What is Lebal? New sophisticated malware found targeting several universities, government agencies
Researchers said the phishing attack included multiple layers designed to dupe even security vigilant users.
Security researchers have spotted a new strain of sophisticated malware that is targeting a number of high-profile entities, including five universities, 23 private companies and several government organisations.
According to researchers at Comodo Threat Research Labs, the developers behind the malware camouflaged their malicious payload in several layers. Rather than deploying the malware through the usual email attachments, Comodo said the hackers tried to build a "complicated chain to bypass technical security means and deceive human vigilance".
The phishing email, disguised as a message from FedEx, claims that the delivery service could not deliver a package that exceeded its "free-deliver limit" and the user must physically collect it at a nearby outlet.
It requests users to click on a link to download and print out an "attached label" that needs to be submitted in order to receive the parcel. The malicious link itself is disguised as a Google Drive link. Once a user clicks on it, the hackers' website pops up with the malicious "Lebal copy.exe" file ready to download.
Researchers also noted that "secure", "https" and "drive.google.com" are all present in the address bar to ward off any suspicions by vigilant users and trick them into believing the site is trustworthy.
"How can anyone know not to trust something with "google.com" in the address bar? But... the reality stings," researchers noted in a blog post. "For many, it's hard to believe, but skilled cybercriminals use drive.google.com for placing their phishing malware. And this case is not an isolated incident.
"Google – as well as many other cloud storage services – definitely should take urgent steps to solve this problem. At minimum, they should provide constant real-time checks for malware.
Masquerading as a normal Adobe Acrobat document, Lebal copy is actually a piece of malicious malware designed to harvest a slew of sensitive data from victims.
Once downloaded, the malware figures out the version of OS and applications running on the infected machine, steals private data from the user's browsers such as cookies and credentials, and scours for information about email and instant messenger clients.
The malware then pulls credentials from FTP clients such as FileZilla or WinSCP in an attempt to find and access any cryptocurrency wallets like Bitcoin or Electrum.
"In short, it grabs everything it can extract from a victim machine," Comodo wrote. "Finally, it makes a connection with cybercriminals' command-and-control server and passes all the gathered information to the attackers. It also tries to turn off OS defense means and hide itself from anti-malware tools in various sophisticated ways."
According to their analysis, researchers said this attack has been targeting 30 mail servers and appears to be linked to an IP address and domain in Sao Paolo, Brazil. All 328 phishing emails were sent on 8 January, they added.
The firm has not named the organisations targeted or specified where they are located. IBTimes UK has reached out to Comodo for further comment.
"Phishing emails become more sophisticated and refined," Fatih Orhan, head of Comodo Threat Research Labs, said. "Cybercriminals actively invent new methods to trick users into clicking on a bait link. As we can see from the example above, it is not so easy to distinguish a malicious file or link, even for a cybersecurity aware user. That's why for ensuring security today, companies need to not only train people for the cybersecurity vigilance skills but use reliable technical protection means as well."