Fake Moneycorp Confirmation Email Used to Distribute AveMaria Infostealer
Digital attackers used a fake confirmation email from foreign exchange and international payments provider Moneycorp to infect recipients with the AveMaria infostealer.
A Thought-out Impersonation
At the beginning of June, the Zix | AppRiver team flagged what appeared to be a transfer confirmation email from Moneycorp.
Those responsible for creating the email attempted to add legitimacy to their attack by using spoofing techniques along with several instances of branding stolen from Moneycorp.
One of those instances displayed just half of the company’s logo. Such an omission might have raised someone’s suspicions.
Another instance appeared with the company’s contact information. The physical address was the same as the address listed for the company’s UK head office on Moneycorp’s website.
Even so, whoever crafted the address line put a space only between the listed building and floor; the remaining elements were separated by commas alone, with no spaces.
A similar spacing discrepancy arose between the telephone number and fax number listed in the email’s signature.
Your Malware Transfer Has Been Successful
In the text of their attack email, the malicious actors informed the recipient that one of their customers had used Moneycorp to send them a payment. They went on to explain that the details of the payment were available in the “word file attached.”
The problem is that the attachment did not carry the usual .DOC or .DOCX extension. It arrived as a .7Z file, the format of the free and open-source 7-Zip archiver. An archive where a Word document was promised is a mismatch worth treating as a red flag in its own right.
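The two tells described above, the spoofed sender and the archive delivered where a Word file was promised, are the kind of thing a mail-filter rule can check mechanically. The following is an added example written for this page, not code from the article or from Zix | AppRiver: it parses a message, compares the body's promise of a "word file" against what is actually attached, identifies the attachment by its magic bytes rather than its name, and notes when the visible From domain and the Return-Path domain disagree. The sample message is constructed inline with placeholder .example domains; it is not the captured lure.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Leading bytes of the containers that matter here. Filenames lie; these don't.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"                        # also what a genuine .docx/.xlsx starts with
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls

ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".iso", ".img", ".gz", ".tgz", ".tar", ".ace", ".arj"}
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf"}
# Lure text that promises a document ("word file attached", "excel sheet", ...).
DOC_PROMISE = re.compile(r"\b(word|excel|pdf)\s+(file|document|sheet)\b", re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Identify a payload by its magic bytes, ignoring the declared filename."""
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def _domain(header_value: str) -> str:
    """Pull the domain out of an address header; '' if there is none."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower().rstrip(".") if m else ""


def analyze(raw: bytes) -> list[str]:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    promises_document = bool(DOC_PROMISE.search(text))

    # Weak spoofing signal: the visible From domain and the bounce domain disagree.
    # Legitimate bulk senders do this too, so it is a reason to look, not a verdict.
    from_dom = _domain(str(msg.get("From", "")))
    bounce_dom = _domain(str(msg.get("Return-Path", "")))
    if from_dom and bounce_dom and not bounce_dom.endswith(from_dom):
        findings.append(f"sender: From domain {from_dom} differs from Return-Path domain {bounce_dom}")

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext in ARCHIVE_EXTS:
            findings.append(f"{name}: archive attachment ({kind})")
            if promises_document:
                findings.append(f"{name}: body promises a document but the attachment is an archive")
        elif ext in OFFICE_EXTS and kind in {"7z", "rar"}:
            findings.append(f"{name}: named {ext} but the content is a {kind} archive")
    return findings


def build_sample(filename: str = "Transfer_Confirmation.7z", payload: bytes = b"") -> bytes:
    """Constructed lure shaped like the campaign; placeholder domains, not a captured email."""
    if not payload:
        payload = SEVEN_ZIP_MAGIC + b"\x00" * 26  # a 7z header with nothing behind it
    msg = EmailMessage()
    msg["From"] = "Moneycorp Payments <payments@moneycorp.example>"
    msg["Return-Path"] = "<bounce@relay.example.net>"
    msg["To"] = "accounts@recipient.example"
    msg["Subject"] = "Transfer Confirmation"
    msg.set_content(
        "One of your customers has sent you a payment via Moneycorp.\n"
        "The details are in the word file attached.\n"
    )
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for line in analyze(build_sample()):
        print(line)
```

Run as a script, it reports the archive attachment, the promise/attachment mismatch and the sender-domain difference for the constructed lure; hand `analyze()` a benign .docx (ZIP magic, matching name) and the attachment findings disappear while the weak sender signal may remain, which is why it is worded as a prompt to look rather than a block decision.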
Inside the Attack Campaign’s Payloads
Once recipients opened the .7Z attachment and ran its contents, they were infected with an information-stealing malware family known as AveMaria.
Yoroi Lab was the first to write about AveMaria’s activities, in January 2019. At that time, its researchers observed malicious actors impersonating a supplier’s sales office to send out fake invoices and shipping order confirmations. Those emails delivered an Excel sheet that exploited CVE-2017-11882, the Microsoft Office Equation Editor memory-corruption flaw, to deliver the malware.
Two months later, Morphisec revealed that it had witnessed an increase in AveMaria threat activity. The security firm specifically called out AveMaria’s handlers for using other threats’ delivery stages and fileless components to deliver their malware.
Later that same year, Trend Micro reported a spam campaign distributing AveMaria alongside Negasteal (also known as Agent Tesla), a threat the Zix | AppRiver team had seen frequently in pandemic-themed lures.
A Twist on the AveMaria Campaign
Troy Gill, manager of security research and senior security researcher at Zix | AppRiver, said he had seen spam campaigns distributing AveMaria in the past. But this one was a bit different.
“This version leveraged the UACMe software to defeat Windows user account control by abusing the built-in Windows AutoElevate backdoor,” he explained. “This is mainly used by MSPs, sys admins, and security teams for privileged access management needs, but it can also serve as a path to privilege escalation for attackers.”
Defending Against Email-Borne Malware Attacks
The attack discussed above highlights the need for organizations to defend themselves against email-borne malware attacks. One way to do that is to invest in an email security solution. Ideally, that tool should scan incoming messages for malware signatures, campaign patterns, sending IP addresses and other threat indicators. If that analysis happens in real time, legitimate correspondence reaches its intended business destination without delay.