Having tracked the activities of threat actors suspected of being involved in a large number of malicious spam attacks targeting organizations based in Turkey, Sophos researchers determined that the attackers flew under the radar using Excel formula injections to deliver the payload.
“The threat actor predominantly targets victims based in Turkey using malspam email messages written in the Turkish language. The spam author’s grasp of Turkish grammar, among other indicators, lends credibility to the hypothesis that both the origin and targets of this campaign are in Turkey,” wrote Sophos’s Gabor Szappanos in a July 12 blog post.
Researchers suspect that the method of attack may soon extend beyond the borders of the Türkiye Cumhuriyeti. “Successful ideas eventually infiltrate the entire crimeware ecosystem, and while this may not be the most effective tool for criminals, they can still use it like any other tool in the toolbox.”
While the attack itself wasn’t highly sophisticated, it used a novel means of delivering malware through simple email messages sent with Excel file attachments that carry out the attack, yet another example of the many ways attackers are evolving their methods to go unnoticed.
Several samples of phishing emails revealed the attackers followed the same structure in crafting the lures. “Later analysis revealed that the emails were generated by a builder that randomly selected from predefined sentence components, which explains the similarities,” Szappanos wrote.
As the email messages evolved, they grew more cryptic, which researchers suspect was due to the threat actor’s attempt for the message to appear less mechanical.
During analysis, researchers found Windows programs hosed on additional servers that were hosting the payload malware.
“These files were not downloaded by the Excel files, but they must have been placed on the servers by the threat actor. We see no reason for storing them on the servers. The executables in question turned out to be builder programs that generate both the malicious attachment files and the randomized malspam message. These tools also have SMTP mailer functionality to send out the malspam with the attachment."