Skip to main content

Russian hackers are targeting U.S. emails with phishing malware

Hackers are targeting both U.S. and European email accounts with a new phishing malware, according to a study done by cybersecurity researchers at Palo Alto Networks’ Unit 42.  Named “Cannon,” the malware has been around since October, collecting screenshots and other information from the PCs of unsuspecting victims and sending it back to Russian operatives.

Leveraging a classic social engineering tactic, “Cannon” sends out phishing emails and involves tricking victims into opening messages about recent news events like the crash of an airliner in Indonesia. The emails also contain an attachment to an older formatted Microsoft Word document which requires the macro feature for the file to open successfully. Once the victim opens the file and enables macros, a code then executes and a trojan malware spreads and infects a computer whenever Word is closed.

Once the trojan malware is running, it will collect screenshots of the PC desktop in intervals of 10 seconds, and system information every 300 seconds. It then logs into a primary POP3 email account, a secondary POP3 email account, and attempts to get the download path for downloaded information. Finally, it moves all attachments to a specific path and creates a process that sends the email back to a hacker with all attachments.

“In late October and early November 2018, Unit 42 intercepted a series of weaponized documents that use a technique to load remote templates containing a malicious macro. These types of weaponized documents are not uncommon but are more difficult to identify as malicious by automated analysis systems due to their modular nature. Specific to this technique, if the C2 server is not available at the time of execution, the malicious code cannot be retrieved, rendering the delivery document largely benign,” explains the Unit 42 research unit.

“Cannon” appears to be linked to Sofacy, a hacking group which has previously distributed “Zebrocy” and other similar malware linked back to the Russian government. To protect against these types of phishing attacks, it is always best to avoid opening emails from suspicious email addresses. Even though Microsoft has taken steps to block malicious macros, it also is best to not to use the feature and avoid it entirely. You also should keep your antivirus up to date and make sure that you’re running the latest versions of Windows 10.

Editors' Recommendations

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…
New COVID-19 phishing emails may steal your business secrets
Woman Checking Her Email

Google Forms are being used as a way to obtain the sensitive information of business owners through COVID-19 phishing emails, according to a new report.

As reported by Bleeping Computer, phishing messages based on COVID-19 have started to become increasingly popular in recent weeks.

Read more
A new phishing scam pretends to be your boss sending you an email
how to back up emails in outlook laptop

One of the latest email scams is a simple yet masterful ploy that gets companies to give up money under the guise of communicating with senior members of an organization within an email chain.

As reported by ZDNet, the scam is called a business email compromise (BEC) campaign and is described as a prompt where a nefarious actor, disguised as a company boss, sends an email that looks like a forwarded email chain, with instructions to an employee to send money. Targets of this type of scam are typically employees in the finance department or someone who has the ability to send wire transfers.

Read more
Hackers can now sneak malware into the GIFs you share
A video call in progress on Microsoft Teams.

How low will malware go to get onto your device? We thought using Minecraft to gain access to your computer was the most nefarious method hackers have produced, but there's a new, even lower type of attack that uses Microsoft Teams and GIFs to mount phishing attacks on your computer.

The new attack is called GIFShell and it installs malware on your computer to steal data. It does so by sneaking itself into innocent-looking GIFs and then waiting for you to share the GIF with your colleagues via Microsoft Teams.

Read more