Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Surfing the Tidal Waves of HR-Themed Spam Emails

Threat actors constantly improve their tactics and are always on the hunt for technical or social vulnerabilities they can exploit. The pandemic-induced Great Resignation, massive layoffs, continuous company restructuring, and upcoming holidays make this a very busy time of changes in the labor force.

Due to this upheaval, employees are always on the lookout for any updates from their Human Resources (HR) department, as HR often sends updates or notifications via company-wide email. Cybercriminals have picked up on this, and we are now seeing waves of different spam campaigns exploiting HR-related topics, a rather innovative and irresistible lure.

Fraudsters are pretending to be HR representatives and sending malicious emails with links that lead to phishing sites or attachments that can download malware. Over the past six months, we have seen a notable increase in HR-related malicious spam, which is expected to continue even after the holidays.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-1Figure 1 Daily Graph of HR-Themed Spam

 

On average, we are seeing about 200 emails per day in MailMarshal Cloud related to these lures. In early November, submissions spiked, reaching more than 1,400 malicious emails in one day.

Below are some recent campaigns that use HR-related themes, along with their context and a run-through of their attack flow.

 

Annual Leave Compliance

 

The holidays are just about here, and employees look forward to their much-anticipated vacations. Factors such as remaining leave credits and staffing schedules need to be settled, and employers retain the discretion to decline or revoke holiday leave requests.

The email below claims to be from the recipient’s HR department and contains a link for a supposed leave compliance report. The email purports to be a report shared through SharePoint, a Microsoft web-based platform commonly used for collaborative content management and sharing.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-2Figure 2 Leave Compliance Report Spam

 

Examining the email header, we see that the fraudsters used “[Company Name] HR Department” as the sender’s name to make the content more convincing and credible. However, the sender domain is newly created and does not correspond to the company. The Importance setting is also set to “High,” which marks the message as urgent and needs immediate attention.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-3

 

The "View File" button in the email body leads to a Chameleon phishing site hosted in CloudFlare's R2. Chameleon websites can adapt the background and logo of their page depending on the victim's information. This is made possible by collecting the domain name from the victim's email address and scraping the background image and logo from the legitimate website they are impersonating. Attackers then incorporate these on the phishing site so when it fully loads, it will resemble the real one.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-4Figure 3 Chameleon Phishing Website With testme.com vs google.com as Inputs

 

With this clever technique, attackers can deceive unsuspecting users into thinking the page they're accessing is legitimate and then proceed to steal their credentials. This system is a versatile disguise since it can adapt to the user's email address, unlike other phishing sites that focus only on impersonating one brand.

 

Termination List

 

Layoffs in the tech industry are making headlines, with more than 240,000 workers being impacted, according to a tech layoff tracker. From the biggest names in the industry down to start-ups, companies are grappling with extensive workforce downsizing. The use of email for layoff notifications invariably comes as a shock to the employees and is guaranteed to get the reader's attention. Phishers are taking advantage of this and crafting malicious emails with this lure.

Our example below shows a phishing email containing a link that leads to a supposed staff termination list. Like our previous example, this email claims to be sent by the company's HR representative. However, the sender domain does not correspond to the recipient's company.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-5Figure 4 Employee Termination List Spam

 

The email instructs the recipient to find their name on the termination list, compelling them to click on the link. Messages of this nature can trigger anxiety and might divert their attention from the fact that the URL indicated in the email does not correspond to the actual link embedded in the message.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-6Figure 5 HTML Code of The Email Body (With Redacted Information in Brackets)

 

In the email's HTML code, the content features the text: '{Company Name} Staff Employment Termination lists and new administrative position and transfers/{Company Name}/company/employees.xls.' This file path, however, does not correspond to any authentic company asset or location, nor does it adhere to standard URL formatting. Instead, it has been created solely for the purpose of creating a false sense of legitimacy within the email.

The actual link is another phishing site hosted in Cloudflare’s R2. When clicked, it leads to a bogus Outlook login page.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-7Figure 6 Phishing Site Impersonating Outlook

 

After the victim enters their credentials, the page will display an error message "The username or password you entered isn't correct. Try entering it again." Attackers sometimes design their phishing websites to ask for the victim's credentials multiple times to confirm the accuracy of the information or to potentially gather alternative passwords. After three tries, the website redirects to a bogus but benign PDF vacation request form, which obviously is not related to the topic, and there is, in fact, no termination list.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-8Figure 7 Landing Page After the Credentials Are Collected

 

Employee Satisfaction Report

 

Employee satisfaction drives performance. Employees who are happy or content excel in their roles, leading to increased employee retention. Maintaining or improving the well-being of staff is part of HR’s job, and to do so, they conduct interviews, surveys, and evaluations to gauge employee satisfaction.

In the phishing email below, fraudsters pretend to be an “HR Guru” who is sharing the result of an employee satisfaction evaluation. Along with these findings, included are recommendations to improve the morale of the staff.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-9Figure 8 Phishing Email Disguised as Employee Satisfaction Report

 

The embedded link in the email is a URL redirector hosted by Zoho Campaigns, an email marketing service. Threat actors often exploit services such as these to distribute different kinds of spam. The link then redirects to an online form created using Formstack. Formstack, on the other hand, is a form builder. Form builders are popular in phishing campaigns since they are easy to set up, and there are many free or affordable form builder services.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-10

 

Once the Formstack website loads, it will greet you with a welcome page that has a start button.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-11Figure 9 Formstack Welcome Page

 

Clicking this button will lead to a form where the adversary asks the victims to enter their login details, such as name, corporate email address, and job title. The last field is called “Authenticate Submission,” where they are instructed to enter their password.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-12Figure 10 Actual Phishing Form

 

This redirection chain is seen in other HR-themed phishing emails too. It can be summarized in 4 steps.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-13Figure 11 Phishing Redirection Chain

 

Placing the information collection form behind a “welcome page” is a cunning tactic to hide phishing contents and avoid detection. By concealing the actual phishing form behind this initial welcome page, the threat actors are trying to shield it from being flagged by security crawlers. The welcome page itself is just a logo and a button, which may lead security crawlers to perceive it as a benign, non-malicious website.

