Copyright Infringement
12 February 2025
By Samantha Clarke, Hiwot Mendahun and the Mimecast Threat Research team
What you'll learn in this notification
- Targeting the Retail, Travel and Hospitality sectors, predominantly in the UK and US
- Consistent traffic picking up from August 2024 until the end of the year
- The primary intent is to deliver an infostealer to exfiltrate sensitive data
Campaign Flow
Mimecast Threat Researchers have been monitoring and investigating an infostealer campaign targeting various organizations, with a focus on the Retail, Travel and Hospitality industries. The campaign sees threat actors impersonating well-known law firms and contacting businesses about an alleged copyright infringement, to lure victims into downloading malicious files from Dropbox. The malicious files deliver malware in the form of various infostealers.
The campaign is distributed through Mail Merge, a service that enables the distribution of personalized bulk email campaigns by integrating recipient-specific data into templates. Threat actors exploit free trial accounts from Mail Merge in conjunction with Gmail to orchestrate and distribute large-scale email campaigns. By abusing legitimate platforms, they bypass certain DNS-based email authentication checks, ensuring the successful delivery of their malicious campaigns.
Once the user downloads the files and runs the executable, it makes use of a GitHub repository belonging to LoneNone1807 which hosts several malware files. The repository includes a recent campaign that begins with a highly obfuscated batch file, which, when executed, downloads and installs two types of malware: XWorm and RedLine. XWorm is a remote access trojan (RAT) that allows attackers to control infected systems, while RedLine is an information stealer designed to extract sensitive data from victims. The malware employs advanced obfuscation techniques, using heavily encoded batch scripts with layers of nested commands and dynamically generated payloads to bypass traditional detection mechanisms.
Mimecast observed a steady stream of campaigns initially starting around July and picking up around August, with the biggest spike for this campaign in December.
Several analyses have been conducted on malware found on the LoneNone1807 GitHub account, including a recent malware campaign that begins with a highly obfuscated batch file. The full details of the malware's capabilities can be read in the SANS research.
Tactics, Techniques and Procedures:
T1566.002: Phishing - Spearphishing Link
T1102.001: Web Service - Dead Drop Resolver
T1071: Application Layer Protocol (Command and Control)
T1574.002: Hijack Execution Flow - DLL Search Order Hijacking
T1562.001: Impair Defenses - Disable or Modify Tools
T1497: Virtualization/Sandbox Evasion
T1056: Input Capture
T1010: Application Window Discovery
T1082: System Information Discovery
Mimecast Protection
We have identified several attributes in the campaigns which have been added to our detection capabilities.
Targeting:
UK and US, predominantly the Retail, Travel and Hospitality sectors
IOCs:
File Hashes:
Recommendations
- Ensure that an Attachment Protect policy and a URL Protect policy are configured to protect the organization.
- Search through your email receipt logs to determine if any of the file hashes have been delivered to your users.
- Educate end users around the continued trend of legitimate tools being used in malicious campaigns.
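As an added example of the log sweep recommended above (this is not Mimecast's own tooling), the script below checks constructed JSON-lines receipt-log entries against placeholder IOC hashes and, going one step further than the hash check, also flags the lure pattern described in the campaign flow (Gmail sender, copyright-infringement subject, Dropbox link). The log format, the field names and the placeholder hashes are assumptions; the real hashes come from the "File Hashes" list in this notification.

```python
import json
import re

# Constructed placeholder hashes standing in for the SHA-256 IOCs published
# in this notification; replace them with the hashes from the "File Hashes" list.
IOC_SHA256 = {"a" * 64, "b" * 64}

# Lure characteristics from the campaign flow: a copyright-infringement pretext
# and a Dropbox download link, sent from a Gmail address via Mail Merge.
COPYRIGHT_RE = re.compile(r"copyright\s+infringement", re.I)
DROPBOX_RE = re.compile(r"^https?://(?:www\.)?dropbox\.com/", re.I)


def match_reasons(event):
    """Return the list of reasons one receipt-log event matches the campaign."""
    reasons = []
    if any(h.lower() in IOC_SHA256 for h in event.get("attachment_sha256", [])):
        reasons.append("ioc_hash")
    sender = event.get("sender", "").lower()
    if (sender.endswith("@gmail.com")
            and COPYRIGHT_RE.search(event.get("subject", ""))
            and any(DROPBOX_RE.match(u) for u in event.get("urls", []))):
        reasons.append("lure_pattern")
    return reasons


def scan_receipt_log(lines):
    """Parse JSON-lines receipt-log entries; return (recipient, reasons) hits."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed entries instead of aborting the sweep
        reasons = match_reasons(event)
        if reasons:
            hits.append((event.get("recipient", "?"), reasons))
    return hits


# Constructed sample log (JSON lines, assumed field names), not real telemetry.
SAMPLE_LOG = [
    '{"sender": "legal.notice@gmail.com", "recipient": "ap@example-retail.com", '
    '"subject": "Copyright Infringement Notice - Case 4471", '
    '"urls": ["https://www.dropbox.com/scl/fi/abc/evidence.zip"], "attachment_sha256": []}',
    '{"sender": "hr@partner.example", "recipient": "jo@example-retail.com", '
    '"subject": "Invoice", "urls": [], "attachment_sha256": ["' + "a" * 64 + '"]}',
    '{"sender": "news@vendor.example", "recipient": "it@example-retail.com", '
    '"subject": "Weekly update", "urls": ["https://vendor.example/news"]}',
    "not json",
]

if __name__ == "__main__":
    for recipient, reasons in scan_receipt_log(SAMPLE_LOG):
        print(recipient, ",".join(reasons))
```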