A recent malicious payload delivery has been uncovered, tailored by geographic location. It’s a tactic not commonly used by attackers.
According to PhishMe analysis, on September 28 threat actors used a phishing narrative that claimed to deliver a scanned document needing the recipient's attention. Attached to the message was a .7z archive containing a malicious VBScript application tasked with obtaining and running the Locky ransomware or the TrickBot banking trojan. What was unique in this campaign is that before executing the intended payload, the VBScript determines where the target is located.
Depending upon the location of the target, they will be delivered different malware. This script is designed to deliver the TrickBot malware to targets in Great Britain, United Kingdom, Australia, Luxembourg, Belgium and Ireland. If outside of those locations, the target receives the Locky ransomware.
It is not uncommon for threat actors to deploy malicious payloads from multiple malware families during a single phishing campaign. These malware tools may include ransomware, a financial crimes trojan, or other botnet malware. However, it is not as common for those attackers to deploy different malware tools based upon the geographic location of their victim.
“By using different tools, attackers open up multiple fronts where network defenders and information security professionals are presented with multiple potential threats to address at the same time,” PhishMe researchers said in a blog. “Without the help of sufficient context, could create a scenario that puts network defenders at a disadvantage.”
To wit: By employing a geographical based approach to deliver malware, this forces enterprise security professionals, especially those who support multinational organizations, to formulate a response strategy that may vary from region to region. This adds in an additional level of complexity as defenders must devise a security plan for each region of operation.
“Involving actionable intelligence in the response planning phase can simplify this effort,” the researchers said. “By understanding the options for malware delivery, security professionals can realistically assess their options for defense and mitigation. Regardless of the malware payload, it is crucial for organizations to develop a plan to address and respond to a potential attack against network infrastructure.”