F.A.C.C.T. (formerly Group-IB) reported that a large-scale malicious email campaign (over 300 emails) was detected in the early days of May. The attackers used spoofing to disguise the sender’s address, and the emails carried the Loki stealer, malware designed to steal victims’ credentials.
The emails, reviewed by F.A.C.C.T. Security Operations Center (SOC) experts, asked recipients from Russian companies to provide a quotation “with competitive prices for the products listed in the attached purchase order document.”
Each email carried a ZIP archive; opening it led to the Loki stealer being downloaded to the user’s computer. The stolen data could be used for a range of malicious activities, such as gaining access to mail accounts and databases, financial fraud, extortion, or espionage.
Yaroslav Kargalev, head of the F.A.C.C.T. Security Operations Center (SOC), commented: “Despite the fact that the text of the letter was written in a rather ‘clumsy’ language, likely using machine translation, the signature of the sender and their email address could inspire trust among the recipients.”
Kargalev also noted that sender-address spoofing is the most popular technique used in 2023 to mask malicious mailings: in the first quarter of 2023, spoofing was observed in 67.5% of the email attacks detected by the Managed XDR cyber attack prevention system.
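The two traits of the campaign described above, a spoofed sender address and a ZIP attachment carrying the payload, are exactly what a SOC triage script looks for in message headers. The following is an added example, not F.A.C.C.T. tooling or code from the campaign: it parses a raw message with Python’s standard `email` library and reports the indicators a mail gateway or analyst would check, namely a mismatch between the header From domain and the envelope sender (Return-Path) or Reply-To domain, explicit SPF/DKIM/DMARC failures recorded in the Authentication-Results header, and a ZIP attachment. Both sample messages, the domains in them, and the base64 attachment body are constructed for illustration.

```python
"""Triage heuristics for sender spoofing plus a ZIP attachment.

Added example, not F.A.C.C.T. code. The messages and domains below are
constructed; the base64 attachment body is a placeholder, not real malware.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the header From claims a plausible supplier domain,
# while the envelope sender and the authentication results disagree.
SAMPLE_EML = """\
Return-Path: <bounce-7733@mailer.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=supplier.example
From: "Procurement Dept" <orders@supplier.example>
Reply-To: orders.supplier@webmail.example.org
To: sales@victim.example
Subject: Request for quotation - purchase order attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please provide quotation with competitive prices for the products listed
in the attached purchase order document.

--b1
Content-Type: application/zip; name="PO_20240506.zip"
Content-Disposition: attachment; filename="PO_20240506.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed control message: authenticated, consistent domains, no attachment.
CLEAN_EML = """\
Return-Path: <orders@supplier.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.example;
 dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example
From: "Procurement Dept" <orders@supplier.example>
To: sales@victim.example
Subject: Request for quotation

Please see our catalogue at the usual address.
"""

# Authentication results that count as a hard failure (dkim=none only means
# the message was not signed, so it is not treated as an indicator here).
FAIL_RESULTS = {"fail", "softfail", "permerror", "temperror"}


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Extract method=result pairs from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def spoofing_indicators(raw_message):
    """Return a list of human-readable indicators found in the raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    from_dom = _domain(msg.get("From"))

    # Envelope sender and Reply-To that point somewhere other than the
    # claimed From domain are the classic spoofing tells.
    for name in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(name))
        if dom and dom != from_dom:
            indicators.append(f"{name.lower()} domain {dom} differs from from domain {from_dom}")

    # Explicit SPF/DKIM/DMARC failures recorded by the receiving MX.
    for method, result in auth_results(msg).items():
        if result in FAIL_RESULTS:
            indicators.append(f"{method}={result}")

    # A ZIP attachment is the delivery vehicle used in the campaign.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or filename.lower().endswith(".zip"):
            indicators.append(f"zip attachment: {filename}")
    return indicators


if __name__ == "__main__":
    for label, eml in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, spoofing_indicators(eml))
```

The Authentication-Results header is only trustworthy when it was written by your own receiving MX (the `mx.example.com` authserv-id in the sample); a gateway should strip any copy of that header arriving from outside before this kind of check runs, otherwise an attacker can simply add a `spf=pass` line themselves.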