In a recent spear-phishing campaign, cyber actors impersonated a US-based financial institution’s brand in an attempt to get recipients to download a Windows application unaffiliated with the financial institution. The unknown cyber actors tailored the campaign to spoof the financial institution through registered domains, email subjects, and an application, all appearing to be related to the institution.

Threat Overview

In February 2021, a US-based financial institution was notified of a spear-phishing attempt which impersonated the financial institution’s brand to target a renewable energy company. The phishing e-mail’s theme involved funding for a loan and instructed the recipient to download a Windows application to complete the loan process to receive more than $62 million. The fraudulent loan amount was in line with the victim’s business model. The phishing e-mail appeared to originate from a United Kingdom–based financial institution, stating the US financial institution’s loan to the victim was confirmed and could be accessed through an application which appeared to represent the US financial institution. The phishing e-mail included two .pdf files, one of which spoofed the name and likeness of the UK’s National Crime Agency and another which appeared to contain SWIFT information. The phishing e-mail also contained a link to download the application and a username and password for access.

As part of this spear-phishing campaign, the cyber actors also registered a fraudulent domain impersonating the US financial institution. This domain hosted the executable purporting to be the Windows application which the recipient received the link for in the original spoofed email.

The below indicators were observed in conjunction with this spear-phishing campaign. These suspicious activities/indicators should be observed in context and not individually.

The following files were attached to the spear-phishing e-mail:

• Filename: Computer Feeder Message(Name Redacted).pdf
  • MD5: 57865182db4f963cf9ea7709384dd750
  • SHA256: bd45ae2cbc302bd219d4c59469d1ebb1f8049f3bd025bd19eb4572176b5176f5
• Filename: Swift Copy(Name Redacted).pdf
  • MD5: fadcde66f6edf79442dce2be4f11ef60
  • SHA256: 375a0566bdfc04f8d24fae429a415434c679d3b5e7a7c97b8ddd5cea98e0aa0c

The following file was downloaded if the recipient clicked on the malicious link in the spear-phishing e-mail:

• Filename: (Name Redacted).exe
• MD5: 3d1111389aac89274f0eaf87c30732fe
• SHA256: e09ae3c1ff5489f300ec9ecfc76ffdab90b6dab07eff1a0edf38285ab1e2b801

The malicious .exe file downloaded from the link embedded in the spear-phishing e-mail calls out to the domain secureportal (.) online.

Recommendations

1. Ensure anti-virus and anti-malware software are enabled and signature definitions are updated regularly in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed attacker tools delivered via spear-phishing.
2. Deploy application control software to limit which applications and executable code can be run by users. Email attachments and files downloaded via links in emails often contain executable code. Application control software limits users to only execute applications and code allowed by the organization, rendering malicious executables delivered via spear-phishing unable to execute.
3. Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make spear-phishing much more effective by enabling attackers to move laterally across a network, gain additional accesses, and access highly sensitive information.
4. Be suspicious of unsolicited contact via email or social media from any individual you do not know personally.\
5. Be suspicious of unsolicited or unexpected email or social media messages enticing recipients to open an attached or hosted file.
6. Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites.
7. Ensure operating systems and applications are updated to the most current versions.

Fortify 24×7 encourages our readers to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at [email protected] When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. If you have experienced a breach and need incident response assistance, please contact us at 833-200-0777 or fill out the form here.