Cybersecurity experts have issued a warning about a new spear-phishing campaign targeting CFOs and financial executives in various industries across Europe, Africa, Canada, the Middle East, and South Asia. As discovered by Trellix researchers, the attackers are using a legitimate remote access tool called NetBird to gain a foothold on the victims' computers.
The attack begins with a phishing email posing as a recruiter from Rothschild & Co., offering a “strategic opportunity” with the company. The email contains a fake PDF attachment that redirects recipients to a phishing link disguised as a Firebase app-hosted URL. What makes this attack unique is the use of encrypted redirect URLs that are only accessible after solving a CAPTCHA verification check.
Once the victim solves the CAPTCHA, a JavaScript function decrypts the link, which leads to the download of a ZIP archive containing a VBScript that retrieves and launches NetBird and OpenSSH on the infected host. With these programs installed, a hidden local account is created, remote desktop access is enabled, and NetBird is configured to launch automatically on system reboot so that access persists.
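As an added illustration (not code from the article or from Trellix's report), the following Python sketch shows how a defender could correlate the stages of that chain in normalised endpoint telemetry instead of alerting on any one of them, since a NetBird install on its own is often legitimate. The event field names, the sample events, the account name and paths, and the one-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised host telemetry (not real logs): "cfo-laptop" shows the
# full chain from the article; "it-admin" is a lone, legitimate NetBird install.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "host": "cfo-laptop", "event": "process_create",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Users\cfo\Downloads\offer\brief.vbs"'},
    {"ts": "2025-06-01T09:00:30", "host": "cfo-laptop", "event": "process_create", "cmdline": "msiexec /i netbird.msi /qn"},
    {"ts": "2025-06-01T09:01:00", "host": "cfo-laptop", "event": "account_create", "event_id": 4720, "user": "svc_update"},
    {"ts": "2025-06-01T09:01:10", "host": "cfo-laptop", "event": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "value": "0"},
    {"ts": "2025-06-01T09:01:20", "host": "cfo-laptop", "event": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetBird", "value": r"C:\Program Files\NetBird\netbird-ui.exe"},
    {"ts": "2025-06-01T11:00:00", "host": "it-admin", "event": "process_create", "cmdline": "msiexec /i netbird.msi /qn"},
]
def _low(e, k):  # lower-cased string field, or "" when the event lacks it
    return str(e.get(k, "")).lower()

# One predicate per stage of the described chain. Any single stage is weak on its
# own (admins install NetBird too), so correlate() only alerts on several together.
STAGES = {
    "vbscript_launch": lambda e: _low(e, "image").endswith(("wscript.exe", "cscript.exe"))
                                 and ".vbs" in _low(e, "cmdline"),
    "remote_tool_install": lambda e: e.get("event") == "process_create"
                                     and any(t in _low(e, "cmdline") for t in ("netbird", "openssh")),
    "local_account_created": lambda e: e.get("event_id") == 4720,  # Security log: user account created
    "rdp_enabled": lambda e: _low(e, "key").endswith("\\fdenytsconnections") and e.get("value") == "0",
    "netbird_persistence": lambda e: e.get("event") in ("registry_set", "service_install")
                                     and "netbird" in _low(e, "value") + _low(e, "service"),
}
WINDOW = timedelta(hours=1)  # assumption: the whole chain lands within an hour

def correlate(events, min_stages=3):
    """Return {host: sorted stage names} for hosts where >= min_stages fire within WINDOW."""
    hits = defaultdict(list)
    for e in events:
        for name, pred in STAGES.items():
            if pred(e):
                hits[e["host"]].append((datetime.fromisoformat(e["ts"]), name))
    findings = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):  # slide the window forward from each hit
            stages = {n for t, n in seen[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages:
                findings[host] = sorted(stages)
                break
    return findings
```

Raising min_stages or narrowing WINDOW trades missed detections for fewer false positives; the single legitimate install on "it-admin" never reaches the threshold.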
Trellix also identified a redirect URL that has been active for nearly a year, indicating that this campaign may have been ongoing for some time. The use of legitimate remote access tools like NetBird highlights a growing trend among threat actors to evade detection by leveraging trusted applications.
In addition to this campaign, various email-based social engineering attacks have been observed in the wild, including those abusing trusted domains, Google Apps Script, Apple Pay invoices, Notion workspaces, and exploiting security flaws in Microsoft Office to deliver malware.
Furthermore, the rise of Phishing-as-a-Service (PhaaS) platforms like Haozi is simplifying the process for cybercriminals to launch phishing campaigns, with subscription-based kits offering automated setup and customer support. These services are lowering the entry barrier for attackers and scaling their operations through automation and community support.
As cyber threats evolve, it's crucial for organizations to stay vigilant and educate users on identifying and defending against social engineering attacks. Microsoft has highlighted the increasing use of adversary-in-the-middle (AiTM) credential phishing techniques, such as OAuth consent phishing and device code phishing, to bypass MFA protections. User awareness and training remain vital in combating these sophisticated attacks.
The interconnected nature of these evolving cyber threats underscores the importance of proactive cybersecurity measures and continuous monitoring to protect against potential breaches.