I just received seven spam comments from a cybercriminal. The comments asked me to go to a Yandex Form where they can do some evil such as collecting your bank account information or hitting your computer with a virus. Here are the spam comment titles:
Withdrawing 58 629 US dollars. Gо tо withdrаwаl >>
Withdrawing 38 087 US dollars. GЕТ >
You got 42 293 Dollars. Withdrаw >>
Transfer 44 026 USD. Gо tо withdrаwаl =>
Transaction 57 255 $. Withdrаw =>>
You got 34 652 $. Gо tо withdrаwаl >>
Transfer 39 737 US dollars. Withdrаw >>>
Identifying Phishing Attempts
The spam comment titles above, promising substantial monetary rewards in exchange for visiting a Yandex Form, are classic examples of phishing lures. The deceptive messages try to entice users with false promises of withdrawing large sums of money, ultimately leading them into a trap set by malicious actors: the form hosted on a legitimate platform collects whatever the victim types, or redirects to a download.
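Beyond the money lure, several letters in the quoted titles (the "o" and "a" in "withdraw", the "GET") appear to be Cyrillic look-alikes, which is how such titles slip past a plain keyword filter. The following added example (not code from the original post) is a comment-title screen that checks both signals: the lure wording on a homoglyph-folded copy of the title, and words that mix Latin and Cyrillic letters. The confusables table is an assumption that covers only the letters seen here.

```python
import re
import unicodedata

# The seven spam comment titles quoted in the post above, used as sample input.
SAMPLE_TITLES = [
    "Withdrawing 58 629 US dollars. Gо tо withdrаwаl >>",
    "Withdrawing 38 087 US dollars. GЕТ >",
    "You got 42 293 Dollars. Withdrаw >>",
    "Transfer 44 026 USD. Gо tо withdrаwаl =>",
    "Transaction 57 255 $. Withdrаw =>>",
    "You got 34 652 $. Gо tо withdrаwаl >>",
    "Transfer 39 737 US dollars. Withdrаw >>>",
]

# Partial confusables table (assumption: only the Cyrillic letters that imitate
# Latin ones in these titles). Keys are written as escapes so they are unambiguous.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0422": "T", "\u0425": "X",
})

# Lure shape shared by every title above: an action verb, a thousands-spaced
# amount, then a currency word or symbol.
_LURE = re.compile(
    r"\b(withdrawing|withdraw|you got|transfer|transaction)\b.*?"
    r"\d{1,3}(?: \d{3})+\s*(us dollars|dollars|usd|\$)",
    re.IGNORECASE,
)

def mixed_script_words(text):
    """Return the words that mix Latin and Cyrillic letters, e.g. Latin 'G' + Cyrillic 'о'."""
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(c, "").split(" ", 1)[0] for c in word if c.isalpha()}
        if {"LATIN", "CYRILLIC"} <= scripts:
            hits.append(word)
    return hits

def classify(title):
    """Return lure flag, homoglyph words and a verdict (allow / review / block) for one title."""
    folded = title.translate(CONFUSABLES)  # so a homoglyph "Withdrаw" still matches "withdraw"
    lure = _LURE.search(folded) is not None
    homoglyphs = mixed_script_words(title)
    if lure and homoglyphs:
        verdict = "block"
    elif lure or homoglyphs:
        verdict = "review"
    else:
        verdict = "allow"
    return {"lure": lure, "homoglyph_words": homoglyphs, "verdict": verdict}

if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(classify(t)["verdict"], "|", t)
```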
Fake Copyright Infringement Complaints
Beware of Cybercriminals Using Fake Copyright Infringement Complaints via Yandex Forms to Spread Malware
In the ever-evolving landscape of cyber threats, website owners are facing a new wave of attacks orchestrated by cybercriminals. A recent scheme involving fake copyright infringement complaints, purportedly from Zoho, has been identified as a tactic employed by threat actor TA578 to distribute banking malware like IcedID and other malicious software.
The Modus Operandi
TA578, a threat group known for its sophisticated attacks, has been leveraging website contact forms to send deceptive legal notices to unsuspecting recipients. These fraudulent complaints claim copyright violations and prompt the recipient to download a report allegedly containing evidence of DDoS attacks or copyrighted material associated with their website. However, instead of legitimate reports, these downloads serve as gateways for malware infiltration, including BumbleBee, IcedID, and BazarLoader.
A Shift in Tactics
What sets this campaign apart is the use of Yandex Forms as the hosting platform for the malicious reports, diverging from the previously observed use of Google Drive or Google Sites. When recipients click on the provided forms.yandex.com link in the fake copyright complaint, they are led to a webpage enticing them to download ‘Stolen_ImagesEvidence.iso’ from a Firebase Storage link. The ISO file format was chosen because files inside a mounted ISO did not carry the Mark of the Web at the time, so Windows showed no security warning for the DLL file concealed inside, which executes IcedID when the user runs it.
Infection Process Unveiled
Upon opening the ISO file, a new drive letter appears containing a document folder and an obfuscated DLL file. This DLL acts as a loader for IcedID, a potent banking trojan capable of harvesting Windows credentials and deploying additional payloads like Cobalt Strike beacons for persistent access.
Staying Safe in the Digital Wild West
To shield against such threats, users are advised to exercise caution when receiving unexpected messages from unknown sources. Vigilance is key in thwarting cybercriminals’ attempts to exploit legal intimidation tactics for nefarious purposes. Never click on links embedded in emails, contact-form notices or other sources without verifying their legitimacy: confirm a claimed copyright complaint through the company’s official channels rather than the link provided, and treat an ISO or other disk-image download as suspicious regardless of the story attached to it. Ensure robust security measures are in place as well.
In conclusion, safeguarding digital assets and personal information requires a proactive stance against cyber threats. By staying informed and adopting best practices for online security, individuals can fortify their defenses against malicious actors seeking to exploit vulnerabilities for illicit gains. Stay alert, stay secure!