Over the last few weeks, Cyberint has witnessed an ongoing attack campaign targeting social media influencers, attempting to infect them with malware by impersonating large clothing retailers. The campaign targets influencers across multiple social media platforms but currently appears to mostly focus on influencers operating on YouTube. Further, although the infection process is not sophisticated, it is notable and appears to be evolving.
The recent campaign impersonates large retailers and reaches out to social media influencers via email regarding a collaboration to promote the brand. As part of the partnership, the influencers are offered a product of their choosing, which they can redeem by downloading a “catalog”. The claimed value of the product changes from brand to brand but is mostly between $1,000 and $3,000 USD.
The end-goal of the threat actor is currently unknown, but Cyberint’s assessment is that their intention is to take control over the influencers’ social media accounts, and then either demand a ransom, or leverage the accounts for additional phishing purposes.
Figure 1: “Promotions” sent to influencers
Notable Aspects of the Campaign
While attack campaigns targeting social media influencers have been seen in the past, there are several unique characteristics in this attack worth mentioning:
- The threat actors use legitimate services and non-typical hosts for the malware campaigns. As of now, the “catalogs” were hosted on either GitHub or Google Drive. Further, the catalog is an .exe file accompanied by several additional files, all within a password-encrypted ZIP.
Figure 2 & 3: Google Drive containing the malicious ‘catalog’ file | Instructions to redeem the promotion
- The malware appears to be a trojan from the Amadey family. Cyberint also identified indications of a second-stage download and attempts to drop a Derkziel info-stealer.
- The emails are sent from either lookalike or spoofed ‘do-not-reply’ addresses of the brands.
Figure 4: Email sent to a targeted influencer
As the campaign does not target the companies but rather independent influencers, mitigation options are limited. Nevertheless, Cyberint recommends considering operating a dedicated brand ambassador or influencer outreach program to share the following key points:
- The company will only communicate with influencers through official verified social media channels and/or an official @domain email account. Moreover, contacted individuals should verify the source of all emails before divulging personal information.
- Comments or messages from non-official sources asking an influencer to initiate contact with a brand should be ignored, as these are likely impersonation attempts.
- Exercise caution when opening unsolicited communications, especially those with links or attachments.
- To mitigate account compromise, and as a best practice in any event, users should implement MFA on all accounts.
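The sender-verification advice above (official @domain accounts only, caution with unsolicited links and attachments) can be turned into a simple triage check. The script below is an added illustration, not Cyberint's tooling: it flags a lookalike sender domain, an official-domain sender that lacks a DKIM pass in its Authentication-Results header (the authentication check is an assumed heuristic, not something the report describes), a download link pointing at the file hosts the campaign was seen using, and a body that mentions a password for a .zip archive. The official domain list, the two sample messages and the thresholds are all constructed for the example.

```python
"""Triage helper for brand-collaboration emails sent to influencers.

Added example (not from the original report). The official domain list,
sample messages and scoring thresholds are constructed for illustration.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed set of a brand's genuine sending domains (constructed example).
OFFICIAL_DOMAINS = {"examplebrand.com"}

# Hosts the report says the malicious "catalog" was served from.
FILE_HOSTS = {"github.com", "drive.google.com"}

URL_RE = re.compile(r"https?://[^\s>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances to an official name suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From header (empty string if absent)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify_domain(domain: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a sender domain."""
    if domain in OFFICIAL_DOMAINS:
        return "official"
    base = domain.split(".")[0]
    for official in OFFICIAL_DOMAINS:
        official_base = official.split(".")[0]
        # Brand name embedded in another domain, or within two edits of it.
        if official_base in domain or edit_distance(base, official_base) <= 2:
            return "lookalike"
    return "unrelated"


def triage(raw_message: str) -> dict:
    """Parse a plain-text email and return the sender domain, flags and verdict."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []

    kind = classify_domain(domain)
    if kind == "lookalike":
        flags.append("lookalike_sender")
    elif kind == "official":
        # Assumed heuristic: an official domain without a DKIM pass may be spoofed.
        auth = msg.get("Authentication-Results", "")
        if "dkim=pass" not in auth.lower():
            flags.append("unauthenticated_official_sender")

    # Download links on the file hosts the campaign used.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_HOSTS:
            flags.append("external_file_host_link")
            break

    # A password-protected archive is the delivery pattern described in the report.
    if re.search(r"\.zip\b|archive", body, re.I) and re.search(r"password", body, re.I):
        flags.append("password_protected_archive_hint")

    verdict = "suspicious" if flags else "no_findings"
    return {"sender_domain": domain, "flags": flags, "verdict": verdict}


# Constructed sample: lookalike sender, Google Drive link, archive password in body.
SAMPLE_LOOKALIKE = (
    "From: Brand Partnerships <do-not-reply@examplebrand-promo.com>\n"
    "To: creator@example.net\n"
    "Subject: Collaboration offer\n"
    "\n"
    "Choose a product worth $2,000 from our catalog.\n"
    "Download: https://drive.google.com/file/d/PLACEHOLDER/view\n"
    "The archive password is 1234.\n"
)

# Constructed sample: genuine domain with a DKIM pass and no download links.
SAMPLE_OFFICIAL = (
    "From: Partnerships <partnerships@examplebrand.com>\n"
    "To: creator@example.net\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=examplebrand.com\n"
    "Subject: Collaboration offer\n"
    "\n"
    "We would like to discuss a collaboration; reply to this address to set up a call.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_OFFICIAL):
        print(triage(sample))
```

Running the script prints a verdict for each constructed sample; in practice the same function would be run over messages exported from the influencer's mailbox, with the official domain set supplied by the brand's outreach program.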