An email phishing campaign has attempted to infect unsuspecting victims with the Adwind cross-platform remote access trojan (RAT), using lures that purport to be an important document from the SWIFT financial messaging system.
Security researchers from Comodo Group’s Threat Research Lab have discovered a campaign of targeted spam messages alerting recipients to a bank transfer made to their designated bank accounts and advising them to review an attached document to avoid discrepancies. The purported .pdf file is in fact the Adwind remote access trojan, a Java-based RAT that runs on any system with a Java runtime installed.
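The lure depends on a recipient trusting the attachment's name rather than its contents. One check a mail gateway or incident responder can run is to compare each attachment's declared extension with its leading magic bytes and flag the pair when they disagree (a Java archive is a ZIP container, so a JAR starts with `PK\x03\x04`, never with `%PDF-`). The code below is an added example, not Comodo's code and not an artifact from this campaign; the message it parses is constructed inline for illustration, and the names `SWIFT_transfer_notice.pdf` and `invoice.pdf` are assumptions.

```python
"""Flag e-mail attachments whose bytes do not match the file type their name claims.
Added example; the sample message is constructed here, not taken from the campaign."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the formats that matter for this kind of lure.
# A JAR is a ZIP container, so "zip" covers both .zip and .jar.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}

# Map file extensions onto the same kind labels used in MAGIC.
EXT_ALIASES = {"pdf": "pdf", "zip": "zip", "jar": "zip", "exe": "exe", "scr": "exe"}

# Extensions a phisher likes to hide behind in a double-extension name (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def sniff(data: bytes) -> str:
    """Return the kind implied by the attachment's magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def declared_kind(filename: str) -> str:
    """Return the kind implied by the last extension in the filename, or 'unknown'."""
    if "." not in filename:
        return "unknown"
    return EXT_ALIASES.get(filename.rsplit(".", 1)[-1].lower(), "unknown")


def has_double_extension(filename: str) -> bool:
    """True for names like 'notice.pdf.jar', where a document extension sits before the real one."""
    parts = filename.lower().split(".")
    return len(parts) > 2 and parts[-2] in DOCUMENT_EXTS


def check_attachments(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and describe every attachment, marking mismatches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        actual = sniff(payload)
        declared = declared_kind(name)
        findings.append({
            "filename": name,
            "declared": declared,
            "actual": actual,
            "mismatch": actual != declared,
            "double_extension": has_double_extension(name),
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed message: one ZIP/JAR header wearing a .pdf name, one genuine-looking PDF."""
    msg = EmailMessage()
    msg["From"] = "notifications@example.invalid"   # assumed sender, not the campaign's
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "SWIFT transfer notification"
    msg.set_content("A transfer was made to your account. Please review the attached document.")

    # Constructed lure: a ZIP local-file header followed by a manifest name, as a JAR would start.
    fake_jar = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"META-INF/MANIFEST.MF"
    msg.add_attachment(fake_jar, maintype="application", subtype="pdf",
                       filename="SWIFT_transfer_notice.pdf")

    # Constructed benign PDF for contrast.
    real_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    msg.add_attachment(real_pdf, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> list:
    """Return only the findings a reviewer should look at."""
    return [f for f in check_attachments(raw) if f["mismatch"] or f["double_extension"]]


if __name__ == "__main__":
    for finding in check_attachments(build_sample_message()):
        print(finding)
```

The check is deliberately content-based: the declared MIME type (`application/pdf` on both parts above) is attacker-controlled and is ignored. In a gateway this would sit in front of the detonation or sandbox step, so that a "document" that is really an archive or an executable never reaches the user's mail client in the first place.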
Researchers suspect that this particular variant was used to spy on victims and carry out reconnaissance, and then to download additional malware chosen on the basis of what the attackers had learned about the environment.
Malicious emails purporting to originate from SWIFT are particularly effective: the promise of money provokes an emotional response that overrides critical thinking, which makes it more likely that the victim will open the attachment.
“When it comes to an enterprise’s financial accounts, the emotions rise even more,” researchers wrote. “If an employee receives an email, they will be afraid to not open it. What if they pass up something very important for the enterprise? Could they be punished for not looking into that email? Consequently, the chances that a potential victim will click on the infected file grow.”
Much of the attack traffic came from IP addresses in the Netherlands, Cyprus and Turkey. The attack lasted nearly nine hours on February 9.
Fatih Orhan, head of the Comodo Threat Research Lab, said:
As we see, cybercriminals more and more often use finance-related topics as bait to make users download malware and infect an enterprise’s network. They combine technical and human patterns as an explosive combination for breaking down the door to let the malware in. But it only works if the company has been careless about the right defense of that door.