Hackers are impersonating Bloomberg employees in an attempt to install remote access software on target computers, researchers said Wednesday.
The ruse seeks to capitalize on the influence of Bloomberg Industry Group (formerly known as Bloomberg BNA), whose analysis major corporations use to track markets, according to Cisco Talos, which discovered the activity. The perpetrator is sending fake Bloomberg invoices laced with “remote access trojan” tools that could be used to surveil computer networks or steal data.
The goal of the malicious email campaigns, and exactly who was targeted, remain unclear. But the perpetrator has clearly gone beyond the bumbling phishing emails in broken English that typically give other scammers away.
It’s a clever piece of social engineering from a cyber actor that has apparently been active for only a year but has looked for economical ways into victim networks. One of the tools used, called NanoCore, is available for purchase on underground forums for just $20.
The emails seen by Cisco Talos politely ask users in fluent English to enable Microsoft Excel features which allow for the execution of malicious code. One email, for instance, lists a New York City phone number that recipients can call for “customer service.” When CyberScoop dialed the number, an automated voice read a different phone number and said that the voicemail inbox was full.
Vanja Svajcer, technical leader at Cisco Talos, said the malicious emails have come at around monthly intervals over the last year.
“The level of sophistication does not require a big group to execute [the scam],” he said.
Svajcer and his colleagues said they had “moderate confidence” that the operators of the malware were Arabic speakers. One clue suggested targets for the campaigns could be in North Africa and the Middle East: Attackers used a file-sharing site popular in Algeria, Egypt and Yemen to deliver the malicious code to victims.
The researchers call the malicious email campaigns “Fajan,” a reverse spelling of the Iraqi city of Najaf, which is referenced in the malicious code.
Email security firm Proofpoint in December 2019 revealed another NanoCore phishing campaign aimed at manufacturers in Germany, among others.
Bloomberg Industry Group did not respond to a request for comment by press time on the research.