Phishing – INDIA NEWS (https://www.indiavpn.org)

TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer
https://www.indiavpn.org/2024/04/11/ta547-phishing-attack-hits-german-firms-with-rhadamanthys-stealer/

Apr 11, 2024 | Newsroom | Endpoint Security / Ransomware

A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign.

“This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors,” Proofpoint said. “Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM).”

TA547 is a prolific, financially motivated threat actor that’s known to be active since at least November 2017, using email phishing lures to deliver a variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware.

In recent years, the group has evolved into an initial access broker (IAB) for ransomware attacks. It has also been observed employing geofencing tricks to restrict payloads to specific regions.

The email messages observed as part of the latest campaign impersonate the German company Metro AG and contain a password-protected ZIP file containing a ZIP archive that, when opened, initiates the execution of a remote PowerShell script to launch the Rhadamanthys stealer directly in memory.

Interestingly, the PowerShell script used to load Rhadamanthys includes “grammatically correct and hyper specific comments” for each instruction in the program, raising the possibility that it may have been generated (or rewritten) using an LLM.

The alternate hypothesis is that TA547 copied the script from another source that had used generative AI technology to create it.

“This campaign represents an example of some technique shifts from TA547 including the use of compressed LNKs and previously unobserved Rhadamanthys stealer,” Proofpoint said. “It also provides insight into how threat actors are leveraging likely LLM-generated content in malware campaigns.”

The development comes as phishing campaigns have also been banking on uncommon tactics to facilitate credential-harvesting attacks. In these emails, recipients are notified of a voice message and are directed to click on a link to access it.

The payload retrieved from the URL is heavily obfuscated HTML content that runs JavaScript code embedded within an SVG image when the page is rendered on the target system.

Present within the SVG data is “encrypted data containing a second stage page prompting the target to enter their credentials to access the voice message,” Binary Defense said, adding the page is encrypted using CryptoJS.

Other email-based attacks have paved the way for Agent Tesla, which has emerged as an attractive option for threat actors due to it “being an affordable malware service with multiple capabilities to exfiltrate and steal users’ data,” according to Cofense.

Social engineering campaigns have also taken the form of malicious ads served on search engines like Google that lure unsuspecting users into downloading bogus installers for popular software like PuTTY, FileZilla, and Room Planner to ultimately deploy Nitrogen and IDAT Loader.

The infection chain associated with IDAT Loader is noteworthy for the fact that the MSIX installer is used to launch a PowerShell script that, in turn, contacts a Telegram bot to fetch a second PowerShell script hosted on the bot.

This PowerShell script then acts as a conduit to deliver another PowerShell script that’s used to bypass Windows Antimalware Scan Interface (AMSI) protections as well as trigger the execution of the loader, which subsequently proceeds to load the SectopRAT trojan.

“Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks,” Jérôme Segura, principal threat researcher at Malwarebytes, said.

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing
https://www.indiavpn.org/2024/04/09/attackers-using-obfuscation-tools-to-deliver-multi-stage-malware-via-invoice-phishing/

Apr 09, 2024 | Newsroom | Malware / Cryptojacking

Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.

The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs said in a technical report.

The modus operandi is notable for the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts.

BatCloak, offered for sale to other threat actors since late 2022, has its foundations in another tool called Jlaive. Its primary feature is to load a next-stage payload in a manner that circumvents traditional detection mechanisms.

ScrubCrypt, a crypter that was first documented by Fortinet in March 2023 in connection with a cryptojacking campaign orchestrated by the 8220 Gang, is assessed to be one of the iterations of BatCloak, according to research from Trend Micro last year.

In the latest campaign analyzed by the cybersecurity firm, the SVG file serves as a conduit to drop a ZIP archive that contains a batch script likely created using BatCloak, which then unpacks the ScrubCrypt batch file to ultimately execute Venom RAT, but not before setting up persistence on the host and taking steps to bypass AMSI and ETW protections.

