Security researchers have discovered a new phishing scam which lures users into opening a malicious Excel document by pretending to offer their HIV test results.
Phishing campaigns have seen a huge increase over the past year as the scammers behind them have begun employing new tactics to trick users into falling for their schemes.
This time though, they may have taken things too far, as researchers at Proofpoint have observed scammers sending phishing emails with malicious Excel spreadsheets pretending to be patients’ HIV test results from Vanderbilt University.
While more observant users may notice that the university’s name is misspelled in the email’s contact details as “Vanderbit”, most likely won’t, as the rest of the phishing email appears to come directly from the university.
Malicious Excel file
The phishing emails sent out in the campaign all contain an attachment named “TestResults.xlsb” that requires users to ‘Enable Content’ to view their test results.
If a user does decide to enable content, malicious macros are then executed which download and install the Koadic penetration test and post-exploitation toolkit.
Through Koadic, the attackers are able to gain complete control over the infected computer, and from there they can execute any command they like to download additional malware or steal files from the machine.
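As an added illustration (not code from the article or from Proofpoint), the two indicators described above can be checked at a mail gateway before a message reaches the user: whether an Excel attachment actually carries a VBA macro project (the part that runs when “Enable Content” is clicked), and whether the sender domain is a near-miss of a trusted one. The lookalike domain vanderbit.edu and the workbook bytes are constructed for the demo; the trusted-domain list and similarity threshold are assumptions.

```python
import difflib
import io
import zipfile


def build_sample_xlsb(with_macro: bool) -> bytes:
    """Constructed stand-in for a workbook attachment: Office Open XML
    files (xlsb/xlsm/xlsx) are ZIP packages, and a macro project is stored
    as xl/vbaProject.bin. Only the container structure matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.bin", b"\x00")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"constructed-vba-stream")
    return buf.getvalue()


def has_vba_project(attachment: bytes) -> bool:
    """True if the package contains a VBA project, i.e. 'Enable Content'
    would execute code. Non-ZIP data is treated as macro-free here."""
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def lookalike_sender(sender_domain: str, trusted: list, threshold: float = 0.85):
    """Return the trusted domain the sender resembles (e.g. 'vanderbit' vs
    'vanderbilt'), or None if it matches exactly or is not similar."""
    label = sender_domain.lower().split(".")[0]
    labels = {t.lower().split(".")[0]: t for t in trusted}
    if label in labels:  # exact match is legitimate, not a lookalike
        return None
    for tl, full in labels.items():
        if difflib.SequenceMatcher(None, label, tl).ratio() >= threshold:
            return full
    return None


def triage_email(sender_domain, attachment_name, attachment, trusted):
    """Combine both checks into a list of findings for the gateway."""
    findings = []
    if attachment_name.lower().endswith((".xlsb", ".xlsm")) and has_vba_project(attachment):
        findings.append("macro-enabled workbook attachment")
    imitated = lookalike_sender(sender_domain, trusted)
    if imitated:
        findings.append(f"sender domain resembles {imitated}")
    return findings
```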
Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, provided further insight in a blog post on how cybercriminals are now using health-related lures to trick users into falling for phishing scams, saying:
“This latest campaign serves as a reminder that health-related lures didn’t start and won’t stop with the recent Coronavirus-themed lures we observed. They are a constant tactic as attackers recognize the utility of the health-related “scare factor.” We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information. Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person. If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”