SBA Grants Notifications Used for Phishing Purposes


SBA (Small Business Administration) recently started a loan program for many eligible small businesses in the United States, helping them survive during the COVID-19 pandemic as most businesses are in a severe financial crisis like never before.

However, attackers have found a way to use SBA notifications as phishing bait for businesses applying for the government aid.

Here’s what’s happening:

Attackers have been actively trying to deliver the REMCOS Remote Access Tool (RAT) as a malicious attachment in emails impersonating the SBA.

These “fake” emails are designed to closely resemble the “real” emails that businesses receive from the SBA, encouraging the victim to open the attachment and respond in a timely manner in order to retain the loan opportunity, clearly taking advantage of the financial desperation of small businesses in this disastrous time.

When closely analyzed, these phishing emails contain many grammatical errors and broken English. However, the overall layout of these emails is incredibly similar to the original SBA emails, including the official “U.S. SBA” logo, and the footer carries the same information as the “IBM X-Force Threat Intelligence” badge.

“The victim is presented with an application number and is urged to complete the application before March 25th,” they say. “In order to do this, victims are requested to sign the attached form and upload it to the SBA website.” – BleepingComputer mentioned in an article.

How REMCOS RAT is delivered and how does it affect the victims:

The malicious attachment is the start of the chain: once clicked and opened, it downloads a .IMG file containing a .ISO image, which in turn loads a PDF document on the victim’s device.

The loaded PDF file then executes a VBS script that installs and launches the REMCOS RAT. The infected file is saved on the device as “Brystbenene6.exe”.
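The delivery chain above combines several traits a mail gateway can score before anything is opened: SBA branding sent from a domain that is not sba.gov, an application number plus a deadline in the text, and an attachment that is a disk image (.IMG/.ISO), an executable, or carries a double extension. The following Python triage script is an added example written for this article, not code from the article, BleepingComputer or IBM X-Force. It assumes `sba.gov` is the only legitimate sending domain; the sample messages and the lookalike domain are constructed, and the only real indicator it uses is the “Brystbenene6.exe” filename the article gives.

```python
"""Score email metadata for the traits of the SBA-themed lure described above.

Added example, not code from the original article. The sample messages are
constructed; "sba.gov" is the SBA's real domain, every other value is made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Disk-image containers hide the real payload from a plain extension filter,
# which is why the campaign wraps its PDF/VBS/EXE chain in .IMG and .ISO files.
DISK_IMAGE_EXTS = {".img", ".iso"}
# Direct executables or scripts that should never arrive unsolicited.
EXECUTABLE_EXTS = {".exe", ".vbs", ".js", ".scr"}
# Dropped-file name reported for this campaign (from the article).
KNOWN_BAD_NAMES = {"brystbenene6.exe"}
LEGIT_SBA_DOMAIN = "sba.gov"  # assumption: the only legitimate sender domain

# Lure traits described in the article: an application number and a deadline.
APPLICATION_RE = re.compile(r"\bapplication\s+(number|no\.?|#)\b", re.I)
DEADLINE_RE = re.compile(r"\b(before|no later than|within \d+)\b", re.I)


@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the lowercase domain part of an address ("" if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_sba_domain(domain: str) -> bool:
    """True only for sba.gov itself or a subdomain; "sba.gov.example" is not."""
    return domain == LEGIT_SBA_DOMAIN or domain.endswith("." + LEGIT_SBA_DOMAIN)


def attachment_exts(name: str) -> list[str]:
    """All suffixes, so "form.pdf.img" yields [".pdf", ".img"]."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def score_email(mail: Email) -> tuple[int, list[str]]:
    """Return (score, reasons). A higher score means more lure traits present."""
    score, reasons = 0, []
    text = f"{mail.sender_name} {mail.subject} {mail.body}"
    claims_sba = re.search(r"\bSBA\b|Small Business Administration", text, re.I)

    # Brand impersonation: talks like the SBA but does not send from the SBA.
    domain = sender_domain(mail.sender_addr)
    if claims_sba and not is_sba_domain(domain):
        score += 3
        reasons.append(f"SBA branding from non-SBA domain {domain!r}")

    # Pressure tactics used in the lure text.
    if APPLICATION_RE.search(text):
        score += 1
        reasons.append("application number in text")
    if DEADLINE_RE.search(text):
        score += 1
        reasons.append("deadline pressure in text")

    # Attachment shape: known-bad name, disk image, executable, double extension.
    for name in mail.attachments:
        exts = attachment_exts(name)
        final = exts[-1] if exts else ""
        if name.lower() in KNOWN_BAD_NAMES:
            score += 5
            reasons.append(f"known campaign filename {name!r}")
        elif final in DISK_IMAGE_EXTS:
            score += 3
            reasons.append(f"disk-image attachment {name!r}")
        elif final in EXECUTABLE_EXTS:
            score += 4
            reasons.append(f"executable attachment {name!r}")
        if len(exts) > 1:
            score += 1
            reasons.append(f"double extension on {name!r}")
    return score, reasons


def verdict(mail: Email, threshold: int = 5) -> str:
    """Collapse the score into a decision a mail gateway could act on."""
    return "quarantine" if score_email(mail)[0] >= threshold else "deliver"


# Constructed samples: one shaped like the lure, one a benign SBA message.
LURE = Email(
    sender_name="U.S. Small Business Administration",
    sender_addr="loans@sba-grants-notice.example",  # constructed lookalike domain
    subject="Application number 7781 - action required",
    body="Sign the attached form and upload it before March 25th to keep your loan.",
    attachments=["SBA_Form.pdf.img"],
)
BENIGN = Email(
    sender_name="SBA Office of Disaster Assistance",
    sender_addr="noreply@sba.gov",
    subject="Your loan status",
    body="Your application is under review. No action is needed at this time.",
    attachments=["status.pdf"],
)

if __name__ == "__main__":
    for mail in (LURE, BENIGN):
        print(mail.subject, "->", verdict(mail), score_email(mail))
```

The weights are illustrative; the point is that the brand/domain mismatch and the container-format attachment are each strong on their own and decisive together, whereas a genuine sba.gov message with a plain PDF scores nothing even though it mentions an application.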

Once the malicious file is successfully installed on the device, the attackers have access to it, allowing them to steal the victim’s sensitive information such as credentials and browser cookies, creating a pathway to disaster.

The cybercrime operators behind this campaign can also download, upload and launch malicious code, steal vital information, and take screenshots.

The mind-blowing truth about this process is that it all happens in the background while the business owner may be struggling to make ends meet due to the COVID-19 crisis.