Noodlophile infostealer is hiding behind fake copyright and IP infringement notices

Attackers pushing the Noodlophile infostealer are targeting businesses with spear-phishing emails threatening legal action due to copyright or intellectual property infringement, Morphisec researchers have warned.

The campaign

The emails, ostensibly sent by a law firm, are tailored to the recipients: they mention details like specific Facebook Page IDs and company ownership information, and are being sent to key employees or generic inboxes (e.g., info@, support@) of various businesses and enterprises across the US, Europe, the Baltic countries and the APAC region.

Spear-phishing email leading to Noodlophile stealer installation (Source: Morphisec)

The emails are also written in a variety of languages, likely with the help of generative AI tools, but savvy recipients will (hopefully) be suspicious of law firms using Gmail addresses that seem wholly unconnected to the stated sender.

Unfortunately, there will always be careless and easily rattled users who will read the email, be bothered by the threat of legal action, and download the proffered PDF to find out more about the “situation”.

The PDF (actually, a malicious ZIP or MSI archive file posing as a PDF) is not attached to the email. Instead, users are asked to click on a link to download it.

The malware is delivered through legitimate, signed applications vulnerable to DLL side-loading.

“The [malicious] archives contain disguised artifacts, such as batch scripts renamed as .docx files or self-extracting archives (SFX) posing as .png files, which are executed by the malicious libraries loaded within the legitimate application,” the researchers explained.

“Following the side-loading of malicious DLLs, the campaign introduces an intermediate stage to bridge the initial execution and the deployment of the final stealer. The side-loaded DLLs rename additional files within the archive, such as those disguised as .pptx, .docx, or .pdf extensions, to reveal BAT scripts and portable Python interpreters. The final stealer is hosted on free platforms like https://paste[.]rs/Gc2BJ, a tactic that complicates detection and takedown.”
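The disguises described above (a batch script renamed to .docx, a self-extracting executable renamed to .png) are detectable before anything runs, because a file's leading bytes betray its real type regardless of its extension. The following script is an added example, not code from Morphisec or from the article: it builds a constructed ZIP archive in memory whose entries mimic that layout (the file names and contents are made up for the demonstration) and reports every entry whose content does not match the type its extension claims.

```python
"""Flag archive entries whose extension does not match their content.

Added example for this article, not Morphisec's tooling. The sample
archive built by build_sample_archive() is constructed for the demo;
its entry names and bytes are invented.
"""
import io
import os
import zipfile

# Magic bytes we expect behind the extensions this campaign abuses.
# Real .docx/.pptx files are ZIP containers, so they start with "PK".
EXPECTED_MAGIC = {
    ".docx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Content that should never sit behind a document or image extension.
SUSPICIOUS_MAGIC = (
    (b"MZ", "PE executable (SFX or DLL) behind a non-executable extension"),
    (b"\x7fELF", "ELF executable behind a non-executable extension"),
)
# Markers typical of a Windows batch script (compared case-insensitively).
BATCH_MARKERS = (b"@echo off", b"%~dp0", b"cmd /c", b"powershell")


def classify_entry(name, head):
    """Return a reason string if the entry looks disguised, else None.

    `head` is the first few hundred bytes of the entry's content.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return None  # extension is not on our watch list
    if any(head.startswith(magic) for magic in expected):
        return None  # content matches the claimed type
    for magic, reason in SUSPICIOUS_MAGIC:
        if head.startswith(magic):
            return reason
    lowered = head.lower()
    if any(marker in lowered for marker in BATCH_MARKERS):
        return "batch script content behind a document extension"
    return "content does not match the %s magic bytes" % ext


def find_disguised_entries(zip_bytes, head_len=512):
    """Scan a ZIP (as bytes) and return [(entry name, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(head_len)  # only the header is needed
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive():
    """Constructed ZIP mimicking the campaign's layout (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Genuine-looking PDF header: should not be flagged.
        zf.writestr("Copyright_Notice.pdf", b"%PDF-1.7\n% constructed sample\n")
        # Batch script renamed to .docx (the disguise the article describes).
        zf.writestr("evidence/letter.docx",
                    b"@echo off\r\nset P=%~dp0\r\nrem constructed sample\r\n")
        # PE executable (e.g. an SFX archive) posing as a .png.
        zf.writestr("evidence/logo.png", b"MZ\x90\x00" + b"\x00" * 60)
        # Real PNG header: should not be flagged.
        zf.writestr("evidence/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_disguised_entries(build_sample_archive()):
        print("%s: %s" % (name, reason))
```

Running it lists `evidence/letter.docx` and `evidence/logo.png` and leaves the two genuine headers alone. The check is deliberately conservative: it only judges extensions on the watch list, and a PDF with leading junk before `%PDF-` (which some readers tolerate) will be reported as a mismatch, so treat hits as triage leads for a mail or download gateway rather than verdicts.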

Noodlophile is evolving?

The Noodlophile stealer is capable of retrieving a variety of data from target systems and web browsers (Chrome, Brave, Edge, Opera, and others):

  • Cookies and autofills (to grab login credentials)
  • Saved credit card information
  • Information about the computer (installed OS and versions, RAM, installed security software), etc.

“The stealer maintains persistence via the Programs\Startup directory and employs self-deletion techniques to remove traces after execution, further complicating detection,” the researchers noted, and pointed out that these newer versions of Noodlophile also contain placeholder functions that could point to additional capabilities the malware developers intend to add to it in the future: keylogging, screenshot capture, process monitoring, listing browser extensions and grabbing browser history, and file encryption.

Previously, threat actors – possibly the same ones behind this latest campaign – targeted creators and small businesses with the Noodlophile malware disguised as output files created by a legitimate-looking AI tool.
