Dangerous letters for small online retailers

Cybercriminals often choose very small companies as their targets. Small businesses rarely spend significant money on security systems, often do not even have an IT specialist, and, most important, tend to run the whole business from just one or two computers, so the same machine that reads mail is likely to hold exactly the kind of information cybercriminals are hunting for. Recently, our technologies detected yet another attack aimed at small online stores. Using social engineering, the attackers tried to trick the owners of such businesses into running malicious scripts on their computers.

Social engineering

The most interesting aspect of this attack is the trick by which attackers convince a store employee to download and open a malicious file. They send a letter pretending to be a customer who has already paid for an order but cannot receive it. They claim there were problems at the post office and ask the store to fill out a document with details (sender information, tracking number, and so on). Would any decent businessperson ignore that letter?

The letter, in imperfect but quite understandable English, contains a link to an object hosted on Google Docs. Clicking the link starts the download of an archive, which of course contains a malicious file — in this case, one with an .xlsx extension.

From a technical point of view

The attack is simple but effective. First, it is clearly not a mass mailing — the text of the message is written specifically for online stores and was most likely sent to a list of suitable recipients. Second, the message itself contains nothing malicious. It’s just a couple of paragraphs of text and a link to a legitimate service. Automatic mail filters are unlikely to stop such a message: it’s not spam or phishing, and, most important, it carries no malicious attachment.

The XLSX file contains a script that downloads and runs an executable file from a remote service — the banking Trojan DanaBot, known to our systems since May 2018. This malware has a modular structure and can download additional plugins that enable it to intercept traffic and steal passwords and even cryptocurrency wallets. As of this writing (according to statistics for the third quarter of 2019), it is among the top 10 banking malware families.
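The post does not say how the script is embedded in the workbook. As an added example (not code from the post or from Kaspersky), here is a triage check a defender can run on a received .xlsx before anyone opens it: it unpacks the Office Open XML container and reports the active-content parts the packaging format allows (VBA project, Excel 4.0 macro sheet, embedded OLE object, DDE external link, or a macro-enabled content type hiding behind an .xlsx name). The sample workbooks it inspects are constructed in memory.

```python
import io
import re
import zipfile

# Part names and content types from the Office Open XML packaging format.
# Which of these the attackers actually used is an assumption, not stated in the post.
VBA_PART = "xl/vbaProject.bin"                        # VBA macro project
XLM_PART = re.compile(r"^xl/macrosheets/.+\.xml$")    # Excel 4.0 (XLM) macro sheets
OLE_PART = re.compile(r"^xl/embeddings/")             # embedded OLE objects
EXT_LINK = re.compile(r"^xl/externalLinks/.+\.xml$")  # external links, incl. DDE
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_workbook(data: bytes) -> dict:
    """Return which active-content indicators the workbook package contains."""
    found = {"vba": False, "xlm": False, "ole": False, "dde": False, "macro_ct": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        found["vba"] = VBA_PART in names
        found["xlm"] = any(XLM_PART.match(n) for n in names)
        found["ole"] = any(OLE_PART.match(n) for n in names)
        # DDE links are stored as <ddeLink ...> elements inside externalLink parts.
        for n in names:
            if EXT_LINK.match(n) and b"<ddeLink" in zf.read(n):
                found["dde"] = True
        # A macro-enabled content type inside a file named .xlsx is itself a red flag.
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            found["macro_ct"] = MACRO_CT in types_xml
    return found


def is_suspicious(data: bytes) -> bool:
    """True if any active-content indicator is present; such files go to analysis, not to the user."""
    return any(inspect_workbook(data).values())


def build_sample(active: bool) -> bytes:
    """Constructed minimal workbook package for testing; not a real malicious sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CT if active else PLAIN_CT
        zf.writestr("[Content_Types].xml", f'<Types><Override ContentType="{ct}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if active:
            zf.writestr(VBA_PART, b"\x00")  # placeholder bytes standing in for a VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "active"):
        print(label, inspect_workbook(build_sample(label == "active")))
```

On a real mail gateway the same check applies to every workbook extracted from a downloaded archive, regardless of the extension the sender chose.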

The intended targets of this attack are very small shops, so it is very likely that the infected computer on which employees read mail is also the main machine used for banking operations. In other words, it holds exactly the information the attackers are looking for.

How to stay safe

First, all computers need a reliable security solution. Our security technologies not only identify DanaBot (as Trojan-Banker.Win32.Danabot), but also register scripts that download this Trojan with the heuristic verdict HEUR:Trojan.Script.Generic. Therefore, computers running Kaspersky solutions will be able to stop such an attack even before the Trojan is downloaded to the machine.

Second, update widely used programs in a timely manner. Updates for operating systems and office suites should have top priority. Attackers often use vulnerabilities in such software for malware delivery.

For very small companies, we recommend using Kaspersky Small Office Security. It requires no special management skills, reliably protects against Trojans, and also checks the versions of common third-party applications.