Targeting The CFO: A Sophisticated NetBird-Enabled Phishing Campaign

Trellix researchers uncovered a sophisticated spear-phishing campaign targeting CFOs and financial executives across multiple industries. The campaign used social engineering and a carefully crafted multi-stage attack to deploy NetBird and OpenSSH on victims’ machines, creating hidden backdoors for persistent access. Using a socially engineered email from a fake Rothschild & Co recruiter, the campaign evaded detection with CAPTCHA-protected phishing pages. It delivered a malicious VBS script that installed NetBird and OpenSSH, created a hidden admin account, and enabled RDP access, giving the attackers encrypted remote access to the compromised systems.

Severity Level: Critical

Attack Flow: From Phish To Persistent Remote Access

  1. Initial Contact – Spear-Phishing Email:
    • Subject Line: Rothschild & Co leadership opportunity (Confidential)
    • Sender: Spoofed email claiming to be from a Rothschild & Co recruiter
    • Objective: Entice the recipient (CFO or finance exec) to click a malicious PDF link claiming to be a job opportunity brochure.
  2. Phishing Link & CAPTCHA Evasion:
    • Malicious Link: Redirects to a Firebase-hosted phishing page
      hxxps://googl-6c11f.firebaseapp[.]com/job/file-846873865383.html
    • CAPTCHA Trick: Custom CAPTCHA built with JavaScript to evade automated scanners.
    • After CAPTCHA: Victim is redirected to a second Firebase domain to download a ZIP file
      hxxps://googl-6c11f.web[.]app/job/9867648797586_Scan_15052025-736574.html
  3. ZIP Archive & First-Stage VBS Script:
    • ZIP Name: Rothschild_&Co-6745763.zip
    • Contains: Rothschild&_Co-6745763.vbs (VBS dropper)
    • Execution:
      • Creates folder C:\temper\
      • Downloads next-stage payload from: hxxp://192[.]3[.]95[.]152/cloudshare/atr/pull.pdf
      • Saves it as pull.vbs and executes it using elevated privileges (runas via wscript.exe)
  4. Second-Stage VBS Script:
    • Payload URL: hxxp://192[.]3[.]95[.]152/cloudshare/atr/trm
    • Actions:
      • Saves and renames the file to trm.zip
      • Extracts two MSI installers:
        • NetBird.msi (VPN tool)
        • OpenSSH.msi
      • Installs both silently via msiexec
      • Launches NetBird with setup key E48E4A70-4CF4-4A77-946B-C8E50A60855A
  5. Establishing Persistence:
    • Creates a hidden local admin account:
      • Username: user
      • Password: Bs@202122
    • Configures system for remote access:
      • Enables Remote Desktop (RDP)
      • Opens Windows Firewall rules for RDP
      • Sets services (netbird, sshd) to auto-start
      • Creates a scheduled task to restart NetBird on system boot
      • Deletes desktop shortcuts to avoid detection

Affected Regions:

UK, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, Brazil

Affected Sectors:

Banking, Energy, Insurance, Investment firms, Mining, Semiconductor.

Recommendations:

  1. Treat unsolicited “opportunities” or cold-recruitment emails with skepticism, especially when they come with a ZIP or obscure download link.
  2. Never bypass security warnings to enable content or scripts from downloads.
  3. Report unusual contact attempts to security teams, even if the email seems “harmless.” Early reporting is often what prevents compromise.
  4. Deploy EDR across your infrastructure and triage EDR alerts related to suspicious command/script execution (via PowerShell, CMD.exe, MSHTA, WScript) and suspicious user account creation, in particular when a new user is added to a privileged group.
  5. Vigilantly track instances of wscript.exe or powershell.exe originating from non-IT users, especially C-suite members.
  6. Regularly audit MSIExec activity on end-user devices to detect unusual installations, particularly those launched by scripts.
  7. Implement policy rules to flag and investigate uncommon ZIP archive contents, especially archives paired with VBS files.
  8. Maintain visibility over new local accounts added to the Administrators group, particularly those with generic usernames like “user”.
  9. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/525dd4d309a4c2f6e2935724af1ed089c4aceb1c026ad57ea9e7f2b4a886a6d9/iocs
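The following is an added example, not code from the advisory or from Trellix, showing how recommendations 4 to 8 can be turned into detection logic. It runs over Windows Security/Sysmon-style events exported as JSON lines (event 4688 process creation, 4720 local account created, 4732 member added to a local group) and flags a scripting host under a non-IT account, a .vbs run from a user-writable directory such as an extracted download, msiexec spawned by a scripting host, and a newly created account promoted to Administrators. The field names, the allow-list of IT accounts, the user names and the sample events are all constructed for illustration; only the VBS file name, the C:\temper\ path and the installer names come from the advisory.

```python
"""Added example (not the advisory's or Trellix's code): detection pass over
constructed Windows Security/Sysmon-style events in JSON-lines form,
implementing recommendations 4-8 of the advisory."""
import json
import ntpath
from collections import Counter

# Assumption: the organisation keeps an allow-list of accounts that legitimately
# run scripting hosts. Everyone else, C-suite included, counts as "non-IT".
IT_USERS = {"CORP\\it.admin", "CORP\\svc.deploy"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")
SILENT_FLAGS = {"/quiet", "/qn", "/q", "/qb", "/passive"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
GENERIC_NAMES = {"user", "admin", "administrator", "test", "guest"}


def basename(path):
    """Lower-cased file name of a Windows path ('' if the field is absent)."""
    return ntpath.basename(path or "").lower()


def analyze(lines):
    """Return a list of (rule, account, detail) findings for JSON-lines events."""
    findings = []
    new_accounts = set()  # local accounts seen in 4720 (account created) events
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 4688:  # process creation
            user = ev.get("User", "")
            image = basename(ev.get("Image"))
            parent = basename(ev.get("ParentImage"))
            cmd = ev.get("CommandLine", "").lower()
            # Rec. 5: scripting host launched under a non-IT account
            if image in SCRIPT_HOSTS and user not in IT_USERS:
                findings.append(("script_host_non_it", user, f"{image} spawned by {parent}"))
            # Rec. 7: a .vbs executed from a user-writable directory, as happens when
            # a script is run straight out of a downloaded and extracted ZIP
            if ".vbs" in cmd and any(d in cmd for d in USER_WRITABLE):
                findings.append(("vbs_from_user_dir", user, cmd))
            # Rec. 6: msiexec driven by a scripting host; silent switches add weight
            if image == "msiexec.exe" and parent in SCRIPT_HOSTS:
                silent = bool(SILENT_FLAGS & set(cmd.split()))
                findings.append(("script_driven_msi", user, f"parent={parent} silent={silent}"))
        elif eid == 4720:  # local account created
            new_accounts.add(ev.get("TargetUser", "").lower())
        elif eid == 4732:  # member added to a security-enabled local group
            member = ev.get("Member", "").lower()
            group = ev.get("Group", "").lower()
            # Rec. 8: a freshly created account promoted to a privileged group;
            # a generic name such as "user" makes it high severity
            if group in PRIVILEGED_GROUPS and member in new_accounts:
                sev = "high" if member in GENERIC_NAMES else "medium"
                findings.append(("new_local_admin", member, f"added to {group}, severity={sev}"))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return dict(Counter(rule for rule, _, _ in findings))


# Constructed sample events mirroring the advisory's attack flow (not real telemetry).
SAMPLE_EVENTS = [
    r'{"EventID": 4688, "User": "CORP\\it.admin", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"}',
    r'{"EventID": 4688, "User": "CORP\\cfo.jane", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe \"C:\\Users\\cfo.jane\\Downloads\\Rothschild&_Co-6745763.vbs\""}',
    r'{"EventID": 4688, "User": "CORP\\cfo.jane", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\temper\\pull.vbs"}',
    r'{"EventID": 4688, "User": "CORP\\cfo.jane", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec.exe /i C:\\temper\\NetBird.msi /qn"}',
    r'{"EventID": 4720, "Subject": "CORP\\cfo.jane", "TargetUser": "user"}',
    r'{"EventID": 4732, "Subject": "CORP\\cfo.jane", "Group": "Administrators", "Member": "user"}',
    r'{"EventID": 4732, "Subject": "CORP\\it.admin", "Group": "Administrators", "Member": "CORP\\it.admin"}',
]

if __name__ == "__main__":
    for rule, account, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {account}: {detail}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

The IT admin's PowerShell run and the admin's own group membership produce no findings, while the CFO's chain yields five: two scripting-host launches, the VBS run from Downloads, the script-driven silent MSI install, and the generic "user" account landing in Administrators. In production the allow-list, the group names and the directory patterns would come from the environment rather than from constants, and the account-creation correlation would need a time window rather than an unbounded set.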

MITRE ATT&CK

Tactic                        Technique                                        ID
Initial Access                Spear-phishing Link                              T1566.002
Execution                     User Execution – open ZIP / run VBS              T1204.002
Execution                     VBScript                                         T1059.005
Command & Control             Ingress Tool Transfer                            T1105
Execution                     PowerShell                                       T1059.001
Defense Evasion / Execution   Signed Binary Proxy – msiexec                    T1218.007
Persistence                   Create/Modify Windows Service                    T1543.003
Persistence                   Remote Access Tools: Remote Desktop Software     T1219.002
Persistence                   Scheduled Task                                   T1053.005
Persistence                   Local Account                                    T1136.001
Privilege Escalation          Bypass UAC (runas)                               T1548.002
Defense Evasion               Modify Registry                                  T1112
Defense Evasion               Impair Defenses – Firewall                       T1562.004
Lateral Movement              Remote Service – RDP                             T1021.001
Lateral Movement / C2         Remote Service – SSH                             T1021.004

Source:

  • https://www.trellix.com/blogs/research/cfo-spear-phishing-netbird-attack/
  • https://netbird.io/knowledge-hub/netbird-response-to-spear-phishing-campaign-targeting-financial-executives

Ampcus Cyber