SOC Prime Bias: Medium

21 Apr 2026 18:21

Your shipment has arrived email hides remote access software

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A phishing email posing as DHL directed the recipient to a PDF attachment that instructed them to click a button. That button led to the download of a malicious .scr file from a compromised Vietnamese logistics website. Once executed, the file installed a signed SimpleHelp remote access tool, allowing the attacker to establish persistent remote access to the victim’s machine.

Investigation

The report explains that the phishing email used images hosted on a legitimate Yahoo service to appear more convincing and relied on a spoofed sender address to imitate a trusted source. The downloaded .scr file was identified as a modified SimpleHelp remote management installer that triggered a UAC prompt before running. After installation, the software initiated outbound communication with attacker-controlled infrastructure to receive commands and maintain control of the compromised system.

Mitigation

Organizations should train users to verify sender addresses carefully and pay close attention to suspicious file extensions before opening attachments or downloads. Multi-factor authentication should be enabled wherever possible, and endpoint protection with current web-filtering capabilities should be deployed to block malicious content. Defenders should also block the identified malicious domain and monitor for unauthorized SimpleHelp activity across the environment.
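The two monitoring points this section names, a screensaver (.scr) file launched from a download location and SimpleHelp running on a host where it is not sanctioned, can be expressed as simple checks over endpoint telemetry. The following is an added example, not code from SOC Prime or from the report: it scans constructed Sysmon-style JSON events (process creation, Event ID 1, and network connection, Event ID 3). The parent-process set, download-folder pattern, SimpleHelp path pattern, the approved-host allowlist and the blocked domain are all assumptions or placeholders to be replaced with your own values; the file name AWB-Doc0921.scr is the one named in the attack flow on this page.

```python
"""Added example: flag .scr launches from download folders and unsanctioned
SimpleHelp activity in Sysmon-style process and network events.
All sample events below are constructed for illustration only."""
import json
import re

# Parents from which a .scr launch means a user opened something they received
# (assumption: mail client, browsers, Explorer; extend for your estate).
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# Folders a phishing download normally lands in (assumption).
DOWNLOAD_DIR_RE = re.compile(r"(?i)\\(downloads|temp)\\")
SCR_RE = re.compile(r"(?i)\.scr$")
# Strings identifying SimpleHelp binaries in a path or command line
# (assumption; tune to how the product is actually deployed for you).
SIMPLEHELP_RE = re.compile(r"(?i)simplehelp|jwrapper-remote access")
# Hosts where SimpleHelp is sanctioned (constructed allowlist).
APPROVED_SIMPLEHELP_HOSTS = {"it-helpdesk-01"}
# The page does not name the compromised site; this is a placeholder entry.
BLOCKED_DOMAINS = {"blocked-domain.placeholder"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list[tuple[str, str]]:
    """Return (rule_name, detail) pairs raised by a single event."""
    findings = []
    image = event.get("Image", "")
    host = event.get("Computer", "").lower()
    is_simplehelp = bool(SIMPLEHELP_RE.search(image) or SIMPLEHELP_RE.search(event.get("CommandLine", "")))
    simplehelp_unapproved = is_simplehelp and host not in APPROVED_SIMPLEHELP_HOSTS

    if event.get("EventID") == 1:  # process creation
        parent = basename(event.get("ParentImage", ""))
        if SCR_RE.search(image) and DOWNLOAD_DIR_RE.search(image) and parent in USER_FACING_PARENTS:
            findings.append(("scr_from_download", f"{host}: {parent} launched {image}"))
        if simplehelp_unapproved:
            findings.append(("unapproved_simplehelp_process", f"{host}: {image}"))
    elif event.get("EventID") == 3:  # network connection
        dest_host = (event.get("DestinationHostname") or "").lower()
        dest = f"{dest_host or event.get('DestinationIp')}:{event.get('DestinationPort')}"
        if simplehelp_unapproved:
            findings.append(("unapproved_simplehelp_network", f"{host}: {image} -> {dest}"))
        if dest_host in BLOCKED_DOMAINS:
            findings.append(("blocked_domain_contact", f"{host}: {image} -> {dest}"))
    return findings


def scan_log(lines) -> list[tuple[str, str]]:
    """Run analyze_event over JSON lines, skipping blank or malformed ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole scan
        findings.extend(analyze_event(event))
    return findings


# Constructed sample telemetry (paths and hostnames are invented).
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS-ALICE", "Image": "C:\\Users\\alice\\Downloads\\AWB-Doc0921.scr", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 1, "Computer": "WS-ALICE", "Image": "C:\\Program Files\\SimpleHelp\\Remote Access.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\AWB-Doc0921.scr"}
{"EventID": 1, "Computer": "WS-ALICE", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Computer": "IT-HELPDESK-01", "Image": "C:\\Program Files\\SimpleHelp\\Remote Access.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Computer": "WS-ALICE", "Image": "C:\\Program Files\\SimpleHelp\\Remote Access.exe", "DestinationHostname": "blocked-domain.placeholder", "DestinationPort": 443}
{"EventID": 1, "Computer": "WS-BOB", "Image": "C:\\Windows\\System32\\ssText3d.scr", "ParentImage": "C:\\Windows\\explorer.exe"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for rule, detail in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {detail}")
```

The system screensaver launched from System32 and the SimpleHelp process on the approved help-desk host produce no findings, which is the point of pairing the path check with the parent check and of keeping an explicit allowlist: alerting on every .scr or every SimpleHelp process would bury the case this write-up describes.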

Response

If this activity is detected, isolate the affected endpoint immediately, terminate the SimpleHelp process, and remove the malicious .scr file from the host. Investigators should then perform forensic analysis to identify any additional artifacts or follow-on activity tied to the intrusion. Any credentials used on the compromised system should be reset, and email security rules should be strengthened to reduce exposure to similar phishing lures in the future.

Attack Flow

graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef technique fill:#ffcc99
  classDef file fill:#ccffcc
  classDef malware fill:#ff9999
  classDef protocol fill:#ccccff

  %% Nodes
  action_phishing["<b>Action</b> – Phishing Campaign"]
  class action_phishing action
  tech_T1566_001["<b>Technique</b> – T1566.001 Phishing: Spearphishing Attachment<br/><b>Description</b>: Targeted phishing emails that contain malicious attachments."]
  class tech_T1566_001 technique
  file_pdf["<b>File</b> – Malicious PDF attachment (impersonating DHL)"]
  class file_pdf file
  action_user_exec["<b>Action</b> – User Execution of Malicious File"]
  class action_user_exec action
  tech_T1204_002["<b>Technique</b> – T1204.002 User Execution: Malicious File<br/><b>Description</b>: User is tricked into opening or executing a malicious file."]
  class tech_T1204_002 technique
  file_scr["<b>File</b> – AWB-Doc0921.scr downloaded and run"]
  class file_scr file
  tech_T1553_002["<b>Technique</b> – T1553.002 Subvert Trust Controls: Code Signing<br/><b>Description</b>: Adversaries use stolen or forged code signing certificates to sign malicious files."]
  class tech_T1553_002 technique
  tech_T1036_008["<b>Technique</b> – T1036.008 Masquerading: Masquerade File Type<br/><b>Description</b>: Files are renamed or presented as a different type to bypass defenses."]
  class tech_T1036_008 technique
  malware_simplehelp["<b>Malware</b> – SimpleHelp Remote Access Tool"]
  class malware_simplehelp malware
  tech_T1219["<b>Technique</b> – T1219 Remote Access Tools<br/><b>Description</b>: Use of remote-access tools to control compromised hosts."]
  class tech_T1219 technique
  tech_T1071_001["<b>Technique</b> – T1071.001 Application Layer Protocol: Web Protocols<br/><b>Description</b>: Use of HTTP/HTTPS for command-and-control communications."]
  class tech_T1071_001 protocol
  tech_T1133["<b>Technique</b> – T1133 External Remote Services<br/><b>Description</b>: Use of legitimate remote services to access compromised systems."]
  class tech_T1133 technique

  %% Connections
  action_phishing -->|uses| tech_T1566_001
  tech_T1566_001 -->|delivers| file_pdf
  file_pdf -->|triggers| action_user_exec
  action_user_exec -->|uses| tech_T1204_002
  tech_T1204_002 -->|executes| file_scr
  file_scr -->|signed_with| tech_T1553_002
  tech_T1553_002 -->|enables| tech_T1036_008
  tech_T1036_008 -->|leads_to| malware_simplehelp
  malware_simplehelp -->|uses| tech_T1219
  malware_simplehelp -->|communicates_via| tech_T1071_001
  malware_simplehelp -->|accessed_via| tech_T1133

Simulation

We are still updating this part.