
Website owners are being targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware.

For over a year, threat actors tracked as TA578 have been conducting these attacks where they use a website's contact page to send legal threats to convince recipients to download a report of the offending material.

These reports allegedly contain proof of DDoS attacks or copyrighted material used without permission but instead infect a target's device with various malware, including BazarLoader, BumbleBee, and IcedID.

Switching to Yandex forms

This week, BleepingComputer received a new version of the "Copyright infringement" threat pretending to be from Zoho, stating that we are utilizing their copyrighted images.

"Hello,
Your website or a website that your organization hosts is infringing on a copyrighted images owned by our company (zoho Inc.).

Check out this report with the links to our images you used at www.bleepingcomputer.com and our previous publication to get the proof of our copyrights.

Download it now and check this out for yourself:
https://forms.yandex.com/u/62c3f14d59f1f7ef4295d2c1/success/?0=742998805032103091

I do think you've willfully infringed our rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damage as high as $130,000 as set forth in Section 504 (c) (2) of the Digital Millennium Copyright Act (”DMCA”) therein.

This message is official notification. I seek the removal of the infringing materials mentioned above. Please take note as a company, the DMCA demands you to remove or terminate access to the copyrighted materials upon receipt of this particular letter. In case you don't stop the use of the above mentioned copyrighted content a court action will likely be started against you.

I do have a strong faith belief that use of the copyrighted materials described above as allegedly violating is not approved by the legal copyright owner, its legal agent, or the law.

I declare, under consequence of perjury, that the information in this message is correct and hereby affirm that I am authorized to act on behalf of the proprietor of an exclusive and legal right that is allegedly infringed.

Best regards,
Christian Brdakic
Legal Officer
zoho, Inc.
zoho.com
07/06/2022"

However, what was different with this campaign is that instead of using Google Drive or Google Sites to host their alleged "reports" like they did in the past, the threat actors are now using Yandex Forms.

Yandex Forms is a free service that allows users to create customized online forms but can also be used by threat actors to create phishing landing pages.

When a person clicks on the forms.yandex.com link in the copyright complaint, they are brought to a webpage that states, "File 'Stolen Images Evidence' is ready for download."

Phishing landing page on Yandex Forms
Source: BleepingComputer

After a brief delay, the Yandex Form downloads an ISO file named 'Stolen_ImagesEvidence.iso' from a firebasestorage.googleapis.com link embedded in the form.

An ISO file is a disk image file format that will mount as a new drive letter when opened in Windows 10 and Windows 11 so that you can access the enclosed files.

ISO files have become a popular attachment in phishing attacks because the Mark-of-the-Web is not propagated to the files contained within them, so Windows does not warn that they are risky when you attempt to open them.

After double-clicking on the ISO file, a new drive letter will open containing what appears to be a 'documents' folder and a randomly named DLL file, as shown below.

Contents of the Stolen_ImagesEvidence.iso file
Source: BleepingComputer

However, this documents folder is actually a Windows shortcut that, when double-clicked, will cause a malicious DLL file to be executed using the rundll32.exe command, as shown in the shortcut's properties below.

Properties of the enclosed documents shortcut
Source: BleepingComputer
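A shortcut like the 'documents' one above can be inspected without opening it. The following is an added example, not code from the article or from BleepingComputer: a minimal Python parser for the Shell Link (.lnk) format that reads the target path and arguments from the StringData section and flags shortcuts that hand a DLL to rundll32.exe. The sample shortcut bytes, the DLL name and the entry point are constructed for the demo.

```python
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # ShellLinkHeader is always 76 bytes
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: its 4-byte size counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:              # StringData entries appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + width * count]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + width * count
    return fields

def is_rundll32_lure(fields: dict) -> bool:
    """Flag a shortcut whose target launches rundll32.exe against a DLL, as in the ISO lure."""
    cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return "rundll32" in cmd and ".dll" in cmd

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal constructed .lnk (no IDList/LinkInfo) so the parser can run offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0)
    header += b"\x00" * 10                       # Reserved1/2/3 pad the header to 76 bytes
    body = b""
    for text in (relative_path, arguments):      # CountCharacters + UTF-16LE characters
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body
```

On a real shortcut, read the file bytes and pass them to parse_lnk; a target of rundll32.exe with a DLL argument sitting next to a folder-looking icon is the pattern described in the properties screenshot above.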

This DLL is a loader for IcedID, a modular banking trojan that can steal Windows credentials and deploy additional payloads, such as Cobalt Strike beacons, that give attackers initial access to networks. These secondary payloads often lead to full-blown ransomware attacks on the now-breached network.

As seen from the contact form submission, these copyright complaints can be pretty convincing and use threats of legal action to add urgency to the message. Unfortunately, this urgency commonly leads to people throwing caution to the wind and opening the malicious files.

Therefore, it is important to always stay calm when receiving emails like these and to scan unknown or suspicious files using VirusTotal before opening them on your computer.
