The Trellix Email Security Research Team has discovered a malicious campaign that has targeted government agencies in Afghanistan, India, Italy, Poland, and the United States since 2021. The attack starts with a spear-phishing email built around a geopolitical theme, in this case the India-Afghanistan relationship, which the attacker uses as a lure to get the recipient to open an attachment or click a link. The email carries either an attached Excel sheet or a weaponized URL that delivers one. When the sheet is opened and macros are allowed to run, the embedded malicious macro decrypts and installs a Remote Access Trojan (AsyncRAT and LimeRAT) and establishes persistence.
The attachment is named "India-Afghanistan-Relationship.xls". The ".xls" extension gives the impression of an ordinary spreadsheet, and when opened the file looks like an Office document, but its purpose is to run a malicious macro. In the samples described, the sheet arrives inside a .zip attachment, and the macro can execute commands on the victim's machine, including downloading and installing malware (activity the report attributes to APT12).
The Excel sheet also contains three URL links that appear legitimate but redirect victims to phishing websites. At first glance the URLs are spoofed to resemble a genuine government website; they then redirect to fake web pages that trick users into entering their login credentials.
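The two properties of the lure described above, an attachment whose name and content type can disagree and may carry a VBA project, and hyperlinks whose visible text imitates a government site while the real target is elsewhere, are exactly what a mail-triage script can check before a user ever sees the message. The following Python is an added example written by the editor; it is not Trellix's tooling and not code from the report. Every input it inspects (the file bytes, the zip members, the hostnames, including "mea-gov-in.example") is constructed here for illustration, and the OLE2 macro check is a string heuristic rather than a full Compound File parse.

```python
"""Attachment and hyperlink triage modelled on the lure described above.

Editor's example, not Trellix's code. All samples are constructed for illustration.
Checks shown:
  1. does the attachment name agree with its container type, and does it carry
     a VBA project (legacy OLE2 stream or OOXML xl/vbaProject.bin)?
  2. does a hyperlink's visible text name a different host than its target, or
     does the target merely imitate a government domain?
"""
import io
import re
import zipfile
from urllib.parse import urlparse

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File: legacy .xls/.doc
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP, also OOXML (.xlsx/.xlsm/.xlsb)
OLE2_EXT = {".xls", ".doc"}
OOXML_EXT = {".xlsx", ".xlsm", ".xlsb", ".docx", ".docm"}
# Compound File directory entries store stream names in UTF-16LE; this stream name
# marks a VBA project. Heuristic: a substring hit, not a full OLE2 parse.
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")
GOV_SUFFIX = re.compile(r"\.gov(\.[a-z]{2})?$")


def extension_of(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def sniff_container(data: bytes) -> str:
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def zip_entries(data: bytes) -> dict:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {n: zf.read(n) for n in zf.namelist()}
    except zipfile.BadZipFile:
        return {}


def triage_attachment(name: str, data: bytes) -> list:
    """Return human-readable findings for one attachment, recursing into .zip wrappers."""
    findings = []
    ext, kind = extension_of(name), sniff_container(data)
    expected = "ole2" if ext in OLE2_EXT else "zip" if ext in OOXML_EXT else None
    if expected and kind != expected:
        findings.append(f"name says {ext} but content is {kind}")
    if kind == "ole2" and VBA_STREAM_UTF16 in data:
        findings.append("legacy Office container has a VBA project stream")
    if kind == "zip":
        entries = zip_entries(data)
        if any(n.lower().endswith("vbaproject.bin") for n in entries):
            findings.append("OOXML package has vbaProject.bin (macro-enabled)")
        if ext == ".zip":  # archive wrapper: inspect what it carries
            for inner_name, inner_data in entries.items():
                if extension_of(inner_name) in OLE2_EXT | OOXML_EXT:
                    findings.append(f"archive wraps Office file {inner_name}")
                    findings += [f"{inner_name}: {f}"
                                 for f in triage_attachment(inner_name, inner_data)]
    return findings


def host_in_text(text: str) -> str:
    """Pull a hostname out of link text if the text looks like a URL or domain."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""


def link_findings(display: str, href: str) -> list:
    """Flag a link whose visible text names one host while the target is another,
    or whose target contains 'gov' without being under a .gov suffix (heuristic)."""
    findings = []
    shown, target = host_in_text(display), (urlparse(href).hostname or "").lower()
    if shown and shown != target:
        findings.append(f"text shows {shown} but target is {target}")
    if "gov" in target and not GOV_SUFFIX.search(target):
        findings.append(f"{target} imitates a government domain")
    return findings


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()


# Constructed samples (not real malware): bytes shaped like the containers above.
LURE_XLS = OLE2_MAGIC + b"\x00" * 504 + VBA_STREAM_UTF16 + b"\x00" * 40
MACRO_OOXML = build_zip({"[Content_Types].xml": b"<Types/>", "xl/vbaProject.bin": b"\x00"})
CLEAN_OOXML = build_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"})
LURE_ZIP = build_zip({"India-Afghanistan-Relationship.xls": LURE_XLS})

if __name__ == "__main__":
    for name, data in [("India-Afghanistan-Relationship.xls", LURE_XLS),
                       ("India-Afghanistan-Relationship.xls", MACRO_OOXML),
                       ("report.xlsx", CLEAN_OOXML), ("lure.zip", LURE_ZIP)]:
        print(name, triage_attachment(name, data))
    # Hostnames constructed for illustration only.
    print(link_findings("https://mea.gov.in/press-release", "https://mea-gov-in.example/login"))
```

The extension check matters because mail gateways and users both key off the file name, whereas Excel keys off the container; a ".xls" whose bytes are a ZIP, or a ".zip" that wraps a macro carrier, is the mismatch the lure relies on. The hostname check is deliberately conservative: it only compares a host that the link text actually shows, so descriptive anchor text produces no false mismatch, and the "imitates a government domain" rule is a hint for an analyst, not a block decision.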
Once the victim enters their username and password, APT12 deploys AsyncRAT and LimeRAT on the system for further exploitation. When the user clicks one of the malicious URLs, a page loads in the browser, but it in fact redirects to another page that downloads the malware onto the victim's machine. Once installed, AsyncRAT and LimeRAT remain persistent. The suspect file name is "SessionID".