Author: Nathan Toporek
On May 21 Infoblox observed a malicious spam campaign delivering Graftor malware via malicious file attachments. The threat actor(s) used a generic invoice theme to lure victims into opening a weaponized Excel spreadsheet.
Graftor, a.k.a. LoadMoney, is a family of adware that threat actors have used for more than nine years [1]. Once a victim is infected, it installs unwanted software on their machine.
While our samples no longer fully executed, past versions of Graftor were capable of browser hijacking, injecting advertising banners, installing other unwanted applications, changing a user’s homepage and search provider, and launching other adware. They also had anti-detection capabilities such as antivirus and sandbox detection [2].
Over the years, threat actors have distributed Graftor via malicious spam emails, as well as via free software (freeware) installers [3].
In this campaign, the threat actor(s) used the subject line RE:Fwd: REQUOTE PENDING ORDER to lure victims into opening the email. The message bodies were empty, but every email carried a malicious attachment named INVOCE#4587.xlsx.
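As an added illustration (not Infoblox's code), the following Python checks a raw email message for the three traits described above: the campaign subject line, an empty body, and the INVOCE#4587.xlsx attachment. The sample messages are constructed inline with placeholder sender and recipient addresses.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the campaign description above.
CAMPAIGN_SUBJECT = "RE:Fwd: REQUOTE PENDING ORDER"
CAMPAIGN_ATTACHMENT = "INVOCE#4587.xlsx"


def campaign_traits(raw: bytes) -> list:
    """Return the names of the campaign traits an RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = [(p.get_filename() or "") for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""

    traits = []
    if subject.casefold() == CAMPAIGN_SUBJECT.casefold():
        traits.append("subject")
    if any(n.casefold() == CAMPAIGN_ATTACHMENT.casefold() for n in names):
        traits.append("attachment")
    if body == "" and names:  # empty body that exists only to carry a file
        traits.append("empty_body")
    return traits


def is_graftor_campaign(raw: bytes) -> bool:
    """Flag a message when at least two of the three traits are present."""
    return len(campaign_traits(raw)) >= 2


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a MIME message for testing (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"\x00\x01placeholder-bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample(CAMPAIGN_SUBJECT, "", CAMPAIGN_ATTACHMENT)
    benign = build_sample("Your order", "Hi team, report attached.", "report.xlsx")
    print(campaign_traits(lure), is_graftor_campaign(benign))
```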
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.