If one of the links is clicked, the target is directed to hxxps://zoommeetinginvlte[.]replit.app and then hxxps://aqi.sa[.]com/invitation/process[.]html. This link automatically downloads “lnvitepdf[.]exe,” potentially putting sensitive information and devices at risk. Additionally, threat actors employ a homoglyph technique in this campaign: characters that look identical or very similar in certain fonts are actually different characters, so a spoofed name appears legitimate and deceives the target. This technique enables threat actors to visually mimic the word “invite,” replacing the lowercase “i” with a lowercase “l” in the first link and executable file.
Recommendations
- Exercise caution with communications from known senders or legitimate platforms.
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
- Hover over links in emails or messages to view the actual destination URL before clicking.
- Be aware of homoglyph techniques in which threat actors exploit visually identical or similar characters from various fonts or alphabets.
- Type official website URLs into your browser manually and only submit sensitive information or download files from official websites.
- Keep systems and browsers up to date.
- Report malicious cyber activity to the NJCCIC and the FBI's IC3.
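
The homoglyph substitution described above can also be checked automatically in a mail or proxy filter. The following is an added example, not part of the original advisory: it folds look-alike characters to one canonical character and reports lure words that match only after folding. The keyword list, the folding map, and the function names are assumptions chosen for illustration.

```python
# Added example: flag look-alike spellings of lure words in defanged indicators.
# KEYWORDS and FOLD are assumptions for illustration, not an exhaustive list.
KEYWORDS = ("invite", "invitation", "zoom", "meeting")
FOLD = str.maketrans({"l": "i", "1": "i", "0": "o"})  # look-alike -> canonical


def refang(indicator: str) -> str:
    """Undo defanging so the text can be compared; nothing is ever fetched."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def lookalike_hits(indicator: str, keywords=KEYWORDS):
    """Return (keyword, spelling_seen) pairs where the keyword only matches
    after look-alike characters are folded to one canonical character."""
    raw = refang(indicator).lower()
    folded = raw.translate(FOLD)  # 1:1 mapping, so offsets match `raw`
    hits = []
    for kw in keywords:
        target = kw.translate(FOLD)
        pos = folded.find(target)
        while pos != -1:
            seen = raw[pos:pos + len(target)]
            if seen != kw:  # same shape, different characters
                hits.append((kw, seen))
            pos = folded.find(target, pos + 1)
    return hits


# Indicators quoted in the advisory, plus one constructed benign URL.
SAMPLES = [
    "hxxps://zoommeetinginvlte[.]replit.app",
    "hxxps://aqi.sa[.]com/invitation/process[.]html",
    "lnvitepdf[.]exe",
    "https://example.com/invite",  # constructed, benign
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", lookalike_hits(s) or "no look-alike spelling")
```

The map covers only the ASCII look-alikes relevant to this campaign; a production filter would extend it with the Unicode confusables data.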
