
Fake court summons used to spread phishing malware


The cybersecurity firm Cofense has discovered a new phishing campaign that targets users with a subpoena-themed email purporting to come from the UK Ministry of Justice, with the end goal of infecting their systems with information-stealing malware.

Employees at insurance and retail companies have received these phishing emails, which state that the recipient has been subpoenaed and must click a link in the email to see more details about their case.

The infection chain abuses trusted services, including Google Docs and Microsoft OneDrive. The Google Docs link itself is not malicious, but it starts a redirect chain that eventually leads to a macro-laden Microsoft Word file. Once the macro executes, it downloads a sample of the Predator the Thief information stealer via PowerShell.

The initial email also warns that the recipient has 14 days to comply with the subpoena notice, a scare tactic designed to pressure users into clicking the link inside the email.

Predator the Thief

Predator the Thief has all the basic capabilities of most information stealers. One of the unusual things about this malware, however, is the wide range of web browsers it targets, which means even users of a less popular web browser could be affected.

The malware's authors distribute their product through a Telegram channel, which also serves as their customer-support channel.

Predator the Thief targets cryptocurrency wallets, browser data, and FTP and email credentials. The malware also takes a screenshot of the infected machine, and the collected data is sent back to a Command and Control (C2) server via an HTTP POST.

After the information on the target has been gathered and sent to the C2, the binary cleans up parts of the infection and self-terminates, which makes the malware much harder to discover after the fact.

To avoid falling victim to this latest phishing campaign, Cofense recommends disabling Microsoft Office macros by default and deploying endpoint protection.
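"Disable macros by default" is enforced in Office through Group Policy values under `HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security`: `VBAWarnings` (1 = enable all, 2 = disable with notification, 3 = disable all except digitally signed, 4 = disable all without notification) and `blockcontentexecutionfrominternet` (1 blocks macros in files carrying the Mark of the Web). The script below is an added example, not Cofense's or the article's own tooling: it parses a constructed `reg export` of a weak posture, reports where a user could still click Enable Content, and generates the hardened counterpart that passes the same audit. The policy names and their meanings are Office's documented ones; the exported values and the Excel-only `AccessVBOM` line are constructed.

```python
"""Audit exported Office macro policy and emit the hardened equivalent."""
import re

# Meaning of the VBAWarnings policy value (Office's own documented mapping).
VBA_MEANING = {
    1: "enable all macros",
    2: "disable with notification",
    3: "disable all except digitally signed",
    4: "disable all without notification",
}

# Constructed `reg export` of a weak posture: Word only prompts, Excel has
# no macro policy at all, PowerPoint has no Security key.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"AccessVBOM"=dword:00000000
"""

SECURITY_KEY = re.compile(r"\\Office\\(\d+\.\d+)\\(\w+)\\Security$", re.I)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}; dwords become ints."""
    values: dict = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        elif key and line.startswith('"'):
            name, _, val = line.partition("=")
            name = name.strip('"')
            values[key][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
    return values


def settings_by_app(values: dict) -> dict:
    """Map lower-cased application name -> its Security key values."""
    by_app = {}
    for key, settings in values.items():
        m = SECURITY_KEY.search(key)
        if m:
            by_app[m.group(2).lower()] = settings
    return by_app


def audit_macro_policy(reg_text: str, apps=("Word", "Excel", "PowerPoint")) -> list:
    """Return (app, finding) pairs; an empty list means macros are disabled by default.
    VBAWarnings=3 (signed only) is tolerated; 4 is the setting the article's advice implies."""
    by_app = settings_by_app(parse_reg(reg_text))
    findings = []
    for app in apps:
        sec = by_app.get(app.lower())
        if sec is None:
            findings.append((app, "no macro policy enforced; the user's Trust Center setting applies"))
            continue
        vba = sec.get("VBAWarnings")
        if vba is None:
            findings.append((app, "VBAWarnings not set; the default prompt lets users click Enable Content"))
        elif vba < 3:
            findings.append((app, f"VBAWarnings={vba} ({VBA_MEANING.get(vba, 'unknown')}); users can still enable macros"))
        if sec.get("blockcontentexecutionfrominternet") != 1:
            findings.append((app, "blockcontentexecutionfrominternet != 1; macros in files from the internet are not blocked"))
    return findings


def hardened_export(apps=("Word", "Excel", "PowerPoint"), version="16.0") -> str:
    """Build the .reg fragment that enforces 'disable all without notification'
    plus Mark-of-the-Web blocking for each app: the hardened counterpart of WEAK_EXPORT."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for app in apps:
        out.append(f"[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\{version}\\{app}\\Security]")
        out.append('"VBAWarnings"=dword:00000004')
        out.append('"blockcontentexecutionfrominternet"=dword:00000001')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for app, finding in audit_macro_policy(WEAK_EXPORT):
        print(f"{app}: {finding}")
    print(hardened_export())
```

Setting the policy under `HKCU\Software\Policies` (rather than the user-editable Trust Center key) matters because it greys out the option in the Office UI, so the recipient of a "subpoena" document cannot simply click through the macro warning.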