Spam Campaign Delivers Password-Stealing Malware

Researchers with Trustwave recently detected an email spam campaign that delivers password-stealing malware to end users via a PowerShell script. The infection is a multi-stage process that begins when a user opens a .DOCX file; the document downloads a remote Rich Text Format (RTF) file that exploits the Microsoft Equation Editor vulnerability (CVE-2017-11882), which in turn launches the PowerShell stage. The malware targets email, FTP, and browser client credentials. Subject lines associated with this campaign include “SWIFT COPY FOR BALANCE PAYMENT,” “Telex Transfer Notification,” “Request for Quotation (RFQ),” and “TNT STATEMENT OF ACCOUNT.” The NJCCIC recommends that users and administrators keep their Windows OS and Microsoft Office software updated and scan their environments for the Indicators of Compromise (IoCs) provided in Trustwave’s report.
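The first stage described above relies on a .DOCX whose package relationships point at an external file that Word fetches automatically when the document opens. The following triage script, added here as an illustration and not taken from Trustwave’s report, unpacks a .DOCX and reports such external relationships, distinguishing types that load on open (attached templates, OLE objects) from ordinary hyperlinks; the sample archives and the URL in them are constructed for the demonstration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Relationship types Word resolves automatically at open time; an external
# Target on one of these is the "remote template" pattern worth escalating.
AUTO_LOAD_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}

# Constructed sample: settings.xml.rels with an attachedTemplate that points
# off-box (the URL is a placeholder, not an indicator from the campaign).
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/attachedTemplate" '
    'Target="http://template.example.invalid/t.rtf" TargetMode="External"/>'
    '</Relationships>'
)

# Constructed benign sample: an external hyperlink only (requires a click).
BENIGN_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/hyperlink" '
    'Target="https://www.example.com/" TargetMode="External"/>'
    '</Relationships>'
)


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal DOCX-like ZIP in memory so the scanner can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Return (part, rel_type, target, auto_load) for every external relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter():
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, rel_type, rel.get("Target"), rel_type in AUTO_LOAD_TYPES))
    return hits
```

Run it over quarantined attachments and escalate any hit whose last field is `True`; hyperlinks alone are common in legitimate mail.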