Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Fake Emails. Show all posts
Malwares
Booking.com Booking.com scam Cyber Attacks Cyber Phishing Fake Emails Malware attacks Malwares

PHALT#BLYX Malware Campaign Targets European Hotels With Fake Booking Emails

 

A fresh wave of digital threats emerged just after Christmas 2025, aimed squarely at European lodging spots. Instead of random attacks, it used clever email tricks made to look like they came from Booking.com. Staff members got messages that seemed urgent, nudging them to click without thinking twice. Once opened, hidden code slipped inside their systems quietly. That backdoor let attackers take control through software called DCRat. Behind the scenes, the whole scheme ran under the name PHALTBLYX. 

Research from Securonix shows the attack kicks off using fake emails made to look like Booking.com alerts. A supposed booking cancellation triggers the alert. Displayed boldly is a charge in euros - frequently more than €1,000. That sum aims straight at emotions, sparking alarm. Fear takes over, nudging people toward clicking before checking details. 

Clicking the “See Details” button sends people nowhere near Booking.com. A hidden detour happens first - through another web address entirely. Then comes a counterfeit site built to trick. There, a phony CAPTCHA pops up out of nowhere. After that, a fake Blue Screen appears like it is urgent. Words flash: fix this now by clicking here. Those clicks run harmful PowerShell scripts without warning. The whole chain relies on looking real until it is too late. 

Something begins before the main event - stages unfold slowly, one after another. A hidden rhythm runs through it all, tied to familiar parts of Windows, used in ways they were never meant to be. An XML file shows up without notice, slipped into place while no one watches. It looks harmless, built like a regular project for MSBuild.exe, which itself is real software from Microsoft. Instead of old tricks involving clunky HTML apps, attackers now twist everyday tools into something else. 

What seems ordinary might already be working against you. Normal actions become cover, hiding intent inside routine noise. A hidden DCRat program gets activated during execution. At the last step, a compressed .NET tool called staxs.exe unlocks its internal settings through advanced encryption like AES-256 paired with PBKDF2. To stay active across restarts, it drops a misleading Internet Shortcut into the Startup directory on Windows. After turning on, DCRat reaches out to several hidden servers, then checks what kind of machine it has landed on. Information about the software, settings, and person using the device gets gathered piece by piece. 

Remote operators gain complete control right after. Instead of running openly, it sneaks inside normal system tasks by reshaping them from within. That trick helps it stay put without drawing attention. Noticing clues in the code, experts link the operation to hackers who speak Russian. 

Built into everyday tools users trust, this malware plays on emotions while slipping past alarms. What stands out is how each step connects - carefully strung - to avoid detection. Staying hidden matters most, especially where guest data flows through open networks.
Read more »
Users
Amazon Cyber Security Fake Emails Federal Trade Commission FTC phishing Users

Amazon Accounts Targeted by New Phishing Scam — Here’s How to Stay Safe



A wave of phishing scams is currently targeting Amazon users, putting millions of accounts at risk. Criminals are sending fake emails and text messages that appear to come from Amazon, tricking users into clicking on links that lead to fraudulent login pages. If you enter your details on these fake pages, your account can be hijacked.

Amazon has confirmed that some of these phishing messages claim your Prime subscription is being renewed at a suspicious price. The messages often include personal information to make them look more believable. In some cases, users are sent text messages about fake refunds or order issues, further increasing the chances of someone falling for the scam.

Cybersecurity firm Guardio recently reported a dramatic rise in such attacks, noting a 5000% increase in fake Amazon texts over just two weeks. These messages aim to trick users into entering their Amazon credentials, which the attackers can then use to take over accounts.

While Amazon has removed tens of thousands of fake websites and phone numbers used in these scams, the attacks continue to spread. The U.S. Federal Trade Commission (FTC) has also issued warnings, reminding consumers that Amazon will never ask for sensitive information over email or text.

To help protect users, Amazon is urging everyone to update their security settings. Here’s what you should do right away:

1. Turn on Two-Step Verification (2SV)

This adds an extra layer of protection to your account. Once enabled, you’ll need both your password and a one-time code to sign in.

