Android ransomware attack spoofs the FBI with accusation of pornography

Ransomware attacks generally follow the same playbook. The attacker encrypts or locks sensitive files on your computer or device and demands a ransom to unlock them. In most cases, the criminals behind the attack make no attempt to disguise their identity, confident in their ability to convince enough people to pay the ransom. But one new malware campaign analyzed by cyber threat intelligence provider Check Point Research spoofs the FBI to lend an air of legitimacy to the ransom demand.

In a blog post published Tuesday, Check Point revealed the details behind a Malware-as-a-Service (MaaS) botnet known as Black Rose Lucy. Originally seen by Check Point in September 2018, Lucy acts as a dropper to spread malware and take control of Android devices.


After a successful infection on an Android device, Lucy encrypts files and then displays a ransom note in a browser window. This note claims to be an official message from the FBI that accuses the victim of owning and storing pornography.

Beyond encrypting the data and locking the device, the attacker warns that the details of this offense have been sent to the FBI Cyber Crime Department’s Data Center. To regain control of the device, the victim is then told to pay a fine of $500 by using a credit card.

Image: Check Point Research

In its analysis, Check Point found more than 80 samples of this attack distributed mostly through social media links and messaging apps. Masquerading as regular video player apps, these samples are able to control infected devices by exploiting the Android accessibility service, which is designed to assist people with disabilities by automating certain user interactions. To launch the attack, Lucy asks users to enable Streaming Video Optimization (SVO). This gives the botnet permission to use the accessibility service, thus allowing it to encrypt files on the device.

The malware’s code points to four different encrypted command and control (C&C) servers that can communicate with Lucy. The C&C servers are coded as domain names rather than IP addresses, which means that any one server taken offline can be reactivated simply by taking on a different IP address. The code indicates a range of commands that the C&C servers can issue without the user’s knowledge or permission, including ones to view all the directories on the device to encrypt files, decrypt files if the ransom is paid, decline the payment, and remove the malware from the device.

“We are seeing an evolution in mobile ransomware,” Check Point Manager of Mobile Research Aviran Hazum said in a press release. “Mobile malware is more sophisticated, more efficient. Threat actors are learning fast, drawing from their experience of past campaigns. The FBI mimic is a clear scare tactic. Sooner or later, we anticipate the mobile world will experience a major destructive ransomware attack. It’s a scary but very real possibility. We urge everyone to think twice before accepting or enabling anything while browsing videos on social media.”

To guard against mobile malware, Hazum advises people to install a security product on their device, use only official app stores and markets, and always keep the operating system and apps up to date.

Malware is easy to buy, own, and deploy, research says


A new study from research organization CyberNews.com found that malware is becoming increasingly easy to buy and deploy, even for those without technical backgrounds.


While malware deployments have grown in sophistication over the years, the number of attacks has also risen, signaling a democratization of tools allowing less-experienced cybercriminals to take advantage of widespread information. The report found that through underground message boards and Dark Web marketplaces, bad actors can easily find “incredibly low cost” widely available “off-the-shelf malware and ransomware.” 

“What we found exceeded our expectations far beyond what we initially anticipated. As it turns out, you don’t have to be a programmer or even have any specialized technical knowledge to buy or create malware. In fact, the entry bar is set so low that practically anyone can do it–all you need is an online wallet loaded with some Bitcoin,” the report said. 

“Encrypted trojans that can remain undetected by even the most sophisticated antivirus systems? Custom-built ransomware tailored to your own specifications? Remote cybercrime courses for aspiring ‘online entrepreneurs?’ It’s all there and available for would-be cybercriminals–for the right price.”

CyberNews researchers looked at 10 so-called DarkNet marketplaces and found that buying malware is easy and fast, with cheap or even free programs allowing people to own malware. For just $50, would-be criminals can buy advanced tools on cybercrime forums that operate in the open, it found. 

According to its investigation, there is even customer support for malware tools that you can buy that include free updates as well as troubleshooting services.

“In the many shadow markets of today, malware is easily bought, sold and traded on websites that are basically Dark Web versions of Craigslist. Some malware marketplaces are easy to find and open to anyone. Most of the malware tools sold in these entry-level websites are of inferior quality, made by neophyte hackers looking to make their names in cyberspace,” the report said. 

“On the other end of the spectrum are invite-only message boards, accessible only via the TOR network and run by veteran Eastern European cybercriminals who offer high-grade products used by serious clientele.”

The key to using malware is not skill but simply knowing where to find malware tools, and a number of websites provide detailed lists of forums where these tools are available. CyberNews researchers noted that one website has compiled a list of places where people can buy and sell malware, organized by country.

In an email interview, CyberNews PR manager Lina Bernotaityte explained that it's difficult to pinpoint who exactly is behind these malware tools and all the features accompanying them, but even with their anonymity, it is safe to say that these malware creators come from countries and regions where cybercrime legislation is not strictly enforced and talented, tech-inclined people don't have many opportunities for gainful employment.

The report notes that a number of malware creators offer their tools for free to a select group of cybercriminals as a way to make sure they work and increase usage as well as future potential for payment.

CyberNews researchers wrote that they were able to find a wide variety of malware brands for sale with everything from banking trojans to ransomware builders and “modular malware bots.” 

“Some of the most popular malware tools available, data-stealing Trojans can steal anything from passwords, cookies, history, and credit card data to chat sessions from instant messengers and pictures from webcams,” the study adds.

This data stealing brand of malware is available for prices ranging from $50 to $150 and even comes with support features for any issues.

Remote Access Trojans have become one of the most popular brands of malware deployed by cybercriminals, used in a variety of attacks on companies and governments around the world. The study said these very powerful tools, which give hackers the ability to take control of someone’s entire system, are on sale for up to $1,000.

“Some remote access trojans, such as Imminent Monitor which was taken down by Europol in November 2019, are often promoted as legitimate remote administration tools in order to increase sales,” the report notes.

The more expensive brands of malware, which include modular bots and banking trojans, range from $400 to $5,000 depending on the sophistication of the package. 

CyberNews researchers found programs that give hackers the ability to build powerful ransomware trojans or purchase subscriptions to ransomware services for $800 per month or $2,500 for lifetime subscriptions. 

When asked how much a cybercriminal could typically make from any of these brands of malware, Bernotaityte said it largely depends on their targets and attack plans. 

Targeting gamers and stealing Steam skins is fairly low risk, so the reward is lower than other attacks and can net hackers up to $2,000 per week. Attacking payment accounts for fraud with things like PayPal scams comes with more risk but can give cybercriminals access to nearly $10,000 a week. 

When attackers go after businesses, it is much higher risk but they can expect to make far more than $10,000 per week, Bernotaityte said, adding that the value of these malware brands will force people to make changes to how they operate online.

“Aside from having a reliable anti-malware tool installed, the most helpful thing each user can do is think before clicking. Since most of these malware tools are deployed either in phishing emails or on shady websites, using caution when clicking anything on the web is more important than ever,” Bernotaityte added.

“At the end of the day, the increasing decentralization of malware tools means that cybersecurity professionals will have to keep up. The better we understand how malware is created, traded, and exploited by cybercriminals, the quicker the countermeasures can be deployed.”

Sophos zero-day exploited by hackers

Sophos releases emergency patch to fix SQL injection bug exploited in the wild, impacting its XG Firewall product.


Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day late on Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."

After investigating the report, Sophos determined this was an active attack and not an error in its product.

HACKERS ABUSED AN SQL INJECTION BUG TO STEAL PASSWORDS

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said in a security advisory today.

Hackers targeted Sophos XG Firewall devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet.

Sophos said the hackers used the SQL injection vulnerability to download a payload on the device. This payload then stole files from the XG Firewall.

Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and user accounts used for remote access to the device.

Sophos said that passwords for customers’ other external authentication systems, such as AD or LDAP, were unaffected.

The company said that during its investigation, it did not find any evidence that hackers used the stolen passwords to access XG Firewall devices, or anything beyond the firewall, on its customers’ internal networks.

PATCH ALREADY PUSHED TO CUSTOMER DEVICES

The UK company, famed for its antivirus product, said it prepared and already pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said.

The security update will also add a special box in the XG Firewall control panel to let device owners know if their device has been compromised.

Image: Sophos

For companies that had devices hacked, Sophos is recommending a series of steps, which include password resets and device reboots:

  1. Reset portal administrator and device administrator accounts
  2. Reboot the XG device(s)
  3. Reset passwords for all local user accounts
  4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

Sophos also recommends that companies disable the firewall’s administration interfaces on the internet-facing ports if they don’t need the feature. Instructions to disable the control panel on the WAN interface are available here.

Skype Phishing Attack Targets Remote Workers’ Passwords


Attackers are sending convincing emails that ultimately steal victims’ Skype credentials.

Remote workers are being warned of a new phishing campaign targeting their Skype passwords.

The phishing emails look “eerily similar” to a legitimate Skype notification alert, according to a report released by Cofense on Thursday. Emails indicate users have 13 pending Skype notifications that can be checked by clicking a “Review” button.

“It is not uncommon to receive emails about pending notifications for various services,” researchers wrote. “The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the ‘Review’ button without recognizing the obvious signs of a phishing attack.”

Those red flags are apparent upon closer inspection. The sender address, which spoofs a convincing Skype phone number and email address, appears legitimate at first glance. But the real sending address, an external, compromised account, can be found in the return-path (displayed as "sent from").

Upon clicking “Review,” users are redirected through an app.link (hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5) and finally to the end landing page (hxxps://skype-online0345[.]web[.]app).

The .app top level domain, used for this phishing landing page, is backed by Google to help app developers securely share their apps. It adds an air of further legitimacy to the phishing attack, researchers said.


“A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case,” said researchers. “The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.”

The webpage impersonates a legitimate Skype login page, asking for victims’ Skype credentials. The threat actors have done their research – they’ve added recipients’ company logos to the login box, as well as a disclaimer at the bottom warning that the page is for “authorized use” of that company’s users only.

The username is also auto-filled (due to the URL containing the base64 of the target email address) – another trick that leaves little room for doubt on the victims’ side.

“The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor,” said researchers.
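The two header and link tells described above (a Return-Path domain that differs from the From domain, and a link carrying the recipient's address base64-encoded in its path) can be checked mechanically at a mail gateway. The following is an added example, not Cofense's tooling; the message, recipient and URLs are constructed placeholders, and the list of legitimate Skype domains is an assumption.

```python
"""Gateway-side checks for the Skype-lure phishing pattern (added example)."""
import base64
import binascii
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the From header mimics a Skype notification, the
# Return-Path points at an unrelated (compromised) mailbox, and the final
# link embeds the recipient's address as base64 so the login form can be
# pre-filled. None of these domains are the real campaign's infrastructure.
RECIPIENT = "alice@example.com"
SAMPLE_EMAIL = """\
Return-Path: <helpdesk@compromised-example.net>
From: Skype <notifications@skype-example.test>
To: alice@example.com
Subject: You have 13 pending Skype notifications
Content-Type: text/plain

You have 13 new notifications. Review them here:
https://example-redirector.test/VAMhgP3Mi5
https://skype-online0345.example.test/login/YWxpY2VAZXhhbXBsZS5jb20=
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption: domains on which a genuine Skype login would be hosted.
BRAND = "skype"
BRAND_DOMAINS = ("skype.com", "microsoft.com", "live.com")


def sender_domains(msg):
    """Return (From domain, Return-Path domain), lowercased."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    rp_addr = parseaddr(msg.get("Return-Path", ""))[1]
    return (from_addr.rpartition("@")[2].lower(),
            rp_addr.rpartition("@")[2].lower())


def base64_segments_matching(url, recipient):
    """Decode every path and query segment as base64; return the ones
    that decode exactly to the recipient's address."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    if parsed.query:
        segments += re.split(r"[&=]", parsed.query)
    hits = []
    for seg in segments:
        try:
            padded = seg + "=" * (-len(seg) % 4)   # tolerate stripped padding
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                                # not base64, or not text
        if decoded.lower() == recipient.lower():
            hits.append(seg)
    return hits


def looks_like_brand_impersonation(url, brand=BRAND, allowed=BRAND_DOMAINS):
    """True when the hostname mentions the brand but is not one of its domains.
    Note that HTTPS (the padlock) says nothing about this."""
    host = (urlparse(url).hostname or "").lower()
    if brand not in host:
        return False
    return not any(host == d or host.endswith("." + d) for d in allowed)


def analyze(raw_email, recipient):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw_email)
    findings = []
    from_dom, rp_dom = sender_domains(msg)
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"return-path domain {rp_dom} differs from From domain {from_dom}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        if base64_segments_matching(url, recipient):
            findings.append(f"recipient address base64-encoded in link: {url}")
        if looks_like_brand_impersonation(url):
            findings.append(f"brand name on a non-brand host: {url}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, RECIPIENT):
        print("FLAG:", finding)
```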


The campaign is one of many looking to leverage the wave of remote workers who, in the midst of the coronavirus pandemic, have come to rely on online conferencing tools like Webex (as well as Zoom and other platforms). With this upward spike in online meetings, compromised Skype credentials could be sold on underground forums, or used to log into accounts where sensitive files and data are shared (among other malicious activities).

Earlier in April, a phishing campaign was seen reeling in victims with a recycled Cisco security advisory that warns of a critical vulnerability. The campaign urges victims to "update," only to steal their credentials for Cisco's Webex web conferencing platform instead.

Researchers warn users to stay on the lookout for bad actors spoofing web conferencing and virtual collaboration apps. In general, attackers are taking advantage of the panic around the coronavirus with phishing emails about financial relief, promises of a cure, and symptom information.

“With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures,” said Cofense researchers.

Mobile industry teams up against COVID-19 smishers

The UK’s mobile and finance industries have teamed up with GCHQ’s National Cyber Security Centre (NCSC) to better detect and block SMS phishing attempts designed to capitalize on the COVID-19 crisis.

Known as smishing, these attacks use similar social engineering and spoofing techniques as phishing emails but arrive as texts, tricking users into clicking on malicious links and/or divulging personal and financial information.

The current initiative is part of an ongoing NCSC-backed project by the Mobile Ecosystem Forum (MEF), Mobile UK and UK Finance centered around the MEF-developed SMS SenderID Protection Registry.

Organizations that sign up to the registry can protect their text message headers, making it difficult for fraudsters to impersonate their brand in fake SMS phishing attempts. The system will check to see if a message is being sent by a genuine organization and block it if not.

According to Mike Fell, head of cyber-operations at HM Revenue and Customs (HMRC), the current project builds on an HMRC trial which resulted in a 90% reduction in reports of the most convincing HMRC-branded SMS scams.

Some 50 banks and government organizations have signed up to have their text messages protected, with 172 SenderIDs registered to date. Over 400 unauthorized text variants are being blocked thus far, but the blacklist is growing all the time.

All of the UK’s major operators — BT/EE, O2, Three and Vodafone — have signed up, as have leading messaging providers including BT’s Smart Messaging Business, Commify, Firetext, Fonix Interactive, HGC Global Communications Limited, IMImobile, mGage, OpenMarket, SAP Digital Interconnect, Sinch, TeleSign, Twilio and Vonage.

“We are pleased to be supporting this experiment which is yielding promising results,” said NCSC technical director, Ian Levy. “The UK government’s recent mass-text campaign on COVID-19 has demonstrated the need for such industry collaboration in order to protect consumers from these kinds of scams.”

The news comes as the NCSC claimed an early win for its suspicious email reporting service, which was officially launched this week.

It said more than 80 malicious web campaigns were taken down in a day after 5000 suspicious emails were flagged to the automated service for investigation.

WHO says COVID-19 has brought an increase in cyber-attacks

The World Health Organization (WHO) has confirmed reports earlier this week that thousands of staff emails and passwords were leaked online, adding that it has seen a “dramatic increase” in cyber-attacks since the start of the COVID-19 crisis.

Rita Katz, director of SITE Intelligence Group, said earlier this week that suspected Neo-Nazi groups had posted the details online, on platforms including 4chan, Pastebin and Twitter.

This was part of an alleged months-long harassment campaign of staff at the organization and others fighting the pandemic, including the Centers for Disease Control and Prevention, the World Bank, the Gates Foundation and the National Institutes of Health.

In a brief update yesterday, the WHO confirmed that 450 active WHO email addresses and passwords were leaked online, plus thousands belonging to “others” working on COVID-19 response.

Despite describing the log-ins as “active,” it claimed that the credentials didn’t pose a security risk as they were old. However, an “older extranet system” used by current and retired staff and partners was affected, it admitted.

Steps are being taken to improve authentication security on the site, presumably by mandating two-factor authentication or similar.

More generally, the WHO claimed it had seen a dramatic surge not only in attacks aimed at its staff but in phishing emails spoofing its name to trick the general public.

It pointed in particular to scams aimed at soliciting donations to fictitious funds, although there are many others, designed to covertly install malware and harvest credentials.

The number of attacks in general has increased fivefold over the number seen during the same period last year, WHO claimed.

“Ensuring the security of health information for member states and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic,” said WHO CIO, Bernardo Mariano.

“We are grateful for the alerts we receive from Member States and the private sector. We are all in this fight together.”

267 million Facebook profiles sold for $600 on the dark web


Threat actors are selling over 267 million Facebook profiles for £500 ($623) on dark web sites and hacker forums. While none of these records include passwords, they do contain information that could allow attackers to perform spear phishing or SMS attacks to steal credentials.

Last month, security researcher Bob Diachenko discovered an open Elasticsearch database that contained a little over 267 million Facebook records, with most being users from the United States.

Many of these records contained a user's full name, their phone number, and a unique Facebook ID.

The ISP hosting the database eventually took the server offline after being contacted by Diachenko.

Soon after, a second server containing the same data plus an additional 42 million records was brought online, but it was quickly attacked by unknown threat actors who left a message telling the owners to secure their servers.

Image: A second server breached by unknown actors

Of this new data, 16.8 million records included more information such as a Facebook user’s email address, birth date, and gender.

It was not discovered who these servers belonged to, but Diachenko believed that it was owned by a criminal organization who stole the data using the Facebook API before it was locked down or via scraping public profiles.

Data now being sold for £500

This weekend, cybersecurity intelligence firm Cyble discovered a threat actor selling this database for £500 on the dark web and through hacking forums.

In a conversation with Beenu Arora, CEO of Cyble, BleepingComputer was told that the researchers have purchased the database to verify the data and that they are adding it to their http://AmIbreached.com breach notification service.


Like Diachenko, Arora is unsure how this data was compiled.

"At this stage, we are not aware of how the data got leaked at the first instance, it might be due to a leakage in third-party API or scraping," Arora told BleepingComputer. "Given the data contain sensitive details on the users, it might be used by cybercriminals for phishing and spamming."

How can this sold data affect you?

The database being sold does not contain Facebook account passwords, but it does contain email addresses and phone numbers for some users.

This could allow attackers to create spear-phishing campaigns that aim to steal your password using email campaigns or SMS texts that pretend to be from Facebook.

If the phishing emails contain information such as dates of birth and/or phone numbers, some users may be more prone to believe them and thus provide the attackers with the requested info.

Cyble recommends users tighten their privacy settings on Facebook accounts and be cautious of unsolicited emails and text messages.

Clearview AI source code exposed

A cybersecurity company claims that a Clearview AI server was publicly exposed and temporarily leaked the source code associated with its facial recognition technology. This is a worrying situation, since the start-up's database contains several billion photos of social network users that could be exploited by malicious people.

Trouble continues for Clearview AI! After being accused of collecting photos of social media users to feed its facial recognition system, the New York start-up has seen its source code and some of its private keys exposed publicly following a security breach. TechCrunch reported on Friday, April 17, 2020, that the firm SpiderSilk noticed that one of Clearview AI's servers was exposed and that its configuration allowed anyone to register an account.

A DANGEROUS DATABASE

With billions of images, the Clearview AI database can recognize large numbers of people from a single photograph. The start-up has repeatedly insisted that its software is only accessible to the authorities. However, many organizations and companies have already used it. The leak of the source code for this technology raises concern that it could fall into the wrong hands.

Security breach exposed Clearview AI source code and app data

The exposed server contained, beyond the source code which is associated with the company’s database, multiple copies of its application for devices that run on Windows, MacOS, Android and iOS. SpiderSilk has taken screenshots of the latter, recently removed from the AppStore after violating the terms of use imposed by Apple. The cybersecurity firm also spotted the authentication tokens associated with Clearview AI on the Slack collaboration platform which would have technically enabled them to consult internal exchanges if they had wished to do so.

CLEARVIEW AI CONDUCTS AN INTERNAL AUDIT

Some 70,000 videos filmed in a residential building, reportedly located in Manhattan (New York) but not formally identified at the time, were also stored on the start-up's cloud. Asked by TechCrunch about them, the founder of Clearview AI assured that these "were filmed with the explicit authorization of the place's owner within the framework of the prototyping of a CCTV".

In addition, Hoan Ton-That judged that the security breach his company has just suffered "exposed no biometric or personal data" and indicated that a "full internal audit is underway" to determine its origin. As a reminder, an investigation was opened by the attorney general of the US state of Vermont to determine whether Clearview AI has violated certain data protection rules. The social networks from which the start-up probably collected users' photos, Facebook, Twitter and YouTube in particular, have urged the firm to put an end to these practices.

GitHub accounts stolen through phishing attacks


GitHub users are currently being targeted by a phishing campaign specifically designed to collect and steal their credentials via landing pages mimicking GitHub’s login page. 

Besides taking over their accounts, the attackers are also immediately downloading the contents of private repositories, including but not limited to “those owned by organization accounts and other collaborators.”

“If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password,” GitHub’s Security Incident Response Team (SIRT) says.

GitHub’s SIRT published information on this ongoing phishing campaign dubbed Sawfish to increase awareness and allow users that might be targeted to protect their accounts and repositories.

Phishing attack targets active GitHub accounts

The phishing emails use various lures to trick targets into clicking the malicious link embedded in the messages: some say that unauthorized activity was detected, while others mention repository or settings changes to the targeted user’s account.

Users who get tricked and click to check their account’s activity are then redirected to a fake GitHub login page that collects their credentials and sends them to attacker-controlled servers.

The phishing landing page will also exfiltrate the victims’ 2FA codes in real-time if they’re using a time-based one-time password (TOTP) mobile app, making it possible for the attackers behind this campaign “to break into accounts protected by TOTP-based two-factor authentication.”

However, “[a]ccounts protected by hardware security keys are not vulnerable to this attack,” the Git repository hosting service’s SIRT explains.
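The difference between the two factors described above comes down to what the second factor binds to. A TOTP code depends only on a shared seed and the clock, so a code typed into a phishing page and relayed within seconds is indistinguishable from one typed into the real site; a WebAuthn-style authenticator signs the server's challenge together with the origin the browser actually connected to, so a relayed assertion either carries the wrong origin or, if the origin is rewritten, no longer verifies. The following toy model is an added example, not GitHub's code: the TOTP seed, device key, clock value and phishing origin are constructed, and an HMAC stands in for the device's asymmetric signature.

```python
"""Real-time relay against TOTP versus an origin-bound authenticator (added example)."""
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://github-login.example-phish.test"   # constructed placeholder
TOTP_SEED = b"constructed-shared-totp-seed"                # constructed, shared user/server
DEVICE_KEY = b"constructed-device-key"                      # constructed; stands in for a private key


def totp(seed, t, step=30, digits=6):
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = int(t // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verify_totp(seed, code, t, step=30):
    """Server accepts the current window and the previous one (clock drift)."""
    return any(hmac.compare_digest(totp(seed, t - k * step), code) for k in (0, 1))


def relay_totp_attack(now):
    """Victim types the current code into the phishing page; the phishing
    kit forwards it to the real site a few seconds later. Nothing in the
    code says where it was typed, so the server accepts it."""
    code_captured = totp(TOTP_SEED, now)
    return server_verify_totp(TOTP_SEED, code_captured, now + 3)


def authenticator_sign(challenge, origin):
    """Simplified WebAuthn assertion: the authenticator signs the challenge
    bound to the origin the browser reports (part of clientData)."""
    return hmac.new(DEVICE_KEY, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def server_verify_assertion(challenge, claimed_origin, signature, expected_origin):
    """Relying party checks the origin first, then the signature over
    challenge||origin. Both must match."""
    if claimed_origin != expected_origin:
        return False
    expected = authenticator_sign(challenge, claimed_origin)
    return hmac.compare_digest(expected, signature)


def relay_webauthn_attack(challenge):
    """Phishing page forwards the real server's challenge to the victim's
    browser, which signs it for the phishing origin. Returns the outcome of
    (a) relaying the assertion as-is and (b) rewriting the origin field."""
    sig = authenticator_sign(challenge, PHISH_ORIGIN)
    relayed_as_is = server_verify_assertion(challenge, PHISH_ORIGIN, sig, REAL_ORIGIN)
    origin_rewritten = server_verify_assertion(challenge, REAL_ORIGIN, sig, REAL_ORIGIN)
    return (relayed_as_is, origin_rewritten)


def legitimate_login(challenge):
    """Same authenticator, same challenge, but the browser really is on the real origin."""
    sig = authenticator_sign(challenge, REAL_ORIGIN)
    return server_verify_assertion(challenge, REAL_ORIGIN, sig, REAL_ORIGIN)


if __name__ == "__main__":
    print("TOTP relay accepted:", relay_totp_attack(1_700_000_000))
    print("WebAuthn relay accepted (as-is, origin rewritten):", relay_webauthn_attack(b"challenge-1"))
    print("Legitimate WebAuthn login accepted:", legitimate_login(b"challenge-1"))
```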

Image: Phishing email sample (GitHub)

This ongoing phishing campaign targets currently-active GitHub users working for tech companies from multiple countries using email addresses obtained from public commits.

The phishing emails are delivered from legitimate domains, either using previously-compromised email servers or with the help of stolen API credentials for legitimate bulk email service providers.

Attackers behind this campaign also make use of URL-shortening services designed to hide the landing pages’ URLs and have also been observed while chaining multiple URL-shortening services for enhanced obfuscation.

To further help them make the malicious links used in the attack look less suspicious, the threat actors also use PHP-based redirectors on compromised sites.

How to defend against these phishing attacks

Users that haven’t configured two-factor authentication for their GitHub accounts using a security key are advised by the Microsoft-owned company to:

“In order to prevent phishing attacks (which collect two-factor codes) from succeeding, consider using hardware security keys or WebAuthn two-factor authentication,” GitHub also advises users. “Also consider using a browser-integrated password manager.”

“These provide a degree of phishing protection by auto-filling or otherwise recognizing only a legitimate domain for which you have previously saved a password.

“If your password manager doesn’t recognize the website you’re visiting, it might be a phishing site.”

One year ago, attackers were using GitHub's platform to host their phishing kits, abusing the service's free repositories to deliver them via github.io pages.

An Update to the Age-Old Excel 4.0 Macro Attack

XLS files sent via emails appear password protected but aren’t, opening automatically to install malware from compromised macros, according to researchers.

Hackers have updated the age-old Excel malware attack technique with a new passwordless twist. Researchers have identified a new method that no longer requires victims to enter a password to open a dangerous document, more readily exposing them to potential malware infection.

Researchers from security firm Trustwave said they discovered a new malspam campaign that sends Excel 4.0 xls 97-2003 files with a compromised macro in email messages. The ploy is predictable and attempts to dupe users with themes ranging from fake invoices to COVID-19 related lures.

In past campaigns, this type of attack uses a password-protected Excel 4.0 document. The message body contains the password, which attackers use to tempt targets into opening the Excel document. The idea is that a password-protected Excel document is sent encrypted using Microsoft Enhanced Cryptographic Provider v1.0. The encryption layer often allows the malicious email to slip past email defenses. The document itself contains Excel 4.0 Macro sheets, one of which harbors a malicious macro.

The updated technique maintains the encrypted Excel document. It also still requires user interaction – in that users must still be tricked into opening the Excel document from inside the phishing email. The difference is, when a victim opens the password-protected document, hackers have devised a way that opens the encrypted and password-protected document without requiring the physical input of a password.

According to Trustwave researcher Diana Lopera, in a blog post outlining the discovery posted Friday, “A password has been applied to the Excel files, which used the Microsoft Enhanced Cryptographic Provider v1.0 algorithm to encrypt the attachments.”

Next, she explains, “Password protected documents can only be opened with the correct password as this is the key needed in the decryption process… Excel first attempts to open a password protected Excel file using [a] default password ‘VelvetSweatshop’ in read-only mode.”

In the background, the researchers said, the Excel document is opened using the pre-determined default password. “Hence, no password input was required from the user nor was a warning from the application prompted. The content of the XLS files were immediately displayed.”

That allows for the malicious Excel 4.0 document to follow a familiar infection routine.

The actors embedded malicious activity in macro sheets with random names. Contained within the Excel sheets is a malicious macro.

“The macro will download a binary from a compromised site, save it on disk under C drive, and execute them,” she said.

The macro links to a compromised site that hosts Gozi, a banking trojan that can ride along on a victim’s banking transactions, stealing credentials that are used to transfer funds from a victim’s account.

Indeed, the way Excel treats the file when a user clicks on it is a read-only bug that’s been known for more than 10 years, Trustwave researchers noted. Researchers at Mimecast Threat Center also discovered a campaign recently spreading the LimeRAT malware that takes advantage of a vulnerability regarding this read-only feature posted online in 2013.

Trustwave researchers said the threat is one of a raft of new malspam campaigns leveraging the password-protected Excel 4.0 macro to engage in malicious activity.