Attackers use HTML smuggling techniques to hide malicious files in fake job opportunities
A cybercrime campaign targeting the African banking sector is leveraging phishing emails and HTML smuggling techniques to deploy malware.
A series of attacks has been reported across West Africa, with attackers posing as prospective employers to lure victims into downloading malicious files.
Researchers from HP Wolf Security, who have been tracking the campaign, noted that they first spotted the attacks in “early 2022”, when an employee of an unnamed West African bank received an email purporting to be from a recruiter at another African bank with information about job opportunities.
On investigating, researchers found that the domain used to send the email was typosquatted and did not belong to the mimicked organization.
A WHOIS request later revealed that the domain was registered in December 2021 and visiting the website returned an HTTP 404 response. To make the lure more credible, the threat actor also included a reply-to address of another supposed employee of the recruiting bank.
The emails contained HTML files which, if opened, prompt the user to download an ISO file, which in turn contains a Visual Basic script that executes malware.
This technique, called HTML smuggling, enables attackers to smuggle malicious files past email gateway security.
Researchers from HP Wolf Security discovered that attackers were using a downloader called GuLoader, which is executed using PowerShell via code stored in the Registry and is otherwise only run in memory.
“Detecting such a chain of infection is not easy, as the malware is only located in memory and the registry,” researchers noted in a blog post.
Speaking to The Daily Swig, Patrick Schläpfer, malware analyst at HP Wolf Security, said that while the research team doesn’t have insight on why Africa in particular was targeted, financial institutions generally offer “a high degree of opportunity for cybercriminals to monetize access and stolen data if they successfully compromise a bank’s network”.
Schläpfer added: “In this campaign the attackers used a combination of attack techniques. We would recommend that companies watch out for brand abuse, namely typosquatted websites that impersonate their brand.
“If these are found, they should be reported to the hosting provider and domain registrar as soon as possible.
“Furthermore, organizations should also make sure they have visibility over their network to isolate or block malicious process behavior. These recommendations apply to all organizations, not only the banking sector in Africa.”
The researcher also noted that while techniques such as phishing emails are not necessarily sophisticated, “such attacks still lead to infections”.
Schläpfer added: “In this campaign, the attackers put an unusual effort into setting up fake websites to increase the credibility of their emails and thus the chances of infection.
“The HTML smuggling technique also stands out as it’s not easy to detect and therefore often makes its way past email gateway to users.”
More information on the campaign can be found in HP Wolf Security’s blog post.