• Avoid using SMS for 2SV — it’s less secure.

• Instead, use an authentication app like Google Authenticator or Apple’s Passwords.

If you’ve already set up 2SV through SMS, switch to an app by turning off the current method, clearing your 2SV settings, and enabling it again using your preferred app.


2. Use a Passkey for Sign-In

Passkeys are a newer, more secure login method that links your Amazon account to your device’s fingerprint or face unlock feature. Unlike passwords, passkeys cannot be phished.

• Even if someone tricks you with a fake login page, they won’t be able to access your account without your physical device.

These two simple steps can greatly reduce your risk of being hacked. With phishing scams on the rise, now is the time to update your settings before it’s too late.

Read more »
phishing
Amazon Prime Cyber Security Fake Emails PDF Files phishing

New Phishing Scam Targets Amazon Prime Subscribers

 


A new cyber attack is putting Amazon Prime subscribers at risk. Hackers are sending malicious emails warning users that their Prime membership is about to expire. These emails contain attachments with dangerous links that redirect users to fake websites designed to steal personal and financial information. Security experts warn that this is the latest example of cybercriminals using PDFs for phishing scams, exploiting the trust people place in these file types.

How the Scam Works

Researchers from Palo Alto's Unit 42 have identified this new scam, which relies on deceptive emails that appear to be from Amazon. The emails claim that the user’s Prime membership is expiring soon, urging them to take immediate action. Attached to the email is a PDF file containing a link that redirects users through multiple sites before landing on a fake login page. This page is designed to capture the user’s credentials, including passwords and credit card information.

The phishing websites are meticulously crafted to resemble Amazon’s official login page, making it difficult for users to distinguish them from the real site. Since June 2024, attackers have registered over 1,000 fake domains that closely mimic Amazon’s official domain, further complicating detection.

This type of attack is particularly dangerous because it exploits the perception that PDF files are safe. Hackers use this trust to bypass email filters and deliver malicious content. Javvad Malik, a security advocate at KnowBe4, warns that opening unexpected email attachments is risky. Many users fail to verify the sender’s email address before clicking on links, making them easy targets for cybercriminals.

Dray Agha, senior security manager at Huntress, explains that phishing techniques are constantly evolving. Cybercriminals are now using redirection techniques within PDF files to evade traditional security measures, making even cautious users vulnerable to these scams.

How to Protect Yourself

While Amazon is actively working to shut down these fraudulent websites, new ones continue to emerge. To stay safe, experts recommend the following steps:

  1. Avoid Opening Unexpected Attachments: Even if the email appears to be from Amazon, verify its authenticity before clicking on any links or opening attachments.
  2. Verify the Sender’s Email Address: Scammers often use email addresses that resemble official ones but contain minor spelling errors or inconsistencies.
  3. Ignore Urgent Emails: Hackers use urgency to pressure users into acting without thinking. If you receive an email claiming your account is at risk, log in directly through Amazon’s official website to verify the information.
  4. Access Amazon Directly: Instead of clicking on links in emails, type www.amazon.com directly into your browser to check your account status.

Amazon’s Response to the Threat

Amazon has acknowledged the scam and is actively working to take down fraudulent sites. The company encourages users to report suspicious emails or scams through its official support page. An Amazon spokesperson stated: “Scammers pretending to be Amazon put customers at risk. We urge customers to report suspicious emails to help protect accounts and take action against bad actors.”

Cybercriminals are constantly devising new ways to deceive users, but with awareness and caution, individuals can protect themselves from falling victim to these scams. By staying informed and following best practices, users can safeguard their personal and financial information from phishing attacks.

The new phishing scam targeting Amazon Prime subscribers highlights the evolving tactics of cybercriminals. By exploiting trusted file types like PDFs and creating convincing fake websites, attackers are able to bypass traditional security measures. Users must remain vigilant, verify the authenticity of emails, and avoid clicking on suspicious links. As Amazon continues to combat these fraudulent activities, awareness and proactive measures are key to staying safe in an increasingly complex digital landscape.

