Original Release Date: 7/7/2023
The NJCCIC identified a "Christmas in July"-themed phishing campaign targeting New Jersey public organizations. In the above example, the body uses lighthearted verbiage to set the recipient at ease. The email contains a link that directs the target to a suspicious URL with a serving IP address of 193[.]3[.]19[.]220 located in Moscow. Notably, the corresponding indicators of compromise (IOCs) share similarities with those found in the recent Joint Cybersecurity Advisory on Truebot activity, and the Russian IP associated with this phishing campaign resides within the same CIDR range. The target is redirected through various proxies (1, 2, 3) to a final URL of precisiongroupsa[.]com/xzadf. An analysis of the example above was performed on a Windows OS and displayed various processes running in the background. An Open File – Security Warning dialog box opens and prompts the target to manually execute a JScript file (Any.Run image below). A headless PowerShell process is then initiated and attempts to execute several processes; however, analysis of the final payload is limited at this time due to sandbox evasion techniques.
The NJCCIC advises users to ignore and delete these phishing emails, report the activity to their IT department if applicable, and avoid releasing these types of correspondence from a quarantined environment to their inbox. Users are advised to refrain from responding to unsolicited communications or clicking links or opening attachments from unknown senders, and to exercise caution with communications from known senders. If unsure of the legitimacy of a message, contact the sender via a separate means of communication, such as by phone, before taking action. Phishing emails and other malicious cyber activity can be reported to the FBI's Internet Crime Complaint Center (IC3) and the NJCCIC.
Additionally, organizations are advised to implement filters at the email gateway to identify and block emails using known phishing tactics and those from suspicious IP addresses; to create an email gateway rule to flag communications in which the “reply” email address is different from the “from” email address; and to identify emails that originate outside their network by marking them with an “external email” tag in the subject and body, since these emails should be given additional scrutiny. Furthermore, organizations should create a policy and procedure to identify and report business email compromise (BEC) scams, including periodic employee awareness training; establish policies and procedures that require any requests for highly sensitive information or large financial transactions to be authorized and approved by multiple individuals via a secondary means of communication beyond email; and implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) to reduce the risk of email spoofing. Further information can be found in the SPF Technical Guide.
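The following is an added example, not part of the NJCCIC advisory, showing how three of the gateway controls above (blocking mail from suspicious IP ranges, flagging a Reply-To address that does not match the From address, and tagging external senders) can be expressed as a small rule set over a parsed message. The organization domain example.org, the CIDR 192.0.2.0/24 (a placeholder standing in for the campaign's actual range, which the advisory does not publish), and both sample messages are constructed for the example; a real deployment would source the block list from threat intelligence and the IOCs above.

```python
"""Added example (not the advisory's own tooling): minimal email gateway rules.

Assumptions, all constructed for this example:
  * the defending organization owns example.org
  * BLOCKED_NETWORKS holds a placeholder CIDR from the documentation range
  * the sample messages are fabricated and use only reserved example domains
"""
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAINS = {"example.org"}  # assumption: the defender's own mail domain(s)
# Placeholder block list; in practice populate from threat-intel feeds / advisory IOCs
BLOCKED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: external sender, mismatched Reply-To, connecting IP in a blocked range
PHISHING_EMAIL = """\
Received: from mail.example.net (mail.example.net [192.0.2.77])
    by mx.example.org with ESMTP; Fri, 7 Jul 2023 09:00:00 -0400
From: "Holiday Fun" <santa@example.net>
Reply-To: collector@example-replies.test
To: staff@example.org
Subject: Christmas in July!

Click here for your surprise gift.
"""

# Constructed sample: ordinary internal mail that should pass every rule
INTERNAL_EMAIL = """\
Received: from ws42.example.org (ws42.example.org [10.0.0.42])
    by mx.example.org with ESMTP; Fri, 7 Jul 2023 09:05:00 -0400
From: Alice <alice@example.org>
To: staff@example.org
Subject: Picnic sign-up

Reply to me by Monday.
"""


def _domain(header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    if header is None:
        return ""
    _, addr = parseaddr(str(header))
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """Rule 2: Reply-To present and pointing at a different domain than From."""
    reply_dom = _domain(msg["Reply-To"])
    return bool(reply_dom) and reply_dom != _domain(msg["From"])


def is_external(msg):
    """Rule 3: the From domain is not one of ours."""
    return _domain(msg["From"]) not in ORG_DOMAINS


def connecting_ip(msg):
    """Extract the IP from the top-most Received header (the one our own MX added)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", str(received[0]))
    return match.group(1) if match else None


def from_blocked_network(msg):
    """Rule 1: the connecting host falls inside a blocked CIDR range."""
    ip = connecting_ip(msg)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def apply_gateway_rules(raw_message):
    """Evaluate all rules and return the (possibly re-tagged) subject, flags, and action."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    if from_blocked_network(msg):
        flags.append("blocked-network")
    if reply_to_mismatch(msg):
        flags.append("reply-to-mismatch")
    subject = str(msg["Subject"] or "")
    if is_external(msg):
        flags.append("external")
        subject = "[EXTERNAL] " + subject  # tag so users apply extra scrutiny
    action = "quarantine" if "blocked-network" in flags else "deliver"
    return {"subject": subject, "flags": flags, "action": action}


if __name__ == "__main__":
    for sample in (PHISHING_EMAIL, INTERNAL_EMAIL):
        print(apply_gateway_rules(sample))
```

Only the blocked-network rule quarantines outright; the Reply-To mismatch and external tag are deliberately advisory, because both occur in legitimate mail (mailing lists, ticketing systems, vendors), and the advisory's point is that they warrant additional scrutiny rather than automatic rejection.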