Proofpoint has been studying the distribution of the August malware through a personalized email campaign targeted at retail staff with the purpose of stealing credentials and sensitive documents. In the attack, the cybercriminal group known as TA530 sends fake customer queries about duplicate charges or requests for help with orders, using information specific to the retailer. First, how does the August malware work? Second, what can people do to spot this type of social engineering email attack when their job is to read and respond to these kinds of emails?
Opening documents from untrusted sources is a risky business process, but it may be necessary in order for organizations to provide good customer support. These files could be screenshots or documents containing transaction details, but there is the chance they may contain malicious macros or fileless malware being delivered as part of a social engineering email attack.
Proofpoint researchers blogged about the August malware that is targeted at customer service staff and management in the retail and manufacturing sector. A social engineering email containing a malicious attachment is sent with embedded macros that first check to see if the system is being monitored, and if not, runs fileless malware with a PowerShell script to download the August malware.
The malware can copy files, extract saved credentials, copy cookies and send configuration data to a remote command-and-control server. It uses an encrypted connection in which the encryption key is sent in the browser user agent string. To detect whether it is running in a sandbox or under analysis, the August malware checks the MaxMind IP database for network information and inspects task counts, task names and recent file counts.
People can be trained to detect a malicious social engineering email or document in the same way they are trained to not open phishing emails, but this could be difficult to do effectively. The more effective mitigation approach would be to instruct customer service staff not to open macros or embedded documents, and to only open attachments when they are specifically mentioned in the email and the customer has indicated the document is part of their troubleshooting process.
Depending on the nature of the customer inquiries, it may be difficult to direct customers to use particular formats for their attachments. Instead, it might make sense to change the business process to avoid social engineering email attacks and the opening of potentially malicious documents rather than implementing more security tools to secure the customer service staff's computers.
A customer support web portal could be used to enable customers to submit data, upload images and convert files into benign file types. For example, a Word document could be converted into a PDF, or a JPG could be converted into a PNG, where the conversion utility strips unnecessary and potentially malicious content.
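As an added example (not from Proofpoint or the original article), a Python screening routine for such a portal: it refuses macro-capable uploads and routes the remaining formats to conversion into a benign type. The accepted extensions, the conversion map and the sample document are assumptions constructed for the example.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls binaries, which can
# carry VBA macros without any hint in the file name.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Assumed portal policy: these formats are accepted only after conversion.
CONVERT_TO = {"docx": "pdf", "jpg": "png", "jpeg": "png"}


def ooxml_has_macros(data: bytes) -> bool:
    """Return True if an Office Open XML package contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in pkg.namelist())
    except zipfile.BadZipFile:
        return False


def screen_upload(filename: str, data: bytes) -> str:
    """Decide what the portal does with an uploaded attachment.

    Returns 'block' for macro-capable content, 'convert:<type>' for formats
    the portal re-renders into a benign type, and 'allow' otherwise.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Legacy OLE binaries and macro-enabled OOXML extensions are refused outright.
    if data.startswith(OLE_MAGIC) or ext in {"doc", "xls", "docm", "xlsm", "pptm"}:
        return "block"
    # A plain .docx/.xlsx/.pptx that still ships a VBA project is a macro document.
    if ext in {"docx", "xlsx", "pptx"} and ooxml_has_macros(data):
        return "block"
    if ext in CONVERT_TO:
        return f"convert:{CONVERT_TO[ext]}"
    return "allow"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(screen_upload("invoice.docx", build_docx(with_macro=False)))  # convert:pdf
    print(screen_upload("invoice.docx", build_docx(with_macro=True)))   # block
```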
If it is still necessary to open documents from unknown sources, there are options. Most customer service staff use only a limited set of programs and systems, so their computers can be configured to open any file from an untrusted source inside a sandbox or a virtual machine. Both options limit a malicious file's access to the virtual space or sandbox, and the attacker would need to escape the virtual environment to move laterally on the network.