Recently discovered a highly targeted phishing campaign against healthcare organizations that utilize Citrix Gateway. The attackers pull web resources directly from the target’s storefront page as you can see in the example landing page. The landing page is served from a previously compromised website with the format of hxxp://compromised[.]com/targetname/targetwebsite[.]com.html. The earliest known appearance of the healthcare specific campaign occurred on February 12th 2019.

Example email:

alt text

Example landing page:

alt text

Urlscan.io Reports:

https://urlscan.io/result/fcdb4a17-c04e-4c70-83fa-7594149e0102/

https://urlscan.io/result/a8324073-0762-4f8a-af4c-e63055a1f6e7/

https://urlscan.io/result/5556cb4f-aa0c-461d-bab3-466e7b7bb1b9/

https://urlscan.io/result/68f916d2-dc41-4968-9c5a-a22b98ba32ea/

https://urlscan.io/result/08dcd5cd-75a1-4f10-8c69-2492e0575c00/

IOCs:

Subject: IMPORTANT: Email Alert

northernmanagementdevelopment[.]com

yogaspacegoa[.]com

parsanpanels[.]com