Attackers exploit “Contact Us” forms and counterfeit NDAs to phish industrial manufacturing companies and plant an in-memory backdoor.
A recently uncovered phishing campaign built to slip past email security controls and endpoint detection is targeting firms in industrial manufacturing and other critical supply-chain sectors, according to Check Point researchers. The operators, believed to be financially motivated, aim to deliver a malicious ZIP archive containing a PowerShell script. The script runs in memory and ultimately deploys a custom in-memory implant/backdoor that the researchers call “MixShell.” The implant uses DNS TXT tunneling for command and control, with HTTP as a fallback channel, which lets the operators execute commands and perform file operations on the compromised host. Because both stages run in memory, little is written to disk, so detection rests largely on script-block logging, memory scanning and network telemetry such as DNS query logs. Notably, the attackers invest considerable effort in building trust with employees at victim organisations before encouraging them to download and execute the ZIP file.
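The DNS TXT tunneling described above leaves a characteristic pattern in resolver logs: one client sending many TXT queries to one base domain, each with a never-repeated, high-entropy prefix carrying encoded data. The following Python script is an added detection example written for this article; it is not code from the campaign, from MixShell, or from Check Point. It assumes a simple whitespace-separated query log format (timestamp, client IP, query name, query type), takes the last two labels of a name as the "base domain" in place of a public-suffix-list lookup, and uses threshold values that are assumptions to be tuned against your own baseline. The log lines are constructed for illustration and include legitimate TXT lookups (DMARC, DKIM) that the heuristics should leave alone.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample DNS query log (illustrative only, not telemetry from the campaign).
# One query per line: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2025-08-20T09:00:01Z 10.0.5.23 www.example.com A
2025-08-20T09:00:02Z 10.0.5.23 mail.example.com MX
2025-08-20T09:00:03Z 10.0.5.23 _dmarc.example.com TXT
2025-08-20T09:00:10Z 10.0.5.23 e7f3a91c0d4b5.k2qz8.relay-example.net TXT
2025-08-20T09:00:20Z 10.0.5.23 9b04d2ce7f1a8.k2qz8.relay-example.net TXT
2025-08-20T09:00:30Z 10.0.5.23 5c1ea8f03d7b2.k2qz8.relay-example.net TXT
2025-08-20T09:00:40Z 10.0.5.23 a6d47b2e91c05.k2qz8.relay-example.net TXT
2025-08-20T09:00:50Z 10.0.5.23 0f8c3b6d1e9a4.k2qz8.relay-example.net TXT
2025-08-20T09:01:00Z 10.0.5.23 d2b9e7f14c3a6.k2qz8.relay-example.net TXT
2025-08-20T09:01:10Z 10.0.5.23 4a7c0e5b8d2f1.k2qz8.relay-example.net TXT
2025-08-20T09:01:20Z 10.0.5.23 b1e6d3f9a0c75.k2qz8.relay-example.net TXT
2025-08-20T09:01:30Z 10.0.5.40 www.example.com A
2025-08-20T09:01:31Z 10.0.5.40 _dmarc.example.com TXT
2025-08-20T09:01:32Z 10.0.5.40 selector1._domainkey.example.com TXT
"""

# Thresholds (assumed starting values; tune against your own resolver baseline).
MIN_TXT_QUERIES = 5      # TXT lookups from one client to one base domain
MIN_UNIQUE_RATIO = 0.8   # share of those lookups whose prefix never repeats
MIN_MEAN_ENTROPY = 3.0   # bits per character of the prefix; encoded data scores high


@dataclass
class Finding:
    client: str
    base_domain: str
    txt_queries: int
    unique_prefixes: int
    mean_entropy: float


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple:
    """Return (prefix, base_domain). The base domain is taken as the last two
    labels, a simplification standing in for a public-suffix-list lookup."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def find_txt_tunnels(log_text: str) -> list:
    """Group TXT queries by (client, base domain) and flag groups that look
    like a tunnel: many queries, unique prefixes, high-entropy prefixes."""
    prefixes = defaultdict(list)
    for client, qname, qtype in parse_log(log_text):
        if qtype != "TXT":
            continue
        prefix, base = split_qname(qname)
        prefixes[(client, base)].append(prefix)

    findings = []
    for (client, base), plist in prefixes.items():
        n = len(plist)
        unique = len(set(plist))
        mean_ent = sum(shannon_entropy(p) for p in plist) / n
        if (n >= MIN_TXT_QUERIES
                and unique / n >= MIN_UNIQUE_RATIO
                and mean_ent >= MIN_MEAN_ENTROPY):
            findings.append(Finding(client, base, n, unique, round(mean_ent, 2)))
    return findings


if __name__ == "__main__":
    for f in find_txt_tunnels(SAMPLE_LOG):
        print(f"{f.client} -> {f.base_domain}: {f.txt_queries} TXT queries, "
              f"{f.unique_prefixes} unique prefixes, mean entropy {f.mean_entropy} bits/char")
```

Run against the sample, the script flags only 10.0.5.23 talking to relay-example.net; the DMARC and DKIM lookups from 10.0.5.40 have a high-entropy prefix too (`selector1._domainkey` scores well above 3 bits) but fail the query-count threshold, which is why all three conditions are required together. Because the implant falls back to HTTP when the DNS channel is unavailable, this heuristic should be paired with proxy or NetFlow review of the same hosts rather than treated as complete coverage.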
The attackers initiate contact through the “Contact Us” form on target companies’ websites. Because the victim then sends the first email, the attacker’s reply arrives as part of a conversation the recipient expects, which sidesteps both reputation-based email filtering and the recipient’s own suspicion. Researchers noted that the attackers often sustain credible, professional conversations over days or weeks, sometimes asking the victim to sign a Non-Disclosure Agreement (NDA) as the lure. The sending domains are chosen for credibility: they often mirror the names of U.S.-registered LLCs or of businesses that once operated legitimately, and because they were registered more than five years ago they carry an established reputation that helps them pass both security filters and a recipient’s scrutiny. Domain age alone is therefore a poor trust signal in this campaign. In a more recent wave, the attackers email employees directly, offering to help with AI-driven operational changes. Framed as an “AI Impact Assessment,” these messages ask recipients for personal input and imply that their answers will shape company decisions, which lends the request both urgency and apparent legitimacy.
Categories: Phishing Campaigns, Cybersecurity Threats, Supply Chain Vulnerabilities
Tags: Phishing, Campaign, Malware, ZIP Archive, PowerShell, Backdoor, DNS Tunneling, Email Filters, Trust, AI Impact Assessment