Following last week's reports that phishing emails appearing to be from Inland Revenue were making the rounds, CERT NZ yesterday released a warning about a phishing scam claiming to be from the Ministry for Primary Industries (MPI).
The email appears to come from a genuine-looking address, firstname.lastname@example.org, and carries an attachment that installs keylogging malware.
The attachment exploits CVE-2012-0158, a Microsoft Office vulnerability that was disclosed and patched in 2012, but many systems have still not applied that patch.
Attackers are still using the exploit as a way into those unpatched systems; in this campaign the payload it drops is a Python-based keylogger.
A 2016 blog post from security firm VMRay notes that although the exploit is old, attackers remain confident there are enough unpatched installations of Microsoft Office to make further attacks worthwhile.
The attached file is a malicious Word document that downloads and installs the keylogging software on the infected machine.
CERT NZ says that if Microsoft Office patching is up to date, the malicious document cannot exploit the vulnerability, so the keylogger is never launched and does no damage.
Those running unpatched versions of Microsoft Office who have opened the attachment may have the keylogging software on their machines. CERT NZ recommends consulting an IT specialist for further mitigation.
CERT NZ also recommends the following tips for preventing further damage:
Keylogging software is difficult to remove. The best remediation is to rebuild your machine from the last backup taken before this email was received. We recognise this is a difficult step for many users and organisations.
Alternatively, take your machine to an IT specialist to rebuild the machine.
Enable multi-factor authentication across key online and administrative accounts. In these cases, if a person has your password, enabling multi-factor authentication will prevent them from logging in.
Once you’ve removed the malware, change all the passwords used on the computer since opening the malicious attachment.
Last week Inland Revenue reported a phishing scam that masqueraded as a tax return form. The scam attempted to trick recipients into providing their personal and credit card data.
The fake IRD email appeared to be from the Inland Revenue Department but was actually sent from the address IRDxxxxx@s1.nzr.review.
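Both scams rely on the same trick: the name the recipient sees claims a government agency, while the address the mail was actually sent from belongs to an unrelated domain. The following script is an added illustration of that check and is not part of the article or of CERT NZ's advice. It splits a From header into the displayed name and the real address, works out which organisation the name claims, and reports whether the sending domain belongs to that organisation. The organisation-to-domain table and all sample headers are constructed for the example; the table is an assumption for illustration, not an authoritative list of government sender domains.

```python
"""Flag From headers whose real sending domain does not belong to the
organisation the display name claims.  Added example; the expected-domain
table and the sample headers are constructed for illustration."""
import re

# Assumption for illustration: organisations a display name might claim,
# and the domains they are expected to send from.
EXPECTED_DOMAINS = {
    "inland revenue": ("ird.govt.nz",),
    "ird": ("ird.govt.nz",),
    "ministry for primary industries": ("mpi.govt.nz",),
    "mpi": ("mpi.govt.nz",),
}


def split_from(from_header: str):
    """Return (display_name, address).  Deliberately simple: the address is
    whatever sits in the last <...>; everything before it is the name the
    recipient sees.  A bare address has no display name."""
    header = from_header.strip()
    m = re.match(r"^(.*)<([^<>]+)>\s*$", header, re.S)
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip()
    return "", header


def sender_domain(address: str) -> str:
    """Domain part of the real address, lower-cased ('' if malformed)."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def claimed_org(display_name: str):
    """Which organisation the display name claims, longest key first so
    'inland revenue' wins over a shorter key; word boundaries stop 'ird'
    matching inside unrelated words such as 'third'."""
    text = display_name.lower()
    for key in sorted(EXPECTED_DOMAINS, key=len, reverse=True):
        if re.search(r"\b" + re.escape(key) + r"\b", text):
            return key
    return None


def domain_belongs_to(domain: str, allowed) -> bool:
    """True only for an allowed domain or a subdomain of one, compared on a
    label boundary, so 'ird.govt.nz.evil.example' does not match."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from(from_header: str) -> dict:
    """Verdict: 'ok', 'mismatch' (claimed org but foreign domain) or
    'unknown-org' (no claim we can test)."""
    name, address = split_from(from_header)
    domain = sender_domain(address)
    org = claimed_org(name)
    if org is None:
        return {"verdict": "unknown-org", "org": None, "domain": domain}
    ok = domain_belongs_to(domain, EXPECTED_DOMAINS[org])
    return {"verdict": "ok" if ok else "mismatch", "org": org, "domain": domain}


# Constructed sample headers (the first reuses the redacted address the
# article reports for the IRD scam).
SAMPLE_HEADERS = [
    "Inland Revenue <IRDxxxxx@s1.nzr.review>",
    "Inland Revenue <noreply@ird.govt.nz>",
    "IRD <refunds@ird.govt.nz.evil.example>",
    "Ministry for Primary Industries <alerts@notify.mpi.govt.nz>",
    "noreply@ird.govt.nz <x@evil.example>",
    "Jane Doe <jane@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_from(header)
        print(f"{result['verdict']:<12} {header}")
```

The fifth sample shows a common variant in which the legitimate-looking address is placed in the display name itself, so that a mail client shows "noreply@ird.govt.nz" while the message really comes from evil.example. A display-name heuristic like this is only a first filter; on a receiving mail server the authoritative checks are SPF, DKIM and DMARC on the actual sending domain.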