
Image: Cofense
Cybercriminals have upped their game with a phishing campaign so cunning that it offers victims a choice between stolen credentials and a malware infection. Titled “Pick Your Poison”, the campaign was recently analyzed by the Cofense Phishing Defense Center (PDC), which found a hybrid attack that abuses files.fm, a legitimate file-sharing platform, to deliver a double-edged payload.
The attack begins with a seemingly innocuous email, often disguised as a notification from a legitimate file-sharing service. In the case highlighted by the Cofense PDC, the email appeared to be a reminder regarding file deletion from files.fm, a cloud storage and file-sharing service. The email warns of an impending file deletion, urging the recipient to take immediate action to save or download the file. This creates a sense of urgency, a common tactic used in phishing attacks to prompt hasty clicks without careful scrutiny.
Upon clicking the embedded hyperlink, users are taken to a genuine files.fm page, further enhancing the illusion of safety. Because the link resolves to the real files.fm domain, hovering over it or running it through a URL reputation check raises no warning; the malicious content is the hosted file itself. The deception culminates when users open the shared file, triggering either credential phishing or malware delivery. As the report states, “The key deception lies in the next step: when users open the shared file, the phishing attack and malware delivery are triggered.”

The truly insidious nature of this attack lies in the choices presented to the victim. The shared file is a PDF that typically offers two options, “Preview” and “Download”. Both lead to malicious outcomes. As the report emphasizes, “The most fascinating aspect of this cyberattack is that the ‘Preview’ and ‘Download’ hyperlinks are subjected to two different types of attacks, almost as if the threat actor intentionally designed the attack to trap the user, forcing them to choose which ‘poison’ they will fall for.”
- Preview: The Phishing Trap
Clicking “Preview” directs users to a fake login page meticulously designed to mimic the Microsoft sign-in screen. These pages, while convincingly similar to the real thing, exist only to harvest credentials. The red flags are there for anyone who looks: the page is not served from a Microsoft sign-in host such as login.microsoftonline.com, and a genuinely shared document would not ask the recipient to re-enter their credentials. Hurried or unsuspecting users overlook both.
- Download: The Malware Delivery
Choosing the “Download” option initiates the download of an executable file. The file carries a deceptive name such as ‘Secured OneDrive.ClientSetup.exe’ to masquerade as a legitimate application; in reality, running it installs malware on the user’s system. This is classic social engineering: the file name borrows the trust the user already places in a familiar product.
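The “Preview” branch above turns on one check a user or analyst can make: whether the sign-in page actually lives on a Microsoft host. The following is an added example, not code from the Cofense report, showing how to make that check strictly, including the suffix look-alike (login.microsoftonline.com.docs-share.example) and userinfo (login.microsoftonline.com@docs-share.example) tricks that defeat a naive “does the URL contain microsoftonline” test. The MICROSOFT_LOGIN_HOSTS allowlist and all sample URLs are assumptions constructed for this example.

```python
"""Strict check of where a 'Microsoft' sign-in link really points.

Added example (not code from the Cofense report). MICROSOFT_LOGIN_HOSTS is
an assumed list for this example; the sample URLs below are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Public hosts that serve Microsoft account / Entra ID sign-in pages. Assumed
# list for this example; add your own federation (ADFS) hosts if you use them.
MICROSOFT_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
})


def classify_login_url(url: str) -> tuple[bool, str]:
    """Return (is_legitimate, reason).

    Only an exact, case-insensitive match on the parsed host over HTTPS
    passes. Substring matching is deliberately avoided: a phishing page at
    login.microsoftonline.com.docs-share.example contains the real name but
    is not the real host.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    host = parts.hostname  # strips userinfo and port, lowercases
    if not host:
        return False, "no host"
    if "@" in parts.netloc:
        # https://login.microsoftonline.com@docs-share.example/ : the browser
        # connects to docs-share.example; everything before '@' is userinfo.
        return False, f"userinfo trick, real host is {host}"
    if host in MICROSOFT_LOGIN_HOSTS:
        return True, "allowlisted host"
    if any(good in host for good in MICROSOFT_LOGIN_HOSTS):
        return False, f"look-alike host {host} embeds a Microsoft name"
    return False, f"unknown host {host}"


def triage(urls: list[str]) -> dict[str, tuple[bool, str]]:
    """Verdict per URL, e.g. over every link extracted from the lure PDF."""
    return {u: classify_login_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed samples: one real sign-in URL and three phishing shapes.
    for url, (ok, why) in triage([
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com.docs-share.example/",
        "https://login.microsoftonline.com@docs-share.example/",
        "http://login.microsoftonline.com/",
    ]).items():
        print(f"{'OK  ' if ok else 'BAD '} {url}  ({why})")
```

The same allowlist idea works in a mail gateway or proxy rule: compare the parsed hostname exactly, never the raw string, and treat anything outside the list as a credential-harvesting candidate.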
In many cases, the downloaded file installs a remote access tool; the report names ConnectWise RAT, meaning the client of ConnectWise Control (the product formerly sold as ScreenConnect). ConnectWise Control is legitimate software for remote support and access, and that is exactly the appeal: the attacker deploys a client enrolled to an instance they control and gets the remote desktop, file transfer and command execution a support technician would have, while the binary on disk is a signed commercial product rather than custom malware. From there they can control the system, steal data, and move laterally within the network.
The malware also establishes persistence to survive on the infected system, including a registry autostart entry so it launches with each boot. As the report explains, “This registry modification allows the malware to reactivate with each system restart, serving as a reliable fallback mechanism.”
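The report’s quote does not name the exact registry location, so the following added example (not the report’s code) assumes the most common form of that mechanism, a value under the HKCU or HKLM ...\CurrentVersion\Run key, and triages the text that `reg query` prints for those keys. It flags autostart entries that launch from a download or temp directory, that carry an installer-style name, or that reference a ScreenConnect/ConnectWise client. The sample `reg query` output, the value names, and the ScreenConnect client path are all constructed for this example.

```python
"""Triage Run-key autostart entries for the persistence pattern above.

Added example, not the Cofense report's code. Assumes the autostart is a
Run-key value and parses `reg query` text output; SAMPLE_REG_QUERY is
constructed (value names, paths and the ScreenConnect client path included).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed `reg query <key>` output: a benign OneDrive entry, the campaign's
# deceptively named installer dropped in Downloads, a stock Windows entry, and
# a ScreenConnect (ConnectWise Control) client.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Secured OneDrive    REG_SZ    "C:\Users\jdoe\Downloads\Secured OneDrive.ClientSetup.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ScreenConnect Client (a1b2c3)    REG_SZ    "C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"
"""

# Directories a victim's browser writes to; nothing legitimate should register
# an autostart straight out of them.
STAGING_DIRS = ("\\downloads\\", "\\temp\\", "\\users\\public\\")
# Remote-access software named in the report. A hit is not proof of compromise
# (the product is legitimate); it is a prompt to check the approved RMM inventory.
RMM_KEYWORDS = ("screenconnect", "connectwise")


@dataclass
class Finding:
    key: str
    name: str
    path: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 2


def parse_reg_query(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, data) triples from `reg query` output.

    Value lines are indented and column-separated by runs of spaces; a value
    name may itself contain single spaces, so split on two-or-more only.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            key = line
            continue
        fields = re.split(r"\s{2,}|\t", line, maxsplit=2)
        if key and len(fields) == 3:
            entries.append((key, fields[0], fields[2]))
    return entries


def executable_path(data: str) -> str:
    """Pull the program out of a Run value: quoted path, else the first token
    (an unquoted path containing spaces is cut short; a known limitation)."""
    m = re.match(r'"([^"]+)"|(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def score_entry(key: str, name: str, data: str) -> Finding:
    path = executable_path(data)
    f = Finding(key=key, name=name, path=path)
    p = path.lower()
    if any(k in p or k in name.lower() for k in RMM_KEYWORDS):
        f.score += 2
        f.reasons.append("remote-access client (ScreenConnect/ConnectWise) set to autostart")
    if any(d in p for d in STAGING_DIRS):
        f.score += 2
        f.reasons.append("autostart from a download/temp staging directory")
    elif "\\appdata\\" in p:
        f.score += 1
        f.reasons.append("runs from user-writable AppData (weak signal on its own)")
    if re.search(r"setup|install", p.rsplit("\\", 1)[-1]):
        f.score += 1
        f.reasons.append("installer-named binary registered for autostart")
    return f


def triage_run_keys(text: str) -> list[Finding]:
    return [score_entry(*e) for e in parse_reg_query(text)]


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG_QUERY):
        print(f"{'SUSPICIOUS' if f.suspicious else 'ok':10} {f.name!r} -> {f.path}")
        for r in f.reasons:
            print(f"             - {r}")
```

On a live host, feed it the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and the HKLM equivalent. The scoring is deliberately conservative: OneDrive launching from AppData scores one point and passes, while an installer-named binary in Downloads, or any ScreenConnect client the RMM inventory does not account for, crosses the threshold.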