"ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large organizations across multiple industry sectors.
A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around.
The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file.
Embedded in that is a malicious .lnk file that, when opened, initiates actions leading to the deployment of "MixShell," an in-memory implant featuring command-and-control and persistence mechanisms, according to Check Point Software, which is tracking the campaign as "ZipLine."
Abandoned and Dormant Domains
In many instances when sending emails, the attacker has been using domains and websites that match the names of legitimate US-based businesses, suggesting a well-planned and streamlined campaign. "What stands out is that these domains were originally registered between 2015 and 2019, long before the ZipLine campaign began," Check Point said in a blog post this week.
"By acquiring abandoned or dormant domains with legitimate business histories, the attackers significantly increased their chances of bypassing security filters and gaining the trust of targeted organizations," Check Point said. The domains provide perfect cover for a phishing operation because they typically have long-standing DNS records, business-sounding identities and clean reputations.
Butlers as Founders
For all the careful planning, the fake company websites the attackers are using appear to have been cloned from a single template because they all have the exact same content, layout, and structure. Also, every About Us page on these websites featured the same picture of the supposed founders of the company, which, as Check Point discovered, was really a stock image of White House butlers.
The campaign has already swept across dozens of organizations, from small firms to enterprise organizations. Industrial manufacturers — mainly machinery, metalwork, and components producers — are prime targets, but hardware, semiconductor, consumer goods, biotech, and pharma companies are also in the crosshairs. "This distribution suggests that the attacker seeks entry points across wealthy operational and supply chain-critical industries instead of focusing on a specific vertical," the vendor noted.
Check Point's analysis of the malicious zip file revealed it contains real PDF and DOCX files pertaining to the topic of discussion — for instance a partnership inquiry, or a non-disclosure agreement, or more recently, internal AI impact assessments. The zip file is hosted on a subdomain of the legitimate Heroku platform-as-a-service, lending it an air of credibility.
Malicious Payload
Also embedded in the file is a malicious LNK shortcut, which launches a PowerShell command when clicked. The command then finds and pulls out another PowerShell script hidden in the zip file's raw binary data. The hidden PowerShell script runs entirely in memory, making detection hard. It sets up long-term persistence by, for instance, altering the system registry so that the malicious payload reactivates on every reboot. The script also periodically checks to see whether the .lnk payload is active and relaunches it if not.
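A mail-gateway or sandbox check for the two traits described above (an LNK shortcut bundled with otherwise legitimate documents, and extra bytes hidden in the archive's raw binary data) can be written directly against the zip format. The following is an added illustration, not code from Check Point or from the article; it constructs its own sample archives, and it assumes one concrete hiding spot for the extra script, namely bytes appended after the End of Central Directory record, which the article does not specify.

```python
import io
import struct
import zipfile

# Zip End of Central Directory signature; the EOCD fixed part is 22 bytes and
# bytes 20-21 hold the length of the optional archive comment.
EOCD_SIG = b"PK\x05\x06"
# A Windows shell link (.lnk) starts with HeaderSize 0x4C followed by the
# shell-link CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Entry types that have no business in a "partnership inquiry" archive.
SUSPICIOUS_EXT = (".lnk", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".exe", ".scr")
# Constructed stand-in for data hidden after the zip structure ends.
HIDDEN_TAIL = b"\n<!-- constructed trailing payload marker -->\n"


def build_sample_archive(include_lnk: bool, append_hidden: bool) -> bytes:
    """Build a constructed sample archive: decoy documents, optionally a
    .lnk entry, optionally extra bytes appended after the EOCD record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Partnership_Inquiry.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("NDA_Draft.docx", b"constructed docx placeholder")
        if include_lnk:
            # 76-byte constructed shell-link header, no real target path.
            zf.writestr("Open_Me.lnk", LNK_MAGIC + LNK_CLSID + b"\x00" * 56)
    data = buf.getvalue()
    if append_hidden:
        data += HIDDEN_TAIL
    return data


def trailing_bytes_after_eocd(data: bytes) -> int:
    """Return the number of bytes after the EOCD record and its comment.
    A well-formed archive returns 0. Assumes the appended data does not
    itself contain the EOCD signature (a stricter walk would verify the
    central directory offsets instead of using rfind)."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("not a zip archive: no EOCD record")
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    return len(data) - (idx + 22 + comment_len)


def inspect_archive(data: bytes) -> dict:
    """Flag suspicious member types, confirm .lnk entries by header magic,
    and measure data hidden past the end of the zip structure."""
    findings = {
        "entries": [],
        "suspicious_entries": [],
        "lnk_with_magic": [],
        "trailing_bytes": 0,
        "verdict": "clean",
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            findings["entries"].append(name)
            lower = name.lower()
            if lower.endswith(SUSPICIOUS_EXT):
                findings["suspicious_entries"].append(name)
            if lower.endswith(".lnk"):
                # Extension alone can be spoofed either way; check the header.
                head = zf.read(name)[:20]
                if head.startswith(LNK_MAGIC + LNK_CLSID):
                    findings["lnk_with_magic"].append(name)
    findings["trailing_bytes"] = trailing_bytes_after_eocd(data)
    if findings["suspicious_entries"] or findings["trailing_bytes"] > 0:
        findings["verdict"] = "suspicious"
    return findings


if __name__ == "__main__":
    for label, archive in (
        ("decoy-only archive", build_sample_archive(False, False)),
        ("archive with .lnk and trailing data", build_sample_archive(True, True)),
    ):
        print(label, "->", inspect_archive(archive))
```

Either signal alone is worth a quarantine rule: Python's zipfile, like most extractors, silently ignores bytes after the EOCD record, so the hidden script never shows up in a listing of the archive's members, which is exactly why a listing-based scan misses it.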
In comments to Dark Reading, Check Point Research's threat intelligence group manager Sergey Shykevich says there are multiple aspects about the campaign that make it notable. This includes the fact that the attackers cause the target to initiate the email communication with them and are willing to engage in long email exchanges to establish credibility before taking any malicious action. Their techniques also hint at a very deep understanding of business processes, Shykevich says.
In most instances, when the attacker submits an inquiry through an organization's Contact Us form, they appear to be targeting managers within the sales, operations, and business partnership functions, he says. It's unclear who exactly from within the target organization typically responds, given the wide range and sizes of organizations that the attacker has targeted so far, he says.
"Sophisticated groups can carry out such attacks," Shykevich says. "But they require far more extensive preparation than typical phishing campaigns."
A Constant Evolution
The ZipLine phishing campaign exemplifies how cybercriminals are constantly evolving their tactics to exploit human trust. Other recent examples are so-called ClickFix campaigns, where attackers overlay error messages on sites they have previously compromised to get users to take dangerous actions.
In the ZipLine campaign, exploiting a company's own Contact Us form to start the conversation allows the attacker to integrate into a company's legitimate business workflow without raising too many red flags. "For defenders, ZipLine reminds them that inbound communication vectors, including seemingly benign channels like corporate web forms, can be exploited as initial access points," Check Point said in the blog post. "Traditional detection methods that focus on single-message analysis are insufficient to protect against this threat."