Read more »
Scammer
AWS Crypto Phishing cryptocurrency cryptocurrency theft Cyber Attacks Fake Emails Ledger Phishing scam Scammer

Ledger Phishing Scam Targets Cryptocurrency Wallets

 


A sophisticated phishing email campaign has emerged, targeting cryptocurrency users by impersonating Ledger, a prominent hardware wallet provider. These fraudulent emails claim that the recipient’s Ledger wallet seed phrase — also known as a recovery or mnemonic seed — has been compromised. In an attempt to secure their funds, users are directed to a so-called “secure verification tool” where they are asked to confirm their seed phrase. The phishing emails appear convincing, offering a “Verify my recovery phrase” button. Clicking this button redirects victims through an Amazon Web Services (AWS) website to a fake domain, “ledger-recovery[.]info.”

Once users enter their seed phrase on this page, the attackers capture the information, granting them full access to the victims’ cryptocurrency wallets. A recovery phrase, typically consisting of 12 or 24 random words, acts as the key to accessing a wallet’s funds. The importance of keeping this phrase private and offline cannot be overstated. By stealing these phrases, the attackers gain control of the wallets and can siphon all funds, leaving victims with no recourse.

To increase the scam’s credibility, the phishing site includes several deceptive features. For example, it accepts only valid seed phrase words from a predetermined list of 2,048 options. Regardless of the entered data, the site falsely informs users that their phrase is incorrect, encouraging them to re-enter their information multiple times and ensuring the attackers receive accurate details.

The Evolving Nature of Phishing Scams

This phishing attempt highlights the evolving sophistication of such scams. In the past, phishing emails were often marred by poor grammar or clumsy wording, making them easier to spot. However, with advancements in generative artificial intelligence, scammers can now produce polished and professional-looking messages. In this instance, one of the few red flags was the use of the SendGrid email marketing platform and the redirection through an AWS website, which sharp-eyed recipients might notice.

While it remains unclear how many individuals fell victim to this scheme, any user who shared their seed phrase likely lost their funds permanently. This incident underscores the importance of exercising caution and maintaining strict security protocols when handling sensitive information like recovery phrases.

How to Protect Your Cryptocurrency Wallet

Cryptocurrency users are advised to verify communications directly through official sources and avoid clicking on links in unsolicited emails. Recovery phrases should never be shared online, as doing so compromises the entire wallet’s security. With scams becoming increasingly sophisticated, vigilance and education are crucial in safeguarding digital assets.

Read more »
USA
cyber attack Email Attacks email spam Fake Emails FBI USA

FBI Investigates Thousands of Fake Emails Warning of Cyber Threat You Must Do 1 Thing

 

Over the weekend, an alarming incident unfolded as thousands of fake emails flooded in, purportedly from the US Department of Homeland Security. The messages, titled "Urgent: Threat actor in systems," raised concerns about a cyber threat allegedly posed by a group called the Dark Overlord. According to reports, recipients were warned of a sophisticated chain attack targeting them, adding to the sense of urgency and anxiety. 

What made matters worse was the apparent authenticity of these emails, originating from FBI infrastructure. The scale of the operation was staggering, with over 100,000 of these deceptive emails sent out, causing widespread disruption and confusion among recipients. 

Additionally, it was discovered that the North Korean military intelligence agency, along with a hacking group called APT43 or Kimsuky, carried out a sophisticated cyber attack. They tricked people into giving away important information by pretending to be journalists, researchers, or academics through fake emails. To protect against this, experts suggest updating email security settings, like DMARC, which can help prevent such attacks. 

Let’s Understand Everything About DMARC

DMARC, DKIM, and SPF are like a triple defense system for emails. They work together to stop bad guys from pretending to send emails from places they should not. It is like having three guards at the gate, making sure only the right people get through. Picture your email as a package you are sending out into the world. DKIM and SPF are like seals of approval on the package, showing it is genuine and not tampered with. 

