Researchers at the information security company Avanan discovered that attackers are bypassing the VirusTotal service by embedding malware in empty images in emails.
A cybercriminal sends the potential victim a fraudulent document related to the DocuSign electronic document management service. The victim is asked to view and sign the document. Notably, unlike in other phishing campaigns, the link takes users to the real DocuSign page.
Figure: an example of a phishing email.
This convinces the victim that the email is trustworthy. However, the main role in the attack is played by an HTM attachment sent along with the DocuSign link. The attachment contains an SVG image encoded using Base64. Although the image is empty, the file contains JavaScript code that redirects to a malicious URL, where the hackers go on to infect the user.
This campaign differs from others in that it uses an empty image with active content inside. Traditional services such as VirusTotal do not detect such an image, as the researchers explain.
To avoid falling victim to such attacks, users are advised to be careful with any emails containing attachments in HTML or HTM format. In addition, administrators can block all HTML.
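One way a mail gateway or analyst could check an HTM/HTML attachment for the pattern described above, as an added Python example (not code from Avanan or the original article): it decodes every Base64 run that turns out to be SVG and flags script content, especially in an image that draws nothing. The function names, the list of drawing elements and the sample attachments are constructed assumptions.

```python
import base64
import re
from html.parser import HTMLParser
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64 runs anywhere in the file
SHAPES = {"path", "rect", "circle", "ellipse", "line", "polyline", "polygon", "text", "image", "use"}

class SvgAudit(HTMLParser):  # records active content and counts elements that draw something
    def __init__(self):
        super().__init__()
        self.findings, self.shapes = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        if tag in SHAPES:
            self.shapes += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler: {name}")
            if (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name}")

def decode_svgs(html):
    """Yield every base64 run in the attachment that decodes to SVG markup."""
    for match in B64_RUN.finditer(html):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:  # not valid base64 after all
            continue
        text = raw.decode("utf-8", errors="ignore")
        if "<svg" in text.lower():
            yield text

def scan_attachment(html):
    """Return findings for an .htm/.html attachment; an empty list means nothing was flagged."""
    findings = []
    for svg in decode_svgs(html):
        audit = SvgAudit()
        audit.feed(svg)
        audit.close()
        if audit.findings and audit.shapes == 0:
            audit.findings.append("image draws nothing")
        findings.extend(audit.findings)
    return findings

def _wrap(svg):  # builds a constructed sample attachment: SVG as a base64 data: URI
    return '<html><body><object data="data:image/svg+xml;base64,%s"></object></body></html>' % base64.b64encode(svg.encode()).decode()
SAMPLE_BAD = _wrap('<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed placeholder */</script></svg>')
SAMPLE_OK = _wrap('<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>')
if __name__ == "__main__": print(scan_attachment(SAMPLE_BAD), scan_attachment(SAMPLE_OK))
```

A non-empty result is a reason to quarantine the attachment for review; an empty result only means this one pattern was not found.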