Author: Jeremy Ware
From 21 to 23 March, we observed a malspam campaign distributing the Burkina trojan. First seen in October 2017, Burkina is a trojan distributed through executable (EXE) files sent via email.
Burkina infects a victim’s computer and attempts to harvest credentials, interrupt standard processes, conceal network connections, and perform other malicious actions. The malware then reaches out to a command and control (C&C) server to receive additional instructions.
The threat actor can use the stolen credentials to carry out additional malicious acts, including dropping a ransomware package or distributing additional payloads such as Trickbot.[1]
The campaign we observed delivered Burkina via spam emails. Every message used the same subject line (WG:Re:AG:Re:New order.) and the same body text (See attached PDF). The emails carried a malicious EXE attachment masquerading as a PDF through a double extension, with the filename SPL6677.pdf.exe.
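The lure above relies on two things a mail gateway can check mechanically: a double extension that ends in an executable type, and attachment bytes whose real format (a PE file starting with `MZ`) contradicts both the `.pdf` in the name and the declared content type. The following is an added example, not code from Infoblox or from the original report; it builds a constructed message that mimics the described lure (the subject, body and filename come from the report, the attachment bytes and addresses are made up) and runs a small attachment check over it. The deny-list of executable extensions and the two magic-byte signatures are assumptions kept deliberately short.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Assumption: a minimal deny-list of extensions Windows executes on double-click.
# A production filter carries a much longer one.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}

# Assumption: two magic-byte signatures are enough for this demonstration.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf"}


def sniff_type(data: bytes) -> str:
    """Identify the real file type from leading bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, declared_type: str, data: bytes) -> List[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    exts = filename.lower().split(".")[1:]          # all extensions after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{exts[-1]}")
        if len(exts) >= 2:
            findings.append(f"double extension .{exts[-2]}.{exts[-1]} masquerading as {exts[-2]}")
    real = sniff_type(data)
    if real == "pe-executable":
        findings.append("content is a Windows PE executable (MZ header)")
    if declared_type == "application/pdf" and real != "pdf":
        findings.append(f"declared application/pdf but content sniffed as {real}")
    return findings


def scan_message(raw: bytes) -> Dict:
    """Parse a raw RFC 822 message and check every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["Subject"]), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        report["attachments"][name] = check_attachment(name, part.get_content_type(), payload)
    return report


def build_sample() -> bytes:
    """Constructed sample mimicking the lure; the attachment is an inert MZ stub, not malware."""
    msg = EmailMessage()
    msg["Subject"] = "WG:Re:AG:Re:New order."
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg.set_content("See attached PDF")
    fake_pdf = b"MZ" + b"\x90" * 62 + b"\x00" * 64
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="SPL6677.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample())["attachments"].items():
        print(name, "->", findings or "clean")
```

Run as written, the sample attachment triggers all three checks (executable and double extension, MZ content, and a type mismatch against the declared `application/pdf`), while a genuine `invoice.pdf` starting with `%PDF` produces no findings; in a gateway, any one of the three would justify quarantining the message.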
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.