advertising companies, the emails pose as a legal notice from either a copyright holder or a legal representative of a company making a copyright claim. Attached to the message is a supposed PDF that presents itself as a legal document with details of the complaint.

“The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware,” wrote Cisco Talos researcher Joey Chen.

“Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign.”

Once the victim opens the attachment, which presents itself as a PDF but is actually an executable, they are redirected via a Google Appspot.com domain that then routes through another third-party URL shortening service before finally arriving at a Dropbox domain.

That domain then delivers the actual payload: an info-stealing malware designed to harvest account credentials and other personal details. The malware was identified as being either LummaC2 or Rhadamanthys, both of which are available on dark web markets.

“The infection chain begins with a phishing email containing a malicious download link,” Chen explained.

“When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file.”
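The chain described above relies on two masquerades a mail gateway can check for: a file whose name advertises a PDF but whose bytes are a Windows executable, and an archive attachment that may be password-protected so it cannot be scanned. The following is an added illustration written for this article, not code from Cisco Talos or from the campaign; the magic-byte table, the lure word list and the sample inputs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Leading bytes of the formats that appear in the described chain (constructed table).
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"                      # DOS/PE header of a Windows executable
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Words that match the copyright-complaint lure used in this campaign (assumed list).
LURE_WORDS = ("copyright", "infringement", "legal", "notice", "complaint")


@dataclass
class Verdict:
    filename: str
    claimed: str                      # extension the filename advertises
    actual: str                       # format detected from the content
    reasons: list = field(default_factory=list)


def detect_format(data: bytes) -> str:
    """Identify the real format from the first bytes, ignoring the filename."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> Verdict:
    """Return the reasons an attachment deserves quarantine or analyst review."""
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    actual = detect_format(data)
    verdict = Verdict(filename, claimed, actual)
    # Fake PDF: the name says PDF anywhere after the base name, the bytes say PE.
    if "pdf" in parts[1:] and actual == "pe":
        verdict.reasons.append("executable disguised as PDF")
    # Double extension such as notice.pdf.exe, a common masquerade.
    if len(parts) > 2 and parts[-2] in ("pdf", "doc", "jpg"):
        verdict.reasons.append("double extension")
    # A RAR attachment may be password-protected and so unscanned; route for review.
    if actual == "rar":
        verdict.reasons.append("archive attachment (check for password protection)")
    # Legal-threat wording in the filename matches the lure pattern.
    if any(word in filename.lower() for word in LURE_WORDS):
        verdict.reasons.append("legal-threat lure wording")
    return verdict
```

A gateway would run the check on each attachment and, for archives, again on every member it can extract; a member it cannot extract because of a password is itself a signal.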

Chen said that attributing the attack to any one group is difficult given the obfuscation tactics the operators employ.

“Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website,” the researcher wrote.

“However, there is no strong evidence that it was created by an author from that region.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
