Cybersecurity researchers have uncovered a new campaign that leverages a file-sharing service and reverse proxies to distribute malware and evade detection. The campaign, which has been active since at least July 2023, targets users in Japan and South Korea with phishing emails that contain malicious attachments or links.
The attackers use a file-sharing service called ShareBox to host their malicious files. ShareBox is a legitimate service that allows users to upload and share files without registration or login. However, the service also has some features that make it attractive for threat actors, such as:
- The uploaded files are not scanned by antivirus engines.
- The files are automatically deleted after a certain period of time, which reduces the chances of being discovered by security researchers.
- The files can be accessed by anyone who knows the URL, which can be easily obfuscated or shortened.
The attackers also use reverse proxies to hide the real location of their command-and-control (C&C) servers. Reverse proxies are intermediaries that relay requests and responses between clients and servers. By using reverse proxies, the attackers can:
- Bypass network security controls that block direct communication with malicious domains or IP addresses.
- Avoid being blacklisted by reputation-based systems that monitor network traffic.
- Conceal their identity and location from law enforcement agencies and security researchers.
What the Malware Does
The malware that is delivered by the phishing emails is a variant of the Ursnif banking trojan, which is designed to steal sensitive information from infected machines, such as:
- Banking credentials and online payment details.
- Personal and financial data stored in web browsers, email clients, and other applications.
- System information, such as operating system, IP address, and installed software.
The malware also has the ability to download and execute additional payloads from the C&C servers, which can perform various malicious activities, such as:
- Encrypting files and demanding ransom for decryption.
- Installing keyloggers and screen recorders to capture user input and activity.
- Spreading to other machines on the same network or via removable drives.
How to Protect Yourself
The threat actors behind this campaign are constantly changing their tactics and techniques to evade detection and increase their chances of success. Therefore, users and organizations should adopt a multi-layered approach to protect themselves from this and similar threats, such as:
- Educating users about the common signs of phishing emails, such as spelling and grammar errors, spoofed sender addresses, and urgent or threatening messages.
- Implementing security solutions that can detect and block malicious attachments, links, and domains, as well as monitor and analyze network traffic for suspicious behavior.
- Updating and patching systems and applications regularly to fix any vulnerabilities that could be exploited by malware.
- Backing up important data regularly and storing it in a secure location, such as an external drive or a cloud service, to prevent data loss in case of a ransomware attack.