True North Networks Blog
Beware: Spoofed Email From the SEC
Be aware of a NEW malware email campaign that is highly targeted in nature and uses spear phishing emails that are spoofed to make them appear as if they were sent by the Securities and Exchange Commission (SEC) in an attempt to add a level of legitimacy and convince users to open them. The emails are pretending to be from the SEC Electronic Data Gathering Analysis and Retrieval (EDGAR) system and the authentic looking phishing email contains an attachment complete with logos, branding, and wording that would you would expect to see on documents received from the SEC.
When the attached Word document is opened, victims would be greeted with a message informing them that the document contains links to external files, and asking them to allow/deny the content to be retrieved and displayed. Should they agree, the malicious document reaches out to an attacker-controlled command-and-control (C&C) server which executes the first malware infection. Code is retrieved, obfuscated, and then executed, which kicks off persistence on systems, registry rewrites, scheduled task creation, and DNS requests are made. In this particular case, the malware features the capability to leverage scheduled tasks, as well as registry keys to obtain persistence making it more likely that subsequent attacks can fly under the radar for longer periods.
Please let your staff know to be extra careful with email that appears to be coming from the SEC, and in particular their EDGAR system, or with an attachment.