Bad actors have launched a phishing campaign that aims to infect supporters of President Donald Trump with a dangerous banking Trojan.
The messages refer to highly publicized political issues and events and carry subject lines prefixed with “Fwd:” and “RE:”. Victims who take the bait have their systems infected with Emotet malware.
“The attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message,” noted researchers. “Every link works and leads to benign web pages of the impersonated PAC.”
The Emotet downloader is contained in a Microsoft Word document attached to the malicious email.
Attackers were observed seeking to leverage media attention on the president’s decision to temporarily withhold funding from the World Health Organization pending the outcome of a formal investigation into the global health agency’s response to the Covid-19 pandemic.
Researchers said: “Like a Wolf in sheep’s clothing, the attacker cleverly disguises their Emotet delivery mechanism as messaging about timely and highly publicized, hot-button issues in politics.”
One email, sent with the subject “Fwd:Breaking: President. Trump suspends funding to WHO,” called for recipients who agreed with the suspension of funding to click a button labeled “Stand with Trump.” The attacker used display-name spoofing (a trusted name in the From header in front of an unrelated sending address) in an effort to hide the sender’s real address.
While the sender addresses used to spread the WHO-themed phishing messages varied, all were observed to have come from a legitimate account that had been compromised by the attacker. This tactic allowed the attacker to successfully pass email authentication protocols such as DMARC.
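The combination described above (a trusted display name over an unrelated sending address, a fake “Fwd:”/“RE:” thread with no reply headers, a Word attachment, and a DMARC pass because the sending account is genuinely compromised) is exactly what a mail-filter rule can look for instead of trusting the authentication verdict alone. The following is an added example, not code from the article or from the researchers it quotes; the PAC name `Example PAC`, its domain `example-pac.org`, and the sample message are all constructed assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed identity of the impersonated organisation (constructed, not from the article).
PAC_NAME = "example pac"
PAC_DOMAIN = "example-pac.org"

# Subject prefixes used to fake a forwarded/replied thread.
THREAD_PREFIXES = ("fwd:", "re:")

# MIME types of Word documents, the carrier used for the Emotet downloader.
WORD_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroenabled.12",
}


def analyze(raw_message: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message, in a fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display-name spoofing: the PAC's name in the From display name,
    #    but the address belongs to some other domain.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if PAC_NAME in display_name.lower() and sender_domain != PAC_DOMAIN:
        findings.append("display-name-spoof")

    # 2. A "Fwd:"/"RE:" subject with no References/In-Reply-To headers is a
    #    thread that never existed.
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith(THREAD_PREFIXES) and not msg.get("References") and not msg.get("In-Reply-To"):
        findings.append("fake-thread-prefix")

    # 3. Word attachment of any flavour.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in WORD_TYPES or name.endswith((".doc", ".docx", ".docm")):
            findings.append("word-attachment")
            break

    # 4. A DMARC pass does not clear the message: a compromised legitimate
    #    account passes DMARC for its own domain, as in this campaign.
    auth_results = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=pass" in auth_results and findings:
        findings.append("dmarc-pass-but-suspicious")

    return findings


def build_sample_lure() -> str:
    """Constructed message modelled on the campaign described above."""
    m = EmailMessage()
    m["From"] = '"Example PAC" <ops@small-business.example>'  # compromised third-party account
    m["To"] = "voter@example.net"
    m["Subject"] = "Fwd:Breaking: President. Trump suspends funding to WHO"
    m["Authentication-Results"] = "mx.example.net; dmarc=pass header.from=small-business.example"
    m.set_content("Stand with Trump: https://example-pac.org/stand")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="msword", filename="statement.doc")
    return m.as_string()


def build_sample_legit() -> str:
    """Constructed genuine mailer from the PAC's own domain, no attachment."""
    m = EmailMessage()
    m["From"] = '"Example PAC" <news@example-pac.org>'
    m["To"] = "voter@example.net"
    m["Subject"] = "Weekly update"
    m["Authentication-Results"] = "mx.example.net; dmarc=pass header.from=example-pac.org"
    m.set_content("This week's news: https://example-pac.org/news")
    return m.as_string()


if __name__ == "__main__":
    print(analyze(build_sample_lure()))
    print(analyze(build_sample_legit()))
```

The point of the last check is that `dmarc=pass` is evidence about the sending domain, not about the sender's intent; when the account itself is hijacked, the header-level signals (name/domain mismatch, fabricated thread prefix, document attachment) are what remain for detection.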
Using hijacked legitimate email addresses would also have made it very difficult for victims to grasp the fact that they were being duped by a cyber-criminal.
Researchers found that compromised email accounts of several small businesses around the world were used in each wave of the campaign that lured victims with the same stolen PAC email content.