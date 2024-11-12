In July 2024, X-Force observed a mid-campaign change in the emails being distributed by Hive0145, with the short and generic messages being replaced with what appeared to be legitimate stolen emails. The phishing emails exactly matched official invoice communication emails and, in some cases, still directly addressed the original recipients by name. X-Force was able to verify that the emails were in fact authentic invoice notifications from a variety of entities across financial, technology, manufacturing, media, e-commerce and other industries. It is likely that the group sourced the emails through previously exfiltrated credentials from their prior campaigns.

The concept of using stolen emails is not new, it was used extensively by the Emotet group and malware distributors such as Hive0118 (aka TA577), TA551 and TA570. In their campaigns, they leveraged thread hijacking, where new threads to stolen emails were used as a way to increase the appearance of legitimacy. The modified emails were sent to corresponding contacts of previous victims, making the final email look like a reply to the stolen email, thereby hijacking the email thread. The text the distributors add to the emails is often short replies, urging victims to look at the included attachments or URLs.

The technique employed by Hive0145 differs from thread-hijacking in that rather than adding a reply message to the stolen email, the original contents remain largely unmodified and only the attachment is switched to include a malicious payload using the original filename (without the original extension). Within the email body, Hive0145 also replaces both the local part and the domain of the original email sender with that of the new phishing victim to custom-tailor the email. The emails with hijacked attachments are then sent out in mass phishing campaigns. Hive0145 also appears to carefully consider the hijacked emails by only selecting ones referring to invoices and containing attachments. X-Force has observed the attachment hijacking technique since mid-2024 in campaigns targeting German, Spanish and Ukrainian speakers.