Fake Copyright Infringement Warnings with Googlesites URL being Used to Spread Ransomware
Ransomware can be dreadful. It is one of the topics that gives sleepless nights to many businesses. A ransomware attack can lead to huge losses both in terms of capital and customer trust. You must have noticed a lot of news about how ugly ransomware can get.
While ransomware attacks are highly complicated in themselves, the start of this upheaval is quite simple. There are three prime ways ransomware can enter your network:
a. Simple phishing emails that contain malicious attachments,
b. Drive-by downloads (visiting malicious web pages using unpatched browsers), or
c. Insider threats.
But mostly phishing emails!
Since people and machines are getting smarter in filtering such phishing attempts, the adversaries have been continuously trying to find new ways to send such malicious payloads to the target.
Web Forms
Web forms are the basic “contact us” forms present on the homepages / websites of most organizations and people. If you fill in such a form, your message is sent to the recipient as a trusted email. Most likely the receiver is someone in the sales or marketing department, or sometimes the CEO; it depends entirely on the organization's needs. But the point is that even if the message contains intentionally placed malicious URLs, it easily flies under the radar and lands in a legitimate reader’s inbox.
This situation is being exploited in the wild.
An attacker submits a message claiming copyright infringement, which is delivered to the web admins through such a form; they are asked to click on the URL to download a document and see the evidence.
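The abuse described above is easiest to catch at the point where form submissions are turned into trusted email. The following is an added example, not code from the original post: a small triage step that scores each inbound submission on the two indicators the post describes, a link hosted on a free site builder (sites.google.com is the only entry here; an operator would extend the list) combined with copyright-complaint vocabulary, and holds high-scoring submissions for review instead of forwarding them. The sample submissions, sender addresses and URLs are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample submissions (not real data): what a contact-form
# handler might hand to a triage step before forwarding to a human inbox.
SAMPLE_SUBMISSIONS = [
    {
        "sender": "legal-notice@example.invalid",
        "message": ("Your website uses our copyrighted images without permission. "
                    "See the infringement evidence at "
                    "https://sites.google.com/view/example-evidence-placeholder"),
    },
    {
        "sender": "customer@example.invalid",
        "message": "Hi, I'd like a quote for 50 units. Our site is https://www.example.com/",
    },
    {
        "sender": "partner@example.invalid",
        "message": "Please update our listing, details at https://docs.example.org/listing",
    },
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Free-hosting domains abused because freshly created pages are unlikely to be
# on reputation lists yet. Assumption: extend this for your own environment.
FREE_HOSTING_SUFFIXES = ("sites.google.com",)

# Lure vocabulary taken from the scam described in the post.
LURE_TERMS = ("copyright", "infringement", "evidence", "dmca")


def extract_urls(text):
    return URL_RE.findall(text)


def hosted_on_free_site(url):
    """True if the URL's host is one of the free-hosting domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)


def score_submission(sub):
    """Return (score, reasons); a higher score means stronger lure indicators."""
    text = sub["message"]
    lowered = text.lower()
    reasons, score = [], 0
    urls = extract_urls(text)
    for url in urls:
        if hosted_on_free_site(url):
            score += 2
            reasons.append(f"url on free hosting: {urlparse(url).hostname}")
    hits = [t for t in LURE_TERMS if t in lowered]
    if hits:
        score += len(hits)
        reasons.append("lure terms: " + ", ".join(hits))
    # The combination is the real signal: a copyright complaint whose
    # "evidence" lives on a throwaway free-hosted page.
    if hits and any(hosted_on_free_site(u) for u in urls):
        score += 3
        reasons.append("copyright lure combined with free-hosted link")
    return score, reasons


def triage(submissions, threshold=5):
    """Split submissions into those held for review and those forwarded as usual."""
    held, forwarded = [], []
    for sub in submissions:
        score, reasons = score_submission(sub)
        entry = {**sub, "score": score, "reasons": reasons}
        (held if score >= threshold else forwarded).append(entry)
    return held, forwarded


if __name__ == "__main__":
    held, forwarded = triage(SAMPLE_SUBMISSIONS)
    for item in held:
        print("HOLD   ", item["sender"], item["score"], item["reasons"])
    for item in forwarded:
        print("FORWARD", item["sender"], item["score"])
```

Run as-is, the first submission is held (free-hosted link plus copyright, infringement and evidence terms) while the two ordinary enquiries are forwarded. Scoring on the combination, rather than on either indicator alone, keeps a genuine copyright notice that links to a corporate domain, or a harmless free-hosted portfolio link, from being held.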
Copyright is a very serious matter and most organizations treat it as such. They take the utmost care to ensure that no such infringement occurs. And adversaries know this. For example, if you tell someone they have used images that violate copyright, the listener's natural tendency is to ask “which image are you talking about?”. And that is the moment when innocent victims fall for clicking on malicious URLs.
At first glance, that sounds pretty scary and is likely to get many site owners to click on the link to learn more about the details of the accusation. When you do, you are served a webpage with a link to a file containing your “copyright infringement evidence.” We don’t really suggest doing this unless you are doing so in a protected and sandboxed environment.
Since the Google Sites pages are newly created, they may not yet be flagged as malicious by online scanners like VirusTotal.
In a blog post, Techlicious reported a similar incident and was also able to download and analyze the payload. In the version of the scam they received, the download was a .zip file containing a JavaScript (.js) file called “Copyright Infringement Evidence.js”.
The file was run through VirusTotal and came back as a backdoor trojan, identified as js.Trojan.Cryxos.5779 and JS/Kryptik.BXN, that can be used to install ransomware and other malicious programs.
Only 15 of the 60 malware scanning engines in VirusTotal picked this up (BitDefender, Emsisoft, eScan, ESET-NOD32, FireEye, GData, MAX, NANO-Antivirus, among others), meaning it currently has a high chance of slipping through most antimalware protection.
It is an important lesson (and a reminder for many) that:
- We need to be cautious about phishing URLs
- Avoid downloading attachments from unknown origins
- Never open or run any file from an unknown source with a risky extension such as .exe, .dll, .js, .jar, .docx, etc.
- Run your PCs as a local user and not as an administrator; a local user needs admin authorization to install any application
- Take continuous backups
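The third point above, and the .zip-wrapped .js payload described earlier, can be turned into a mechanical check: list an archive's members and refuse to open it if any member carries a script or executable extension, before anything is extracted or double-clicked. The code below is an added example, not from the original post or from Techlicious; it builds a constructed in-memory archive that mirrors the lure's file name (the contents are inert placeholder text, not the real payload) and inspects it. The extension lists start from the checklist above and add a few common script types as an assumption; the double-extension check (for names like "proof.jpg.js") goes beyond what the post mentions but is the usual way such lures disguise the real file type.

```python
import io
import posixpath
import zipfile

# Extensions from the checklist above, plus common script types (assumption).
# A file whose name ends in any of these should not be opened by double-clicking.
RISKY_EXTENSIONS = {".exe", ".dll", ".js", ".jar", ".docx",
                    ".jse", ".vbs", ".wsf", ".hta", ".scr", ".lnk"}

# Document/image extensions that lures place before the real one ("evidence.pdf.js").
DECOY_EXTENSIONS = {".pdf", ".txt", ".jpg", ".png", ".doc"}


def classify_name(member_name):
    """Return the reasons a zip member name looks dangerous (empty list if none)."""
    reasons = []
    normalized = member_name.replace("\\", "/")
    base = posixpath.basename(normalized).lower()
    root, ext = posixpath.splitext(base)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
        _, inner_ext = posixpath.splitext(root)
        if inner_ext in DECOY_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext} hides the real type")
    # Member names that escape the extraction directory are a separate red flag.
    if normalized.startswith("/") or ".." in normalized.split("/"):
        reasons.append("path traversal in member name")
    return reasons


def inspect_zip_bytes(data):
    """Inspect an archive held in memory; returns {member_name: [reasons]} for flagged members.

    Only names are examined, so nothing is extracted or executed.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive mirroring the lure's file name; contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright Infringement Evidence.js", "// placeholder, not the real payload\n")
        zf.writestr("readme.txt", "plain text\n")
        zf.writestr("photos/proof.jpg.js", "// placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    findings = inspect_zip_bytes(build_sample_zip())
    if findings:
        print("Do NOT open this archive; flagged members:")
        for name, reasons in findings.items():
            print(f"  {name}: {'; '.join(reasons)}")
    else:
        print("No risky members found")
```

On the sample archive the two .js members are flagged and readme.txt passes. The same function can be pointed at a downloaded file with `inspect_zip_bytes(open(path, "rb").read())`; because it only reads member names, it is safe to run on an untrusted archive before deciding whether to extract it. It does not replace antivirus scanning (the post notes how few engines detected the payload) but it catches the obvious case of a "document" that is really a script.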
If you’ve received a similar phishing email, please post in the comments below [with the malware URL redacted] so others will find it when doing a Google search and avoid the risk of having their systems compromised.