A fork of Quasar RAT, Venom RAT allows attackers to seize control of the compromised systems, gather sensitive information, and execute commands received from a command-and-control (C2) server.

“While Venom RAT’s primary program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities,” security researcher Cara Lin said. This includes Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.

“This [Remcos RAT] plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs,’ ScrubCrypt, and Guloader PowerShell,” Lin added.

Also delivered using the plugin system is a stealer that gathers information about the system and exfiltrates data from folders associated with wallets and applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (retired as of March 2023), Zcash, Foxmail, and Telegram to a remote server.

“This analysis reveals a sophisticated attack leveraging multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt,” Lin said.

“The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.”

Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme
https://www.indiavpn.org/2024/04/08/cybercriminals-targeting-latin-america-with-sophisticated-phishing-scheme/

Apr 08, 2024 | Newsroom | Cybersecurity / Malvertising

A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems.

“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado said.

The email message, the company said, originates from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.

The HTML file contains a link (“facturasmex[.]cloud”) that displays an error message saying “this account has been suspended,” but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.

This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata as well as checks for the presence of antivirus software in the compromised machine.

It also incorporates several Base64-encoded strings that are designed to run PHP scripts to determine the user’s country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”

Trustwave said the campaign exhibits similarities with that of Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.

“Understandably, from the threat actors’ point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.

“Using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on their target country.”

The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website (“besthord-vpn[.]com”).

“Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads,” security researcher Jérôme Segura said. “Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.”

It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.

The network security company said it also discovered a Golang malware that “uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server].”

New Phishing Campaign Targets Oil & Gas with Evolved Data-Stealing Malware
https://www.indiavpn.org/2024/04/04/new-phishing-campaign-targets-oil-gas-with-evolved-data-stealing-malware/

Apr 04, 2024 | Newsroom | Phishing Attack / Malware

An updated version of an information-stealing malware called Rhadamanthys is being used in phishing campaigns targeting the oil and gas sector.

“The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident,” Cofense researcher Dylan Duncan said.

The email message comes with a malicious link that leverages an open redirect flaw to take the recipients to a link hosting a supposed PDF document, but, in reality, is an image that, upon clicking, downloads a ZIP archive with the stealer payload.

Written in C++, Rhadamanthys is designed to establish connections with a command-and-control (C2) server in order to harvest sensitive data from the compromised hosts.

“This campaign appeared within days of the law enforcement takedown of the LockBit ransomware group,” Duncan said. “While this could be a coincidence, Trend Micro revealed in August 2023 a Rhadamanthys variant that came bundled with a leaked LockBit payload, alongside a clipper malware and cryptocurrency miner.

“The threat actors added a combination of an information stealer and a LockBit ransomware variant in a single Rhadamanthys bundle, possibly indicating the continued evolution of the malware,” the company noted.

The development comes amid a steady stream of new stealer malware families like Sync-Scheduler and Mighty Stealer, even as existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques.

It also follows the emergence of a malspam campaign targeting Indonesia that employs banking-related lures to propagate the Agent Tesla malware to plunder sensitive information such as login credentials, financial data, and personal documents.

Agent Tesla phishing campaigns observed in November 2023 have also set their sights on Australia and the U.S., according to Check Point, which attributed the operations to two African-origin threat actors tracked as Bignosa (aka Nosakhare Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom works as a web designer.

“The main actor [Bignosa] appears to be a part of a group operating malware and phishing campaigns, targeting organizations, which is testified by the US and Australian email business databases, as well as individuals,” the Israeli cybersecurity company said.

The Agent Tesla malware distributed via these attack chains has been found to be secured by the Cassandra Protector, which helps protect software programs against reverse-engineering or modification efforts. The messages are sent via an open-source webmail tool called RoundCube.

“As seen from the description of these threat actors’ actions, no rocket science degree is required to conduct the cyber crime operations behind one of the most prevalent malware families in the last several years,” Check Point said.

