Phishing Alert: Fake NDAs Sent Via “Contact Us” Forms Target Manufacturers

Summary

– A phishing campaign targets industrial manufacturing and supply chain companies using sophisticated methods to bypass security and avoid detection.
– Attackers use “Contact Us” forms on company websites to initiate credible, professional email exchanges, sometimes over weeks, to build trust.
– The campaign delivers a malicious ZIP file containing a PowerShell script that installs the “MixShell” backdoor, using DNS TXT tunneling for command and control.
– Newer tactics involve direct emails posing as internal AI initiatives, such as an “AI Impact Assessment,” to lure victims into downloading malicious content.
– Over 80% of targets are U.S.-based enterprises, though small and medium businesses are also affected, with attackers tailoring efforts based on perceived value.

A sophisticated phishing campaign is actively targeting industrial manufacturing firms and other critical supply chain organizations, using deceptive tactics to bypass conventional security measures. Security researchers have identified a financially motivated threat group employing highly convincing social engineering techniques through corporate “Contact Us” forms. This approach allows attackers to initiate seemingly legitimate email exchanges, effectively evading reputation-based email filters and gaining the trust of employees before delivering malicious payloads.

The attackers engage in prolonged, professional email conversations with their targets, often spanning several days or weeks. A key element of their strategy involves requesting victims to sign a fake Non-Disclosure Agreement (NDA), which serves as both a lure and a decoy document. Once trust is established, the target is directed to download a malicious ZIP archive from a subdomain of herokuapp.com. This archive contains a PowerShell script designed to execute in memory, ultimately deploying a custom backdoor known as “MixShell.” This malware employs DNS TXT tunneling with HTTP fallback for command-and-control communications, enabling remote execution of commands and file operations.
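Command-and-control tunnelled over DNS TXT queries leaves a recognisable pattern in resolver logs: one client sends many distinct, long, high-entropy names under a single domain. The following detector is an added illustration, not code from the article or the researchers it cites; the log format, the domain, the hex-style names and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log ("<time> <client> <qtype> <qname>"); the hex-style
# names under tunnel-placeholder.test are made up here, not campaign indicators.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 TXT _dmarc.example.com
2024-01-01T10:00:03 10.0.0.5 TXT example.com
2024-01-01T10:00:04 10.0.0.7 TXT 4a6f686e2d446f652d303031.tunnel-placeholder.test
2024-01-01T10:00:05 10.0.0.7 TXT 5265706f72742d3132333435.tunnel-placeholder.test
2024-01-01T10:00:06 10.0.0.7 TXT 6765742d66696c652d616263.tunnel-placeholder.test
2024-01-01T10:00:07 10.0.0.7 TXT 7570646174652d7374617475.tunnel-placeholder.test
2024-01-01T10:00:08 10.0.0.7 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_qname(qname):
    """Treat the last two labels as the registered domain (assumption: a real
    deployment would use the public suffix list) and the rest as payload."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def find_txt_tunneling(log_text, min_queries=3, min_payload_len=20, min_entropy=2.5):
    """Group TXT queries per (client, domain) and flag groups whose leading labels
    look like encoded data: many mostly-unique, long, high-entropy payloads."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "TXT":
            domain, payload = split_qname(parts[3])
            groups[(parts[1], domain)].append(payload)
    flagged = {}
    for key, payloads in groups.items():
        n = len(payloads)
        stats = {"queries": n,
                 "unique_payloads": len(set(payloads)),
                 "avg_payload_len": sum(map(len, payloads)) / n,
                 "avg_entropy": sum(map(shannon_entropy, payloads)) / n}
        if (n >= min_queries and stats["unique_payloads"] / n >= 0.8
                and stats["avg_payload_len"] >= min_payload_len
                and stats["avg_entropy"] >= min_entropy):
            flagged[key] = stats
    return flagged
```

The benign client's SPF/DMARC lookups are short and few, so only the second client's group is flagged; tune the thresholds against your own resolver's baseline before alerting on them.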

Notably, the threat actors use domains that appear credible and legitimate, many of which correspond to the names of U.S.-based LLCs. Some of these domains were registered over five years ago, lending them an air of authenticity that helps deceive both security systems and potential victims. In a more recent variation of the campaign, attackers have shifted to direct email outreach, posing as internal initiatives related to AI-driven operational changes. These emails frame the request as an “AI Impact Assessment,” urging recipients to complete a questionnaire and implying executive-level endorsement to enhance legitimacy.

The campaign has primarily targeted organizations in the United States, though companies in Singapore, Japan, and Switzerland have also been affected. Both enterprise-level and small-to-medium-sized businesses have been victimized, with attackers demonstrating a willingness to invest significant time in cultivating relationships regardless of company size. The ongoing nature of this threat underscores the importance of vigilant employee training and robust email security protocols to mitigate risks associated with socially engineered attacks.

(Source: HelpNet Security)
