Google URLs are being used to disguise malware sent through contact forms
New campaign uses social engineering to deliver the IcedID malware
Cybercriminals have begun leveraging website contact forms to deliver malware, including the IcedID banking trojan, to unsuspecting enterprise employees over email, according to new research from Microsoft.
The Microsoft 365 Defender Threat Intelligence Team has been tracking a new campaign in which attackers abuse legitimate infrastructure, including website contact forms and Google URLs, to bypass email security filters.
According to Microsoft, these attacks begin with emails containing legal threats: the recipient is accused of using the sender's images or illustrations without consent and told that legal action will be taken against them. These emails create a sense of urgency, since recipients will want to avoid being sued, and the site.google.com link used by the attackers makes the threats appear more legitimate.
Upon discovering the campaign, Microsoft reached out to Google’s security team which is already looking into the matter.
IcedID malware
If a targeted employee decides to investigate the contents of one of the campaign's emails further and clicks on the site.google.com link, the page automatically downloads a ZIP file containing a JavaScript file, which in turn downloads the IcedID malware as a .DAT file. A component of the penetration testing kit Cobalt Strike is also downloaded, which allows the cybercriminals behind the campaign to control the user's device over the internet.
Microsoft's Emily Hacker and Justin Carroll provided further insight on this new campaign in a blog post, saying:
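A defender-side screening check for inbound contact-form submissions, written as an added example (not code from Microsoft or from the article): it flags a submission only when a Google-hosted link and legal-threat wording occur together, which is the combination the article describes. The sample submissions are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts the article names as abused legitimate infrastructure. The article writes
# "site.google.com"; Google Sites pages are served from sites.google.com, so both
# spellings are listed.
GOOGLE_HOSTED = {"site.google.com", "sites.google.com"}

# Phrases typical of the copyright/legal-threat lure described in the article.
LURE_PHRASES = (
    "without consent", "without permission", "copyright", "legal action",
    "lawsuit", "sue you", "illustrations", "my images", "my photos",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_urls(text):
    """Return every http(s) URL found in a submission body."""
    return URL_RE.findall(text)

def score_submission(text):
    """Return (score, reasons) for one contact-form submission body.
    A score of 2 or more is treated as suspicious: a Google-hosted link alone is
    not enough (plenty of legitimate senders use it), and legal-threat wording
    alone is not enough either; the combination is the campaign's signature."""
    reasons = []
    lowered = text.lower()
    hosts = {urlparse(u).hostname or "" for u in extract_urls(text)}
    if hosts & GOOGLE_HOSTED:
        reasons.append("google-hosted link")
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        reasons.append("legal-threat lure: " + ", ".join(hits))
    if "download" in lowered and hosts & GOOGLE_HOSTED:
        reasons.append("link presented as a download of evidence")
    return len(reasons), reasons

def is_suspicious(text):
    return score_submission(text)[0] >= 2

# Constructed sample submissions (hypothetical text, not real campaign content).
SAMPLE_LURE = (
    "Hello, this is Mel. Your website uses my illustrations without consent. "
    "Download the evidence here: https://site.google.com/view/proof-12345 "
    "Remove them or I will take legal action against your company."
)
SAMPLE_BENIGN = (
    "Hi, I'd like a quote for 20 licences. Our project page is "
    "https://sites.google.com/view/acme-rollout if you need background."
)
```

Run `score_submission` over each new submission as it arrives and route anything scoring 2 or higher to a review queue rather than to the inbox.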
“While this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise. IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks, steal credentials, and move laterally across affected networks to deliver additional payloads.”
As this new campaign is capable of delivering a wide range of malware, employees should be on the lookout for any suspicious emails claiming they violated copyright. They should also avoid clicking on any links in emails from unknown senders.
Via ZDNet
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.