“It’s an unfortunate course of events caused by the low-entry level threshold so that anyone willing to provoke victims to launch the malware via spam campaigns can do so.”

Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection
https://www.indiavpn.org/2024/03/28/darcula-phishing-network-leveraging-rcs-and-imessage-to-evade-detection/

Mar 28, 2024

A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale.

“Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries,” Netcraft said.

Darcula has been employed in several high-profile phishing attacks over the last year, wherein the smishing messages are sent to both Android and iOS users in the U.K., in addition to those that leverage package delivery lures by impersonating legitimate services like USPS.

A Chinese-language PhaaS, Darcula is advertised on Telegram and offers support for about 200 templates impersonating legitimate brands that customers can avail for a monthly fee to set up phishing sites and carry out their malicious activities.

A majority of the templates are designed to mimic postal services, but they also include public and private utilities, financial institutions, government bodies (e.g., tax departments), airlines, and telecommunication organizations.

The phishing sites are hosted on purpose-registered domains that spoof the respective brand names to add a veneer of legitimacy. These domains are backed by Cloudflare, Tencent, Quadranet, and Multacom.

In all, more than 20,000 Darcula-related domains across 11,000 IP addresses have been detected, with an average of 120 new domains identified per day since the start of 2024. Some aspects of the PhaaS service were revealed in July 2023 by Israeli security researcher Oshri Kalfon.

One of the interesting additions to Darcula is its capability to update phishing sites with new features and anti-detection measures without having to remove and reinstall the phishing kit.

“On the front page, Darcula sites display a fake domain for sale/holding page, likely as a form of cloaking to disrupt takedown efforts,” the U.K.-based company said. “In previous iterations, Darcula’s anti-monitoring mechanism would redirect visitors that are believed to be bots (rather than potential victims) to Google searches for various cat breeds.”

Darcula’s smishing tactics also warrant special attention as they primarily leverage Apple iMessage and the RCS (Rich Communication Services) protocol used in Google Messages instead of SMS, thereby evading some filters put in place by network operators to prevent scammy messages from being delivered to prospective victims.

“While end-to-end encryption in RCS and iMessage delivers valuable privacy for end users, it also allows criminals to evade filtering required by this legislation by making the content of messages impossible for network operators to examine, leaving Google and Apple’s on-device spam detection and third-party spam filter apps as the primary line of defense preventing these messages from reaching victims,” Netcraft added.

“Additionally, they do not incur any per-message charges, which are typical for SMS, reducing the cost of delivery.”

The departure from traditional SMS-based phishing aside, another noteworthy aspect of Darcula’s smishing messages is their sneaky attempt to get around a safety measure in iMessage that prevents links from being clickable unless the message is from a known sender.

This entails instructing the victim to reply with a “Y” or “1” message and then reopen the conversation to follow the link. One such message posted on r/phishing subreddit shows that users are persuaded to click on the URL by claiming that they have provided an incomplete delivery address for the USPS package.

These iMessages are sent from email addresses such as pl4396@gongmiaq.com and mb6367587@gmail.com, indicating that the threat actors behind the operation are creating bogus email accounts and registering them with Apple to send the messages.

Google, for its part, recently said it’s blocking the ability to send messages using RCS on rooted Android devices to cut down on spam and abuse.

The end goal of these attacks is to trick the recipients into visiting bogus sites and handing over their personal and financial information to the fraudsters. There is evidence to suggest that Darcula is geared towards Chinese-speaking e-crime groups.

Phishing kits can have serious consequences as they permit less-skilled criminals to automate many of the steps needed to conduct an attack, thus lowering barriers to entry.

The development comes amid a new wave of phishing attacks that take advantage of Apple’s password reset feature, bombarding users with what’s called a prompt bombing (aka MFA fatigue) attack in hopes of hijacking their accounts.

Assuming a user manages to deny all the requests, “the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to ‘verify’ a one-time code,” security journalist Brian Krebs said.

