Gootkit banking Trojan continues to be delivered via fake invoices via Mailgun SMTP relay service and Microsoft one drive for business

cyber

Gootkit banking trojan is still being distributed via the Mailgun SMTP sending service, using Microsoft’s One drive business file hosting service to deliver the malicious macro enabled word docs that in turn download the gootkit banking trojan payload from another site.  These use compromised mail accounts or websites  to relay emails via the Mailgun SMTP relay service so they stand a better chance of being accepted by the receiving email recipient.

I don’t know whether they are using a compromised email account, that is stolen email credentials or whether they have hacked or compromised the website for facewebinar.com and are using the Mailgun api interface to send the malware laden spam. I am guessing from the email headers it is more likely to be stolen email credentials.

An email with the subject of  Account Invoice # 1373465  coming  from postmaster@facewebinar.com  with a HTML attachment that when opened will download a malicious word doc from a compromised or fraudulently set up  one drive hosting account  that in turn delivers the gootkit banking trojan.

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Remember many email clients, especially on a mobile phone or tablet,  only show the Name in the From:  and not the bit in <domain.com >. That is why these scams and phishes work so well.

 

To read the origianal article

https://myonlinesecurity.co.uk/gootkit-banking-trojan-continues-to-be-delivered-via-fake-invoices-via-mailgun-smtp-relay-service-and-microsoft-one-drive-for-business/

Laisser un commentaire

Next Post

Talos experts found many high severity flaws in Moxa EDR-810 industrial routers

Security experts at Cisco’s Talos group have discovered a total of 17 vulnerabilities in Moxa EDR-810 industrial routers manufactured by Moxa. The Moxa EDR-810 is an integrated industrial multiport router that implements firewall, NAT, VPN and managed Layer 2 switch capabilities. These devices are used in industrial environments to protect systems such […]