Emails referencing the Colonial Pipeline ransomware attack and looking like they’ve been sent from the corporate IT help desk have been hitting employees’ inboxes and asking them to download and run a “ransomware system update.”
“Phishers excel at leveraging current events and other cyber-attacks to create urgency in their communications. In this case, no doubt many recipients wanted to ‘do the right thing and help out the IT team’ by clicking on the bad link,” Inky researchers noted.
The fake ransomware system update emails
The emails look rather convincing: they look like they are coming from the company help desk staff, they contain no egregious grammar or spelling errors, and are quick to come to the point.
“The malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cybercriminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough so that garden variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” the researchers noted.
The link in the emails led those who clicked it to a landing page hosted on those same domains, branded with the target company’s logo and imagery, and offering the “ransomware update” for download.
The delivered payload was, unfortunately, the Cobalt Strike penetration testing tool – a tool loved by many attackers.
Luckily, this particular payload is detected as a possible threat by quite a few AV solutions, but definitely not by most of them.
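As an added defender-side example (not code from the original article or from Inky), the check below illustrates the point the researchers make about regex matching: rather than looking for known-bad strings, it flags the traits of this lure, namely a help-desk display name arriving from a domain the organisation does not own, an update/patch pretext, and links to hosts that are not corporate and were registered only days earlier. The organisation’s domain, the first-seen dates and the sample message are constructed; the two lure domains are the ones named in the article.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Domains the organisation actually owns (constructed for this example).
ORG_DOMAINS = {"example-corp.com"}

# Stand-in for a domain-age lookup (WHOIS or passive-DNS first-seen).
# The dates are constructed; the two lure domains come from the article.
FIRST_SEEN = {
    "ms-sysupdate.com": date(2021, 5, 10),
    "selectivepatch.com": date(2021, 5, 10),
    "example-corp.com": date(2009, 3, 2),
}

HELPDESK_NAMES = re.compile(r"help ?desk|it (support|team|department)", re.I)
LURE_WORDS = re.compile(r"ransomware|system update|patch", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def sender_domain(from_header):
    """Return the lowercase domain of the address in a From: header."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def analyze_email(from_header, subject, body, today=date(2021, 5, 20)):
    """Flag the traits of the 'ransomware system update' lure.

    Returns a list of finding strings; an empty list means nothing flagged.
    """
    findings = []
    dom = sender_domain(from_header)
    external = dom not in ORG_DOMAINS
    if external and HELPDESK_NAMES.search(from_header):
        findings.append(f"help-desk display name from external domain {dom}")
    if external and LURE_WORDS.search(subject + " " + body):
        findings.append("update/patch pretext from outside the organisation")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in ORG_DOMAINS:
            continue
        findings.append(f"link to non-corporate host {host}")
        seen = FIRST_SEEN.get(host)
        if seen is None or (today - seen).days < 30:
            findings.append(f"link host {host} is newly registered or unknown")
    return findings
```

In production the constructed FIRST_SEEN table would be replaced by a real registration-date or passive-DNS source, and a message with two or more findings would be quarantined for review rather than delivered.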
Aside from implementing technological defenses to spot and block this type of email, Inky researchers urge organizations to consider creating an IT policy stating that employees will never be asked to download certain file types.
“A standard and formalized communications protocol that is widely shared, and frequently reinforced, would help as well,” they added.