Warning: Repeated Malware Campaign Exploiting Masaryk University Identity
Masaryk University's cyber security team warns of a recurring malware campaign exploiting a fictitious sender identity and the name of Masaryk University.
What's going on?
This is the same campaign we alerted about last August. Both then and now, the campaign is spreading across various organizations in the Czech Republic. The attack begins with the recipient receiving an email with the subject "Request for quotation: MUNI//2403-06CZ" and malware in the attachment.
In the email, the attacker impersonates Tomáš Podolec, the alleged "MUNI Purchasing Manager". No such person exists at Masaryk University (MU): the email headers have been spoofed, and the messages are sent from mail servers located in Great Britain, so this is not a compromised account or device at MU.
You can read how email header spoofing works and how to recognize it in our earlier warning.
What does this phishing look like?
In phishing emails, the attacker uses several techniques to make the email look credible and create a sense of urgency in the recipient of the email:
a) The email header
- Forged sender headers refer to Masaryk University.
b) Email body
- The message text is in Czech and kept very simple, so that the recipient acts as quickly as possible and opens the attachment.
- The message is flagged as high importance, so the mail client highlights it for the recipient.
c) The email footer
- The footer of the message contains the university's contacts and its logo. Here, the attacker used publicly available information from the MU website to instill credibility in the message.
- The footer also contains a false claim that the message was checked by ESET antivirus, intended to give the impression that the attachment is not malicious.
You can see a sample of the fraudulent email in the image below. Malware is attached to the email: a so-called Trojan horse from the family that various antivirus vendors call Makoob, GULoader, or Nekark. The Trojan aims to gain control over the victim's computer and thus enable the attacker to carry out further malicious activity. Here the attacker, rather amateurishly, merely renamed the Windows script from .vbs to .pdf.rar before attaching it, apparently to slip past the mail servers' automated spam filters.
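The indicators listed above (a From: header claiming the university while the envelope sender and SPF/DMARC verdicts say otherwise, a high-priority flag, a document-looking attachment name hiding an archive, and a footer asserting an antivirus scan) can be checked mechanically at the mail gateway or during triage. The following Python script is an added example and is not code from Masaryk University's cyber security team; the sample message, its addresses, IP address and header values are constructed for the demo, and it assumes muni.cz as the university domain that the forged From: header claims.

```python
"""Triage checks for a suspicious e-mail, based on the indicators the advisory lists.

Added example; not code from Masaryk University. The message below, its header
values and addresses are constructed, and muni.cz is assumed to be the university's
mail domain.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

TRUSTED_DOMAIN = "muni.cz"  # assumption: domain the forged From: header claims

# Subject quoted in the advisory; an exact match is a strong indicator.
KNOWN_SUBJECTS = {"Request for quotation: MUNI//2403-06CZ"}

# Extensions a client or unpacker may execute or expand, versus harmless-looking ones.
RISKY_EXTENSIONS = {".vbs", ".js", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".rar", ".zip"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Constructed sample resembling the message described above (not a real capture).
SAMPLE_RAW = """\
Return-Path: <bounce@mailer-example.co.uk>
Received: from mailer-example.co.uk (mailer-example.co.uk [198.51.100.23])
 by mx.example.org with ESMTP; Tue, 05 Mar 2024 09:12:44 +0100
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer-example.co.uk;
 dkim=none; dmarc=fail header.from=muni.cz
From: Tomas Podolec <podolec@muni.cz>
To: <recipient@example.org>
Subject: Request for quotation: MUNI//2403-06CZ
X-Priority: 1
Importance: high
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Dobry den, v priloze zasilam poptavku.

--
Masarykova univerzita
Zprava byla zkontrolovana antivirem ESET.

--B1
Content-Type: application/octet-stream; name="poptavka.pdf.rar"
Content-Disposition: attachment; filename="poptavka.pdf.rar"
Content-Transfer-Encoding: base64

UmFyIRoHAQA=
--B1--
"""


def _domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg: EmailMessage = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Forged sender: From: claims the university, but the envelope sender and
    #    the receiving server's SPF/DMARC verdicts contradict it.
    from_domain = _domain(str(msg.get("From", "")))
    return_domain = _domain(str(msg.get("Return-Path", "")))
    if from_domain == TRUSTED_DOMAIN and return_domain and return_domain != TRUSTED_DOMAIN:
        findings.append(f"sender: From domain '{from_domain}' but Return-Path domain '{return_domain}'")
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    failed = [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=fail\b", auth, re.I)]
    if failed:
        findings.append("sender: authentication failed (" + ", ".join(f"{m}=fail" for m in failed) + ")")

    # 2. Subject already seen in the reported campaign.
    if str(msg.get("Subject", "")).strip() in KNOWN_SUBJECTS:
        findings.append("subject: matches a subject used in the reported campaign")

    # 3. Artificial urgency via priority flags.
    if str(msg.get("X-Priority", "")).startswith("1") or str(msg.get("Importance", "")).lower() == "high":
        findings.append("urgency: message flagged high priority")

    # 4. Attachments: a document-looking name hiding a risky extension, and file
    #    content (magic bytes) that contradicts the claimed document type.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS and any(s in DOCUMENT_EXTENSIONS for s in suffixes[:-1]):
            findings.append(f"attachment '{name}': document-looking name hides a {suffixes[-1]} file")
        content = part.get_content()
        if isinstance(content, bytes) and content.startswith(b"Rar!\x1a\x07") and ".pdf" in suffixes:
            findings.append(f"attachment '{name}': content is a RAR archive, not a PDF")

    # 5. Body text asserting an antivirus scan; a claim inside the message
    #    says nothing about whether the attachment is safe.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if re.search(r"antivir", text, re.I) and re.search(r"\bESET\b", text):
        findings.append("body: claims an antivirus (ESET) scan; the text itself verifies nothing")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print(finding)
```

Run stand-alone, the script lists seven findings for the constructed sample. In practice the authentication checks rely on the receiving gateway writing an Authentication-Results header it trusts; the extension and magic-byte checks work on any message and are the ones worth adding to a gateway rule for this campaign.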
Since these emails are being sent from external mail servers, it is very difficult to prevent their distribution. In short, the best defense is an educated user who can identify fraudulent messages!
So, how not to get fooled, and what to look out for?
Phishing messages are written so that, at first glance, they relate as closely as possible to the recipient's work, which makes the recipient inclined to click on them and then follow the instructions in the message (for example, open an attachment containing malware). They are also insidious because they easily blend in among other work messages.
If you receive a similar message, follow a few rules:
- Do not reply to the email.
- Do not click on the links in it.
- Do not open the attachment.
- Report it to our team (ideally including the full email headers).
It goes without saying that your computer's software should also be kept up to date and, above all, that antivirus software should be installed; it should recognize this type of attack and safely remove the malware from the attachment.