The NJCCIC observed a campaign sending multiple messages impersonating legal notices. These messages make claims such as a fine will be issued, identity needs to be verified, or compliance has failed. When users click the message's “Open” button, they are directed to a Google Drive-hosted PDF that claims an e-signature is required to view the legal document.
Clicking the “Download E-Sign” button redirects the user to a page that appears to be from Docusign and requests a key to verify the e-signature and download the purported document. After entering the access key and clicking the link, a malicious Visual Basic script named “DocuSign-E-Key_Generator-ID-<wbr/>COLETTER-ZS9090827.vbs” is downloaded and executed, running a PowerShell-based payload named "agent.ps1." This payload creates a hidden working directory, establishes persistence via a scheduled task, and communicates over a WebSocket to the command-and-control (C2) IP address "144[.]172[.]111[.]183." These steps can enable threat actors to gain remote access and exfiltrate data, including personally identifiable information (PII), credentials, and financial information.
Recommendations
- Avoid clicking links and opening attachments in unsolicited emails.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Users are advised to only download applications and software from official sources.
- Maintain robust and up-to-date endpoint detection tools on every endpoint.
- Consider leveraging behavior-based detection tools rather than signature-based tools.
- If you suspect an account has been compromised, change the account's password immediately and ensure MFA is enabled for all online accounts.
- Review the Don't Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
- Report malicious cyber activity to the NJCCIC and the FBI's IC3.

