Fileless Malware Phishing Attacks Targeting Restaurants

Hackers have been conducting fileless malware phishing attacks, and restaurants are the focus. Restaurants are being targeted because they tend to have relatively weak cybersecurity defenses and criminals can easily obtain access to the credit card details of thousands of customers.

The phishing attacks are used to download fileless malware – malware that stays in memory and does not write any files to the hard drive. Because of this, fileless malware is particularly difficult to detect. By switching to fileless malware, which most static antivirus solutions do not spot, the criminals can operate undetected.

While fileless malware can be short-lived, remaining in memory only until the computer is rebooted, the latest variants are also persistent. The aim of the malware is to allow the attackers to install a backdoor that gives access to restaurants’ computer systems. They can then obtain the financial information of customers undetected.

The most recent fileless malware phishing attacks involve RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7, a group that has close associations with the Carbanak group.

The attacks start with a well-crafted phishing email, with social engineering methods used to encourage end users to click on the attached RTF file. The RTF files seen so far are restaurant themed, named menu.rtf and relating to orders. Some emails seem to have been written to target specific restaurant groups.

One intercepted phishing email purported to be a catering order, with the attachment including a list of the items required. The email contained short instructions outlining when the order is needed and how to view the list of ordered items. The email was short, but it was particularly realistic. Many restaurants are likely to be tricked by these fileless malware phishing attacks, with access to systems granted for long periods before being detected.

As with other phishing campaigns, the user is asked to enable the content in the attached file. Opening the RTF file displays a large image that the user must click in order to view the contents of the document. The document is expertly designed, appears professional and implies the contents of the document are protected. Double-clicking on the image and confirming with a click on OK initiates the infection process, running JavaScript code.

FIN7 has recently been carrying out attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of the infection but, unlike in previous attacks, the DNS queries are launched from memory rather than by PowerShell commands. Since the attack does not involve files being written to the hard drive, it is hard to detect.

Furthermore, the researchers checked the RTF file against VirusTotal and saw that none of the 56 AV vendors are, at present, detecting the file as malicious.
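Where signatures miss the file, a mail gateway can still inspect an RTF attachment's structure before it reaches a user. The sketch below is an added example, not Morphisec's tooling or code from the campaign; it assumes the clickable image is an embedded OLE object (the article does not say how it is embedded), and the script-extension list, verdict names and sample bytes are constructed for illustration.

```python
import re

# RTF control words that declare an embedded or linked OLE object.
OBJ_WORDS = re.compile(
    rb"\\(object|objemb|objlink|objautlink|objclass|objdata|objupdate)(?![a-z])")
# Hex payload after \objdata; RTF allows whitespace between the digits.
OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Assumed policy: script file names inside the object data are never expected.
SCRIPT_NAME = re.compile(rb"\.(js|jse|vbs|wsf)\x00", re.I)

def triage_rtf(data: bytes) -> dict:
    """Static check of attachment bytes; the document is never opened."""
    report = {"is_rtf": data.lstrip()[:5] == b"{\\rtf", "words": {},
              "payload_bytes": 0, "script_name": False, "verdict": "pass"}
    if not report["is_rtf"]:          # judged by content, not by extension
        return report
    for m in OBJ_WORDS.finditer(data):
        word = m.group(1).decode()
        report["words"][word] = report["words"].get(word, 0) + 1
    for m in OBJDATA.finditer(data):
        digits = re.sub(rb"\s+", b"", m.group(1))
        digits = digits[:len(digits) - len(digits) % 2]   # drop a stray nibble
        blob = bytes.fromhex(digits.decode())
        report["payload_bytes"] += len(blob)
        if SCRIPT_NAME.search(blob):
            report["script_name"] = True
    if report["script_name"]:
        report["verdict"] = "block"
    elif report["words"]:
        report["verdict"] = "quarantine"
    return report

# Constructed samples: harmless bytes shaped like an embedded object.
PAYLOAD = b"\x01\x05\x00\x00Package\x00order.js\x00// constructed placeholder"
SAMPLE_OBJECT = (b"{\\rtf1\\ansi Catering order {\\object\\objemb"
                 b"{\\*\\objclass Package}{\\*\\objdata "
                 + PAYLOAD.hex().encode() + b"}}}")
SAMPLE_PLAIN = b"{\\rtf1\\ansi Friday menu}"

if __name__ == "__main__":
    for name, sample in (("object", SAMPLE_OBJECT), ("plain", SAMPLE_PLAIN)):
        print(name, triage_rtf(sample))
```

Regex matching of this kind only handles cleanly written RTF; obfuscated control words or hex data need a full parser such as rtfobj from oletools.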


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth focuses on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone.