Website owners are being targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware. For over a year, threat actors tracked as TA578 have been conducting attacks in which a website’s contact page is used to send legal threats to convince recipients to download a report of the offending material. These reports allegedly contain proof of DDoS attacks or copyrighted material used without permission but instead infect a target’s device with various malware, including BazarLoader, BumbleBee, and IcedID.
This week, researchers received a new version of the “Copyright infringement” threat pretending to be from Zoho, claiming that the recipient is using Zoho’s copyrighted images. However, instead of using Google Drive or Google Sites to host their alleged reports, TA578 is now using Yandex Forms. Yandex Forms is a free service that allows users to create customized online forms, but it can also be abused by threat actors to create phishing landing pages. When a person clicks on the forms.yandex.com link in the copyright complaint, they are brought to a webpage that states, “File ‘Stolen Images Evidence’ is ready for download.”
After a brief time, the Yandex Form downloads an ISO file named ‘Stolen_ImagesEvidence.iso’ from a firebasestorage.googleapis.com link embedded in the form. An ISO file is a disk image format that Windows 10 and Windows 11 mount as a new drive letter when opened. ISO files have become a popular attachment in phishing attacks because the Mark-of-the-Web on the downloaded ISO is not propagated to the files it contains, so Windows does not warn that those files are risky when they are opened.
After double-clicking on the ISO file, a new drive letter opens containing what appears to be a ‘documents’ folder and a randomly named DLL file. However, the ‘documents’ folder is actually a Windows shortcut that, when double-clicked, executes the malicious DLL using the rundll32.exe command, as shown in the shortcut’s properties below. This DLL is a loader for IcedID, a modular banking trojan that can steal Windows credentials and deploy additional payloads, such as Cobalt Strike beacons, to give attackers access to the network. These secondary payloads often lead to full-blown ransomware attacks on the breached network.
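As an added example (not from the article or from any vendor tooling), the Python below checks for the two observable features of this delivery chain from a defender's side: rundll32.exe loading a DLL from the root of a non-system drive letter (where a mounted ISO appears), and an image root listing with a folder-looking shortcut beside a bare DLL. The event field names mirror Sysmon-style process-creation telemetry and the sample values are constructed; both are assumptions, not data from the incident.

```python
"""Heuristics for the chain described above: an ISO mounts as a new drive
letter and a 'documents' shortcut at its root runs a DLL via rundll32."""
import re
from dataclasses import dataclass

RUNDLL32 = re.compile(r'(?:^|\\)rundll32(?:\.exe)?$', re.IGNORECASE)
# A DLL at the root of a non-system drive letter: a mounted ISO shows up as a
# fresh letter and the shortcut's target sits right beside it.
ROOT_DLL = re.compile(r'\b(?P<drive>[D-Z]):\\(?P<name>[^\\\s",]+\.dll)', re.IGNORECASE)
# A .lnk whose visible name has no extension: with extensions hidden, Explorer
# shows it as a plain item such as 'documents'.
FOLDER_LIKE_LNK = re.compile(r'^[^.]+\.lnk$', re.IGNORECASE)

@dataclass
class ProcessEvent:   # field names assume Sysmon-style process-creation events
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process

def rundll32_from_mounted_image(ev: ProcessEvent) -> list[str]:
    """Reasons this process creation matches the ISO/LNK pattern; [] if not."""
    if not RUNDLL32.search(ev.image):
        return []
    m = ROOT_DLL.search(ev.command_line)
    if not m:                       # DLL on the system drive: ordinary rundll32 use
        return []
    reasons = [f"rundll32 loads {m.group('name')} from the root of {m.group('drive')}:"]
    if ev.parent_image.lower().endswith("\\explorer.exe"):
        reasons.append("spawned by explorer.exe, i.e. a user double-click or shortcut")
    return reasons

def suspicious_image_contents(root_listing: list[str]) -> list[str]:
    """Reasons a mounted image's root listing looks like the decoy layout; [] if not."""
    names = [n.lower() for n in root_listing]
    lnks = [n for n in names if FOLDER_LIKE_LNK.match(n)]
    dlls = [n for n in names if n.endswith(".dll")]
    if not (lnks and dlls):
        return []
    return [f"folder-looking shortcut {s!r} beside DLL {d!r} at the image root"
            for s in lnks for d in dlls]

# Constructed sample telemetry, not from a real incident.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe E:\qmxzv7.dll,init",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]
SAMPLE_ISO_ROOT = ["documents.lnk", "qmxzv7.dll"]
```

The first sample event is flagged on both counts, while the second (a routine shell32.dll call from the system drive) passes, which is the distinction that keeps this rule from firing on everyday rundll32 use.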