2025-06-05

Finance Leaders Targeted in Global Phishing Operation Delivering NetBird

Level: Tactical | Source: Trellix
Sectors: Energy, Financial, Insurance

A spear-phishing campaign distributing the NetBird remote access tool has been observed by Trellix, targeting high-level financial personnel across multiple sectors. "On May 15th, Trellix's email security products alerted on a highly targeted spear-phishing operation aimed at CFOs and finance executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia." The campaign uses recruiter-themed lures referencing a leadership role at an investment banking company, with emails delivering Firebase-hosted links. Victims are presented with a custom CAPTCHA that must be solved before receiving a malicious ZIP archive. Trellix has not attributed the activity to a known threat actor, though it notes elements of the infrastructure overlap with past nation-state operations.

The attack begins with a phishing email containing a link disguised as a PDF file. After solving the CAPTCHA on the Firebase-hosted phishing page, the user receives a ZIP archive containing a VBS script. When executed, the script creates a working directory at "C:\temper" and retrieves a second-stage script using PowerShell with a hidden window. This second-stage script downloads a payload named "trm," renames it to a ZIP, and extracts two MSI packages: NetBird and OpenSSH. Both packages are silently installed with msiexec, after which "sc.exe" is used to configure the SSHD and NetBird services for automatic startup.

The attack continues with privilege escalation and persistence mechanisms. The script creates a local admin user named "user," sets its password to never expire using WMIC, and hides the account from the login screen via a registry modification. Remote Desktop is enabled by altering registry settings and firewall rules, and a scheduled task ensures NetBird starts on system boot. To minimize visibility, the script removes NetBird shortcut files from user desktops. All of this occurs without user interaction and relies on legitimate binaries to maintain a low profile.
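The behaviours in the two paragraphs above (the C:\temper staging directory, hidden PowerShell, silent MSI installs of NetBird and OpenSSH, sc.exe autostart, a local account whose password never expires, the account hidden from the logon screen, RDP enabled, and a boot-time NetBird task) can be turned into host-level detection logic. The following is an added example, not code from the Trellix report or from Anvilogic; the process-creation events are constructed, and because the write-up does not name the registry keys involved, the well-known Winlogon SpecialAccounts\UserList and Terminal Server fDenyTSConnections keys are assumed. Single rules fire on legitimate administration, so the triage groups distinct techniques per host and flags only hosts where several occur together.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon EID 1 style); not taken from the Trellix report.
SAMPLE_EVENTS = [
    {"host": "FIN-CFO-01", "cmd": r"powershell.exe -WindowStyle Hidden -File C:\temper\stage2.ps1"},
    {"host": "FIN-CFO-01", "cmd": r"msiexec.exe /i C:\temper\netbird.msi /quiet"},
    {"host": "FIN-CFO-01", "cmd": r"sc.exe config sshd start= auto"},
    {"host": "FIN-CFO-01", "cmd": r"wmic useraccount where name='user' set PasswordExpires=FALSE"},
    {"host": "FIN-CFO-01", "cmd": r"reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v user /t REG_DWORD /d 0"},
    {"host": "FIN-CFO-01", "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "FIN-CFO-01", "cmd": r"schtasks /create /tn NetBird /sc onstart /tr C:\Program Files\NetBird\netbird.exe"},
    {"host": "IT-ADMIN-02", "cmd": r"sc.exe config sshd start= auto"},
    {"host": "HR-WS-07", "cmd": r"msiexec.exe /i C:\Users\jane\Downloads\7zip.msi /quiet"},
]

# One rule per behaviour in the write-up. The registry keys are not named in the write-up;
# the well-known Winlogon UserList and Terminal Server keys are assumed here.
RULES = [
    ("staging_dir_c_temper", re.compile(r"c:\\temper\b", re.I)),
    ("hidden_powershell", re.compile(r"powershell.*-w(indowstyle)?\s+hidden", re.I)),
    ("silent_msi_netbird_or_openssh", re.compile(r"msiexec.*\b(netbird|openssh)\b.*\s/(q|qn|quiet)\b", re.I)),
    ("autostart_sshd_or_netbird", re.compile(r"\bsc(\.exe)?\s+config\s+(sshd|netbird)\b.*start=\s*auto", re.I)),
    ("password_never_expires_wmic", re.compile(r"wmic\s+useraccount.*passwordexpires\s*=\s*false", re.I)),
    ("hide_account_from_logon_screen", re.compile(r"winlogon\\specialaccounts\\userlist", re.I)),
    ("enable_rdp_via_registry", re.compile(r"terminal server.*fdenytsconnections.*\s0\b", re.I)),
    ("netbird_boot_task", re.compile(r"schtasks.*/create.*netbird.*/sc\s+onstart", re.I)),
]

def match_event(cmdline: str) -> List[str]:
    """Return the names of every rule the command line trips."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, List[str]]:
    """Collect distinct techniques per host. One hit (an admin enabling sshd) is routine;
    several of these chained on one host is the dropper's footprint, so only those are returned."""
    hits: Dict[str, set] = {}
    for ev in events:
        hits.setdefault(ev["host"], set()).update(match_event(ev["cmd"]))
    return {host: sorted(techs) for host, techs in hits.items() if len(techs) >= threshold}

if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techniques)}")
```

The patterns are deliberately loose on argument order and case because the scripts described above invoke the same built-in tools in varying forms; tune the threshold to the baseline of administrative activity in your environment.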

Trellix also identified related activity dating back nearly a year, including other phishing lures and CAPTCHA-gated phishing pages delivering identical VBS payloads. Indicators shared by the French financial regulator, AMF, suggest overlap with this campaign, though with different social engineering themes. "This attack isn't your typical phishing scam. It's well-crafted, targeted, subtle, and designed to slip past technology and people," Trellix stated in their report.
