A new trojan named as Muncy has been found targeting users worldwide. The malware is distributed via a phishing campaign that impersonates the logistics giant DHL, a popular shipment distribution firm, to lure users. Apart from spoofing the emails, the threat actors are also leveraging the poorly configured SMTP servers to spread the malware.
According to Segurança Informática (SI) Lab, the phishing email that is used to carry out this campaign is <support@dhl[.]com>. In order to deceive the users, the email is propagated under the subject line of ‘DHL SHIPMENT NOTIFICATION’. This email comes attached with a malicious attachment, which if opened, results in the download of an .exe file. The .exe file installed on the victim’s machines is actually the Muncy trojan.
Once executed, the malware scans the infected machine and collects personal information including FTP data. After the initial execution of the malware, a new process is created and executed. This includes scanning the user’s C:\ drive and sending sensitive information to sameerd[.]net, the domain managed by cybercrooks.
“The malware is packed, and during the malware analysis, we cannot unpack it. After the first execution, it is unpacked to the PE File .data section that was empty at start. The threat executes a scan to all C:\ drive trying to find sensitive data and files (mainly FTP files) and that will be send to a final endpoint managed by crooks (sameerd.net),” explained the SI-Lab researchers.
Furthermore, the researchers also observed that no persistence was identified in the user’s device during malware infection life cycle.
You must be cautious when you receive such emails. If you are not expecting any orders, then ignore the email as this can be a social engineering tactic to steal your personal data.
Researchers noted that the discovery of the new Muncy malware highlights how bad actors are quickly adapting attack techniques and artifact characteristics to launch their attack campaigns successfully, without even being detected.