Serviceteam IT Security News

Having tracked the activities of threat actors suspected of being involved in a large number of malicious spam attacks targeting organizations based in Turkey, Sophos researchers determined that the attackers flew under the radar using Excel formula injections to deliver the payload. 

“The threat actor predominantly targets victims based in Turkey using malspam email messages written in the Turkish language. The spam author’s grasp of Turkish grammar, among other indicators, lends credibility to the hypothesis that both the origin and targets of this campaign are in Turkey,” wrote Sophos’s Gabor Szappanos in a July 12 blog post.

Researchers suspect that the method of attack may soon extend beyond the borders of the Türkiye Cumhuriyeti. “Successful ideas eventually infiltrate the entire crimeware ecosystem, and while this may not be the most effective tool for criminals, they can still use it like any other tool in the toolbox.”

While the attack itself was not highly sophisticated, it used a novel delivery method: simple email messages carrying Excel attachments that, when opened, carry out the attack. It is yet another example of the many ways attackers are evolving their methods to go unnoticed.

Several samples of phishing emails revealed the attackers followed the same structure in crafting the lures. “Later analysis revealed that the emails were generated by a builder that randomly selected from predefined sentence components, which explains the similarities,” Szappanos wrote.

As the email messages evolved, they grew more cryptic, which researchers suspect was a deliberate attempt by the threat actor to make the messages appear less mechanical.

During analysis, researchers found Windows executables hosted on the same additional servers that were hosting the payload malware.

“These files were not downloaded by the Excel files, but they must have been placed on the servers by the threat actor. We see no reason for storing them on the servers. The executables in question turned out to be builder programs that generate both the malicious attachment files and the randomized malspam message. These tools also have SMTP mailer functionality to send out the malspam with the attachment.”

Source: Infosecurity Magazine
