Skip to main content

Hackers spoofing US postal service to trap victims

US postal service
(Image credit: Pexels)

After making the rounds in Europe, a new phishing campaign has arrived in the US and the attackers behind it are impersonating the US postal system with the aim of infecting users' computers with a banking trojan according to new research from Proofpoint.

In November, researchers from the cybersecurity firm observed thousands of emails trying to deploy malicious Microsoft Word attachments in the US. These emails impersonated messages from the US postal service as part of a campaign to infect computers with the IcedID banking trojan.

IcedID was first discovered by IBM's X-Force Research division and the banking Trojan typically targets banks, payment card providers and financial institutions in an effort to steal user credentials.

However, the campaign discovered by Proofpoint is not targeting financial companies and is going after businesses in the healthcare industry instead. The phishing emails used in the campaign contain a malicious Word document that when opened, triggers a Microsoft Office macro that launches a PowerShell script to download and install IcedID onto a user's computer.

Phishing campaign

The US is the latest target of the campaign after Proofpoint observed the same threat actor targeting businesses in Germany by impersonating the German Federal Ministry of France. The attacker behind the campaign also employed the commercially available penetration testing tool, Cobalt Strike to deploy their malicious payloads.

To track down the origin of the malware, researchers at the firm analyzed over 5bn email messages, millions of social media posts and more than 250m malicious samples daily.

Proofpoint analyzed a number of characteristics including infrastructure, lure styles and macro code to identify and analyze the campaign's activity in the US. The firm found that the actions were not consistent with existing threat actors which suggests that a new group is likely behind the campaign.

Threat intelligence lead at Proofpoint, Christopher Dawson provided further details on the group and its malicious activities, saying:

"Although these campaigns are small in volume, currently, they are significant for their abuse of trusted brands, including government agencies, and for their relatively rapid expansion across multiple geographies. To date, the group appears to have targeted organizations in Germany, Italy, and, most recently, the United States, delivering geotargeted payloads with lures in local languages. We will be watching this new actor closely, given their apparent global aspirations, well-crafted social engineering, and steadily increasing scale."

  • Protect your devices from the latest cyber threats with the best antivirus software

Via TechRepublic