When it comes to threat investigations, we often treat the malicious binary as the smoking gun or the crown jewel of the investigation. However, examining the other components can produce the bigger picture that will be far more detailed than simply focusing on the binary.

By looking beyond one malicious file, we were able to determine that a slew of seemingly unrelated phishing emails were in fact, part of a campaign targeting banks and financial institutions across the globe. The attackers used other banks’ email accounts to send the phishing emails to their targeted banks in order to gain access and remotely control their computers. We are calling this campaign “Cuckoo Miner.” The attackers’ method of taking over legitimate inboxes to prey on victims echoes the cuckoo’s distinct act of tricking other birds into raising its chick by taking over their nests.