Malware, Phishing
NetBird malware spread in advanced finance exec-targeted spear-phishing

Investment, banking, energy, and insurance organizations around the world are having their chief financial officers and other finance executives subjected to a spear-phishing campaign distributing the NetBird malware, reports GBHackers News.
The intrusion begins with a malicious email referencing a leadership opportunity at Rothschild & Co; it contains a link disguised as a brochure PDF that redirects to a Firebase-hosted page, according to a Trellix report. The page requires the visitor to solve a CAPTCHA before it decrypts a hidden URL and downloads a VBS script, researchers said. Besides silently installing NetBird and OpenSSH, the script creates a hidden local administrator account, enables Remote Desktop Protocol and modifies the firewall to allow it, and registers scheduled tasks for persistence. Further analysis found the same CAPTCHA technique in older phishing pages, suggesting the campaign may be more widespread than initially observed. Organizations should strengthen their defenses not only by adopting endpoint detection and response tools but also by auditing MSIExec activity and monitoring for suspicious script executions, researchers added.
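As an added, defender-side example (not from the article or the Trellix report), the read-only PowerShell triage script below checks a Windows host for the persistence artifacts described above: local administrator accounts hidden from the logon screen, RDP enabled together with an inbound firewall allow rule, recently registered scheduled tasks, and msiexec or script-host process creations. It assumes process-creation auditing (Security event 4688, with command-line logging for the CommandLine field) is enabled, and the 7-day review window is an arbitrary choice.

```powershell
# Added host triage example; not code from the article or the Trellix report.
# Run elevated. Read-only: it only collects findings into $findings.
# Assumptions: Security 4688 auditing is on; the 7-day window is arbitrary.
$since    = (Get-Date).AddDays(-7)
$findings = @()

# 1. Local administrators hidden from the logon screen via the UserList key (DWORD 0 = hidden).
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$admins   = Get-LocalGroupMember -Group 'Administrators' | Where-Object ObjectClass -eq 'User'
if (Test-Path $userList) {
    $hidden = (Get-ItemProperty $userList).PSObject.Properties |
              Where-Object { $_.Value -eq 0 -and $_.Name -notlike 'PS*' } |
              Select-Object -ExpandProperty Name
    foreach ($a in $admins) {
        $name = ($a.Name -split '\\')[-1]
        if ($hidden -contains $name) { $findings += "Hidden local admin account: $name" }
    }
}

# 2. RDP enabled (fDenyTSConnections = 0) and allowed inbound on 3389 by the host firewall.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) {
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
             Get-NetFirewallPortFilter | Where-Object LocalPort -eq 3389
    if ($rules) { $findings += 'RDP enabled with an inbound firewall allow rule on TCP 3389' }
}

# 3. Scheduled tasks registered inside the window, outside the \Microsoft\ folder.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
foreach ($t in $tasks) {
    if ($t.Date -and [datetime]$t.Date -gt $since) {
        $findings += "Recent scheduled task: $($t.TaskPath)$($t.TaskName) -> $($t.Actions.Execute)"
    }
}

# 4. msiexec / wscript / cscript process creations (Security 4688) inside the window.
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $proc = ($x.Event.EventData.Data | Where-Object Name -eq 'NewProcessName').'#text'
    $cmd  = ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
    if ($proc -match '\\(msiexec|wscript|cscript)\.exe$') { $findings += "Process creation: $proc $cmd" }
}

$findings
```

Each finding is a lead for investigation, not proof of compromise: legitimate software also installs through msiexec and registers tasks, so compare against the host's known baseline.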