Proofpoint has discovered a new and “highly functional” cybercriminal group that is impersonating many departments of the Philippine government and businesses to spread Trojan malware. The group, dubbed "Balikbayan Foxes" and tracked as TA2722, is mainly targeting Shipping/Logistics, Business Services, Manufacturing, Finance, Pharmaceutical, and Energy entities across the region. The group is also targeting organizations in other regions, including North America, Europe, and Southeast Asia.
The threat actors have conducted a series of campaigns throughout 2021 in which the group impersonated various Philippine government bodies, including the Philippine Overseas Employment Administration (POEA), the Department of Health, and the Bureau of Customs, to send phishing emails. In other campaigns, the group impersonated the Manila embassy of the Kingdom of Saudi Arabia (KSA) and DHL Philippines.
According to the research, the consistent pattern of spoofing email addresses and delivering lures that impersonate government bodies makes it clear that the threat actors are targeting organizations directly or indirectly connected to the Philippine government. The threat actors also used themes related to COVID-19 infection information, invoicing, billing, and industry advisories. Some of the targets are part of very large supply chains, so a compromise could have a far-reaching impact.
Proofpoint's research identified that in every campaign the threat actors distributed either the Remcos or the NanoCore remote access trojan (RAT). Remcos and NanoCore are mainly used for surveillance, information gathering, monitoring, data theft, and control of compromised computers.
Different delivery mechanisms have been observed across the campaigns. In some cases, phishing emails contained OneDrive URLs linking to RAR files with embedded UUE files; in others, crafted PDFs were attached containing embedded URLs leading to compressed executables (.iso files) that download and run the malware. The group has also used another common payload deployment method: MS Excel documents containing macros which, if enabled, execute the Trojan.
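As an added illustration of how a mail-security team might triage the delivery chains and spoofing pattern described above, the following Python script applies a few simple heuristics to constructed sample messages. It is example code written for this article, not Proofpoint's detection logic or any product rule set. It assumes that legitimate Philippine government mail comes from a `.gov.ph` domain (a labelled assumption), and all sender addresses, URLs and attachment names are constructed placeholders, not indicators from the report.

```python
"""Triage heuristics for the lure and delivery patterns described above.

Added example, not the article's or Proofpoint's code. Sample messages are
constructed; domains and file names are placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Email:
    display_name: str
    from_addr: str
    attachments: list[str]  # a member of an archive attachment is written "outer.rar/inner.uue"
    urls: list[str]


# Bodies the article says the group impersonates in display names.
IMPERSONATED_BODIES = ("poea", "overseas employment", "department of health",
                       "bureau of customs", "embassy", "dhl")
# Assumption: genuine Philippine government mail originates from a gov.ph domain.
TRUSTED_SUFFIXES = (".gov.ph",)
# Encoded/executable payloads seen inside archives in the reported chains.
PAYLOAD_EXTS = (".uue", ".iso", ".exe")
# Archives and disk images linked from OneDrive URLs or embedded PDF URLs.
ARCHIVE_OR_IMAGE_EXTS = (".rar", ".iso", ".zip")
# Excel formats that can carry a macro dropper.
MACRO_EXTS = (".xls", ".xlsm", ".xlsb")


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address such as 'Name <user@host>'."""
    return addr.rsplit("@", 1)[-1].strip(">").lower()


def triage(msg: Email) -> list[str]:
    """Return a list of human-readable findings for one message (empty if clean)."""
    findings = []
    name = msg.display_name.lower()
    domain = sender_domain(msg.from_addr)

    # Display name claims a trusted body, but the sending domain is not a gov.ph domain.
    if any(body in name for body in IMPERSONATED_BODIES) and not domain.endswith(TRUSTED_SUFFIXES):
        findings.append(f"impersonation: '{msg.display_name}' sent from {domain}")

    for att in msg.attachments:
        low = att.lower()
        if "/" in low and low.endswith(PAYLOAD_EXTS):
            findings.append(f"archive member is an executable/encoded payload: {att}")
        elif low.endswith(MACRO_EXTS):
            findings.append(f"Excel attachment; macros may run a dropper: {att}")

    for url in msg.urls:
        path = urlparse(url).path.lower()
        if path.endswith(ARCHIVE_OR_IMAGE_EXTS):
            findings.append(f"link to archive/disk image: {url}")

    return findings


# Constructed sample messages mirroring the three delivery patterns plus one clean message.
SAMPLES = [
    Email("POEA Advisory", "advisory@poea-notice.example", ["POEA_Memo.pdf"],
          ["https://onedrive.live.example/d/Advisory.rar"]),
    Email("Bureau of Customs", "clearance@customs-ph.example",
          ["Clearance.rar/Clearance.uue"], []),
    Email("DHL Philippines", "noreply@dhl-express.example", ["Invoice.xls"], []),
    Email("Department of Health", "bulletin@example.gov.ph", ["Bulletin.pdf"],
          ["https://example.gov.ph/covid19"]),
]


def triage_all(samples: list[Email]) -> dict[str, list[str]]:
    """Map each sender address to its findings."""
    return {msg.from_addr: triage(msg) for msg in samples}


if __name__ == "__main__":
    for addr, hits in triage_all(SAMPLES).items():
        print(addr, "->", hits or ["clean"])
```

The heuristics are deliberately coarse: the useful part for a defender is the combination of a display name that claims a government body with a non-government sending domain, together with an attachment or link chain ending in an archive, disk image or macro document. Any one signal alone is noisy; the pairing is what matches the pattern the article describes.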
The reports also showed that Balikbayan Foxes is expanding and advancing its tactics. The group is highly active at present, the research added.