Website contact forms are abused to deliver IcedID banking malware using emails with fake legal threats. The emails instruct recipients to click a link to review supposed evidence behind their allegations but are led to downloading IcedID, an info-stealing malware.

For over a year, threat actors tracked as TA578 have been conducting these attacks where they use a website contact form to send fake copyright infringement complaints to convince recipients to download a report of the offending material.

This threat is Important because:

1. Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive.
2. The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration and can lead to additional malware payloads, including ransomware.
3. This threat shows attackers are always on the hunt for attack paths for infiltrating networks, and they often target services exposed to the internet. Organizations must ensure they have protection against such threats.

This specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise. 

IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on keyboard attacks, steal credentials, and move laterally across affected networks to deliver additional payloads.

Shifted From Google Drive/Sites to Yandex forms

A new version of the “Copyright infringement” started using Yandex Forms.

However, Before about one year ago hackers were using Google Drive or Google Sites to host their alleged malware, But at present time they are now using Yandex Forms instead of Google.

Yandex Forms is a free service that allows users to create customized online forms and publish them on the web.

But hackers are now abusing it to create phishing landing pages.

Hackers Using legal threats technique as a social engineering

This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering emails to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.

Hackers used legal threats as a social engineering technique while claiming that the recipients allegedly used their images or illustrations without their consent and that legal action will be taken against them. There is also a heightened sense of urgency in the email wording, with phrases such as “you could be sued,” and “it’s not legal.” It’s a sly and devious approach since everything else about this email is authentic and legitimate.

As seen from the contact form submission, these copyright complaints can be pretty convincing and utilize threats of legal action to create urgency to the message. Unfortunately, this urgency commonly leads to people throwing caution to the wind and opening malicious files.

Defending against these types of attacks

 Hackers remain motivated to find new ways to deliver malicious emails to enterprises with the clear intent to evade detection. Hackers have a clear goal of delivering dangerous malware payloads such as IcedID. Their use of submission forms is notable because the emails don’t have the typical marks of malicious messages and are seemingly legitimate.

To Protect Yourself from this highly evasive campaign it is important to always stay calm when receiving emails like these and to scan unknown or suspicious files using VirusTotal before opening them on your computer.

 It is also important to review mail flow rules to check for broad exceptions, such as those related to IP ranges and domain-level allow lists, that may be letting these emails through.

Increase your awareness and knowledge to recognize and report these attacks.