Now, DMARC is your extra security measure. It is like a set of instructions you attach to your package, telling the delivery person what to do if something seems fishy. "If the seal is broken, handle with care!" If you do not have DKIM, SPF, and DMARC set up properly, it is like sending out your package without those stamps and instructions. It might get lost, or worse, someone might try to copy your package and send out fake ones. 

So, by having these protections in place, you ensure your emails are delivered safely and are not mistaken for spam. This warning is a way to stop APT43 from stealing more data and giving it to North Korea. It is important for everyone to act fast and secure their email systems. These steps are crucial because cyber threats like this are always changing and can be really damaging. So, it is essential to stay alert and protect yourself from these kinds of attacks. 

Despite the gravity of the situation, the FBI has remained tight-lipped about further details, leaving many questions unanswered. As investigations unfold, concerns persist about the potential ramifications of such a large-scale deception. The incident serves as a stark reminder of the ever-present threat of cyber attacks and the importance of remaining vigilant in the face of such challenges. Stay tuned for updates as the investigation progresses.
Read more »
User Privacy
Data Safety Fake Emails Infostealer malware RedLine Stealer User Privacy

Threat Actors Exploit Adobe Acrobat Sign to Propagate Redline Info-Stealing Malware

 

Cybercriminals are exploiting Adobe Acrobat Sign, an online document signing service, to trick users into downloading malware that steals their personal information. 

In order to get around security measures and dupe users into believing the email they got is legitimate, the service is being misused to send malicious emails that appear to come from the software business. 

The practice of misusing legal services is not new. Abuse of Google Documents comments, PayPal invoicing, and other platforms are current examples of situations similar to this. Researchers at Avast alerted the public to this new cybercrime trend and cautioned against its efficiency in evading security measures and deceiving targets. 

Exploiting legal services 

Adobe Acrobat Sign is a cloud-based e-signature service that allows users to send, sign, track, and manage electronic signatures for free. Threat actors register with the service and use it to send messages to certain email addresses that contain a link to a document published on Adobe's servers ("eu1.documents.adobe.com/public/"). 

The documents include a link to a website that asks visitors to complete a CAPTCHA in order to add authenticity before serving them a ZIP archive containing a copy of the Redline information stealer. Redline is a dangerous spyware that can steal account credentials, cryptocurrency wallets, credit cards, and other data from a compromised device. 

Avast has also detected highly targeted attacks using this strategy, such as one in which the victim had a popular YouTube channel with a large number of subscribers. 

The victim was taken to a document claiming music copyright infringement after clicking on the link in the specially-crafted letter sent via Adobe Acrobat Sign, a popular and credible theme for YouTube channel owners. 

This time, the document was stored on dochub.com, a renowned website for online document signing. The document's link points to the same CAPTCHA-protected website where a download of Redline is made available. The ZIP file in this instance, however, also included a number of executables from the GTA V game that weren't harmful, probably in an effort to confuse antivirus software programmes. 

Additionally, according to Avast, the Redline payload in both instances was artificially inflated to 400MB, aiding in the prevention of anti-virus scans. Recent phishing attacks utilising the Emotet malware employed this same technique. Phishing actors are continually looking for genuine services that may be misused to advertise their malicious emails, as these services enhance their mailbox delivery and phishing success rates. 

Adobe and Dochub.com have been given full access to Avast's findings, and it is hoped that these two services will discover a means to deter malware operators from abusing their services.
Read more »
WhatsApp
Android Backdoor Cyber Fraud Devices Fake Emails Hackers Spam WhatsApp

Researchers Discovered Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

 

Budget Android device models that are replicas of popular smartphone brands are infected with numerous trojans devised to target the WhatsApp and WhatsApp Business messaging apps. Doctor Web discovered the malware in the system partitions of at least four different smartphones in July 2022: P48pro, redmi note 8, Note30u, and Mate40. 

The cybersecurity firm said in a report published, "These incidents are united by the fact that the attacked devices were copycats of famous brand-name models. Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version."

The tampering specifically affects two files, "/system/lib/libcutils.so" and "/system/lib/libmtd.so," which have been modified in such a way that when the libcutils.so system library is used by any app, it activates the execution of a trojan embedded in libmtd.so. If the apps that use the libraries are WhatsApp and WhatsApp Business, libmtd.so launches a third backdoor whose primary function is to download and install additional plugins from a remote location.

