
Fake Copyright Complaints Spread IcedID via Yandex Forms

Cybercriminals are targeting website owners with fake copyright infringement complaints that use Yandex Forms. The ruse is run by the threat actor TA578, who is using it to spread the IcedID banking malware along with other malware.

Fake copyright complaints

A new version of the copyright infringement scam has been spotted. The scam message claims to come from Zoho and alleges that the target is using Zoho's copyrighted images.
  • For a year, a threat group named TA578 has been carrying out these attacks, using a website's contact page to send legal warnings that fool recipients into downloading a report of the offending material.
  • These reports purportedly contain proof of DDoS attacks or of copyrighted material associated with the website. In reality, they infect the system with malware such as BumbleBee, IcedID, and BazarLoader.

However, one thing that was different with this campaign is that the attackers are now using Yandex Forms instead of Google Drive or Google Sites to host their alleged reports as they did in the past.

Infection process

Whenever a targeted user clicks on the forms[.]yandex[.]com link in the copyright complaint, they are redirected to a webpage that mentions ‘File Stolen Images Evidence’ is ready to download.
  • The Yandex Form downloads an ISO file named 'Stolen_ImagesEvidence[.]iso' from an embedded firebasestorage[.]googleapis[.]com link. Packaging the payload in an ISO file allows it to bypass Windows security warnings.
  • Double-clicking the ISO file mounts it as a new drive letter containing a document folder and a randomly named DLL file. The DLL is executed with the rundll32[.]exe command.
  • This DLL is a loader for IcedID, a banking trojan that can steal Windows credentials and drop additional payloads used for initial access, such as Cobalt Strike beacons.
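The chain above (ISO written to disk, mounted as a new drive letter, DLL run via rundll32) leaves a recognisable pair of events in endpoint telemetry. The following added example is not from the article or from Cyware; it correlates constructed Sysmon-style events (the field names, the ten-minute window, the E: drive letter and the file names are all assumptions) and flags rundll32 launches that load a DLL from a non-system drive shortly after an ISO file was dropped.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the article): an ISO lands in
# Downloads, then rundll32 loads a DLL from the mounted ISO volume (E:).
# A later, benign rundll32 call from the system drive should not be flagged.
EVENTS = [
    {"ts": "2022-11-10T14:02:11", "id": 11,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\Downloads\Stolen_ImagesEvidence.iso"},
    {"ts": "2022-11-10T14:03:05", "id": 1,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe E:\xk3f9a.dll,#1"},
    {"ts": "2022-11-10T15:30:00", "id": 1,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SYSTEM_DRIVE = "C:"            # assumption: Windows is installed on C:
WINDOW = timedelta(minutes=10)  # assumption: ISO drop and DLL run are close in time
# First DLL path on the rundll32 command line, e.g. E:\xk3f9a.dll
DLL_ARG = re.compile(r'(?i)"?([a-z]:\\[^",\s]+\.dll)')


def parse_ts(s):
    return datetime.fromisoformat(s)


def iso_drops(events):
    """Timestamps of .iso files written to disk (Sysmon FileCreate, event 11)."""
    return [parse_ts(e["ts"]) for e in events
            if e["id"] == 11 and e["target"].lower().endswith(".iso")]


def flag_rundll32_from_iso(events):
    """Return rundll32 launches (Sysmon ProcessCreate, event 1) whose DLL lives on a
    non-system drive letter and that follow an ISO drop within WINDOW."""
    drops = iso_drops(events)
    hits = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith(r"\rundll32.exe"):
            continue
        m = DLL_ARG.search(e["cmdline"])
        if not m or m.group(1)[:2].upper() == SYSTEM_DRIVE:
            continue  # no DLL argument, or DLL on the system drive: normal usage
        t = parse_ts(e["ts"])
        if any(timedelta(0) <= (t - d) <= WINDOW for d in drops):
            hits.append({"ts": e["ts"], "dll": m.group(1), "parent": e["parent"]})
    return hits
```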

Conclusion

These fake copyright complaints are convincing and exploit the threat of legal action to create a sense of urgency. Users should therefore stay vigilant whenever they receive such messages from unknown sources, and should never open links received by email or from other sources without proper security checks.
Publisher: Cyware