Current phishing and malware campaign  [19.03.21]

CERT BWL currently identifies two attack vectors, which are explained below.

1. Facts of the case - phishing email via SharePoint service

Currently, an email invitation to an initially harmless-looking PDF document is being sent via a supposed SharePoint-based service. When you open this "SharePoint service", you are redirected to a home page where you can download a PDF file. Opening the PDF does not distribute any malicious code, but the PDF contains an embedded link to a phishing page that prompts the user to enter an email address and password.

The redirect link hidden in the PDF looks like this (it has been partially redacted here as a precaution):

  • htt**ps://siklus-**indonesia.org/**one

As soon as you click on it, you are redirected to this address:

  • http**/s://bws685taqjq.**typeform.com/**to/QEG**9XYV0

To avoid compromise, never enter your user account credentials on web forms or websites like those described above.

2. Facts of the case - unencrypted ZIP file attached to an email

Emails are circulating with unencrypted ZIP attachments that contain an xlsm file. The email refers to a real past conversation but uses a fake sender email address.

The file contains a macro that could load further malicious code.

If in doubt, compare the sender's name with the sender's address, and be suspicious of emails that you do not expect or whose sender you do not know. Be careful with attached archives.
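
As an added example (not part of the CERT BWL notice), the following Python sketch shows how a mail gateway or analyst could triage an unencrypted ZIP attachment for macro-enabled Office files of the kind described in case 2. The function names, the size cap and the sample file names are assumptions; the sample archive is constructed in memory and contains only placeholder bytes.

```python
import io
import zipfile

MACRO_EXTS = (".xlsm", ".xlsb", ".xltm", ".docm", ".dotm", ".pptm")
MAX_MEMBER_SIZE = 20 * 1024 * 1024  # assumed cap; skip oversized members

def scan_zip_attachment(data):
    """Flag macro-enabled Office files inside a ZIP attachment (bytes)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 = password-protected
            finding = {
                "member": info.filename,
                "encrypted": encrypted,
                "macro_ext": info.filename.lower().endswith(MACRO_EXTS),
                "has_vba": False,
            }
            # OOXML files are ZIPs themselves; VBA code lives in vbaProject.bin.
            # Checking content catches files whose extension was changed.
            if not encrypted and info.file_size <= MAX_MEMBER_SIZE:
                body = io.BytesIO(outer.read(info))
                if zipfile.is_zipfile(body):
                    with zipfile.ZipFile(body) as inner:
                        finding["has_vba"] = any(
                            n.lower().endswith("vbaproject.bin")
                            for n in inner.namelist())
            if finding["macro_ext"] or finding["has_vba"]:
                findings.append(finding)
    return findings

def build_sample(name="invoice.xlsm"):
    """Constructed sample: ZIP with a fake workbook and placeholder VBA part."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(name, inner.getvalue())
        z.writestr("readme.txt", "constructed test file")
    return outer.getvalue()

if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample()):
        print(f)
```

A finding only means the workbook carries a VBA project; what the macro does still has to be analysed in an isolated environment.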

If you have any questions, please contact the KIM.

