A newly identified hacker has been found impersonating the U.S. Postal Service and other government agencies to deliver and install backdoor malware at organizations in Germany, Italy and the United States, according to new research. The campaigns are consistent with an emerging tactic among hackers: using increasingly sophisticated social engineering and spoofing to deliver malware. The hacker sent malicious email messages to recipients in business and IT services, manufacturing and healthcare.
The hacker used different tools to deliver each of the country-specific campaigns, impersonating organizations that would be familiar to users in those countries in order to lure victims. Lures included emails informing recipients of the urgent need to open documents to avoid tax penalties, or to view tax refunds before a processing deadline, among others, researchers noted.
The hacker used the commercial software Cobalt Strike in its attacks. The tool is generally used for penetration testing and emulates the type of backdoor framework provided by Metasploit, a similar penetration testing tool. Although the software has legitimate uses, this is not the first time hackers have turned it to malicious purposes: other groups, including Cobalt Group, APT32 and APT19, also have deployed it as malware in their campaigns.
The newly observed activity is evidence of a growing trend that security teams already have seen, in which email-based attacks are becoming more socially savvy. The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape.