Fake Moneycorp Confirmation Email Used to Distribute AveMaria Infostealer

Digital attackers used a fake confirmation email purporting to come from the foreign exchange and international service provider Moneycorp to infect recipients with the AveMaria infostealer.

A Thought-out Impersonation

In the beginning of June, the Zix | AppRiver team flagged what appeared to be a transfer confirmation email from Moneycorp.

Those responsible for creating the email attempted to add legitimacy to their attack by using spoofing techniques along with several instances of branding stolen from Moneycorp.

One of those instances displayed just half of the company’s logo. Such an omission might have raised someone’s suspicions.

Screenshot of the fake Money Corp transfer confirmation email. (Source: Zix | AppRiver)

Another instance appeared with the company’s contact information. The physical address was the same as the address listed for the company’s UK head office on Moneycorp’s website.

Even so, those who crafted the address line put a space only between the listed building and floor. The remaining elements were separated by commas alone, with no spaces between them.

A close screenshot of the attack email’s address line. (Source: Zix | AppRiver)

A similar spacing discrepancy arose between the telephone number and fax number listed in the email’s signature.

Your Malware Transfer Has Been Successful

In the text of their attack email, the malicious actors informed the recipient that one of their customers had used Moneycorp to send them a payment. They went on to explain that the details of the payment were available in the “word file attached.”

The issue is that the email didn’t arrive with an attachment bearing the usual .DOC or .DOCX file extension. Instead, it arrived with a .7Z attachment, an extension that indicates an archive created with the free and open-source 7-Zip file archiver.

Inside the Attack Campaign’s Payloads

Once opened, the .7Z attachment infected recipients with an information-stealing malware family known as AveMaria.

Yoroi Lab became the first to write about AveMaria’s activities in January 2019. At that time, its researchers observed malicious actors impersonating a supplier’s sales office to send out fake invoices and shipping order confirmations. Those emails delivered an Excel sheet that exploited CVE-2017-11882 to deliver the malware.

Two months later, Morphisec revealed that it had witnessed an increase in AveMaria threat activity. The security firm specifically called out AveMaria’s handlers for using other threats’ delivery stages and fileless components to deliver their malware.

Later that same year, Trend Micro revealed that it had spotted a spam campaign distributing AveMaria along with Negasteal (also known as Agent Tesla), a threat the Zix | AppRiver team saw frequently in connection with the pandemic.

A Twist on the AveMaria Campaign

Troy Gill, manager of security research and senior security researcher at Zix | AppRiver, said that he’s seen spam campaigns distributing AveMaria in the past. But this one was a bit different.

“This version leveraged the UACMe software to defeat Windows user account control by abusing the built-in Windows AutoElevate backdoor,” he explained. “This is mainly used by MSPs, sys admins, and security teams for privileged access management needs, but it can also serve as a path to privilege escalation for attackers.”

Defending Against Email-Borne Malware Attacks

The attack discussed above highlights the need for organizations to defend themselves against email-borne malware attacks. One of the ways they can do that is by investing in an email security solution. Ideally, that tool should be capable of scanning incoming messages for malware signatures, campaign patterns, IP addresses, and other threat indicators. If that analysis happens in real time, organizations have the added benefit of legitimate correspondence reaching its intended business destination without delay.
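As an added example of the kind of content check described in this section (example code, not from the original post or from Zix | AppRiver), the following Python flags the two tells from the lure above: a body that promises a “word file attached” while the only attachment is a .7Z archive, and a brand name in the From display name whose sending domain is not the brand’s. The brand-to-domain table and the sample message are assumptions constructed for the demonstration.

```python
"""Flags the lure pattern described above: body promises a Word file but a .7z is
attached, and a brand in the From display name with a non-brand sending domain."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DOC_EXTS = {".doc", ".docx"}
ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".iso"}
# Assumed brand -> legitimate sending domains; populate from your own allow list.
BRAND_DOMAINS = {"moneycorp": {"moneycorp.com"}}  # assumption, not from the article
CLAIM_RE = re.compile(r"\b(word|docx?)\s+(file|document)\s+attached\b", re.I)

def ext_of(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def analyze(raw: bytes) -> list:
    """Return finding tags for one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    exts = {ext_of(part.get_filename()) for part in msg.iter_attachments()}
    # Text claims a Word file is attached, but no .doc/.docx is actually present.
    if CLAIM_RE.search(text) and not exts & DOC_EXTS:
        findings.append("claimed-word-file-missing")
    if exts & ARCHIVE_EXTS:
        findings.append("archive-attachment")
    # Display name invokes a brand, but the sender domain is not that brand's.
    from_hdr = msg["From"]
    for addr in (from_hdr.addresses if from_hdr is not None else ()):
        for brand, domains in BRAND_DOMAINS.items():
            if brand in addr.display_name.lower() and addr.domain.lower() not in domains:
                findings.append(f"brand-domain-mismatch:{brand}")
    return findings

def constructed_sample() -> bytes:
    """Constructed message modelled on the lure; addresses and bytes are made up."""
    msg = EmailMessage()
    msg["From"] = "Moneycorp Payments <noreply@example.invalid>"
    msg["Subject"] = "Transfer Confirmation"
    msg.set_content("One of your customers has sent you a payment via Moneycorp.\n"
                    "The details are in the word file attached.\n")
    # 7z magic bytes plus filler: a constructed stand-in, not a real archive.
    msg.add_attachment(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 8, maintype="application",
                       subtype="x-7z-compressed", filename="Transfer_Confirmation.7z")
    return msg.as_bytes()
```

Run against the constructed sample, `analyze` returns all three finding tags; a message whose body matches its attachment type and whose display name matches its sending domain returns an empty list.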

Avoid an email-borne malware attack with the email threat protection tools of Zix | AppRiver.