‘Beyond the Grave’ phishing campaign targets hedge funds

• A new phishing campaign dubbed ‘Beyond the Grave’ targets hedge funds and financial institutions.
• The companies that have been infected by the ‘Beyond the Grave’ virus includes Elliot Advisors, Capital Fund Management, AQR, Citadel, Baupost Group, and Marshall Wace.

What is the issue - A new phishing campaign dubbed ‘Beyond the Grave’ targets hedge funds and financial institutions.

Why it matters - A member who goes by the name ‘XanderBauer’ posted in BleepingComputer forums stating, ‘Beyond the Grave Virus infecting Hedge Funds’. In the post, XanderBauer stated that a new virus named ‘Beyond the Grave’ which is designed to affect the confidentiality of hedge funds has emerged.

This campaign targets the US and international hedge funds.

Who are the targets - The companies that have been infected by the ‘Beyond the Grave’ virus includes,

• Elliot Advisors
• Capital Fund Management
• AQR
• Citadel
• Baupost Group
• Marshall Wace

“BYTG will continue to attack banking and financial institutions. Palantir and FireEye are currently investigating the Beyond the Grave virus,” the post read.

XanderBauer also attached a few screenshots in the forum post which indicated that apart from the above mentioned 6 companies, another company named Alliance Bernstein has also been targeted.

The contents of the phishing email

The screenshots also revealed that the phishing emails purported to be from a financial research company named Aksia. The email body contained research details related to ESMA suspending short-selling during Brexit and included a link to the research.

“Dear Bill, Aksia’s Investment Research team has been working on the EU plans for Brexit, and in particular, the European Securities and Market Authority discussing the possibility of suspending short selling during the critical days around 29th March 2019.

While we continue researching the issue to examine the likelihood of this move being concerted with other financial regulators worldwide we have prepared a two-page briefing on the subject so that hedge funds can better analyze their position.

Our current best analysis is that the most likely scenario is for short selling to be abruptly suspended at the Asian market open on 27th March 2019 only to be reinstalled no earlier than after the Easter break,” the email read, BleepingComputer reported.

Upon clicking the link, it opens a blank page. However, the attacker described in an image that victims responded to the phishing email asking for more details as the link does not work.

The bottom line - These kinds of phishing campaigns continue to evolve, therefore, users must exercise caution while opening any email attachments that are from anonymous senders. It is recommended to always check the legitimacy of an URL before clicking it.