Security researchers warn of a patient, targeted phishing campaign that poses as a prospective business partner and uses a Non-Disclosure Agreement (NDA) as the lure to compromise U.S. manufacturing companies. Unlike mass-mail phishing, the operators spend weeks in ordinary-looking conversation before delivering a custom malware implant, which puts companies in critical American supply chains at heightened risk.
The Deceptive Approach
The attackers first build a credible front, often by taking over an abandoned or dormant domain that has a history of legitimate business use. Rather than sending thousands of spam messages, they submit an inquiry through the prospective victim's "Contact Us" web form, presenting themselves as a U.S.-based company looking for a partner or supplier, so the first contact looks like a normal business enquiry. Because the victim then replies from its own mailbox, the thread that follows is one the victim started: the attacker's later messages arrive as expected replies in an existing conversation, which both mail-security filters and the people reading them treat with far less suspicion than an unsolicited inbound email.
Weeks of Trust-Building
What sets this campaign apart is the attackers’ patience. Once a company responds to the inquiry, the hackers do not immediately send malicious files. Instead, they engage in regular back-and-forth communication for several weeks. This extended conversation is used to build rapport and trust with the target. By the time the criminals introduce the malware, the victims have lowered their guard, viewing the conversation as a routine business opportunity rather than a cyber threat.
The Malicious Document
The payload arrives when the attackers ask the victim to sign a Non-Disclosure Agreement (NDA) to formalize the supposed partnership. The attachment is a compressed archive holding a few files. Most are decoys, such as a PDF and a DOCX, included so that the archive looks like ordinary paperwork. The real content is a hidden .lnk file, a Windows shortcut. A shortcut carries a command line of its own, so opening what looks like a document instead executes that command, which starts the infection chain and loads a custom implant the researchers call MixShell. MixShell acts as a backdoor into the victim's systems and often uses DNS queries as its command-and-control channel, so its traffic to the attackers blends into ordinary name resolution.
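The lure described above, an archive of decoy documents with a shortcut hidden among them, is something a mail gateway or analyst can check for without opening anything. The script below is an added example written for this article, not code from the researchers or from the campaign: it builds a constructed archive in memory (the decoy bytes, the file names and the shortcut's command line are all invented), lists every entry, parses the Shell Link header of any .lnk entry to recover the path and arguments it would execute, and flags the usual warning signs (a shortcut inside a document archive, the DOS hidden attribute, a command interpreter or script host on the command line, a window that starts minimized). The list of interpreter names is an assumption for the example, not a complete one.

```python
"""Inspect a ZIP attachment for Windows shortcut (.lnk) entries and decode what each would launch."""
import io
import struct
import zipfile

# Shell Link (MS-SHLLINK) header constants.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
# Interpreters/script hosts worth flagging on a shortcut command line (assumed list for the example).
LOLBINS = ("powershell", "cmd", "mshta", "rundll32", "wscript", "cscript", "regsvr32", "certutil")


def build_lnk(relative_path: str, arguments: str, show_command: int = 7) -> bytes:
    """Assemble a minimal Shell Link: 76-byte header, RelativePath and CommandLineArguments
    StringData, terminal block. Constructed for the example; a real lure's LNK also carries an
    IDList and LinkInfo, which parse_lnk() skips over."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (LNK_MAGIC + LNK_CLSID
              + struct.pack("<II", flags, 0x80)            # LinkFlags, FILE_ATTRIBUTE_NORMAL
              + b"\x00" * 24                               # creation/access/write FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))  # size, icon, ShowCommand, hotkey, reserved
    assert len(header) == 0x4C

    def string_data(s: str) -> bytes:                      # CountCharacters (u16) + UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments) + b"\x00" * 4


def parse_lnk(data: bytes) -> dict:
    """Decode LinkFlags, ShowCommand and the StringData fields of a Shell Link."""
    if len(data) < 0x4C or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:                     # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                              # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_command}
    for field, flag in STRING_FIELDS:                      # fixed order per spec, each only if flagged
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


def inspect_archive(zip_bytes: bytes) -> list:
    """List every entry; for .lnk entries decode the shortcut and note the DOS hidden bit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename,
                     "lnk": info.filename.lower().endswith(".lnk"),   # judge by the LAST extension
                     "hidden": bool(info.external_attr & 0x02)}       # low byte holds DOS attributes
            if entry["lnk"]:
                try:
                    entry["link"] = parse_lnk(zf.read(info))
                except ValueError as exc:
                    entry["link_error"] = str(exc)
            findings.append(entry)
    return findings


def verdict(findings: list) -> list:
    """Reasons to block the archive; an empty list means no shortcut-related finding."""
    reasons = []
    for f in findings:
        if not f["lnk"]:
            continue
        reasons.append(f"{f['name']}: Windows shortcut inside a document archive")
        if f["hidden"]:
            reasons.append(f"{f['name']}: entry carries the DOS hidden attribute")
        link = f.get("link", {})
        cmdline = (link.get("relative_path", "") + " " + link.get("arguments", "")).lower()
        hits = [b for b in LOLBINS if b in cmdline]
        if hits:
            reasons.append(f"{f['name']}: launches {', '.join(hits)}: {link.get('arguments', '')!r}")
        if link.get("show_command") == 7:                  # SW_SHOWMINNOACTIVE: window starts minimized
            reasons.append(f"{f['name']}: ShowCommand hides the launched window")
    return reasons


def build_sample_archive(include_lnk: bool = True) -> bytes:
    """Constructed NDA-style lure: two decoy documents and (optionally) a hidden shortcut named to
    look like a PDF. Decoy bytes and the shortcut's command line are invented for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NDA_Draft.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("Partnership_Terms.docx", b"constructed decoy, not a real document")
        if include_lnk:
            info = zipfile.ZipInfo("Open_NDA.pdf.lnk")
            info.external_attr = 0x02                      # hidden, as a Windows archiver would store it
            zf.writestr(info, build_lnk(
                "..\\..\\Windows\\System32\\cmd.exe",
                '/c start "" NDA_Draft.pdf & powershell -w hidden -c "echo stage2"'))
    return buf.getvalue()


if __name__ == "__main__":
    for reason in verdict(inspect_archive(build_sample_archive())):
        print(reason)
```

The check is deliberately done on the shortcut's own bytes rather than on the file name alone: "Open_NDA.pdf.lnk" is displayed as "Open_NDA.pdf" on a default Windows configuration because shortcut extensions are never shown, so the name is exactly what the attacker controls. Parsing the header exposes the command line the user would actually run.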
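A backdoor that talks to its operators over DNS leaves a different trace from ordinary browsing: one host issuing many queries to the same domain, each with a fresh, long, high-entropy leftmost label (the encoded data), often of TXT type. The script below is an added detection example, not the researchers' tooling and not derived from MixShell's actual protocol, which the article does not describe. It builds a constructed resolver log (one ordinary host, one beaconing host, with the beacon labels generated from SHA-256 so they are deterministic), profiles queries per client and registrable domain, and flags the combination of many unique prefixes, long prefixes and high label entropy. The thresholds are assumptions chosen for the example, and the two-label split for the registrable domain is a simplification; production code should use the Public Suffix List.

```python
"""Flag DNS query patterns consistent with a DNS-tunnelled backdoor, from resolver log lines."""
import hashlib
import math
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>[A-Z]+) qname=(?P<qname>\S+)$")


def build_sample_log() -> list:
    """Constructed resolver log (not real traffic). 10.0.0.7 resolves ordinary names; 10.0.0.5 issues
    TXT queries whose leftmost label is a fresh high-entropy string each time, the shape a DNS C2
    channel produces when it encodes data into the query name."""
    lines = []
    ordinary = ["www.example.com", "mail.example.com", "cdn.example.org",
                "login.example.com", "www.example.com", "api.example.org"]
    for i, name in enumerate(ordinary):
        lines.append(f"2024-06-03T09:00:{i:02d}Z client=10.0.0.7 qtype=A qname={name}")
    for i in range(8):
        label = hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:40]   # stand-in for encoded data
        lines.append(f"2024-06-03T09:01:{i * 5:02d}Z client=10.0.0.5 qtype=TXT qname={label}.svc.example.net")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character; ~0 for 'www', around 3.5-4 for hex- or base32-encoded blobs."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple:
    """Split into (prefix, registrable domain). Assumes the last two labels form the registrable
    domain, which is wrong for suffixes like co.uk; a real implementation uses the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_queries(lines: list) -> dict:
    """Aggregate per (client, domain): query count, distinct prefixes, prefix length, leftmost-label entropy."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                       # skip lines that are not in the expected format
        prefix, domain = split_name(m["qname"])
        s = stats.setdefault((m["client"], domain),
                             {"queries": 0, "prefixes": set(), "prefix_len": 0, "entropy": 0.0, "qtypes": set()})
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["prefix_len"] += len(prefix)
        s["entropy"] += shannon_entropy(prefix.split(".")[0])
        s["qtypes"].add(m["qtype"])
    return stats


def find_tunnel_suspects(lines: list, min_unique: int = 6, min_mean_len: int = 20,
                         min_mean_entropy: float = 3.0) -> list:
    """Return (client, domain) pairs whose query names look like encoded data. Thresholds are
    assumptions for this example and must be tuned against a site's own baseline (CDNs and
    some security products also produce long, unique labels)."""
    suspects = []
    for (client, domain), s in profile_queries(lines).items():
        n = s["queries"]
        mean_len, mean_ent = s["prefix_len"] / n, s["entropy"] / n
        if len(s["prefixes"]) >= min_unique and mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
            suspects.append({"client": client, "domain": domain, "queries": n,
                             "unique_prefixes": len(s["prefixes"]), "mean_entropy": round(mean_ent, 2),
                             "qtypes": sorted(s["qtypes"])})
    return suspects


if __name__ == "__main__":
    for hit in find_tunnel_suspects(build_sample_log()):
        print(hit)
```

On the constructed log the ordinary host is never flagged (three distinct short prefixes under example.com, two under example.org), while the beaconing host is, with all eight prefixes unique and every query of type TXT. The qtype is reported rather than used as a criterion because a tunnel can equally ride on A or CNAME lookups; the label statistics are the more durable signal.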
The Global Target List
According to the researchers, the targets are concentrated in operationally rich, supply-chain-critical industries. Roughly 80% of the dozens of known victims are in the United States, but the scheme has also been used successfully against companies in Singapore, Japan, and Switzerland. The sectors are diverse yet central to the global economy: industrial manufacturing, hardware and semiconductors, consumer goods and services, and biotech and pharmaceuticals. That breadth suggests the attackers are looking for any vulnerable entry point into complex global supply chains rather than targeting one kind of business.