Dive Brief:
- A “highly targeted” spearphishing campaign is attempting to ensnare financial executives at banks, investment firms, energy utilities and insurance companies around the world, Trellix said in a report published Wednesday.
- The malicious emails carry installers for NetBird, a legitimate remote-access tool, which give the hackers remote access to, and persistence on, victim computers.
- With that degree of access to legitimate accounts, attackers could steal files or initiate fraudulent money transfers, potentially without raising red flags.
Dive Insight:
The spearphishing campaign that Trellix observed is notable because of both its techniques and the targets it involves.
The malicious use of NetBird, an open-source remote-access tool built on WireGuard, is a notable example of hackers’ tendency to rely on legitimate applications in order to avoid raising suspicion: a signed, commercially available client that an organization might plausibly have deployed itself draws far less scrutiny than custom malware, and its traffic blends in with ordinary administrative activity.
“In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and further their way into the victim's network,” Trellix senior manager of threat research Srini Seethapathy wrote in the company’s report.
The combination of spearphishing, a NetBird installation and further attack stages is, according to Trellix, a reminder that hackers’ techniques keep evolving and improving.
“This attack isn't your typical phishing scam,” Seethapathy wrote. “It's well-crafted, targeted, subtle, and designed to slip past technology and people. It is a multi-stage attack where the adversary uses social engineering and defense evasion techniques to create and maintain persistent access to the victim system.”
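The defensive corollary of the point above is an inventory of which remote-access clients are sanctioned, so that one appearing anywhere else is treated as a signal. The following Python is an added illustration, not code from Trellix's report or from the NetBird project: it runs an allowlist check over process-start telemetry of the kind an EDR or Sysmon feed produces and escalates when the client was launched from a mail client or browser (the "open the attachment" path) or with a silent-install or enrollment flag. The binary names, the approved-tool inventory, the parent-process heuristics, the command-line patterns (including NetBird's `--setup-key` enrollment flag) and the sample events are all constructed assumptions to be tuned against a real environment.

```python
"""Allowlist-based detection of unapproved remote-access tools.

Added illustration (not Trellix's or NetBird's code). Every binary name,
allowlist entry, command-line pattern and sample event below is an assumption
to be tuned against your own telemetry.
"""
from dataclasses import dataclass
import re

# Remote-access / overlay-network clients we want to notice. Assumed names.
REMOTE_ACCESS_TOOLS = {
    "netbird.exe": "NetBird",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "tailscaled.exe": "Tailscale",
}

# Tools the organization has actually sanctioned (assumed inventory).
APPROVED_TOOLS = {"TeamViewer"}

# Parents indicating a user opened something from mail, a browser or an archive
# tool rather than IT deploying the client through a management agent.
USER_LAUNCH_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "7zfm.exe", "winrar.exe"}

# Silent-install switches (Inno Setup / MSI style) and NetBird's enrollment flag.
# Assumed patterns; extend for the installers in your estate.
SILENT_INSTALL = re.compile(r"(?:^|\s)(?:/S|/silent|/quiet|/verysilent|--setup-key)\b", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the started process
    parent_image: str   # full path of the parent process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent, approved=APPROVED_TOOLS, tools=REMOTE_ACCESS_TOOLS):
    """Return a Finding for one process-start event, or None if it looks benign."""
    tool = tools.get(_basename(event.image))
    if tool is None:
        return None                      # not a remote-access client we track
    parent = _basename(event.parent_image)
    user_launched = parent in USER_LAUNCH_PARENTS
    silent = bool(SILENT_INSTALL.search(event.cmdline))
    if tool in approved and not user_launched:
        return None                      # sanctioned tool, deployed the normal way
    reasons = []
    if tool not in approved:
        reasons.append(f"{tool} is not in the approved remote-access inventory")
    if user_launched:
        reasons.append(f"started by {parent}, the attachment/download path rather than IT deployment")
    if silent:
        reasons.append("silent install or pre-seeded enrollment key on the command line")
    severity = "high" if tool not in approved and (user_launched or silent) else "medium"
    return Finding(event.host, event.user, tool, severity, "; ".join(reasons))


def scan(events):
    """Evaluate a batch of events and keep only the ones that produced a Finding."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("fin-ws-07", "cfo.jane",
                 r"C:\Users\cfo.jane\AppData\Local\Temp\netbird.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "netbird.exe up --setup-key 0000-constructed-key"),
    ProcessEvent("it-ws-01", "svc.deploy",
                 r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Windows\System32\services.exe",
                 "TeamViewer.exe"),
    ProcessEvent("fin-ws-12", "a.brown",
                 r"C:\Users\a.brown\Downloads\TeamViewer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "TeamViewer.exe"),
    ProcessEvent("fin-ws-07", "cfo.jane",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "EXCEL.EXE /dde"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host} {finding.user}: {finding.tool} - {finding.reason}")
```

Two of the four constructed events produce findings: the NetBird client spawned from Outlook with an enrollment key on the command line is rated high, while the sanctioned TeamViewer client downloaded through Chrome is rated medium because the tool is approved but the launch path is not how IT deploys it. The service-launched TeamViewer and the Excel process are ignored. In production the allowlist would be keyed by hash or signer rather than file name, since a renamed binary defeats the name lookup shown here.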
The attackers’ choice of victims is also important. Trellix said the spearphishing emails were “sent to CFOs and other executive-level employees in the financial department of the targeted firms.”
Financial executives are among the most valuable targets for financially motivated hackers because they control access to payment systems. A hacker impersonating a low- or even mid-level financial employee could run into problems stealing money if the employee’s supervisors were to become suspicious. Posing as a CFO or other executive, whose instructions are far less likely to be questioned, would be more valuable for an attacker, the researchers noted.
The combination of unfettered remote access and high-level authority would make this a potent intrusion if carried out successfully. “Once an adversary is successful in creating and maintaining persistent access via a remote access tool like NetBird,” Seethapathy wrote, “the potential impact is huge.”
The attackers have not yet targeted American companies, according to Trellix’s report, which listed the victim geographies as Europe, Africa, Canada, the Middle East and South Asia. But threat groups often test out attacks in one region before deploying them elsewhere, suggesting that financial executives at U.S. companies might soon appear on these attackers’ radar.
Researchers at Proofpoint said in an X thread on Wednesday that their data “indicates this activity included over 2,200 messages to over 300 organizations globally.” They disagreed with Trellix about the nature of the attack’s scope, writing, “We would not consider this activity highly targeted, but rather opportunistic.”
Trellix did not identify the attackers, although it said that some of their infrastructure overlapped “with at least one other nation-state spear-phishing campaign that delivers and installs remote access tools and backdoors.”
To avoid falling victim to this campaign, CFOs should treat unsolicited recruitment emails with skepticism, especially when they contain attachments, Trellix said. The company also encouraged executives to refrain from bypassing security warnings and to alert their security teams to any unusual messages. For security teams, the practical control that follows from the campaign's design is to block, or at least alert on, the installation of remote-access clients that are not on an approved inventory, regardless of how legitimate the software itself is.
Editor’s note: This story has been updated to include comments from Proofpoint.