Fast-changing Trojan attack identified; masquerades as a paid invoice

In the early afternoon of February 20th, GreatHorn's threat response team identified a widespread, rapidly changing trojan attack pattern. Masquerading as a confirmation of a paid invoice, the attack lacks the consistency of a typical volumetric campaign, which makes it harder for email security tools to identify and block. Each email carries a link that automatically downloads a Word template file with a .doc extension; the Trojan is embedded in that document.

Unlike many attacks that use a single pattern with slight customizations, this attack uses a variety of different subject lines, email content, email addresses, display name spoofs, and destination URLs.

In some cases the threat spoofs the display name of an employee at the target company while using the address of what appears to be a compromised external account; in others it uses an unrelated name, again with the address of a compromised account. There is no apparent consistency among the targets in terms of department or function.

First identified at 12:24pm ET on Wednesday, February 20th, the attack has so far consisted of three distinct waves, each using a different destination URL: one at 12:24pm ET, one at 2:05pm ET, and a third at 2:55pm ET. Rotating the destination URL between waves suggests the attackers anticipated and planned for the rapid takedown of each one.

The GreatHorn security team is currently monitoring to see if this attack has any additional permutations and is providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial point of infection is via a phishing email sent to employees, often with a display name of a fellow employee, but using an external email address from what appears to be one of several compromised accounts.
  • Subject lines vary but reference “receipt” or “invoice”. Subject lines included the following:
    • “Transaction for Your Invoice 4676”
    • “Payment receipt bill 483477”
    • “Receipt for Invoice 23649”
    • “[Internal name spoof] Payment receipt 02094924”
  • Sender email addresses appear to be from legitimate, compromised accounts, primarily from South American companies, while the sender display name is typically an arbitrary one.
    • A small handful of attacks were highly targeted, appearing to be from another employee at the recipient’s organization and with customized subject and display names

Body content generally follows a pattern that confirms the receipt of a payment for an invoice, but uses slightly different language to evade capture.
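As an added example, and not GreatHorn's code or detection logic, the following Python script applies the indicators listed above to raw messages: a display name matching an internal employee paired with an external sender domain, a subject line that references a receipt, invoice or bill together with a number, and a link whose path ends in a Word document extension. The defending organization's domain, the employee directory, and all three sample messages are constructed for illustration and are not campaign artifacts.

```python
"""Added example: scoring inbound mail against the campaign indicators above.
Assumptions (not from the original post): the defending org's domain, the
employee directory, and every sample message are constructed for illustration."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                  # assumed defending organisation
INTERNAL_EMPLOYEES = {"jane doe", "raj patel"}   # assumed directory of display names

# Subject lures seen in the campaign: "receipt"/"invoice"/"bill" plus a number.
SUBJECT_RE = re.compile(
    r"\b(?:receipt|invoice|bill)\b.*\b\d{4,}\b|\b\d{4,}\b.*\b(?:receipt|invoice|bill)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
WORD_EXTENSIONS = (".doc", ".docx", ".dot", ".dotm", ".docm")


def _normalize(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def _is_internal(domain: str) -> bool:
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def _text_body(msg: Message) -> str:
    """Concatenate text parts; walk() yields the message itself when it is not multipart."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    urls = URL_RE.findall(_text_body(msg))
    doc_links = [u for u in urls if urlparse(u).path.lower().endswith(WORD_EXTENSIONS)]

    findings = []
    # An internal employee's name on an external address: the display-name spoof described above.
    if _normalize(display) in INTERNAL_EMPLOYEES and domain and not _is_internal(domain):
        findings.append("display-name-spoof")
    if SUBJECT_RE.search(subject):
        findings.append("invoice-lure-subject")
    if doc_links:
        findings.append("doc-download-link")

    # A lure subject alone is common in legitimate vendor mail; require a stronger signal with it.
    suspicious = "doc-download-link" in findings or (
        "display-name-spoof" in findings and "invoice-lure-subject" in findings)
    return {"from_domain": domain, "display_name": display, "doc_links": doc_links,
            "findings": findings, "suspicious": suspicious}


# Constructed sample messages (not real campaign artifacts).
SAMPLE_SPOOF = """\
From: Jane Doe <contabilidad@supplier.example.net>
To: raj.patel@example.com
Subject: Jane Doe Payment receipt 02094924
Content-Type: text/plain; charset=utf-8

Hello, the payment for your invoice has been received.
Download your receipt: http://files.example.org/receipt_02094924.doc
"""

SAMPLE_VENDOR = """\
From: Acme Billing <billing@acme.example.org>
To: raj.patel@example.com
Subject: Invoice 4676 is now available
Content-Type: text/plain; charset=utf-8

Your invoice is ready in the portal: https://portal.acme.example.org/invoices/4676
"""

SAMPLE_BENIGN = """\
From: Raj Patel <raj.patel@example.com>
To: jane.doe@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Are you free for lunch on Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("vendor", SAMPLE_VENDOR), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(sample))
```

The vendor sample shows why the subject lure is not treated as sufficient on its own: genuine invoice notifications share that wording, so the rule only escalates when the lure is combined with a display-name spoof or a direct Word-document download link.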

Microsoft identified a small portion of these as spam and moved them to the junk folder (an incorrect designation given the malicious nature of the attack), but allowed a number of them to be delivered to user inboxes.

The attack was found (and eliminated) in 10% of GreatHorn's customer base. GreatHorn identified the emails as suspicious and removed them entirely from customer mailboxes upon confirmation of the attack's malicious nature.

GreatHorn Security Response:

  • Attack emails within GreatHorn’s customer base were correctly identified under GreatHorn’s out-of-the-box policies
  • All attack emails within GreatHorn’s customer base have been removed from customer inboxes and junk folders.
  • The attack's destination URLs have been added to GreatHorn's blacklist, so future emails linking to them will be blocked for all GreatHorn Email Security customers

We are continuing to monitor for evidence of this malware and remain vigilant to a fourth attack wave. We will provide additional information and remediation support as our investigation continues.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].
