In July 2019, Wapack Labs identified a large email campaign using malicious Word documents to deliver a variety of malware. The emails are presumed related by way of similar social engineering, the same URL-shortening tactic, and a shared Office exploit for CVE-2018-11882. In several cases, the emails were sent from legitimate organizations, indicating that a prior infection was leveraged as a launching point to attack additional entities.
This report provides details on the malicious emails and the delivery phase of this attack. Attribution is currently unclear; however, the social engineering suggests supply chain and maritime transportation targeting. This targeting requirement is consistent with what Wapack Labs has dubbed “Daily Show.”