The researchers stated, "The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps' files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules."

Libmtd.so is configured to start a local server that enables connections from a remote or local client via the "mysh" console if the app using the libraries turns out to be wpa supplicant - a system daemon used to manage network connections.

Potential Risks

Based on the discovery of another trojan embedded in the system application responsible for over-the-air (OTA) firmware updates, Doctor Web hypothesised that the system partition implants could be part of the FakeUpdates (aka SocGholish) malware family.

The malicious app, on the other hand, is designed to exfiltrate detailed metadata concerning the infected device as well as download and install other software without the user's knowledge using Lua scripts.
Read more »
User Security
Copyright Emails Fake Emails malware Ransomware User Security

Phony Copyright Emails Employed to Install LockBit Ransomware

 

LockBit ransomware operators are employing a unique strategy to lure victims into infecting their devices with malware by portraying it as copyright claims. 

The ransomware hackers target victims by sending an email regarding a copyright violation for allegedly using media files without the creator’s license. It also urges the victim to remove the content from their websites immediately or face legal action. 

The emails, identified by analysts at AhnLab in Korea, do not determine which files were inappropriately employed in the body of the text; rather, they instruct the receiver to download and open the attached file in order to view the infringing content. 

The attachment is a ZIP file that has been encrypted with a password and contains a compressed file. The archive contains a compressed file, an executable file posing as a PDF document. The executable is an NSIS installer, loading the LockBit 2.0 ransomware which, in turn, encrypts all of the files on the endpoint. 

As BleepingComputer reports, copyright claims are not exactly a novelty when it comes to distributing malware. Earlier this year, there had been “numerous” emails of this sort, distributing the likes of BazarLoader, or the Bumblebee malware loader. 

Bumblebee is employed for deploying second-stage payloads, including ransomware, so opening one of those files on your computer may lead to rapid and disastrous assaults. Copyright claims are a matter that publishers of content should take into serious consideration, but if the claim isn't straightforward but instead requests you to open attached files to view the violation details, it's improbable for it to be a genuine takedown notice. 

LockBit 2.0 is by far the most widespread ransomware variant, security analysts from the NCC group have said. Allegedly, LockBit 2.0 accounted for 40% of all ransomware attacks that occurred in May this year. The notorious ransomware operation recorded a whopping 95 victims in May alone, whereas Conti, BlackBasta, Hive, and BlackCat collectively had 65. 

To mitigate the risks, multi-factor authentication can be applied across the entire ecosystem in order to provide an additional layer of defense against cyber assaults. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.
Read more »
Security
Cyber Fraud Fake Emails Fraud Google phishing Scam Scammers Security

Google SMTP Relay Service Exploited for Sending Phishing Emails

 

Phishers are exploiting a vulnerability in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, they've noticed a massive rise in these SMTP relay service exploit attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method will only work if the impersonated corporation/brand company hasn't enabled its DMARC reject policy, according to Fuchs. A DNS-based authentication standard is known as DMARC. It protects enterprises from impersonation threats by preventing malicious, spoof emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher — indeed, anyone who uses the internet – may verify whether the DMARC reject policy has been enabled for a certain domain. Trello and Venmo, for example, haven't, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs claims to have warned Google about how phishers were using their SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of assault. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.
Read more »
Trojan
Bogus Mails Dridex Employees Fake Emails malware phishing Phony Mails Ransomware Trojan

Dridex Targeted Employees with Fake Job Termination Emails

 

A new Dridex malware phishing campaign is using fake employee termination as a lure to open a malicious Excel document, which then trolls them with a season's greeting message.

TheAnalyst, a threat researcher, shared a screenshot of the false employment termination notice on December 22, linking it to a Dridex affiliate. The suspicious email informed the target that their employment will end on December 24, and also that the decision could not be reversed. A password-protected Excel file attached offered further information. 

