Trellix researchers identified World Cup and Arab-region themed email campaigns that impersonate FIFA and related entities to deliver phishing pages and malware to organizations. The top malware families observed are Qakbot, Emotet, Formbook, Remcos, and QuadAgent; multiple sample campaigns and URLs are discussed.
Key points
- Phishing campaigns tied to football and FIFA events targeted Arab-country organizations, with email volume increasing 100% in October.
- Attackers exploit busy schedules and social engineering to prompt user interaction, enabling financial fraud, credential harvesting, data exfiltration, or reputational harm.
- Sample emails include impersonations of FIFA TMS helpdesk, Auckland City FC manager, FIFA ticketing, a fake legal notice, a WeTransfer-themed notice, and Snoonu spoofing.
- Malicious URLs and pages are used to deliver phishing pages; credentials may be posted to attacker-controlled PHP scripts.
- Malware families observed include Qakbot, Emotet, Formbook, Remcos, and QuadAgent, providing information theft, general backdoor access, or a PowerShell-based backdoor.
- Trellix protection highlights detections and specific rules (e.g., FE_Trojan_HTM_Phish_246, Phishing_Null_Content_33, Phishing_Qbot).
- Conclusion emphasizes continued attacks around the event window and advises vigilance for organizations tied to the event.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Attackers use HTML attachments and malicious file attachments (e.g., xlsm) to trigger redirects to phishing pages. “It contains a html attachment which redirects the user to a customized phishing page.”
- [T1566.002] Spearphishing Link – Emails contain hyperlinks leading to phishing pages or credential harvesters posing as legitimate brands. “contains a hyperlink which redirects the user to a phishing page.”
- [T1071.003] Application Layer Protocol: Email – Malicious email activity leverages email channels to deliver and propagate payloads and backdoor behavior. “inserts malicious replies into the middle of existing email conversations, using the compromised accounts of other infection victims.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – QuadAgent operates as a PowerShell backdoor. “QuadAgent: A PowerShell backdoor, and another tool used by the OilRig group to perform attacks on targeted machines.”
- [T1021] Remote Services – Remcos provides remote control/backdoor access to compromised systems. “Remote Access Software used to remotely control computers, once installed, opens a backdoor on the computer.”
- [T1071.001] Web Protocols – Credentials posted to attacker-hosted PHP scripts via phishing pages. “Credentials are posted to a PHP script hosted on the server managed by the attacker.”
- [T1555.003] Credentials in Web Browsers – Formbook steals credentials cached in web browsers (along with screenshots and keystrokes). “steal several types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes.”
- [T1113] Screen Capture – Formbook captures screenshots as part of data theft. (Quoted within the Formbook description: “…screenshots, and keystrokes.”)
- [T1105] Ingress Tool Transfer – Formbook can download and execute additional malicious files. “downloader, enabling it to download and execute additional malicious files.”
Indicators of Compromise
- [Attachment] Malicious attachments used in campaigns – Sample 3 (HTML attachment), Sample 6 (malicious xlsm attachment), and other variants
- [URL] Phishing pages and links – Sample 1 hyperlink to phishing page; Sample 3 phishing page link; and other campaign URLs