 

Employee Handbook Acknowledgement

 

An employee handbook or manual gives a detailed overview of a company's mission, values, and policies. This manual is often given to employees during the onboarding process and regularly updated with new policies and regulations. Due to its significance, threat actors may exploit these types of documents or usually impersonate them as enticing lures for phishing purposes.

Below is a phishing email with a file attachment claiming to contain the company's complete employee handbook. Sent by a fake "HR Management" email address, this email contains a heavily obfuscated html attachment.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-14Figure 12 Fake Employee Handbook Spam

 

The subject and the attachment file name contain the date of email delivery, suggesting that this is the latest version of the handbook.

The attachment uses multiple obfuscation techniques, such as base64 string encryption, variable renaming, and control flow flattening to hide the URL redirection behavior.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-15Figure 13 The Entire obfuscated HTML Attachment Code

 

Once the script is decoded, it will open a phishing site with a CAPTCHA test to verify the user is human. This is another technique to hide the phishing content and avoid detection. Since CAPTCHA is designed to block automated bots, malicious sites use them to prevent security crawlers from analyzing and flagging their contents.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-16Figure 14 The Decoded Webpage Containing a CAPTCHA Test

 

Once you pass the CAPTCHA test, it will redirect to a bogus Microsoft login page. This initial page is served before loading the actual phishing site gives the illusion that the user is accessing a legitimate Microsoft app.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-17Figure 15 Fake Microsoft Login Site

 

This site is short lived and will redirect to the final landing page and is in fact just another fake Microsoft login page made to look like it was hosted via GoDaddy.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-18Figure 16 Final Landing Page

 

A confidentiality agreement, also known as a non-disclosure agreement (NDA), is a legally binding contract between an employer and an employee. Its purpose is to prevent disclosure of sensitive company information, trade secrets, and other proprietary data to unauthorized parties. Any employee who has access to sensitive information is often required to sign a confidentiality agreement. This is the lure used in our final example below.

The sender, pretending to be the HR director, is urging the recipient to sign what appears to be a confidentiality agreement. The email's tone manifests a sense of urgency, with the sender explicitly requesting "prompt attention." A 7zip file attachment was included in the email, which purportedly contains the Confidentiality Agreement document.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-19Figure 17 Fake Confidentiality Agreement Email

 

Inside the encrypted attachment is a VBE file, an executable script written in VBScript. It is named "Confidentiality Agreement form," a deliberate attempt to present itself as legitimate.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-20Figure 18 Malicious VBE Downloader Inside a 7z

 

Once the VBE file is opened, it will be executed through Windows Script (wscript.exe) which will decode its obfuscated functions. Once finished, it will execute a PowerShell command using the newly-deobfuscated code which will then download Remcos and GuLoader malware into the victims computer.

 

Surfing-the-Tidal-Waves-of-HR-Themed-Spam-Emails-21Figure 19 Malware Infection Chain

 

Remcos or Remote Control and Surveillance is a Remote Access Trojan (RAT) that grants the attacker full control over the infected computer and has been used in multiple cyberattacks. GuLoader is a shellcode-based downloader used by threat actors to distribute other shellcode and malware such as ransomware and banking trojans.

 

Conclusion

 

Cybercriminals continuously find new techniques and lures to steal credentials. This article notes that attackers are incorporating creative HR-related themes into their spam emails. By using social engineering, data obfuscation, and a timely and personal subject matter, these cyberattacks pose a significant risk to employees. Targeted victims are likelier to engage with malicious emails due to excitement over holiday vacations or fear of being laid off. Our analysis also finds that attackers have been actively leveraging techniques such as hidden phishing websites and obfuscated file attachments to avoid detection, therefore increasing the chances of getting more victim data.

We urge everyone to exercise extreme caution and stay up to date with the latest threats to avoid falling for these nefarious schemes.

 

IoC

hxxps://pub-d6a35764152345299e690fcaba91066e[.]r2[.]dev/rugaind.html#

hxxps://m[.]addthis[.]com/live/redirect/?url=https://bafybeidobzpdgxhc4eotu5kbojpfltyd4sjsn5gxqbp35k32ymhtibeucy[.]ipfs[.]dweb[.]link/rfq_2023[.]html/#

hxxps://xpncsep-zgpm[.]maillist-manage[.]com/click/1107d8d15757f4535/1107d8d15757e8355

hxxps://caduceusmedical[.]formstack[.]com/forms/boosting_employee_satisfaction

hxxps://twwhvw[.]ujuandjule[.]ru/gqzffy/#

f0b45089d8e6d329a1aecbc9c436faa2

c8c95a6a387113ef7117097bdc75b6e8

67b7b52e818256c024ba7704f5e1fc8d

 

Attribution: Icons used in flow charts are from Flaticon.com

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More