Cybercriminals are using the fear generated by the recent wave of terror attacks to target corporate offices in the Middle East and Canada with spear phishing attacks.
One of the more sinister aspects of this campaign is the amount of obfuscation the attackers use, including the names of real security officials and even some legitimate attachments.
Symantec's Lionel Payet said in a blog post that the company had noted malicious emails falsely using the address of the Dubai Police Force in the United Arab Emirates to convince the recipient that the email contained official correspondence on how to avoid terror attacks. To make the email appear more credible, the crooks used the name of the lieutenant general who heads the Dubai police and is head of security for the country.
The spear phishers then double down on their duplicity by including one legitimate attachment.
“The emails come with two attachments, one of which is a PDF file that is not actually malicious but acts as a decoy file. The malware resides in the other attachment, an archive, as a .jar file,” Payet wrote.
The phishers are using a multiplatform remote access Trojan called Jsocket, which is a new tool from the same group that created AlienSpy RAT.
“While the group behind this campaign mainly targeted UAE-based companies and employees, we have also seen similar spear-phishing runs targeting three other countries: Bahrain, Turkey and, more recently, Canada,” the blog post said, adding that Symantec believes the group is expanding its efforts further and it expects to see new countries targeted.
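For defenders, the attachment layout Payet describes (a harmless decoy PDF next to an archive that carries a .jar) can be checked at the mail gateway. The following Python check is an added example, not code from Symantec or the original article; the function names and the sample message are constructed, and it assumes the archive is a ZIP, which the article does not specify.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def zip_bytes(entries):
    """Build an in-memory ZIP from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def find_jar_payloads(raw_email):
    """Return (attachment name, reason) for each attachment that is or holds a JAR."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".jar"):
            findings.append((name, "attachment is a .jar"))
            continue
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue  # not an archive, e.g. the decoy PDF
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        jars = [m for m in members if m.lower().endswith(".jar")]
        if jars:
            findings.append((name, "archive contains " + ", ".join(jars)))
        elif "META-INF/MANIFEST.MF" in members:
            # A JAR is itself a ZIP; the manifest gives away a renamed one.
            findings.append((name, "archive has a JAR manifest (renamed .jar)"))
    return findings

def build_sample():
    """Constructed message: a harmless PDF stub plus a ZIP holding a dummy .jar."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachments.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="advisory.pdf")
    dummy_jar = zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    msg.add_attachment(zip_bytes({"advisory.jar": dummy_jar}),
                       maintype="application", subtype="zip", filename="advisory.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in find_jar_payloads(build_sample()):
        print(f"{name}: {reason}")
```

The decoy PDF passes untouched while the archive is reported, so a gateway can quarantine on the archive alone rather than trusting the message because one attachment is clean.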