Iranian Threat Actor TA453 Targets Jewish Figure with Fake Podcast Invite in Malicious Campaign

A recent cyber campaign by the Iranian threat actor TA453 has drawn significant attention following their targeting of a prominent Jewish religious figure with a fake podcast interview invitation. The campaign, which began in July 2024, involved a series of deceptive emails promoting a supposed podcast titled “Exploring Jewish Life in the Muslim World.” The attackers masqueraded as representatives of the Institute for the Study of War (ISW), a legitimate American non-profit think tank focused on military and foreign affairs research. 

On July 22, 2024, TA453 initiated contact with the target by sending an email from an address claiming to represent ISW’s Research Director. The email invited the recipient to participate in the podcast, a lure that successfully engaged the target. After initial correspondence, TA453 sent a DocSend URL containing a password-protected text file with a legitimate ISW podcast link. Researchers from Proofpoint believe this initial interaction was intended to build trust with the target, making them more likely to click on malicious links in future communications. 

Following the initial lure, TA453 escalated their attack by sending a Google Drive URL that led to a ZIP archive. This archive contained a malicious LNK file, which, when opened, deployed the BlackSmith toolset, including the AnvilEcho PowerShell trojan. AnvilEcho is a sophisticated malware capable of intelligence gathering and data exfiltration. It employs encryption and network communication techniques to evade detection, integrating multiple capabilities within a single PowerShell script. The trojan’s command-and-control (C2) infrastructure is hosted on a domain linked to previous TA453 operations. 

AnvilEcho continuously fetches and executes commands from the remote server via its “Do-It” function, which handles various tasks, including network connectivity, file manipulation, screenshot capture, and audio recording. The “Redo-It” function, located at the end of the malware’s code, orchestrates these commands while also collecting system reconnaissance data such as antivirus status, operating system details, and user information. According to researchers, the activities of TA453 are likely aimed at supporting intelligence collection for the Iranian government, specifically the Islamic Revolutionary Guard Corps’ Intelligence Organization. 

The tactics employed in this campaign bear a strong resemblance to those used by the Charming Kitten advanced persistent threat (APT) group, another Iranian cyber espionage unit. This operation is a classic example of multi-persona impersonation, where threat actors leverage legitimate links to build trust with victims before launching more harmful attacks.

Evil Corp-Affiliated Truebot Malware Changes its Strategy to Target RCEs and USBs

A growing number of devices are being infected with the Truebot malware by the threat group Silence. The finding comes from Cisco Talos analysts, who also hypothesized a link between Silence and the notorious hacker outfit Evil Corp (tracked by Cisco as TA505).

In an advisory released last week, the security firm states that the campaign it tracked led to the creation of two botnets: one with infections spread across the globe (especially in Mexico and Brazil), and a more recent one targeted at the US.

"We detected a number of compromised education sector organizations, albeit we do not have enough information to determine that there is a specific concentration on a sector," the advisory reads.

Tiago Pereira, a security researcher with Cisco Talos, views Truebot as a precursor to other threats that are known to have been behind attacks resulting in significant losses.

The attackers show agility in adopting new delivery methods, so readers should think of this as the first phase of what might be a severe attack, Pereira advised. 

Cisco Talos also noted that Silence is moving away from malicious emails as its main delivery method and toward new approaches, while at the same time expanding its set of targets.

"A greater percentage of attacks used Raspberry Robin, contemporary malware disseminated via USB devices, as a delivery mechanism in October. We have a mediocre degree of confidence that the attackers began using yet another method to spread the virus in November," the researchers added.

According to the technical write-up, post-compromise activity involved data theft and the deployment of the Clop ransomware.

We discovered what appears to be a completely functional proprietary data exfiltration tool, which we are calling "Teleport," that was heavily used to steal information during one of these attacks while we were studying it. 

Teleport, written in C++, streamlines the data exfiltration process with several capabilities: limiting upload speed and file size, encrypting connections with a custom protocol, and erasing itself after use.

While Cisco Talos was conducting its study, Silence also exploited a very recent Netwrix vulnerability (tracked as CVE-2022-31199).

"This vulnerability had just recently been published, only a few weeks before the attacks, and the number of systems exposed via the internet is believed to be fairly modest," the researchers concluded.

This suggests that the attackers not only watch for new infection vectors but are also quick to test them and incorporate them into their workflow. None of the malware tools mentioned above were first used by the Silence group: according to a Microsoft advisory from October, Raspberry Robin had already been connected to the Clop and LockBit ransomware organizations.