A significant authentication bypass vulnerability in F5’s BIG-IP, made public in late October, serves as the attack’s bait. At the time, F5 stated that downloading and running a dedicated shell script on the BIG-IP system was one way to remediate the vulnerability.
The attacker exploits this in the email by telling the recipient that the fix for the vulnerability is contained in the attached file. The file carries the generic name “update.zip,” and the emails are sent from “cert @ f5.support.” According to the agency’s advisory, the attachment actually contains a wiper that destroys any F5 server an administrator runs it on. The good news is that the malware cannot spread laterally from server to server.
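The lure described above combines a lookalike sender domain with an archive attachment posing as a vendor patch, which is a pattern a mail gateway or SIEM can flag before an administrator ever opens it. The following is an added detection example, not code from the article or from the agency whose advisory it cites. It assumes a simple one-line-per-message log format with `from=`, `subject=` and `attachment=` fields, and it assumes that `f5.com` is the only domain you treat as F5’s own (adjust `LEGIT_VENDOR_DOMAINS` for your environment); the log lines are constructed for the example.

```python
import re

# Constructed sample mail-gateway log lines (not taken from the article or any real system).
SAMPLE_LOG = """\
2023-11-02T09:12:44Z from=cert@f5.support to=admin@example.org subject="BIG-IP security update" attachment=update.zip
2023-11-02T09:13:10Z from=support@f5.com to=admin@example.org subject="Quarterly newsletter" attachment=
2023-11-02T09:15:02Z from=noreply@f5-update.net to=ops@example.org subject="Urgent patch" attachment=patch.zip
2023-11-02T09:20:31Z from=colleague@example.org to=admin@example.org subject="lunch" attachment=menu.pdf
"""

# Assumption: the only domain(s) accepted as the genuine vendor. Extend for your tenant.
LEGIT_VENDOR_DOMAINS = {"f5.com"}
BRAND = "f5"
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tgz", ".tar.gz")
PATCH_WORDS = re.compile(r"update|patch|fix|hotfix", re.I)

# Assumed log layout: key=value fields, subject quoted, attachment possibly empty.
LINE_RE = re.compile(
    r'from=(?P<from>\S+) to=\S+ subject="(?P<subject>[^"]*)" attachment=(?P<att>\S*)'
)


def sender_domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def is_brand_lookalike(domain):
    """True when the domain trades on the brand name but is not a known-good vendor domain."""
    if domain in LEGIT_VENDOR_DOMAINS:
        return False
    labels = re.split(r"[.-]", domain)
    return any(label == BRAND or label.startswith(BRAND) for label in labels)


def flag_message(record):
    """Return a list of human-readable reasons this message looks like a fake vendor patch."""
    reasons = []
    dom = sender_domain(record["from"])
    if is_brand_lookalike(dom):
        reasons.append(f"sender domain {dom} impersonates {BRAND} but is not a known vendor domain")
    att = record["att"].lower()
    if att.endswith(ARCHIVE_EXT) and PATCH_WORDS.search(record["subject"] + " " + att):
        reasons.append(f"archive attachment {record['att']} presented as a vendor patch")
    return reasons


def scan(log_text):
    """Parse each log line and return (sender, attachment, reasons) for every flagged message."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        rec = m.groupdict()
        reasons = flag_message(rec)
        if reasons:
            findings.append((rec["from"], rec["att"], reasons))
    return findings


if __name__ == "__main__":
    for sender, att, reasons in scan(SAMPLE_LOG):
        print(f"{sender} [{att or 'no attachment'}]")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed log, the scan flags the `f5.support` and `f5-update.net` messages (each for both the lookalike domain and the archive-as-patch attachment) and leaves the genuine `f5.com` mail and the internal message alone. The two checks are deliberately independent: a lookalike domain is suspicious even without an attachment, and a "patch" archive from an unverified sender is suspicious even when the domain does not mention the brand, so either alone is enough to route the message for review rather than to an administrator's inbox.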