The voice phishers have been found to use information about victims obtained from people search websites to increase the likelihood of success, and ultimately “trigger an Apple ID reset code to be sent to the user’s device,” which, if supplied, allows the attackers to reset the password on the account and lock the user out.

It is suspected that the perpetrators are abusing a shortcoming in the password reset page at iforgot.apple[.]com to send dozens of requests for a password change in a manner that bypasses rate limiting protections.

The findings also follow research from F.A.C.C.T. that SIM swappers are transferring a target user’s phone number to their own device with an embedded SIM (eSIM) in order to gain unauthorized access to the victim’s online services. The practice is said to have been employed in the wild for at least a year.

This is accomplished by initiating an application on the operator’s website or application to transfer the number from a physical SIM card to an eSIM by masquerading as the victim, causing the legitimate owner to lose access to the number as soon as the eSIM QR Code is generated and activated.

“Having gained access to the victim’s mobile phone number, cybercriminals can obtain access codes and two-factor authentication to various services, including banks and messengers, opening up a mass of opportunities for criminals to implement fraudulent schemes,” security researcher Dmitry Dudkov said.

New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice
https://www.indiavpn.org/2024/03/27/new-phishing-attack-delivers-keylogger-disguised-as-bank-payment-notice/

Mar 27, 2024 | Newsroom | Vulnerability / Cybercrime

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla.

Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment.

The archive (“Bank Handlowy w Warszawie – dowód wpłaty_pdf.tar.gz”) conceals a malicious loader that activates the procedure to deploy Agent Tesla on the compromised host.

“This loader then used obfuscation to evade detection and leveraged polymorphic behavior with complex decryption methods,” security researcher Bernard Bautista said in a Tuesday analysis.

“The loader also exhibited the capability to bypass antivirus defenses and retrieved its payload using specific URLs and user agents leveraging proxies to further obfuscate traffic.”

Embedding malware within seemingly benign files is a tactic that has been repeatedly employed by threat actors to trick unsuspecting victims into triggering the infection sequence.

The loader used in the attack is written in .NET, with Trustwave discovering two distinct variants that each make use of a different decryption routine to access its configuration and ultimately retrieve the XOR-encoded Agent Tesla payload from a remote server.

In an effort to evade detection, the loader is also designed to bypass the Windows Antimalware Scan Interface (AMSI), which offers the ability for security software to scan files, memory, and other data for threats.

It achieves this by “patching the AmsiScanBuffer function to evade malware scanning of in-memory content,” Bautista explained.

The last phase involves decoding and executing Agent Tesla in memory, allowing the threat actors to stealthily exfiltrate sensitive data via SMTP using a compromised email account associated with a legitimate security system supplier in Turkey (“merve@temikan[.]com[.]tr”).

The approach, Trustwave said, not only raises no red flags, but also affords a layer of anonymity that makes it harder to trace the attack back to the adversary, not to mention saving the effort of having to set up dedicated exfiltration channels.

“[The loader] employs methods like patching to bypass Antimalware Scan Interface (AMSI) detection and dynamically load payloads, ensuring stealthy execution and minimizing traces on disk,” Bautista said. “This loader marks a notable evolution in the deployment tactics of Agent Tesla.”

The disclosure comes as BlueVoyant uncovered another phishing activity conducted by a cybercrime group called TA544 that leverages PDFs dressed up as legal invoices to propagate WikiLoader (aka WailingCrab) and establish connections with a command-and-control (C2) server that almost exclusively encompasses hacked WordPress sites.

It’s worth noting that TA544 also weaponized a Windows security bypass flaw tracked as CVE-2023-36025 in November 2023 to distribute Remcos RAT via a different loader family dubbed IDAT Loader, allowing it to seize control of infected systems.

The findings also follow a surge in the use of a phishing kit called Tycoon, which Sekoia said has “become one of the most widespread [adversary-in-the-middle] phishing kits over the last few months, with more than 1,100 domain names detected between late October 2023 and late February 2024.”

