March 22, 2022

Wizard Spider’s Naver Phishing Campaign

Industry: N/A | Level: Tactical | Source: Prevailion

Analysis of a large-scale phishing campaign was observed by Prevailion’s Adversarial Counterintelligence Team (PACT), took place in late January 2022, with the goal to collect Naver credentials. Naver services are operated in South Korea, providing a variety of services for search, email, news, etc. and is a comparable service to  Google and Yahoo. From investigating the threat campaign’s infrastructure, an overlap was identified with threat group “WIZARD SPIDER [a.k.a. TrickBot] infrastructure.” The infrastructure used is very large as from PACT’s review “542 unique domains had been identified as part of this malicious cluster of web infrastructure, 532 of which were assessed with high confidence to be part of the ongoing phishing campaign targeting Naver logins; the oldest domain identified by PACT was registered in August of 2021, other registrations are as recent as February of 2022.” A particular phishing domain has a strong association to TrickBot, as the IP used for the Naver phishing campaign was also tied to a Cobalt Strike beacon sample that had been analyzed on VirusTotal. The Cobalt Strike sample was used in a threat campaign that abused CVE-2021-40444 to ultimately deploy Conti ransomware.

  • Anvilogic Use Case: Malicious Document Execution