Source: https://cobaltstrike.net/2022/04/13/hackers-recruit-bank-employees-with-tempting-offers/
Cybercriminals are trying to “recruit” bank employees as part of new cyber attacks on the African financial sector. Over the past three weeks, attackers have been sending emails and messages to current employees of financial organizations allegedly with a job offer from a competitor bank. However, in fact, the offer is fictitious, and the message contains a malicious “surprise”, according to the HP Wolf Security research team.
To send phishing emails, attackers use email addresses very similar to the real ones, but with a difference of one or two characters (the so-called typesquatting attack, in which scammers use domain names similar to the real ones, but with a “typo”, in the hope that the victim will not notice the difference).
If the victim falls for the bait, she receives a second letter with an HTML attachment. After opening the file, its contents are decoded and displayed as a web loader window. The victim is asked to download a file that is already stored on the computer. Attackers use this technique, known as HTML smuggling, to effectively bypass security mechanisms that block the traffic of malicious sites.
The file contains a VBS script, which, after double-clicking on it with the mouse, initiates the creation of a registry key to ensure consistency on the system, the execution of PowerShell scripts and the deployment of GuLoader.
GuLoader is a loader for delivering RemcosRAT malware to the attacked system. The malware is a commercial Trojan for remote access (RAT), offered on cybercrime forums by subscription for a low fee.
Designed for attacks on Windows PCs, the Trojan is equipped with a keylogger function, and is also able to take screenshots, monitor the victim through the computer’s camera and microphone, steal OS data and personal files, record the victim’s activity in the browser and download additional malware.
Attacking bank employees, attackers most likely tried to gain access to the internal systems of banks either through corporate machines or through personal devices of staff working remotely.