What is the issue - Researchers from Cisco Talos observed a new malspam campaign with signed emails that distribute the Gootkit banking trojan via the multi-stage malware downloader called JasperLoader.
Why it matters - This malspam campaign primarily targets Central Europe, with a focus on Italy and Germany.
The big picture
Cisco Talos researchers noted that these malicious campaigns included legitimate-looking malicious file attachments or ZIP files that contain JS and XML files disguised as PDF invoices.
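The attachment pattern described above (a ZIP carrying a script whose name borrows a PDF or other document extension, such as an "invoice.pdf.js" decoy) is something a mail gateway or triage script can flag before the archive is opened. The following is an added example written for this summary, not code from Cisco Talos or the JasperLoader write-up; the member names in the sample archive are constructed, and the extension lists are an assumed starting set rather than anything the campaign analysis specifies.

```python
import io
import zipfile

# Extensions that mark an archive member as an executable Windows script
# (JScript, VBScript, Windows Script Files, HTA, PowerShell, batch). Assumed set.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat"}

# Document extensions that a decoy borrows to look like an invoice. Assumed set.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}

# Constructed sample: an "invoice" archive with one disguised script and two
# benign-looking members. Not real malware; the script body is a placeholder.
SAMPLE_MEMBERS = {
    "Fattura_2019.pdf.js": "WScript.Echo('constructed placeholder');",
    "Fattura_2019.xml": "<fattura/>",
    "README.txt": "constructed sample archive",
}


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: text} so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, body in members.items():
            archive.writestr(name, body)
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) pairs for archive members that look like scripts.

    A member is flagged when its final extension is a script type. If the name
    also carries a document extension just before the script extension
    (e.g. "invoice.pdf.js"), the reason records the masquerade. Plain XML
    members are not flagged on their own: they are not executable by themselves,
    so the script member is the actionable indicator.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            # Look only at the file name, not any directory prefix inside the ZIP.
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            if len(parts) < 2:
                continue  # no extension at all
            final_ext = "." + parts[-1]
            if final_ext not in SCRIPT_EXTENSIONS:
                continue
            reason = "script extension"
            if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
                reason = "document extension masking a script"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for member, reason in suspicious_members(build_archive(SAMPLE_MEMBERS)):
        print(f"FLAG {member}: {reason}")
```

Because the check only reads the central directory of the ZIP, it can run on an attachment without extracting or executing anything, and it applies equally to signed and unsigned mail: a valid PEC signature says who sent the message, not what the archive contains.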
“JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process,” researchers wrote in a blog.
Worth noting - In these campaigns, attackers use legitimate certified email services, such as Posta Elettronica Certificata (PEC) used in Italy, Switzerland and Hong Kong, to send signed emails.
Signing malspam emails lends them legitimacy and makes targets more likely to open them.
“In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader,” researchers concluded.