The email also contains urgent language and a link that claims to provide documented evidence and comprehensive details of the infringement. The threat actors convince their target to click the “Download Evidence” button. If clicked, the target is directed to a webpage on a .su domain, which is considered malicious and associated with SmokeLoader malware. That webpage redirects to a .be domain that downloads a file named “Internal Briefing on Content Distribution Rules.zip.” The extracted zip file contains a Microsoft Word document that, if opened, runs a script that uses CertUtil to decode the payload.
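The final stage above (a Word document spawning a script that runs CertUtil to decode a payload) leaves a recognizable process chain in endpoint telemetry. The following is an added example, not code from the NJCCIC alert: it walks constructed Sysmon-style process-creation events, looks for certutil.exe invoked with a decode or download switch, and checks whether its ancestry leads back to an Office application. The event records, file names and process IDs are constructed for illustration.

```python
"""Flag certutil.exe decode/fetch activity whose process ancestry leads back to
Microsoft Office. Added example with constructed events, not real telemetry."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# certutil switches commonly abused to decode or fetch a payload
CERTUTIL_SWITCHES = re.compile(r"-(decode|decodehex|urlcache|encode)\b", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\briefing.docx"'},  # constructed name
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c run.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\p.txt C:\Users\u\AppData\Local\Temp\p.exe"},
    # benign: an administrator listing a certificate store from an interactive shell
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\certutil.exe", "cmd": "certutil.exe -store my"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def office_ancestor(event, by_pid, max_depth=5):
    """Walk parent links upward; return the Office ancestor's image name, or None."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        name = basename(parent["image"])
        if name in OFFICE_APPS:
            return name
        cur = parent
    return None

def find_suspicious_certutil(events):
    """Return (pid, office_ancestor, switch) for each certutil decode/fetch under Office."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "certutil.exe":
            continue
        m = CERTUTIL_SWITCHES.search(e["cmd"])
        if not m:
            continue
        anc = office_ancestor(e, by_pid)
        if anc:
            hits.append((e["pid"], anc, m.group(1).lower()))
    return hits

if __name__ == "__main__":
    for pid, anc, sw in find_suspicious_certutil(EVENTS):
        print(f"ALERT pid={pid}: certutil -{sw} descends from {anc}")
```

The benign `certutil -store` run from an interactive shell is not flagged because no Office process appears in its ancestry; tune `max_depth` and the switch list to your environment's baseline.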
Recommendations
- Exercise caution with communications, even those that appear to come from known senders or legitimate platforms.
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
- Type official website URLs into browsers manually and only submit sensitive information on official websites.
- Keep systems and browsers up to date.
- Report malicious cyber activity to the NJCCIC and the FBI's IC3.
