Website owners are being targeted with false copyright infringement accusations that use Yandex Forms to spread the IcedID banking malware.
Threat actors tracked as TA578 have been carrying out similar attacks for more than a year, submitting legal threats through a website’s contact page to persuade the recipient to download a report of the allegedly offending material.
These reports purport to be evidence of DDoS attacks or unauthorized usage of copyrighted material, but instead infect a target’s device with malware including BazarLoader, BumbleBee, and IcedID.
Using Yandex Forms instead
This week, a new version of the “Copyright infringement” threat, purporting to be from Zoho, claimed that we were using their copyrighted photographs on BleepingComputer:
“Hello,
Your website or a website that your business maintains violates a copyrighted image that belongs to our business (zoho Inc.).
Check this report for evidence of our copyrights, including links to the photos you used on www.bleepingcomputer.com and our earlier work.
Download it right away to see for yourself:
https://forms.yandex.com/u/62c3f14d59f1f7ef4295d2c1/success/?0=742998805032103091
I do believe you intentionally violated our legal rights under 17 U.S.C. Section 101 et seq., and you may be held accountable for statutory damages of up to $130,000 under Section 504 (c) (2) of the Digital Age Privacy and Security Act.
Therein is the Millennium Copyright Act (“DMCA”)
This message serves as official notice. I ask that the above-mentioned infringing materials be taken down. Please take note that upon receiving this letter, the DMCA requires you as a business to delete or cease access to the copyrighted materials. A legal action may be brought against you if you continue to use the aforementioned copyrighted content.
I do firmly believe that the use of the allegedly infringing copyrighted materials, as mentioned above, has neither the consent of the legitimate owner of the rights, nor of its agent, nor has it been authorized by the law.
I hereby affirm that I am authorized to act on behalf of the owner of the allegedly infringing exclusive and legal right and that the information in this message is accurate, all of which I thus declare under penalty of perjury.
Thank you,
ZOOHO, INC.
zoho.com
07/06/2022
Christian Brdakic
Legal Officer”
However, this campaign differed from previous ones in that the threat actors now host their purported “reports” on Yandex Forms rather than Google Drive or Google Sites.
Yandex Forms is a free tool that users may use to design unique web forms, but threat actors can also use it to design phishing landing pages.
The copyright complaint contains a link to forms.yandex.com that, when clicked, takes the user to a page that reads, “File ‘Stolen Images Evidence’ is ready for download.”
After a brief delay, a firebasestorage.googleapis.com link embedded in the Yandex Form downloads an ISO file named “Stolen ImagesEvidence.iso”.
When you open an ISO file in Windows 10 or Windows 11, it will mount as a new drive letter so you can access the files inside.
ISO files have become a common attachment in phishing attacks because the Mark-of-the-Web does not propagate to the files they contain, so Windows does not warn you that those files are unsafe when you attempt to open them.
When the ISO file is double-clicked, a new drive letter will open, as shown below, with what seems to be a “documents” folder and a DLL file with an arbitrary name.
However, as can be seen in the shortcut’s properties below, this documents folder is actually a Windows shortcut that, when double-clicked, will launch a malicious DLL file using the rundll32.exe command.
This DLL serves as a loader for the IcedID banking trojan, a modular program that can steal Windows login information and deploy further payloads, such as Cobalt Strike beacons, to gain initial access to networks. Frequently, these supplementary payloads lead to full-scale ransomware attacks on the now-vulnerable network.
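The rundll32.exe launch described above leaves a recognizable process-creation record. The following detection sketch is an added example, not code from the article: the event field names, the sample events, and the assumption that Windows is installed on C: are constructed for illustration. A non-system drive can also be a USB or data disk, so a hit is a triage lead rather than a verdict.

```python
import ntpath
import re

SYSTEM_DRIVE = "C:"  # assumption: Windows is installed on C:

# rundll32 syntax: rundll32.exe <dll path>,<entry point> [arguments]
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)


def dll_path(event):
    """Return the absolute path of the DLL handed to rundll32.exe, or None."""
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return None
    match = RUNDLL_ARG.search(event["command_line"])
    if match is None:
        return None
    # A shortcut may name the DLL relative to its own folder, so resolve it
    # against the working directory recorded for the process.
    full = ntpath.join(event["current_directory"], match.group(1).strip())
    return ntpath.normpath(full)


def is_suspicious(event):
    """True when rundll32.exe loads a DLL from outside the system drive,
    which covers a mounted ISO (new drive letter) and UNC shares."""
    path = dll_path(event)
    if path is None:
        return False
    drive, _ = ntpath.splitdrive(path)
    return drive.upper() != SYSTEM_DRIVE


def triage(events):
    """Return the resolved DLL path for every event worth a closer look."""
    return [dll_path(e) for e in events if is_suspicious(e)]


# Constructed sample events; file names and entry points are placeholders.
EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "current_directory": "E:\\",
     "command_line": r'"C:\Windows\System32\rundll32.exe" k3x9a.dll,EntryPoint'},
    {"image": r"C:\Windows\System32\rundll32.exe", "current_directory": "C:\\Users\\alice",
     "command_line": r'rundll32.exe "F:\files\k3x9a.dll",EntryPoint'},
    {"image": r"C:\Windows\System32\rundll32.exe", "current_directory": "C:\\Windows\\System32",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\notepad.exe", "current_directory": "E:\\",
     "command_line": r"notepad.exe E:\readme.txt"},
]
```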
The contact form submission demonstrates how persuasive these copyright complaints may be and how they make use of threats of legal action to convey urgency. Unfortunately, people frequently disregard safety and open the infected files as a result of this urgency.
Therefore, it’s critical to maintain your composure if you receive emails like this and to use VirusTotal to examine any unknown or dubious files before opening them on your computer.