In a variation of standard payroll fraud, attackers in this email impersonate the accounts payable department to deliver a malware attachment. Using basic display name deception, they first change the name to AP (standard for an accounts payable team) and then send a generic email to employees, notifying them that their direct deposit is attached. While the attachment itself is an XLS file, further review indicates that it contains malware consisting of VBA macros.

Status Bar Dots
Impersonate Attack Image

Why It Bypassed Traditional Security

This is an interesting email due to the fact that the malware is not particularly well-hidden and should’ve been flagged by traditional security tools. That said, the email domain is trusted—daum.net is a South Korean web portal that is used in similar ways to Gmail and has SPF and DMARC enabled. 

Detecting the Attack 

Content analysis on this attack shows that there is formal language and contains information related to financial transactions. In addition, the mismatch between the display name and the username indicate that this may be an attack, as well as the fact that this email has never been seen sending to this organization. When combined with the clear indicators of malware within the attachment, it becomes immediately apparent that this is an attack. 

Risk to Organization 

To run this scam, attackers use social engineering, knowing that employees would likely be interested in a direct deposit notification, particularly if they were not expecting a paycheck at this point. Should an employee click on the attachment, it would automatically download malware to the computer, setting the stage for a more nefarious second-stage payload to be downloaded. 

Analysis Overview

Vector

Payload-based

Goal

Malware Delivery

Tactic

Free Webmail Account

Theme

Direct Deposit Payment