The zip attachment of the "PURCHASE ORDER" email contains a bat file. This runs a PS, which infects the machine with malware. The stolen data is exfiltrated via SMTP.
Cybercrime, Conti ransomware attacks grow worldwide
CISA-FBI cybersecurity experts: Conti ransomware attacks grow worldwide. : The malware has been involved in more than 400 cybercrime aggressions on U.S. and international organizations
Cybercrime actors are increasing attacks worldwide involving Conti ransomware. It has been denounced by the US Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). According to the two agencies, the malware has been observed in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment. Threat actors often gain initial access to networks through:
- Spear phishing campaigns using tailored emails that contain malicious attachments or malicious links;
- Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware;
- Stolen or weak Remote Desktop Protocol (RDP) credentials;
- Phone calls;
- Fake software promoted via search engine optimization;
- Other malware distribution networks;
- Common vulnerabilities in external assets.