Cybercriminals have been conducting fileless malware phishing attacks and restaurants are in the firing line. Restaurants are being singled out as they tend to have relatively poor cybersecurity defenses and criminals can easily gain access to the credit card details of thousands of customers.
The phishing attacks are used to install fileless malware – malware that remains in the memory and does not involve any files being written to the hard drive. Consequently, fileless malware is particularly difficult to detect. By switching to fileless malware, which most static antivirus solutions do not detect, the criminals can operate undetected.
While fileless malware can be short-lived, only existing in the memory until the computer is rebooted, the latest variants are also persistent. The purpose of the malware is to allow the attackers to install a backdoor that provides access to restaurants’ computer systems. They can then steal the financial information of customers undetected.
The latest fileless malware phishing attacks involve RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7; a group that has close associations with the Carbanak group.
The attacks start with a well-crafted phishing email, with social engineering methods used to encourage end users to open the attached RTF file. RTF files have been discovered that are restaurant themed, named menu.rtf and relating to orders. Some emails appear to have been written to target specific restaurant chains.
One intercepted phishing email claimed to be a catering order, with the attachment containing a list of the items required. In the email, brief instructions explaining when the order is needed and how to view the list of ordered items. The email was brief, but it was particularly convincing. Many restaurants are likely to be fooled by these fileless malware phishing attacks, with access to systems granted for long periods before detection.
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
As with other phishing campaigns, the user is prompted to enable the content in the attached file. Opening the RTF file presents the user with a large image that they must click in order to view the contents of the document. The document is expertly crafted, appears professional and suggests the contents of the document are protected. Double clicking on the image and confirming with a click on OK will launch the infection process, running JavaScript code.
FIN7 has recently been conducting attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of infection, but in contrast to past attacks, the DNS queries are launched from the memory, rather than using PowerShell commands. Since the attack does not involve files being written to the hard drive, it is difficult to detect.
Further, the researchers checked the RTF file against VirusTotal and discovered none of the 56 AV vendors are currently detecting the file as malicious.