A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment
The spear-phishing campaign detailed by Trellix targets CFOs and financial executives across various regions. Attackers impersonate Rothschild & Co recruiters, sending emails that entice recipients with a "leadership opportunity." These emails contain links to Firebase-hosted pages featuring custom CAPTCHA challenges. Upon completion, victims are redirected to download a ZIP file containing a VBS script. Executing this script leads to the silent installation of legitimate tools such as NetBird and OpenSSH, the creation of a hidden local admin account, and the activation of Remote Desktop Protocol (RDP), granting attackers persistent remote access. Notably, NetBird, an open-source WireGuard-based remote access tool, was misused in this campaign without exploiting any inherent vulnerabilities. While some infrastructure overlaps with known nation-state operations, Trellix has not attributed this activity to any specific threat group. Organizations should monitor for similar phishing tactics, especially those leveraging legitimate tools for unauthorized access, and educate stakeholders on recognizing such sophisticated social engineering attempts.
IOCs (11)
URLs (7)
- https://googl-6c11f.firebaseapp.com/job/file-846873865383.html
- https://googl-6c11f.web.app/job/9867648797586_Scan_15052025-736574.html
- http://192.3.95.152/cloudshare/atr/pull.pdf
- http://192.3.95.152/cloudshare/atr/trm
- http://onlineview-5e3cf.web.app/sharepoint/commande/rid=65476386546.html
- https://web-16fe.app
- https://cloud-ed980.firebaseapp.com
MD5 file hashes (3)
- 53192b6ba65a6abd44f167b3a8d0e52d
- 4cd73946b68b2153dbff7dee004012c3
- B91162a019934b9cb3c084770ac03efe
IP address (1)
- 192.3.95.152
Detections
- Monitor for installation or execution of remote access tools not approved in your environment
- Alert on unauthorized financial transactions or changes to payment configurations
- Detect Python scripts executing from non-standard locations or with network activity
- Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains
- Detect logins from valid accounts originating from unusual locations, devices, or at abnormal times
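The first detection bullet above and the post-exploitation chain in the summary (remote-access service installed, hidden local admin created, RDP switched on) are individually noisy but rarely occur together on one host in a short window. The correlation below is an added example, not code from Trellix or this page; the host names, account name, timestamps and field names are constructed, while the Windows event IDs (System 7045, Security 4720/4732/4657, Sysmon 13) and the fDenyTSConnections registry value are real.

```python
"""Correlate Windows events for the chain summarised above: unapproved remote-access
tool installed as a service, local account created and added to Administrators, RDP
enabled. Sample events and field names are constructed (the event IDs are real)."""
from datetime import datetime, timedelta

UNAPPROVED_RA_TOOLS = ("netbird", "openssh", "sshd")  # add your own unapproved tools

def ev(host, time, eid, **fields):
    return {"host": host, "time": time, "id": eid, **fields}

# Constructed samples: System 7045 (service installed), Security 4720/4732 (account
# created / added to local group), Sysmon 13 (registry value set).
H = "FIN-CFO-LT01"
SAMPLE_EVENTS = [
    ev(H, "2025-05-15T10:02:11", 7045, service="NetBird", path=r"C:\Program Files\NetBird\netbird.exe"),
    ev(H, "2025-05-15T10:02:40", 7045, service="sshd", path=r"C:\Windows\System32\OpenSSH\sshd.exe"),
    ev(H, "2025-05-15T10:03:05", 4720, account="svc_support"),
    ev(H, "2025-05-15T10:03:06", 4732, account="svc_support", group="Administrators"),
    ev(H, "2025-05-15T10:03:20", 13, key=r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", value="0"),
    ev("HR-WS07", "2025-05-15T11:00:00", 7045, service="Spooler", path=r"C:\Windows\System32\spoolsv.exe"),
]

def classify(e):
    """Map one event to a stage of the chain, or None if it is unrelated."""
    blob = (e.get("service", "") + " " + e.get("path", "")).lower()
    if e["id"] == 7045 and any(t in blob for t in UNAPPROVED_RA_TOOLS):
        return "ra_tool_installed"
    if e["id"] == 4720:
        return "local_account_created"
    if e["id"] == 4732 and e.get("group", "").lower() == "administrators":
        return "added_to_admins"
    if e["id"] in (13, 4657) and e.get("key", "").endswith("fDenyTSConnections") and e.get("value") == "0":
        return "rdp_enabled"
    return None

def correlate(events, window_s=1800):
    """Return {host: sorted stages} for hosts with >=3 distinct stages inside window_s seconds."""
    window, by_host, hits = timedelta(seconds=window_s), {}, {}
    for e in events:
        if stage := classify(e):
            by_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["time"]), stage))
    for host, items in by_host.items():
        items.sort()  # chronological, so each start point only looks forward
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= 3:
                hits[host] = sorted(stages)
                break
    return hits
```

Run `correlate(SAMPLE_EVENTS)` to see the CFO laptop flagged with all four stages while the unrelated Spooler install on the HR workstation produces nothing.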