Phishing Emails Using Trump COVID-19 Information

Researchers at Proofpoint have identified a new phishing campaign that uses the positive COVID-19 test of the President of the United States as the email lure. The email distributes the BazarLoader trojan, which has been linked to the TrickBot gang. The message claims to contain insider information about President Trump's health but requires the victim to follow a link and download a document to read it. When the victim tries to download the document, a fake Google Docs page is displayed stating that Google has scanned the file and found it safe. Clicking the link downloads the BazarLoader executable rather than the promised Microsoft Word document. Once installed, BazarLoader gives the threat actors remote access to the victim's computer, which they use to compromise the rest of the network. In the cases observed, Ryuk ransomware was ultimately deployed on the infected network. In this way the compromise of a single computer turns into a breach of the entire network and a ransomware deployment.
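The concrete mismatch in this chain, an executable arriving where the lure promised a Word document, is something a mail or web gateway can check mechanically. The following is an added example written for this page, not code from Proofpoint or Binary Defense: it identifies the real file type from the leading bytes (the MZ/PE header of a Windows executable, the OLE container of a legacy .doc, the zip package of a .docx) and compares that with what the filename claims, including the double-extension trick. The filenames and the byte samples are constructed for the demonstration; none of them are artifacts from the campaign.

```python
import io
import struct
import zipfile

# Magic bytes of the containers a download named like a Word document should start with.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx (OOXML is a zip package)
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf"}
DOCUMENT_FORMATS = {"ole-compound", "ooxml-word", "rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll"}
EXECUTABLE_FORMATS = {"pe-executable", "dos-executable"}


def sniff_format(data: bytes) -> str:
    """Classify a download by its leading bytes, ignoring whatever the name claims."""
    if data[:2] == b"MZ":
        # A PE file stores the offset of its "PE\0\0" signature at 0x3C (e_lfanew).
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    if data.startswith(OLE_MAGIC):
        return "ole-compound"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # A Word OOXML package always carries a word/ part; other zips do not.
        return "ooxml-word" if any(n.startswith("word/") for n in names) else "zip"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def extensions(filename: str) -> list:
    """All dotted suffixes, lower-cased: 'Report.doc.exe' -> ['.doc', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_download(filename: str, data: bytes) -> dict:
    """Return the sniffed format plus the reasons, if any, to block the file."""
    fmt = sniff_format(data)
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    reasons = []
    if fmt in EXECUTABLE_FORMATS:
        if last not in EXECUTABLE_EXTENSIONS:
            reasons.append("executable content delivered under a non-executable name")
    elif last in DOCUMENT_EXTENSIONS and fmt not in DOCUMENT_FORMATS:
        reasons.append("document name but content is " + fmt)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension dresses an executable up as a document")
    return {"filename": filename, "format": fmt, "reasons": reasons, "block": bool(reasons)}


def build_samples() -> dict:
    """Constructed inputs for the demonstration; not real malware or campaign files."""
    # Minimal PE-shaped blob: MZ header, e_lfanew pointing at 0x80, "PE\0\0" there.
    fake_pe = bytearray(0x90)
    fake_pe[0:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)
    fake_pe[0x80:0x84] = b"PE\x00\x00"
    # Minimal OOXML-shaped package carrying the word/ part a .docx has.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return {"fake_pe": bytes(fake_pe), "docx": buf.getvalue()}


if __name__ == "__main__":
    samples = build_samples()
    # Hypothetical filenames, chosen to mirror the lure; not names from the campaign.
    for name, data in [("Trump_health_update.doc", samples["fake_pe"]),
                       ("Trump_health_update.doc.exe", samples["fake_pe"]),
                       ("quarterly_memo.docx", samples["docx"])]:
        print(assess_download(name, data))
```

The point of sniffing rather than trusting the extension is that the lure page and the filename are entirely under the attacker's control, while the first bytes of the payload are not: a loader must still be a valid PE for Windows to run it. Legitimate executables under executable names pass through untouched, so the check produces few false positives in practice.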

Analyst Notes

As the election nears, many threat actors will take advantage of the geopolitical landscape to compromise victims. These attacks can take many forms, including information-stealing campaigns and ransomware infections that let the threat actor pursue financial gain. Phishing emails continue to be the first step in many attacks, so employees must receive proper security awareness training. As with many phishing emails, this one promises information that is not public knowledge, and that alone should be the first sign of a phishing attempt. Email threat scanning can detect most phishing messages and keep them out of employees' mailboxes, but some will always get through. Endpoint monitoring such as Binary Defense's Managed Detection and Response is a further step to watch for unusual activity on endpoints so that attacks are found and stopped before they spread across the network.

More can be read here: