New Spear-Phishing Campaign Targets Financial Executives with NetBird Malware


Trellix’s email security systems detected a highly targeted spear-phishing campaign aimed at CFOs and finance executives across industries like banking, energy, insurance, and investment firms in regions spanning Europe, Africa, Canada, the Middle East, and South Asia.

This meticulously crafted operation, uncovered by Trellix’s Advanced Research Center, leverages social engineering to impersonate a Rothschild & Co recruiter, dangling a “confidential leadership opportunity” as bait.

Sophisticated Multi-Stage Attack

What sets this campaign apart is its use of legitimate tools, NetBird (a WireGuard-based remote access tool) and OpenSSH, to establish persistent access to victims’ networks, showcasing an alarming trend of adversaries weaponizing trusted applications for malicious intent.

Figure: Spear-Phishing Campaign Installing NetBird and Enabling Remote Access

The attack infrastructure partially overlaps with other nation-state campaigns deploying remote access tools, though no specific threat group has been attributed yet.

Technical Breakdown of the Attack Chain

The attack begins with a deceptive email titled “Rothschild & Co leadership opportunity (Confidential),” urging recipients to view an attached “brochure” named Rothschild_&Co-6745763.PDF.

This file is not a PDF but a phishing link redirecting to a Firebase-hosted page (hxxps://googl-6c11f.firebaseapp[.]com) protected by a custom math CAPTCHA rather than a commercial service such as Cloudflare Turnstile or Google reCAPTCHA, a choice that helps the page evade automated security scanners.

Figure: Final Redirected Webpage

Solving the CAPTCHA decrypts a hidden URL, leading to a ZIP file download (Rothschild&_Co-6745763.zip).

Once extracted, the ZIP reveals a VBS script that creates a directory at C:\temper and fetches a secondary VBS payload (pull.vbs) from a command-and-control (C2) server at 192[.]3[.]95[.]152.

This second script silently installs NetBird and OpenSSH via MSI packages, starts their services, and configures NetBird with a preset setup key for remote access.

Additionally, it creates a hidden local admin account (“user” with password “Bs@202122”), enables Remote Desktop Protocol (RDP) with firewall adjustments, and sets up scheduled tasks to ensure persistence across reboots.

This multi-stage approach, combining defense evasion (e.g., bypassing UAC via “runas”), privilege escalation, and lateral movement capabilities through RDP and SSH, underscores the sophistication of the threat.

Trellix also identified related infrastructure, including older phishing pages with identical CAPTCHA tactics, indicating a broader campaign footprint, while France’s AMF recently warned of similar impersonation attacks with overlapping indicators.

Trellix advises executives to treat unsolicited recruitment emails with suspicion, avoid enabling scripts from unknown downloads, and report anomalies to security teams promptly.

For defenders, deploying Endpoint Detection and Response (EDR) solutions, monitoring suspicious script executions (via wscript.exe or PowerShell), auditing MSIExec activity, and tracking new local accounts are critical steps to mitigate such threats.
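As an added example (not Trellix’s detection content and not NetBird’s code), the Python sketch below turns the recommendations above into one correlated alert. It matches constructed Sysmon-style process-creation events against one rule per host-side step of the described chain (a script host launching msiexec, local account creation, RDP enablement through the firewall or registry, scheduled-task persistence, and a remote-access agent enrolled with a setup key) and escalates when several rules fire on the same host inside a short window, so a lone MSI install or scheduled task stays low severity. Hostnames, file names, the task name and the setup-key placeholder are assumptions; the `netbird up --setup-key` form is NetBird’s documented CLI syntax.

```python
"""Correlate the host-side steps of a script-driven remote-access install.

Added example; the events below are constructed Sysmon-style records, not real
telemetry, and hostnames, file names and the task name are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def normalize(event):
    """Lower-case fields and strip directories so rules match on image names."""
    return {
        "ts": datetime.fromisoformat(event["ts"]),
        "host": event["host"],
        "parent": event["parent"].lower().rsplit("\\", 1)[-1],
        "image": event["image"].lower().rsplit("\\", 1)[-1],
        "cmdline": event["cmdline"].lower(),
    }


# One rule per step: script host -> msiexec, account creation, RDP enablement,
# scheduled-task persistence, remote-access agent enrolment.
def script_spawns_msiexec(e):
    return e["parent"] in SCRIPT_HOSTS and e["image"] == "msiexec.exe"


def local_account_added(e):
    cl = e["cmdline"]
    return e["image"] in {"net.exe", "net1.exe"} and " user " in cl and "/add" in cl


def rdp_enabled(e):
    cl = e["cmdline"]
    via_firewall = e["image"] == "netsh.exe" and "advfirewall" in cl and "remote desktop" in cl
    via_registry = e["image"] == "reg.exe" and "fdenytsconnections" in cl and "/d 0" in cl
    return via_firewall or via_registry


def scheduled_task_created(e):
    return e["image"] == "schtasks.exe" and "/create" in e["cmdline"]


def remote_agent_enrolled(e):
    # Assumption: the agent is enrolled non-interactively with a setup key on the
    # command line (NetBird's CLI form is `netbird up --setup-key <key>`).
    return e["image"] == "netbird.exe" and "--setup-key" in e["cmdline"]


RULES = [script_spawns_msiexec, local_account_added, rdp_enabled,
         scheduled_task_created, remote_agent_enrolled]


def evaluate(events, window=timedelta(minutes=30), threshold=3):
    """Return {host: {"rules": [...], "severity": "high" | "low"}} for hosts with hits.

    Severity is "high" when at least `threshold` distinct rules fire on one host
    within a single `window`; isolated hits stay "low".
    """
    hits = defaultdict(list)
    for raw in events:
        e = normalize(raw)
        for rule in RULES:
            if rule(e):
                hits[e["host"]].append((e["ts"], rule.__name__))

    findings = {}
    for host, rows in hits.items():
        rows.sort()
        best = set()
        for i, (start, _) in enumerate(rows):  # largest distinct-rule set in one window
            names = {name for ts, name in rows[i:] if ts - start <= window}
            if len(names) > len(best):
                best = names
        findings[host] = {"rules": sorted(best),
                          "severity": "high" if len(best) >= threshold else "low"}
    return findings


SAMPLE_EVENTS = [  # constructed sample data; the full chain on FIN-CFO-01, benign noise elsewhere
    {"ts": "2025-06-02T09:14:05", "host": "FIN-CFO-01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /i C:\temper\agent.msi /qn"},
    {"ts": "2025-06-02T09:14:41", "host": "FIN-CFO-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user user <redacted> /add"},
    {"ts": "2025-06-02T09:15:02", "host": "FIN-CFO-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"ts": "2025-06-02T09:15:10", "host": "FIN-CFO-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "wscript.exe C:\temper\pull.vbs" /sc onlogon'},
    {"ts": "2025-06-02T09:15:30", "host": "FIN-CFO-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\NetBird\netbird.exe", "cmdline": "netbird up --setup-key <SETUP-KEY-PLACEHOLDER>"},
    {"ts": "2025-06-02T11:00:00", "host": "BUILD-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NightlyBuild" /tr "C:\build\run.cmd" /sc daily'},
    {"ts": "2025-06-02T11:05:00", "host": "WS-12", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /i C:\Users\jo\Downloads\setup.msi"},
]

if __name__ == "__main__":
    for host, finding in evaluate(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} -> {', '.join(finding['rules'])}")
```

The correlation step is what keeps this usable: each rule alone (an MSI install, a new scheduled task) fires constantly in a normal estate, but three or more of them on one host within half an hour is the shape of the chain described in the article. Account-creation (4720) and group-membership (4732) security events can be fed in as additional rules in the same way.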

Indicators of Compromise

| Indicator Type | Value | Context / Purpose |
|---|---|---|
| Email Subject | Rothschild & Co leadership opportunity (Confidential) | Subject of social engineering email |
| IP Address (C2/Hosting) | 192[.]3[.]95[.]152 | Hosts stage-2 payloads |
| URL – Stage-0 (Firebase) | hxxps://googl-6c11f.firebaseapp[.]com/job/file-846873865383.html | Phishing page with custom CAPTCHA |
| URL – ZIP Download | Rothschild_&_Co-6745763.zip | Archive contains stage-1 VBS |
| Local Admin Account | user / Bs@202122 | Hidden account added to Administrators |
| NetBird Setup Key | E48E4A70-4CF4-4A77-946B-C8E50A60855A | Used for NetBird configuration |
