FormBook Malware – Active IOCs
January 9, 2025
Severity
High
Analysis Summary
Researchers have found that malicious actors continue to spoof sender email addresses in various malspam campaigns. Falsifying an email's sender address is usually an attempt to pass security checks that would otherwise flag the message as malicious, and to make the message look more authentic.
Spammers are increasingly using old, neglected domains in their operations, even though safeguards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) exist to stop them from spoofing well-known domains. Emails sent from such long-registered domains are likely to get past security checks that use domain age to decide whether a message is spam.
In recent research, experts found that threat actors such as Muddling Meerkat have abused some of their own old, defunct domains that have not been used to host content in almost 20 years. Most DNS records, including the SPF records commonly used to verify the legitimacy of a sender domain, are absent from them. The domains are short and sit in very respectable TLDs.
One such campaign, active since at least December 2022, distributes emails with attachments that contain QR codes pointing to phishing websites. The emails instruct recipients to open the attachment and scan the QR code with the WeChat or AliPay app on their phones. They use Mandarin-language, tax-related lures, and the attached documents carrying the QR code are protected in various ways with a four-digit password that is included in the email body. In one instance, the phishing website asked users to enter their card details and identity information, which were then used to defraud them and send payments to the attacker.
Although the campaigns use the neglected domains observed with Muddling Meerkat, they appear to spoof arbitrary domains broadly, including ones that do not exist. The actor may use this tactic to avoid sending repeated emails from the same sender address. The researchers have also seen phishing campaigns that use traffic distribution systems (TDSes) to lure victims to fake login pages impersonating well-known companies such as Amazon, MasterCard, and SMBC, in order to steal their credentials. The following is a list of some email addresses found to use fake sender domains:
- ak@fdd.xpv[.]org
- mh@thq.cyxfyxrv[.]com
- mfhez@shp.bzmb[.]com
- gcini@vjw.mosf[.]com
- iipnf@gvy.zxdvrdbtb[.]com
- zmrbcj@bce.xnity[.]net
- nxohlq@vzy.dpyj[.]com
A third type of spam is extortion: the email's targets are told to pay $1,800 in Bitcoin to have embarrassing videos of themselves, supposedly recorded through implanted remote access malware, deleted. The actor poses as the user and challenges them to check their own email address, claiming that the email was sent from the user's personal account as evidence that the device has been compromised.
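The advisory makes two points a mail-filtering team can act on: the neglected sender domains publish no SPF or DMARC records at all, so standard authentication returns "none" rather than "fail", and the extortion lure relies on a From address that matches the recipient's own address. The following Python script is an added example, not code from the advisory or from the researchers it summarizes. It models DNS TXT lookups with a constructed in-memory table (real deployments would query DNS), implements a deliberately minimal SPF evaluator (ip4/ip6, include, and the all qualifiers; DKIM is not modelled), reads the DMARC policy tag, and triages constructed message headers, flagging the "no policy published" case, the self-spoof pattern, and sender domains quoted in the advisory. The domain example-bank.test, the mailer domain, and all IP addresses are made-up sample values.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups (a real deployment would query DNS).
# The two advisory domains below are present with NO records at all, which is
# exactly the "neglected domain" condition the research describes.
FAKE_DNS_TXT = {
    "example-bank.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "fdd.xpv.org": [],
    "thq.cyxfyxrv.com": [],
}

# Sender domains quoted in the advisory, with the defanging brackets removed.
ADVISORY_SENDER_DOMAINS = {
    "fdd.xpv.org", "thq.cyxfyxrv.com", "shp.bzmb.com", "vjw.mosf.com",
    "gvy.zxdvrdbtb.com", "bce.xnity.net", "vzy.dpyj.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, dns):
    """Return the TXT strings for a name from the constructed table."""
    return dns.get(name.lower(), [])


def spf_record(domain, dns):
    for rec in lookup_txt(domain, dns):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def spf_check(domain, client_ip, dns, depth=0):
    """Minimal SPF evaluation: ip4/ip6 networks, include, and 'all'.
    Returns one of pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:              # RFC 7208 caps DNS-querying terms; stop runaway includes
        return "permerror"
    rec = spf_record(domain, dns)
    if rec is None:
        return "none"           # no SPF published: nothing to fail against
    ip = ipaddress.ip_address(client_ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # 'in' returns False when address and network versions differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = spf_check(arg, client_ip, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual]
    return "neutral"            # record exhausted without a match


def dmarc_policy(domain, dns):
    """Return the DMARC 'p' tag for a domain, or None when no record exists."""
    for rec in lookup_txt("_dmarc." + domain, dns):
        if rec.upper().startswith("V=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "none").strip().lower()
    return None


def assess_message(headers, client_ip, dns):
    """Triage one inbound message (constructed headers) and explain any flag."""
    m = re.search(r"<([^>]+)>", headers["From"])
    from_addr = (m.group(1) if m else headers["From"]).strip().lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    to_addr = headers.get("To", "").strip().lower()
    spf = spf_check(from_domain, client_ip, dns)
    dmarc = dmarc_policy(from_domain, dns)
    reasons = []
    if from_domain in ADVISORY_SENDER_DOMAINS:
        reasons.append("sender domain listed in advisory IoCs")
    if spf == "none" and dmarc is None:
        reasons.append("no SPF or DMARC published: domain cannot be authenticated")
    if spf in ("fail", "softfail"):
        reasons.append(f"SPF {spf} for connecting host {client_ip}")
    if dmarc in ("reject", "quarantine") and spf != "pass":
        reasons.append(f"SPF not aligned and DMARC p={dmarc} (DKIM not modelled here)")
    if from_addr == to_addr:
        reasons.append("From equals To: self-spoof pattern used by extortion lures")
    return {"from_domain": from_domain, "spf": spf, "dmarc": dmarc,
            "reasons": reasons, "flag": bool(reasons)}


if __name__ == "__main__":
    sample = {"From": "ak@fdd.xpv.org", "To": "user@example.test"}  # constructed
    print(assess_message(sample, "203.0.113.5", FAKE_DNS_TXT))
```

The useful operational takeaway is in the second reason string: a domain with no SPF and no DMARC never produces a "fail", so a filter that only acts on authentication failures will let these messages through. Treating "none/None" on an unknown or very old domain as its own risk signal, and matching the From address against the recipient, closes both gaps the advisory describes.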
Impact
- Security Bypass
- Identity Theft
- Sensitive Data Theft
- Financial Loss
Remediation
- Do not download documents attached to emails from unknown sources, and strictly refrain from enabling macros when the source isn't reliable.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.