Tycoon, publicly documented by Trustwave last month, permits cyber criminals to target users of Microsoft 365 with phony login pages to capture their credentials, session cookies, and two-factor authentication (2FA) codes. It’s known to be active since at least August 2023, with the service offered via private Telegram channels.

The phishing kit is notable for incorporating extensive traffic filtering methods to thwart bot activity and analysis attempts, requiring site visitors to complete a Cloudflare Turnstile challenge before redirecting users to a credential harvesting page.

Tycoon also shares operational and design-level similarities with the Dadsec OTT phishing kit, raising the possibility that the developers had access to and tweaked the source code of the latter to suit their needs. This is supported by the fact that Dadsec OTT had its source code leaked in October 2023.

“The developer enhanced stealth capabilities in the most recent version of the phishing kit,” Sekoia said. “The recent updates could reduce the detection rate by security products of the Tycoon 2FA phishing pages and the infrastructure. Additionally, its ease of use and its relatively low price make it quite popular among threat actors.”

Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks
https://www.indiavpn.org/2024/03/25/iran-linked-muddywater-deploys-atera-for-surveillance-in-phishing-attacks/

Mar 25, 2024 | Newsroom | Cyber Espionage / Email Security

The Iran-affiliated threat actor tracked as MuddyWater (aka Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera.

The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and information security sectors, Proofpoint said.

“TA450 sent emails with PDF attachments that contained malicious links,” the enterprise security firm said. “While this method is not foreign to TA450, the threat actor has more recently relied on including malicious links directly in email message bodies instead of adding in this extra step.”

MuddyWater has been attributed to attacks directed against Israeli organizations since late October 2023, with prior findings from Deep Instinct uncovering the threat actor’s use of another remote administration tool from N-able.

This is not the first time the adversary – assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) – has come under the spotlight for its reliance on legitimate remote desktop software to meet its strategic goals. It has also been observed utilizing ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

The latest attack chains involve MuddyWater embedding links to files hosted on file-sharing sites such as Egnyte, Onehub, Sync, and TeraBox. Some of the pay-themed phishing messages are said to have been sent from a likely compromised email account associated with the “co.il” (Israel) domain.

In the next stage, clicking on the link present within the PDF lure document leads to the retrieval of a ZIP archive containing an MSI installer file that ultimately installs the Atera Agent on the compromised system. MuddyWater’s use of Atera Agent dates back to July 2022.

The shift in MuddyWater’s tactics comes as an Iranian hacktivist group dubbed Lord Nemesis has targeted the Israeli academic sector by breaching a software services provider named Rashim Software in what’s a case of a software supply chain attack.

“Lord Nemesis allegedly used the credentials obtained from the Rashim breach to infiltrate several of the company’s clients, including numerous academic institutes,” Op Innovate said. “The group claims to have obtained sensitive information during the breach, which they may use for further attacks or to exert pressure on the affected organizations.”

Lord Nemesis is believed to have used the unauthorized access it gained to Rashim’s infrastructure by hijacking the admin account and leveraging the company’s inadequate multi-factor authentication (MFA) protections to harvest personal data of interest.

It also sent email messages to over 200 of its customers on March 4, 2024, four months after the initial breach took place, detailing the extent of the incident. The exact method by which the threat actor gained access to Rashim’s systems was not disclosed.

“The incident highlights the significant risks posed by third-party vendors and partners (supply chain attack),” security researcher Roy Golombick said. “This attack highlights the growing threat of nation-state actors targeting smaller, resource-limited companies as a means to further their geo-political agendas.”

“By successfully compromising Rashim’s admin account, the Lord Nemesis group effectively circumvented the security measures put in place by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data.”

New StrelaStealer Phishing Attacks Hit Over 100 Organizations in E.U. and U.S.
https://www.indiavpn.org/2024/03/22/new-strelastealer-phishing-attacks-hit-over-100-organizations-in-e-u-and-u-s/
Fri, 22 Mar 2024 16:09:49 +0000

Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as StrelaStealer.

The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today.

“These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer’s DLL payload,” the company said.

