'Salfram' Email Campaign Spreads Malware to Businesses

A recently uncovered malicious email campaign is delivering to businesses multiple types of malware, including a Trojan designed to steal banking credentials and other financial information, according to a research report from Cisco Talos.

The campaign uses a crypter that's designed to alter the malicious code to make it more difficult for security tools to detect. The threat actors behind this campaign are taking advantage of legitimate hosting platforms, such as Google Drive, to obscure malicious files designed to deliver malware to compromised devices.

The analysts called it Salfram. In this campaign all malware variants contained the same string value in the code which enabled the researchers to track the attacks.

The emails are used to deliver several types of malware, including Gozi ISFB, ZLoader, SmokeLoader, Oski, and AveMaria. It also includes Trojans designed to steal banking credentials.

Email Campaign

The threat actors initially target organizations by leveraging the contact forms that are typically present on websites.

In their initial emails submitted via those forms, the threat actors raise concerns about copyright violations related to certain images posted on the victim organization's website. The attackers then embed a URL within this message and urge the targeted victim to click on it.

When the victim clicks this link, they are directed to a malicious Microsoft Word document that is hosted on Google Drive.  When opened, this document enables macros that then download the malware to the compromised device.

The web platform that is used for hosting malicious content may provide another way for the attacker to evade various protections.

In this campaign, the types of malware vary, but it appears the threat actors always add the same crypter into the payload to help obfuscate the malicious content and make analysis more difficult.

The crypter used in these campaigns is undergoing active development and improvements to obfuscate the contents of malware payloads.

Attacks Using Malware

According to the report, in this campaign, ZLoader and Gozi ISFB malwares are the most widely distributed.

ZLoader, a descendant of Zeus banking malware, included in emails sent by various criminal groups that try to lure victims by using a variety of themes, including COVID-19 testing and pandemic-related scam prevention.

Gozi ISFB, also known as Ursnif and Dreambot, is designed to steal passwords and credentials from victims with a particular focus on the banking and financial sectors.


  • It is highly recommended to not open any suspicious email, not to click on any links which is not trusted, or download any attachment from untrusted source.
  • Use strong password for accounts, log out accounts after use and change passwords periodically.
  • Never use public networks to access confidential accounts and data.
  • Protect your device with good quality antivirus and network security firewall.
  • Organizations are advised to provide training on phishing protection and detection to their employees.