According to the report from INKY, a malicious actor (or multiple actors) somehow managed to compromise the Craigslist mailing system and started sending out notifications to active users of the platform. The email notification, a simple message with just a few sentences and a button, warned the user that their recent ad included inappropriate content and violated Craigslist’s terms.
The button in the email claims to forward the reader to the platform, in order to remedy the problem. However, simply hovering the mouse over the button reveals the real link – a Russian domain – myjino[.]ru.
Abusing legitimate hosting sites
If the victim tries to remedy the issue by following the instructions in the email and clicking the link in the message, they would be sent to a customized document, uploaded to Microsoft OneDrive. So, in this campaign, a legitimate hosting service was abused to host a malicious file.
The victims were then instructed to download that file, fill out the form, and return it to firstname.lastname@example.org.
Clicking the download button, the victim would receive a compressed file named “form_1484004552-10012021.zip.” Uncompressing it gets them a spreadsheet, with macros enabled, titled “form_1484004552-10012021.xls”. This file was already flagged as malicious, by multiple security vendors.
To add to the “legitimacy” of the document, the malicious actors also added logos of DocuSign, Norton and Microsoft. Running the malware in a sandbox environment, the researchers said it “created and modified” multiple files. The malware also tried to connect to an external server, in order to download additional components, or possibly exfiltrate data. However, attempts received a “404 not found” error.
Looking to stay safe online? You should also check out our rundown of the best ransomware protection services out there today