“In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns.”

First disclosed in November 2022, StrelaStealer is equipped to siphon email login data from well-known email clients and exfiltrate them to an attacker-controlled server.

Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 targeting high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction sectors in the E.U. and the U.S.

These attacks also aim to deliver a new variant of the stealer that packs in better obfuscation and anti-analysis techniques, while being propagated via invoice-themed emails bearing ZIP attachments, marking a shift from ISO files.

Present within the ZIP archives is a JavaScript file that drops a batch file, which, in turn, launches the stealer DLL payload using rundll32.exe, a legitimate Windows component responsible for running 32-bit dynamic-link libraries.

The stealer malware also relies on a bag of obfuscation tricks to render analysis difficult in sandboxed environments.

“With each new wave of email campaigns, threat actors update both the email attachment, which initiates the infection chain, and the DLL payload itself,” the researchers said.

The disclosure comes as Broadcom-owned Symantec revealed that fake installers for well-known applications or cracked software hosted on GitHub, Mega, or Dropbox are serving as a conduit for a stealer malware known as Stealc.

Phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT (aka Rescoms), with the latter delivered by means of a cryptor-as-a-service (CaaS) called AceCryptor, per ESET.

“During the second half of [2023], Rescoms became the most prevalent malware family packed by AceCryptor,” the cybersecurity firm said, citing telemetry data. “Over half of these attempts happened in Poland, followed by Serbia, Spain, Bulgaria, and Slovakia.”

Other prominent off-the-shelf malware packed inside AceCryptor in H2 2023 include SmokeLoader, STOP ransomware, RanumBot, Vidar, RedLine, Tofsee, Fareit, Pitou, and Stealc. It’s worth noting that many of these malware strains have also been disseminated via PrivateLoader.

Another social engineering scam observed by Secureworks Counter Threat Unit (CTU) has been found to target individuals seeking information about recently deceased individuals on search engines with fake obituary notices hosted on bogus websites, driving traffic to the sites through search engine optimization (SEO) poisoning in order to ultimately push adware and other unwanted programs.

“Visitors to these sites are redirected to e-dating or adult entertainment websites or are immediately presented with CAPTCHA prompts that install web push notifications or popup ads when clicked,” the company said.

“The notifications display false virus alert warnings from well-known antivirus applications like McAfee and Windows Defender, and they persist in the browser even if the victim clicks one of the buttons.”

“The buttons link to legitimate landing pages for subscription-based antivirus software programs, and an affiliate ID embedded in the hyperlink rewards threat actors for new subscriptions or renewals.”

While the activity is currently limited to filling fraudsters’ coffers via affiliate programs, the attack chains could be easily repurposed to deliver information stealers and other malicious programs.

The development also follows the discovery of a new activity cluster tracked as Fluffy Wolf that’s capitalizing on phishing emails containing an executable attachment to deliver a cocktail of threats, such as MetaStealer, Warzone RAT, XMRig miner, and a legitimate remote desktop tool called Remote Utilities.

The campaign is a sign that even unskilled threat actors can leverage malware-as-a-service (MaaS) schemes to conduct successful attacks at scale and plunder sensitive information, which can then be monetized further for profit.

“Although mediocre in terms of technical skills, these threat actors achieve their goals by using just two sets of tools: legitimate remote access services and inexpensive malware,” BI.ZONE said.

Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks
https://www.indiavpn.org/2024/03/19/hackers-exploiting-popular-document-publishing-sites-for-phishing-attacks/
Tue, 19 Mar 2024 12:18:22 +0000

Mar 19, 2024 | Newsroom | Email Security / Social Engineering

Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends.

“Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate,” Cisco Talos researcher Craig Jackson said last week.

While adversaries have used popular cloud-based services such as Google Drive, OneDrive, Dropbox, SharePoint, DocuSign, and Oneflow to host phishing documents in the past, the latest development marks an escalation designed to evade email security controls.

