# Attackers Insert Themselves into the Email Conversation to Spread Malware **[blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware](https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware)** ## Minerva Labs Blog News & Reports [Tweet](https://twitter.com/share) The “never get gifts from strangers” rule applies for suspicious email attachments as well as enterprises and SMBs alike educate their employees about the dangers lurking in cyberspace. One of the most popular threats is malware delivered by email with a malicious document attached to it. The increasing awareness to this type of attack results in a negative impact on the success ratio of massive phishing campaigns; however, cybercriminals (as always) are adapting. This short blog post provides an example of advance tactics that adversaries use in such campaigns to overcome these challenges. ----- ### Leveraging Existing Trust The rule “never accept gifts from strangers” applies to many settings, including suspicious email attachments. But what if you recognize the sender? Moreover, the attachment is a part of an existing email thread? A recent campaign the attacker leveraged a previously compromised email account belonging to an employee of a prominent Chamber of Commerce. The adversary sent generic responses to existing threads, attaching a malicious Microsoft Office document. Abusing compromised trusted senders is a powerful persuasion tactic, which greatly increases the chances of opening the malicious attachment even by a trained recipient. Below is one of the messages sent during this attack. –Most of its contents are authentic, but the last reply was appended by the attacker: The attachment is a malicious document prompting the victim to allow macro execution: ----- The malicious macro is comprised of two modules: the first decodes an embedded command and the second executing it using the Shell function: The command itself has another layer of obfuscation, which was added by the publicly [available tool Invoke-DOSfuscation:](https://github.com/danielbohannon/Invoke-DOSfuscation) ----- Decoding this results in a simple, typical PowerShell script, which downloads an executable Windows binary from a remote website: The payload in this case was a Gozi ISFB/Ursnif malware, capable of stealing sensitive data from a victim. Moreover, once the attackers established compromised the victim’s machine they might use it to launch future similar campaigns. ### Prevented by Minerva In this case attackers were trying to evade “human detection” by leveraging clever social engineering techniques and “machine detection” (i.e. evading security products) by obfuscating the downloader and payload. Minerva’s Malicious Documents Protection capabilities prevents this evasive threat and provide useful data to SOC and IR teams, capturing the full context of the attack: ----- To better understand this type of attack watch our webinar: Why Do Malicious Office Documents Keep Infecting Me? Interested in learning more about Minerva's Endpoint Protection? ## IOC ### Document (SHA256): 460073875b11a5c8f1f0fe4ecf4967d0c90d066867b5ca57fd2a25df6bc384c0 URL: ### Executable Payload (SHA256): ae6ca8aab5bbd5ff08915011c6c773808a37440d805bdff247ebac9a5d060631 ### URLs: hxxp://tapertoni[.]com/Flux/tst/index[.]php?l=ab1[.]tkn (analyzed sample) hxxp://tapertoni[.]com/Flux/tst/index[.]php?l=ab2[.]tkn hxxp://tapertoni[.]com/Flux/tst/index[.]php?l=abc1[.]tkn hxxp://nesocina[.]com/Flux/tst/index[.]php?l=abc1[.]tkn hxxp://nesocina[.]com/Flux/tst/index[[.]php?l=abc2[.]tkn hxxp://nesocina[.]com/Flux/tst/index[.]php?l=abc3[.]tkn [« Previous Post](https://blog.minerva-labs.com/why-is-malware-able-to-evade-detection?hsLang=en-us) [Next Post](https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware-0?hsLang=en-us) » ### Interested in Minerva? Request a Demo Below -----