2 min read

Cybercrooks Push FormBook Info-Stealer in New Omicron-Themed Phishing Campaign

Alina BÎZGĂ

December 13, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Cybercrooks Push FormBook Info-Stealer in New Omicron-Themed Phishing Campaign

COVID-19 has been a recurrent theme in phishing campaigns and cyberattacks this year, but threat actors haven’t exhausted the subject quite yet. While holiday-themed threat activity is still rampant during the shopping season, the discovery of the Omicron COVID-19 variant has opened new opportunities for criminals to expand their phishing repertoire.

Bitdefender Antispam researchers monitoring Omicron-related spam traffic have caught a malicious phishing campaign trying to infect recipients with a well-known data stealer.

The generic message is similar to a previous malspam campaign (serving the same malicious payload) and resembles a request to revise shipment information found in a Proforma invoice attachment. As expected, the attackers cite new government policies in response to the Omicron variant and offer no other information to recipients. Sample analysis has not shown any tailor-made versions targeting a specific organization or business.

“Please find attached PI. Still pending for confirmation of vessel. Kindly note that Government has some new policy in response to the OMICRON COVID-19 strain outbreak. Documents will be sent following final confirmation,” the email reads.

The attachment (P-INV DeC-21 PO-409865-00454357527018_pdf.arj) contains GuLoader, a remote access Trojan (RAT) downloader best known for its anti-VM capabilities to evade detection. The use of this downloader to spread malicious payloads such as FormBook, AgentTesla and Netwire has grown in popularity since its discovery in late 2019.

In this attack, cybercriminals use GuLoader to spread FormBook, a popular info-stealer spotted by Bitdefender researchers in global phishing campaigns in July and September 2021.

Attackers are impersonating an Indonesia-based company that makes packaging products to spread the form grabber malware. Over 90% of the malicious emails originate from IP addresses in the US and telemetry shows a clear focus on Asia-based targets. However, the campaign has spread globally, popping up in inboxes across Europe including the UK, Germany and the Netherlands.

Formbook is notorious for harvesting login credentials and banking-related data on web forms. While our researchers couldn’t attribute the campaign to any specific group, the attackers are motivated by money.

We expect more threat actors to piggyback on Omicron in coming weeks, as users travel or prepare for Christmas and New Years’ celebrations. Users are advised to stick to good cyber hygiene and install a security solution on their devices. Keep operating systems and apps up to date and never access attachments from unsolicited emails without being able to verify their validity.

Bitdefender customers are already protected from FormBook malware. The attached file, detected as Trojan.GenericKD.38151652, is blocked by both our consumer and enterprise solutions.

With Bitdefender Total Security and XEDR, users and businesses enjoy the best anti-malware protection and threat detection and response against e-threats across all major operating systems. The real-time protection feature included in our security software safeguards against e-threats, including viruses, worms, Trojans, ransomware, zero-day exploits and spyware, to keep you and your data safe.

Note: This article is based on technical information courtesy of Bitdefender Labs

tags


Author



Right now

Top posts

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

April 15, 2022

3 min read
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

April 14, 2022

3 min read
Why and how to hide your IP address while traveling

Why and how to hide your IP address while traveling

April 13, 2022

2 min read
How Bitdefender Can Help Restore Your Privacy in the Digital Age

How Bitdefender Can Help Restore Your Privacy in the Digital Age

April 04, 2022

3 min read
How Strong is VPN Encryption?

How Strong is VPN Encryption?

February 28, 2022

3 min read
Top Three Ways Internet Users Unknowingly Help Cybercriminals

Top Three Ways Internet Users Unknowingly Help Cybercriminals

February 25, 2022

4 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Greenland hit by cyber attack, finds its health service crippled Greenland hit by cyber attack, finds its health service crippled
Graham CLULEY

May 20, 2022

1 min read
Nikkei Singapore HQ Hit with Ransomware Nikkei Singapore HQ Hit with Ransomware
Filip TRUȚĂ

May 20, 2022

1 min read
QNAP Warns Customers of New Wave of Deadbolt Ransomware Attacks QNAP Warns Customers of New Wave of Deadbolt Ransomware Attacks
Vlad CONSTANTINESCU
1 min read