DDP services allow users to upload and share PDF files in a browser-based interactive flipbook format, adding page flip animations and other skeuomorphic effects to any catalog, brochure, or magazine.

Threat actors have been found to abuse the free tier or a no-cost trial period offered by these services to create multiple accounts and publish malicious documents.

Besides exploiting their favorable domain reputation, the attackers take advantage of the fact that DDP sites facilitate transient file hosting, thereby allowing published content to automatically become unavailable after a predefined expiration date and time.

What’s more, productivity features baked into DDP sites like Publuu could act as a deterrent, preventing the extraction and detection of malicious links in phishing messages.

In the incidents analyzed by Cisco Talos, DDP sites are integrated into the attack chain in the secondary or intermediate stage, typically by embedding a link to a document hosted on a legitimate DDP site in a phishing email.

The DDP-hosted document serves as a gateway to an external, adversary-controlled site either directly by clicking on a link included in the decoy file, or through a series of redirects that also require solving CAPTCHAs to thwart automated analysis efforts.

The final landing page is a bogus site mimicking the Microsoft 365 login page, thus allowing the attackers to steal credentials or session tokens.

“DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls,” Jackson said.

“DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack.”

New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT
https://www.indiavpn.org/2024/03/19/new-phishing-attack-uses-clever-microsoft-office-trick-to-deploy-netsupport-rat/
Tue, 19 Mar 2024 06:33:11 +0000

Mar 19, 2024 | Newsroom | Social Engineering / Email Security

A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT.

Israeli cybersecurity company Perception Point is tracking the activity under the moniker Operation PhantomBlu.

“The PhantomBlu operation introduces a nuanced exploitation method, diverging from NetSupport RAT’s typical delivery mechanism by leveraging OLE (Object Linking and Embedding) template manipulation, exploiting Microsoft Office document templates to execute malicious code while evading detection,” security researcher Ariel Davidpur said.

NetSupport RAT is a malicious offshoot of a legitimate remote desktop tool known as NetSupport Manager, allowing threat actors to conduct a spectrum of data gathering actions on a compromised endpoint.

The starting point is a salary-themed phishing email that purports to be from the accounting department and urges recipients to open the attached Microsoft Word document to view the “monthly salary report.”

A closer analysis of the email message headers – particularly the Return-Path and Message-ID fields – shows that the attackers use a legitimate email marketing platform called Brevo (formerly Sendinblue) to send the emails.

The Word document, upon opening, instructs the victim to enter a password provided in the email body and enable editing, followed by double-clicking a printer icon embedded in the doc to view the salary graph.

Doing so opens a ZIP archive file (“Chart20072007.zip”) containing one Windows shortcut file, which functions as a PowerShell dropper to retrieve and execute a NetSupport RAT binary from a remote server.

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” Davidpur said, adding the updated technique “showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”

Growing Abuse of Cloud Platforms and Popular CDNs

The development comes as Resecurity revealed that threat actors are increasingly abusing public cloud services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage, as well as Web 3.0 data-hosting platforms built on the InterPlanetary File System (IPFS) protocol such as Pinata to generate fully undetectable (FUD) phishing URLs using phishing kits.

Such FUD links are offered on Telegram by underground vendors like BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX, and XPLOITRVERIFIER for prices starting at $200 per month as part of a subscription model. These links are further secured behind antibot barriers to filter incoming traffic and evade detection.

Also complementing these services are tools like HeartSender that make it possible to distribute the generated FUD links at scale. The Telegram group associated with HeartSender has nearly 13,000 subscribers.

“FUD Links represent the next step in [phishing-as-a-service] and malware-deployment innovation,” the company said, noting attackers are “repurposing high-reputation infrastructure for malicious use cases.”

“One recent malicious campaign, which leveraged the Rhadamanthys Stealer to target the oil and gas sector, used an embedded URL that exploited an open redirect on legitimate domains, primarily Google Maps and Google Images. This domain-nesting technique makes malicious URLs less noticeable and more likely to entrap victims.”
