Threat actors attempted to leverage the Brazilian presidential election to distribute the Astaroth WMIC Trojan to Brazilian victims. The emails had a subject line related to an alleged scandal involving then-presidential candidate Jair Bolsonaro. Some campaigns impersonated a well-known Brazilian research and statistics company. Multiple delivery methods and geolocation techniques were used to target Brazilian users, who were encouraged to interact with attached or downloaded archives containing .lnk (Windows shortcut) files. These shortcuts downloaded the first stage of the Astaroth WMIC Trojan, previously spotted this year by the Cofense™ Phishing Defense Center and known to target South American users.
Figure 1 – Email Subject, Attachment, and Spoofed Sender
The threat actors included the common image and hashtag #VEMPRAURNA (highlighted in the red box in Figure 2). The hashtag encourages people to vote, and the image itself appears on many legitimate news and government websites, lending the emails a sense of legitimacy. Directly below this image is the heading “Pesquisa IBOPE”, which translates to “IBOPE Survey”. IBOPE (Brazilian Institute of Public Opinion and Statistics) is a respected research institution. Because IBOPE is known for research and polling, an email from it would plausibly include a questionnaire or a request for input. The threat actors take advantage of this expectation to pass the email off as legitimate correspondence and encourage users to respond to a fabricated poll in the email body.
Figure 2 – Email Body
The message body of the emails encourages recipients to click a button indicating which of the two candidates they prefer and then provides a link where they may view the partial results. If recipients examine the links by hovering over them, the impersonation of IBOPE is reinforced rather than exposed: the destination domain shown (pesquisas-ibope[.]video) echoes the heading of the email (see Figure 3). In addition, the file name at the end of each URL matches its link text: a PDF purporting to show a percentage for one link and a PDF purporting to show the result for the other.
Figure 3 – Links in message body, the top for voting for Haddad, the bottom for checking the results
The combination of an enticing subject, a carefully crafted and seemingly legitimate message body, and links that at first glance appear to be benign all contribute to a convincing narrative.
Threat actors routinely capitalize on high-profile events such as elections in phishing and spear-phishing attacks. The more timely the lure, the more convincing it is, and the more important it becomes for your organization’s users to be prepared to identify and report such attacks.
How to protect against nefarious politically themed phishing emails
Follow these 5 steps to ensure you’re staying vigilant against these types of phishing attacks:
- Check the sender domain. Were you expecting an email from this sender? Does the sender domain match previous emails you’ve received from this sender? Does it look suspicious?
- Check the email body for poor spelling, grammar and image use. Often, threat actors won’t proofread their phishing emails before sending them to victims. Check the body of the email and keep an eye out for poor spelling, grammar and strange use of imagery – anything out of the ordinary.
- NEVER click any links, hover over them instead. By hovering your cursor over these links, you can get a preview of the domain the link is sending you to. If the domain doesn’t match the organization or sender, watch out – it could be malicious!
- NEVER open unexpected attachments. Cofense pointed out this year that malicious Office attachments were the #1 malware delivery method used by threat actors. Always be wary of unexpected attachments in emails, including archives, as they could contain malware.
- Report ANYTHING that looks suspicious! Staying vigilant is important, but reporting suspicious emails to your security operations and incident response teams is a crucial step to stopping active phishing attacks in their tracks.
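As an added example (not code from the original post or from Cofense), the following Python turns three of the checks above into detection logic a mail-triage pipeline could run automatically: the sender-domain check, the hover-over-the-link check (destination host versus the brand the link appears to represent), and the attachment check (archives that carry .lnk or other executable members, as in this campaign). The sample message is constructed to mirror the campaign; the lookalike domain pesquisas-ibope[.]video is the one shown on the page, while the legitimate brand domain ibope.com.br is an assumption used only to judge lookalikes. The spelling and imagery check is left to a human reviewer.

```python
"""Automated triage for a brand-impersonation phishing email (added example)."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: the impersonated brand's legitimate domain(s). Any host that
# contains the brand keyword but is not in this set is treated as a lookalike.
TRUSTED_BRAND_DOMAINS = {"ibope.com.br"}
BRAND_KEYWORDS = ("ibope",)
# File types that should never arrive inside an archive from a pollster.
DANGEROUS_EXTENSIONS = (".lnk", ".exe", ".js", ".vbs", ".scr", ".hta", ".cmd", ".bat")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def build_sample_eml() -> bytes:
    """Constructed sample modelled on the campaign: spoofed pollster sender,
    two 'poll' links on a lookalike domain, and a zip carrying a .lnk file."""
    msg = EmailMessage()
    msg["From"] = "Pesquisa IBOPE <pesquisa@pesquisas-ibope.video>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Pesquisa IBOPE - escolha seu candidato"
    html = (
        "<html><body><h2>Pesquisa IBOPE</h2>"
        '<a href="http://pesquisas-ibope.video/porcentagem.pdf">Votar em Haddad</a><br>'
        '<a href="http://pesquisas-ibope.video/resultado.pdf">Ver resultado parcial</a>'
        "</body></html>"
    )
    msg.set_content("Pesquisa IBOPE")
    msg.add_alternative(html, subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pesquisa_IBOPE.pdf.lnk", b"placeholder, not a real shortcut")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Pesquisa_IBOPE.zip")
    return msg.as_bytes()


def _is_lookalike(host: str) -> bool:
    host = host.lower()
    return any(k in host for k in BRAND_KEYWORDS) and host not in TRUSTED_BRAND_DOMAINS


def triage(raw: bytes) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    # Step 1: does the sender domain belong to the brand the mail claims to be?
    if msg["From"] and msg["From"].addresses:
        sender_domain = msg["From"].addresses[0].domain
        if _is_lookalike(sender_domain):
            findings.append(f"sender domain lookalike: {sender_domain}")

    # Step 3: what a hover would reveal; compare each destination host to the brand.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, text in LINK_RE.findall(html_part.get_content()):
            host = urlparse(href).hostname or ""
            label = re.sub(r"<[^>]+>", "", text).strip()
            if _is_lookalike(host):
                findings.append(f"link lookalike: '{label}' -> {host}")

    # Step 4: archives hiding shortcuts or executables, and bare dangerous files.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(DANGEROUS_EXTENSIONS):
                        findings.append(f"archive {name} contains {member}")
        elif name.endswith(DANGEROUS_EXTENSIONS):
            findings.append(f"dangerous attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_eml()):
        print(finding)
```

The keyword-in-host test is deliberately simple; in production you would compare against the registered domain using the Public Suffix List and add checks for homoglyphs and for a Reply-To that differs from From. The archive check is the one that would have caught this campaign: a PDF-looking name ending in .lnk inside a zip is a strong signal on its own.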