Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

Threat actors have been abusing OneNote documents to move the AsyncRat credential-stealing Trojan in a new malicious phishing campaign, according to Bitdefender Labs researchers.

Two malicious files (Invoice_32566.one and Invoice_76562.one) delivered via short malspam campaigns caught the eye of our malware and antispam analysts between Jan 13-20, specifically OneNote attachments that claim to be invoices from Ultramar, a well-known Canadian gas and home fuel retailer.

The email body provides only a short intro to the aforementioned invoice in English and French and urges recipients to review the attachment invoice for details. While the phishing emails themselves displayed no remarkable content, the preferred file format used to deliver the malicious payload to its target caught the attention of our researchers.

“It’s clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices, said Adrian Miron, manager at Bitdefender’s Cyber Threat Intelligence Lab. These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims.”

More interestingly, though, the hosting malware domains used in the malspam campaigns analyzed by security researcher Victor Vrabie appear to belong to a Catholic Church in Canada and a digital service provider in India.  This is just another classic tactic attackers use. They used legitimate, but compromised, webservers to host their malicious payloads in an attempt to evade detection and facilitate data exfiltration.

Distribution-wise, the two malicious campaigns targeted users in Canada, the US, the UK and even Hungary, with most emails originating from IP addresses in the United States. AsyncRAT is a nifty remote access tool designed to stealthily let an attacker infiltrate the devices of the target victim’s device. The malicious software allows easy monitoring and control of infected machines via keystroke capturing, screen recording, remote file execution and more.

Cybercriminals can use these features to steal login and sensitive financial information to commit fraud, or deliver more deadly payloads to cripple the target’s machine and network. AsyncRAT is a remote access tool designed to stealthily allow an attacker infiltrate a victim’s device.

Users should keep an eye out for suspicious emails that contain unsolicited OneNote attachments, continue to practice good cyber hygiene, and use a dedicated security solution to block any new attacks and phishing.

All Bitdefender customers are protected from AsyncRAT. The email attachments (Invoice_32566.one and Invoice_76562.one) are detected as Trojan.Generic.33078815 and Trojan.GenericKD.65021348, and blocked by both our consumer and enterprise solutions.

Bitdefender security solutions offer real-time protection to safeguard you and your personal data against the latest e-threats, including info-stealing Trojans, ransomware and spyware. You can enjoy the best anti-malware protection and threat detections across all major operating systems to ensure that, if you do receive a fraudulent email or malicious attachment, your device will not fall into the hands of cyberthieves.

Note: This article is based on technical information courtesy of Bitdefender Labs

Stay Safe Everyone!