The campaign begins with a phishing email that contains an HTML attachment disguised as a routine document in a ZIP archive. The HTML file uses obfuscation techniques to evade detection and exploit vulnerabilities in Windows system functionalities.

Trustwave SpiderLabs recently discovered a dangerous backdoored DLL module within a fake version of the Advanced IP Scanner installer. The malicious version of the installer contains a DLL named pcre.dll.

The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice. The email header has an email address format that uses the domain ‘temporary[.]link’.

Recently, SpiderLabs identified a phishing email with an attached archive that included a Windows executable disguised as a fraudulent bank payment. This action initiated an infection chain culminating in the deployment of Agent Tesla.

The malware is distributed through a multi-stage infection chain involving weaponized PDF files, internet shortcuts, and PowerShell loaders, with similarities to the previously disclosed Phemedrone Stealer.

Trustwave researchers reported that over the recent days, they had observed phishing attacks that employed a mix of compromised Microsoft 365 accounts and .rpmsg encrypted emails to distribute the phishing message.

Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

A successful Meta-Phish attack could result in the loss of PII, login credentials, and Facebook profile links. Instead of a phishing link to an external landing page, the mail sample is crafted with a link that points to an actual Facebook post.

Trustwave SpiderLabs’ researchers uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service.

These websites have the capability to change their background and logo depending on the user’s domain. The phishing sites are stored in the InterPlanetary File System (IPFS).