Cybercriminals often refine their phishing tactics to lure unwitting users into downloading malware. In one such new phishing campaign uncovered by security researchers at Proofpoint, threat actors trick users into opening or downloading a malicious file disguised as a "Privacy Tool" service. The tool is advertised as a file protector that can encrypt user data through a zip-like utility. The attackers promote the malicious tool through a fake website that also includes instructions on how to download it.
Using Smoke Loader Payload
Proofpoint stated that the attackers use Smoke Loader as the initial payload. Smoke Loader is a popular malware downloader sold on the dark web and used by several cybercriminal groups. Once a user runs the fake privacy tool, Smoke Loader automatically installs additional malware payloads, including RedLine and Raccoon Stealer. These payloads are purpose-built to exfiltrate sensitive data from the infected system.
RedLine was first observed in early 2021 and can compromise cold wallets that store cryptocurrencies. Raccoon Stealer is an infamous malware-as-a-service offering active since 2019 and sold across various darknet forums. It can steal users' private data, including credentials, credit card details, website cookies, usernames, hardware details, location, installed security software, system data, and data related to Bitcoin wallets.
While the threat actors behind this campaign are unknown, Proofpoint stated it identified one IP address linked to OpenNIC, a public DNS service provider.
“The use of a privacy-themed lure to download information-stealing malware is an ironic yet predatory mechanism for enticing users to download malware. The lure is likely effective as the threat actors behind the campaign appear to have taken considerable time and effort to design a legitimate-looking privacy tool. Based on additional indicators uncovered, it is likely this threat actor is conducting – and has previously conducted – similar campaigns using privacy themes and convincing lures to distribute Smoke Loader and follow-on malware. Proofpoint anticipates this type of theme and activity to continue, especially for consumers who do not have corporate privacy and security services already installed on their hosts,” Proofpoint said.