Newly discovered Lebal malware targets companies and organizations

Government organizations, private sector, and universities are in the target eye of Lebal malware

In the first week of January 2018, researchers detected 328 phishing emails^[1] that were spreading a brand new Lebal malware. According to research data, they were sent from IP address in Sao Paulo, Brazil, and aimed at high-profile organizations.

Comodo Threat Research Labs have announced that this data-stealing malware attacked^[2] five universities, 23 private companies, and a few government entities. Thus, experts warn that this cyber threat might continue spreading in the future.

Unlike standard malware infection, Lebal uses the sophisticated and complex process to bypass technical security means and mislead even the most vigilant individuals. Cybercriminals did not send the malware via standard contaminated email attachment but instead tried to disguise it in several layers. The first attempt is sent as a phishing email, while the second venture disguises as a link to Google Drive.^[3]

Fake FedEx emails included malware executable

Malware distribution campaign tricked users that they received an email from FedEx,^[4] which claims that the package failed to be delivered; hence the person must physically collect it in the nearby branch.

The letter also included a Google Drive link which was supposed to be the label that user has to print and take it in order to receive the package. Immediately after the user clicks on the contaminated link, Lebal malware is dropped on the system.

However, this social engineering campaign is just the first stage of the attack. When a user clicks on the affected link, the address bar shows https protocol, secure connection identifier, and drive.google.com domain. Additionally, the malicious file is included in an obfuscated Adobe Acrobat document.

Thus, everything looks legit. Even the most vigilant users may not suspect that something might be wrong, and this Google Drive link might download a malicious “Lebal copy.exe” file which immediately runs malware on the system.

Lebal malware steals private user’s information

The purpose of the Lebal virus is to steal personal user’s information stored in web browsers, including cookies and credentials. Additionally, it searches for details about instant messenger clients and emails.

Cyber criminals are also interested in locating and accessing cryptocurrency wallets. After the attack, the malware also targets FTP clients, for instance, FileZilla and WinSCP in order to find or obtain Bitcoin, Electrum or other digital currency wallets.

Thus, Lebal tries to steal all possible information and sends aggregated details to criminals via Command and Control server. Furthermore, these details might be used to commit further crimes.

The significant feature of the data-stealing malware is that it is capable of disabling targeted computer’s security. It can turn off antivirus and anti-malware programs, as well as bypass its detection. Therefore, it’s better to take some precautions in order to deal with consequences after the attack.

Companies, organizations, universities and home computer users should be especially careful with emails and do not rush clicking any links. In this case, if you do not expect to receive a parcel delivered by FedEx, you should not check what hides under suspicious Google Drive link. Your curiosity may lead to money or confidential information loss or even identity theft.^[5]