From Global Brands To Local Companies, Supply Chain Impersonation Scams Are Rife
Cybercriminals are constantly developing new ways to attack organizations through email with the goal of stealing funds and/or data. One of the most successful approaches seen today is Supply Chain Impersonation.
Organizations deal with a wide range of suppliers from whom their employees are used to receiving email. Logos, signature styles, and even the layout of emails become very familiar to employees, who instantly associate them with a known and trusted sender. Unsurprisingly, bad actors are using this to their advantage by impersonating these trusted senders to deliver malware and phishing attacks.
Below, we examine two very different types of supply chain attack, recently detected by Mesh, both impersonating shipping companies. The first impersonates Maersk, a shipping company with a global brand; the attack carries malware that exploits a vulnerability in Microsoft Word. The second impersonates a small shipping company based in the UK (we’ve edited this example to protect their identity).
Impersonating a Global Brand to Disseminate Malware
Attack Summary
Impersonating well-known brand
Generic, not targeted, and sent to many recipients
Contains a malicious attachment
Takes advantage of a vulnerability or bug in Microsoft Word
Seeks to avoid analysis by checking if it is run in a virtual environment
Attack Objective
Deliver malware to the recipient’s machine
Steal sensitive information
Infect other machines on the network
Detected By
Attachment Sandboxing
Sandbox Analysis
This type of malware is a Microsoft Word exploit: it takes advantage of a bug or vulnerability in the Microsoft Office Word application to perform unanticipated behavior. The attacker can use such vulnerabilities to gain access to the system or to install other malicious software.

The sample steals sensitive user information, gathering passwords and other credentials from various applications installed on the system. It avoids analysis by checking whether it is running in a virtual environment or being monitored with debuggers or other monitoring tools. At the same time, the sample makes various changes to the system so that it can remain hidden. Such changes include hiding files or file extensions, modifying security, notification or system settings, deleting the original file, and changing file attributes.

The sample writes additional files to the system, which may be used in various ways, including ensuring persistence. The new files can be executables that continue the sample's actions, or storage and configuration files that hold information the sample needs.

Furthermore, the sample performs certain actions over the network. These can include connecting to remote hosts or sending data to and reading data from different domains. The sample connects to certain domains to download files, which it uses to accomplish its purpose or to further infect the system. This behavior is observed in the following actions: the sample checks the system for elements that may indicate it is running in a virtual environment or being monitored with debuggers or other monitoring tools, in an attempt to avoid analysis and antimalware detection.
Impersonating a Local Company to Elicit a Reply
Attack Summary
Impersonating a local shipping company in the UK (we have hidden their identity)
Using a “lookalike” domain
Targeting the accounts department
Malware-less, contains no links or attachments (even though the message says it contains an attachment)
Attack Objective
Looking to initiate conversation
Likely to follow up with a request for payment
Detected By
Threat Intelligence
BEC Protection
Analysis
This email contained no Message-ID header. The Reply-To domain differs from the From domain. The email contains phrases and terminology commonly used in Business Email Compromise scams.
Conclusion
These two contrasting examples highlight the versatility of this particular type of email attack. Whether they contain malicious payloads or are malware-less, supply chain impersonation scams are highly successful at deceiving end users and can have disastrous consequences.
This further underscores the importance of implementing a robust and intelligent email security solution that can detect the full spectrum of email threats, including never-before-seen strains of malware.
For more information on how Mesh protects organizations against various types of supply chain impersonation attacks, request a free demo or trial today.