A "JAR" Full of Problems for Financial Services Companies (Dec 19, 2018)
Researchers at Menlo Labs have observed an email campaign targeting banks and financial services organizations that attempts to trick recipients into clicking links that install malware. The campaign has been active in the UK and US since August 2018 and hosts its malicious payload on Google's Cloud Storage service, "storage.googleapis[.]com," so that the download appears legitimate. The unknown threat actors rely on malicious URLs because detection of them is considerably lower, even on machines with antivirus and spam filtering, when the URL is not yet present in a threat repository. The links deliver either a VBScript payload or a JAR file; both appear to belong to the "Houdini" malware family, which installs a Remote Access Trojan (RAT) on the victim's machine.
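The pattern described above, a script or archive payload served from a trusted cloud-storage hostname so that link reputation alone does not flag it, is something a mail-gateway or SOC triage rule can look for. The following is an added example written for this summary, not code from Menlo Labs or Anomali: it extracts URLs from message bodies (including defanged "hxxp" and "[.]" notation from intel feeds), and flags any whose host is the reported storage service and whose path ends in the payload types the campaign used (.jar, .vbs). The host list, the extension list, and all sample messages are constructed assumptions for illustration, not campaign indicators.

```python
"""
Triage helper (added example): flag e-mail URLs whose host is a trusted cloud-storage
service and whose path points at a payload type reported in the campaign (JAR, VBScript).
All sample messages below are constructed and are not real indicators of compromise.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Assumption: hostnames reported as abused for payload hosting; the summary names
# storage.googleapis[.]com (live form used here for matching).
ABUSED_STORAGE_HOSTS = {"storage.googleapis.com"}

# Assumption: payload file types reported in the campaign (JAR archives, VBScript).
PAYLOAD_EXTENSIONS = (".jar", ".vbs")

# Accept both live (http/https) and defanged (hxxp/hxxps) schemes.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s\"'<>)]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Convert defanged notation (hxxp, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def extract_urls(text: str) -> list:
    """Return every URL found in a message body, refanged."""
    return [refang(m.group(0)) for m in URL_RE.finditer(text)]


def classify_url(url: str) -> Optional[str]:
    """Return a reason string when the URL matches the campaign pattern, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host in ABUSED_STORAGE_HOSTS and path.endswith(PAYLOAD_EXTENSIONS):
        filename = path.rsplit("/", 1)[-1]
        return f"payload {filename} hosted on trusted storage host {host}"
    return None


def triage_message(sender: str, body: str) -> list:
    """Collect findings (sender, url, reason) for one message."""
    findings = []
    for url in extract_urls(body):
        reason = classify_url(url)
        if reason:
            findings.append({"sender": sender, "url": url, "reason": reason})
    return findings


# Constructed sample messages (hypothetical senders and buckets, not campaign artefacts).
SAMPLE_MESSAGES = [
    ("accounts@example-bank.test",
     "Please review the invoice: https://storage.googleapis.com/example-bucket/invoice_2018.jar"),
    ("it-helpdesk@example.test",
     "Update your client: hxxps://storage.googleapis[.]com/example-bucket/update.vbs"),
    ("colleague@example.test",
     "Slides are here: https://storage.googleapis.com/example-bucket/q3-review.pdf"),
    ("newsletter@example.test",
     "Read more at https://www.example.test/news/article.html"),
]


def run_triage(messages=SAMPLE_MESSAGES) -> list:
    """Run triage over a batch of (sender, body) pairs and return all findings."""
    findings = []
    for sender, body in messages:
        findings.extend(triage_message(sender, body))
    return findings


if __name__ == "__main__":
    for finding in run_triage():
        print(f"[ALERT] from {finding['sender']}: {finding['url']} -> {finding['reason']}")
```

Of the four constructed messages, only the two that link a .jar or .vbs file on the storage host are flagged; the PDF on the same host and the ordinary web link pass, which is the intended precision for a rule that must not block every legitimate use of the service. In practice the host and extension lists would be fed from the intelligence feed rather than hard-coded.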
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks, specifically how to identify such attacks and whom to contact when a phishing email is identified. Furthermore, maintain policies regarding what kinds of requests and information your employees can expect to receive from colleagues and management, to help them recognize potentially malicious communications. Messages that attempt to redirect a user to a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.