When a receiver accessed the file, a blurred form with a button to "Enable Content" appeared, allowing the file to run an automated script through its macros function, a technology designed to aid automation that has been misused for years for harmful purposes. After clicking the button, a pop-up window displayed with the words "Merry X-Mas Dear Employees!" 

Dridex is a trojan that was first discovered in 2014 and is related to credential theft. It spreads via email phishing campaigns. According to the US Treasury Department, it has been used to steal more than $100 million from banking institutions in 40 nations. 

Dridex is thought to have been created by Evil Corp., a Russian hacker gang that has become one of the most notorious and prolific cybercrime organizations in recent years. In December 2019, the US government sanctioned the organization and indicted its alleged founders, Maksim Yakubets and Igor Turashev, for their roles in developing Bugat, the predecessor malware to Dridex. 

A response to TheAnalyst's tweet including the false termination notice observed that in some copies of the email, the "Merry X-Mas" pop-up replaced the word "Employees" with racial insults. The racist content with this particular Dridex campaign extends back to a few months, according to TheAnalyst. 

For example, a phishing email sent out to targets during Black Friday mentioned shooting "black protesters" with a license. "If you find this message to be inappropriate or offensive, please click the complaint button in the attached document and we will never contact you again," the message stated. 

According to TheAnalyst, cybercriminals frequently insert racist email addresses inside the malware payloads to insult researchers. This element of the campaign is not visible to the campaign's targets, but it is visible to researchers who seek out, study, and expose phishing campaigns.
Read more »
phishing
Antivirus Cyber Data Cyber Fraud Excel File Fake Emails Financial Sector Fraud Website Malware Distribution MirrorBlast phishing

This New Phishing Attack Uses a Weaponized Excel File

 

A new phishing campaign is targeting financial sector employees by using links to download a ‘weaponized’ Excel document.

MirrorBlast, a phishing effort, was discovered in early September by security firm ET Labs. Morphisec, a fellow security firm, has now studied the malware and warns that the malicious Excel files might escape malware-detection systems due to "extremely lightweight" embedded macros, making it especially risky for businesses that rely on detection-based protection and sandboxing. 

Macros, or scripts for automating activities, have grown in popularity among cybercriminals. Despite the fact that macros are disabled by default in Excel, attackers employ social engineering to deceive potential victims into allowing macros. Despite appearing to be a simple approach, macros have been employed by state-sponsored hackers because they frequently work. 

Microsoft earlier this year extended its Antimalware Scan Interface (AMSI) for antivirus to combat the rise in macro malware and a recent phenomenon by attackers to utilise outdated Excel 4.0 XLM macros (rather than newer VBA macros) to circumvent anti-malware systems. 

As per Morphisec, the MirrorBlast attack chain is similar to tactics used by TA505, a well-established, financially focused Russia-based cybercriminal group. The group has been active since at least 2014 and is well-known for its usage of a wide range of tools. 

Morphisec researcher Arnold Osipov stated in a blog post, "TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution." 

While the MirrorBlast attack begins with a document attached to an email, it afterwards uses a Google feed proxy URL with a SharePoint and OneDrive trap that masquerades as a file-sharing request. When the user clicks the URL, they are sent to a hacked SharePoint site or a bogus OneDrive site. Both versions will take to the malicious Excel document. 

The sample MirrorBlast email demonstrates how the attackers are capitalising on company-issued data on COVID-related modifications to working conditions. Morphisec points out that due to compatibility issues with ActiveX components, the macro code can only be run on a 32-bit version of Office. The macro itself runs a JavaScript script meant to avoid sandboxing by determining if the computer is in administrator mode. The msiexec.exe process is then launched, which downloads and instals an MSI package. 

Morphisec discovered two MIS installation versions that employed legal scripting tools named KiXtart and REBOL. The KiXtart script transmits information about the victim's workstation to the attacker's command and control server, including the domain, computer name, user name, and process list. It then answers with a number indicating whether the Rebol version should be used. Morphisec states that the Rebol script leads to a remote access tool called FlawedGrace, which the group has previously utilised. 

Osipov added, "TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals." 
Read more »
Subscribe to: Comments (Atom)