Cybercriminals are increasingly leveraging personalization tactics to enhance the effectiveness of their malware-delivery phishing campaigns, with threat actors customizing subject lines, attachment names, and embedded links to create a false sense of authenticity and urgency.
This sophisticated approach represents a significant evolution in social engineering techniques, as attackers craft emails that appear legitimate by incorporating recipient-specific information, company details, and contextually relevant content that mirrors typical business communications.
Finance-themed email with subject customization using the recipient’s company which delivers ConnectWise RAT via an embedded URL (Source – Cofense)
The personalization strategy extends beyond mere subject line customization to encompass the entire email ecosystem, including message body content, file attachments, and download links.
By embedding personally identifiable information (PII) throughout these communications, threat actors dramatically increase the likelihood of successful victim engagement and subsequent malware deployment.
These campaigns particularly target sectors where personalized communications are commonplace, such as finance, travel, and business operations.
Recent analysis by Cofense analysts identified five primary themes dominating personalized malware campaigns: Travel Assistance (36.78%), Response (30.58%), Finance (21.90%), Taxes (3.72%), and Notification (3.72%).
Travel Assistance-themed emails emerged as the most prevalent vector, often featuring Vidar Stealer malware capable of harvesting login credentials, banking information, cryptocurrency wallet data, and browser cookies.
These campaigns typically peak during Q4 due to increased holiday travel, making recipients more susceptible to travel-related communications.
The research, spanning Q3 2023 to Q3 2024, revealed that Finance-themed campaigns predominantly deliver jRAT, a cross-platform Remote Access Trojan written in Java that enables multi-operating system compatibility.
Response-themed emails frequently contain PikaBot malware, which incorporates advanced sandbox evasion techniques and serves as a delivery mechanism for additional malicious payloads.
Advanced File Name Customization Tactics
A particularly sophisticated aspect of these personalized attacks involves the strategic customization of downloaded file names to match recipient information.
Cofense researchers noted a direct correlation between specific malware families and file name personalization practices, with jRAT and Remcos RAT campaigns consistently implementing this technique in Finance-themed emails.
When jRAT serves as the payload, threat actors invariably personalize both email subjects and downloaded file names, with examples including “Payment_Summary_[RecipientName].pdf” and similar variations.
Remcos RAT campaigns follow similar patterns, featuring file names such as “[RecipientName]TAX_DOCUMENTS.zip” and “BOQ_47864594[RecipientName]_Project_2024_05_13.cmd”.
This dual-layer personalization creates multiple touchpoints of familiarity, significantly increasing the probability of successful malware execution.
This trend represents a concerning evolution in cyber attack methodology, as personalized malware delivery campaigns can provide threat actors with remote access credentials that are subsequently brokered to ransomware operators, amplifying the potential organizational impact beyond initial compromise.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
