Warning: sending malware emails that abuse the identity of Masaryk University

Masaryk University's cyber security team warns against repeated phishing attacks using fictitious senders to send malware files.

3 Aug 2023 Warnings

What's going on?

On Wednesday, August 2, various organizations across the Czech Republic received a fraudulent e-mail titled "Request for quotation: MUNI//2308-02CZ" with malware in the attachment. In the e-mail, the attacker impersonates Tomáš Podolec, the alleged "MUNI Purchasing Manager". But this person does not exist at Masaryk University (MU); the email headers are spoofed, and the email is sent from mail servers in Vietnam. So, it is not a compromised account or device on MU.

You can read how e-mail header spoofing works and how to recognize it in our article here: https://security.muni.cz/en/articles-1/sifrovani-dat-2

What does this phishing look like?

In phishing emails, the attacker uses several techniques to make the email look credible and create a sense of urgency in the recipient of the email:

Forged sender headers refer to Masaryk University.
The footer of the message contains the university's contacts and its logo. Here, the attacker used publicly available information from the MU website to instill credibility in the message.
The message's footer also contains false information about the ESET antivirus check, which is supposed to give the impression that the attachment is not malicious.
The message's text is written in Czech and is very simple to encourage action as quickly as possible - opening the attachment.
The message has a high importance set so that it is highlighted to the recipient in the mail client.

You can see a sample of the fraudulent email in the image below. Malware is attached to the e-mail – a so-called Trojan horse from the family that manufacturers of various antiviruses refer to as Makoob, GULoader, or Nekark. The Trojan aims to gain control over the victim's computer and thus enable the attacker to carry out further malicious activity. Here, the attacker quite amateurishly only changed the executable file extension for Windows before inserting it into the attachment from .exe to .pdf.rar, apparently trying to bypass the automated spam filters of mail servers.

No description

This is not the first such attack

An almost identical wave of malware emails was sent out on Monday, July 17, with the same subject line “Request for Quotation: MUNI//2307-17CZ”. Since these e-mails are sent from external mail servers, preventing them from being sent is very difficult. Therefore, the best defense is an educated user who recognizes a fraudulent message and won’t fall for it.

So, how not to get fooled, and what to look out for?

Phishing messages are written in such a way that, at first glance, they are as closely related as possible to the work focus of the recipient, which arouses the tendency to click on them and then take further actions according to the instructions in the message (for example, open an attachment with malware). Their insidiousness also lies in their ease of disguising themselves among other work messages.

If you receive a similar message, follow a few rules:

Do not reply to the email.
Do not click on the links in it.
Do not open the attachment.
Report it to our team (ideally including the email header).

It goes without saying that your computer's software should also be up-to-date, and above all, an antivirus should be installed, which should recognize this type of attack and safely remove malware from the attachment.