
Attack flow | Image: Trellix
Trellix’s Advanced Research Center has uncovered a highly targeted and stealthy spear-phishing campaign aimed at finance executives across Europe, Africa, the Middle East, Canada, and South Asia. The attackers’ goal? Trick victims into installing NetBird, a legitimate WireGuard-based remote access tool, under the guise of a career opportunity from Rothschild & Co.
The phishing operation combines clever social engineering with evasive tactics such as Firebase hosting, JavaScript-based custom CAPTCHAs, and staged VBS downloaders, effectively bypassing many standard email and web defenses.
The initial phishing email is carefully crafted to impersonate a Rothschild & Co recruiter and presents an enticing “strategic opportunity” in financial leadership. Instead of a real PDF, the attached brochure is a Firebase-hosted webpage disguised as a file.
“The attached ‘brochure’ isn’t a PDF but a Firebase-hosted page hiding behind a math-quiz custom CAPTCHA,” the report states.
Once the victim solves the CAPTCHA, they are redirected to a site that delivers a ZIP archive—Rothschild_&_Co-6745763.zip—containing a VBS script that initiates the malware installation chain.
Once executed, the VBS script silently downloads a secondary VBS payload that:
- Installs NetBird and OpenSSH via MSI files.
- Creates a hidden local admin account (user / Bs@202122).
- Enables RDP access, configures firewall rules, and sets NetBird to auto-start.
- Deletes desktop shortcuts to avoid detection.
“The script creates a hidden local account… flips on Remote Desktop while opening the firewall… and removes any NetBird desktop shortcuts,” the report explains.
This results in persistence and remote access via encrypted channels—an ideal foothold for lateral movement and potential data exfiltration.
The phishing pages are hosted on Firebase and other Google-hosted app platforms, making them appear trustworthy. They use custom JavaScript-based CAPTCHAs that decrypt hidden redirect URLs upon user interaction, bypassing conventional detection mechanisms.
“Attackers are leaning on these custom CAPTCHA gates more and more, hoping to slip past defenses,” the report warns.
Trellix notes that these tactics mimic or overlap with previous nation-state phishing operations, though no attribution has been made as of this writing.
Trellix’s researchers identified similar infrastructure reused in older campaigns. Notably, an older page impersonating SharePoint was found still delivering the same VBS payload, suggesting a broader operation likely reusing toolkits and hosting setups.
“The page is still live… and it serves a ZIP… that archive drops the same VBS payload seen in the current campaign,” the report notes.
The Autorité des marchés financiers (AMF) in France also recently warned of phishing attacks impersonating the organization. Trellix confirmed IOC overlaps with its current findings, though the lures differ.
Organizations should monitor for traffic to Firebase and other Google-hosted web-app domains, scrutinize CAPTCHA behavior on pages reached from email links, and block suspicious MSI and VBS execution flows at the endpoint.
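As an added illustration (not code from the Trellix report), the following Python correlation rule flags the post-execution chain described above in endpoint telemetry: a NetBird or OpenSSH MSI install or service registration on the same host within 15 minutes of a new local account joining Administrators or Remote Desktop being switched on. The event records are constructed samples in a simplified JSON-lines shape; the host names, timestamps, field names and the 15-minute window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)           # per-host correlation window (assumption)
REMOTE_ACCESS = ("netbird", "openssh")   # the two MSI packages named in the report
# Constructed sample telemetry (not real logs): FIN-LT-07 shows the full chain, HR-WS-02 is a benign MSI install.
SAMPLE_EVENTS = r"""
{"ts":"2025-05-12T09:01:25","host":"FIN-LT-07","source":"MsiInstaller","event_id":11707,"product":"NetBird"}
{"ts":"2025-05-12T09:01:40","host":"FIN-LT-07","source":"MsiInstaller","event_id":11707,"product":"OpenSSH"}
{"ts":"2025-05-12T09:01:55","host":"FIN-LT-07","source":"Security","event_id":4720,"account":"user"}
{"ts":"2025-05-12T09:02:05","host":"FIN-LT-07","source":"Security","event_id":4732,"account":"user","group":"Administrators"}
{"ts":"2025-05-12T09:02:20","host":"FIN-LT-07","source":"Sysmon","event_id":13,"target":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","value":"0"}
{"ts":"2025-05-12T09:02:30","host":"FIN-LT-07","source":"System","event_id":7045,"service":"Netbird"}
{"ts":"2025-05-12T10:30:00","host":"HR-WS-02","source":"MsiInstaller","event_id":11707,"product":"7-Zip"}
"""

def classify(ev):
    """Map one event to a stage of the chain, or None if it is not of interest."""
    src, eid = ev.get("source"), ev.get("event_id")
    if src == "MsiInstaller" and eid == 11707 and ev.get("product", "").lower().startswith(REMOTE_ACCESS):
        return "remote_access_msi"          # MSI install completed for NetBird/OpenSSH
    if src == "System" and eid == 7045 and "netbird" in ev.get("service", "").lower():
        return "remote_access_service"      # new service registered (auto-start persistence)
    if src == "Security" and eid == 4720:
        return "local_account_created"      # new local user
    if src == "Security" and eid == 4732 and ev.get("group") == "Administrators":
        return "added_to_admins"            # hidden local admin account
    if src == "Sysmon" and eid == 13 and ev.get("target", "").endswith("fDenyTSConnections") and ev.get("value") == "0":
        return "rdp_enabled"                # Remote Desktop switched on
    return None

def detect(jsonl):
    """Return one alert per host where a remote-access install co-occurs with admin/RDP setup."""
    per_host = defaultdict(list)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()                         # chronological, so hits[i:] is the forward window
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if stages & {"remote_access_msi", "remote_access_service"} and stages & {"added_to_admins", "rdp_enabled"}:
                alerts.append({"host": host, "stages": sorted(stages)})
                break
    return alerts
```

Run `detect(SAMPLE_EVENTS)` to see the single alert for FIN-LT-07; the benign 7-Zip install on HR-WS-02 produces no stage and therefore no alert.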