Lebal is a dangerous malware that is being used to attack high-profile targets. Lebal was first detected in January of 2018. PC security analysts observed 328 separate phishing email messages that were being used to deliver Lebal to its victims. The email addresses linked to this Lebal attack were sent from an IP address located in Brazil and were designed to target universities, government institutions, private companies, and other high profile targets, rather than individual computer users. PC security researchers suspect that Lebal and attacks involving this malware may increase in the future.
Detailing the Lebal Attack
The approach that is being used to distribute Lebal seems to be quite sophisticated and is capable of bypassing many security measures and tricking even experienced computer users. The Lebal phishing email messages seem to bypass the typical method of including a file attachment that is transparently obvious to experienced computer users. In the case of Lebal, the attack is delivered using a highly-effective phishing email, as well as disguised links to Google Drive. Victims of the Lebal distribution campaign claimed that the email messages they received claimed to come from FedEx, related to a package that was not delivered supposedly. The emails alert the victims that they need to pick up the package at a branch near to their location, and will contain a link to the Google Drive to supposedly print a label needed to pick up the 'package.' Clicking on the link allows Lebal to be installed on the victim's computer. This social engineering campaign is fairly typical. However, one aspect of Lebal is tricky particularly, is that clicking or hovering over the link will reveal a URL with an HTTPS protocol leading to a domain on drive.google.com, and the file containing Lebal is an obfuscated PDF or Adobe Acrobat file. This means that, to an experienced computer user, the tactic used to deliver Lebal looks legitimate. Unfortunately, the Google Drive link delivers an executable file named 'Lebal copy.exe,' which executes Lebal immediately, carrying out Lebal's attack.
How a Lebal Infection Works
Once Lebal is installed on the victim's computer, it will proceed to collect information. Lebal is capable of collecting information stored on the infected computer's Web browser and also will scan the infected computer for information related to email, instant messaging, cryptocurrency wallets, FTP clients, and numerous other sources. Lebal will collect as much data as possible from the infected computer and relay it to its Command and Control server, with the intention of using the collected data to take money from the victims, carry out additional tactics and harmful actions or continue taking advantage of the victim. Computer users that have become victims of Lebal should, therefore, take steps to safeguard their information and, using a clean computer, change their login information and check their online banking accounts and other sensitive online accounts to ensure that no intrusion has occurred or to respond in case that it has.
Preventing Lebal Attacks
Corrupted email messages like the ones used to deliver Lebal are among the most common malware delivery methods. Therefore, computer users are strongly advised to take precautions when clicking on any links or downloading any files contained in unsolicited email messages, especially true if the computer user is not expecting a FedEx package. A security suite that is fully up-to-date can help computer users intercept malware like Lebal and prevent it from being installed on the affected computer. Since Lebal's targets seem to be concentrated at high-profile institutions in Brazil mainly, computer users in these targeted locations seeking to protect their information from Lebal specifically will need to take additional precautions, which may include being educated and adopting basic online safety procedures.