Tag Archive for: Phishing

Hackers using Microsoft Teams for phishing attacks to spread malware: Report

/in


Cybercriminals are leveraging Microsoft Teams for a new malware campaign, using group chat requests to push DarkGate malware paylo…
Read More
Cybercriminals are using Microsoft’s video conferencing platform Teams for a new malware campaign. According to a report by AT&T Cybersecurity research, hackers are using Microsoft Teams group chat requests as new phishing attacks to push malicious attachments that can install DarkGate malware payloads on victims’ systems. Researchers claim that the attackers may have used a compromised Teams user (or domain) to send over 1,000 malicious Teams group chat invites.

How these Microsoft Teams group chat requests can be harmfulThe report claims that once the malware is installed on a victim’s system, it will reach out to its command-and-control server. This server has already been identified as part of DarkGate malware infrastructure by Palo Alto Networks, report Bleeping Computer.

As per the report, the hackers were able to push this phishing campaign as Microsoft allows Teams users to message other users by default.

AT&T Cybersecurity network security engineer Peter Boyle has warned: “Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel. As always, end users should be trained to pay attention to…

Source…

Russia’s APT28 used new malware in a recent phishing campaign

/in


Russia-linked APT28 used new malware in a recent phishing campaign

Pierluigi Paganini
December 29, 2023

Ukraine’s CERT (CERT-UA) warned of a new phishing campaign by the APT28 group to deploy previously undocumented malware strains.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new cyber espionage campaign carried out by the Russia-linked group APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”).

The group employed previously undetected malware such as OCEANMAP, MASEPIE, and STEELHOOK to steal sensitive information from target networks.

APT28

CERT-UA discovered multiple phishing attacks aimed at government organizations between December 15 and December 25. The phishing emails attempt to trick recipients into clicking on an embedded link to view a document.

Upon clicking the links, the victims are redirected to a web resource where, with the help of JavaScript and features of the application protocol “search” (“ms-search”) [1], a shortcut file (LNK) is downloaded.

Once the file is opened, a PowerShell command downloads a decoy document from a remote server, along with the Python programming language interpreter and the Client.py file classified as MASEPIE.

MASEPIE is a Python tool used to upload/unload files and execute commands. The malware communicated with C2 infrastructure via TCP, it use the AES-128-CBC algorithm to encrypt the traffic. The 16-byte key is generated during the initial connection setup. The backdoor maintains persistence by setting the ‘SysUpdate’ key in the OS registry and storing the LNK file ‘SystemUpdate.lnk’ in the startup directory.

Threat actors also used the MASEPIE malware to load and execute OPENSSH (for building a tunnel), STEELHOOK PowerShell scripts (stealing data from Chrome/Edge Internet browsers), and the OCEANMAP backdoor. 

“In addition, IMPACKET, SMBEXEC, etc. are created on the computer within an hour from the moment of the initial compromise, with the help of which network reconnaissance and attempts at further horizontal movement are carried out.” reads the advisory published by CERT-UA. “According to the combination of tactics, techniques, procedures and tools, the…

Source…

New QakBot phishing campaign appears, months after FBI takedown

/in


Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered.

QakBot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was one of the most deployed malware loaders in 2023 until an FBI-led takedown in August took the operation offline and untethered 700,000 compromised machines from the botnet.

In a Dec. 15 posted on X (previously Twitter), Microsoft’s Threat Intelligence team said they had identified a new QakBot phishing campaign.

“The campaign began on December 11, was low in volume, and targeted the hospitality industry,” the researchers said.

Targets of the new campaign received an email purporting to be from a U.S. Internal Revenue Service (IRS) employee. The email included a PDF attachment containing a URL that downloaded a digitally signed Windows Installer (.MSI) file.

If victims executed the MSI file, it launched QakBot malware. The payload was configured with a previously unseen version of the malware, 0x500, the Microsoft researchers said.

While the unique versioning suggested updates may have been introduced over the past few months, another researcher said on X: ““All in all, this new Qbot version feels basically the same as the old stuff just with some minor tweaks.”

The ‘duck hunt’ is set to resume

As well as dismantling the botnet in August – in what was dubbed “Operation Duck Hunt” – authorities also seized infrastructure and $8.6 million in cryptocurrency belonging to the gang responsible for QakBot.

While taking out such a major botnet that had taken years to build was considered a significant victory, researchers warned at the time that because arrests were not made, there was a possibility the threat actors responsible for QakBot could regroup.

In October, Cisco Talos said it believed the same gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the QakBot takedown. Talos researchers said while the August raid took down the group’s command-and-control servers, it had not impacted their spam delivery infrastructure.

QakBot was first observed in 2008…

Source…

Russian hackers targeted US intel officers in ‘sophisticated spear phishing campaign,’ DOJ says

/in


Hackers acting on behalf of the Russian government targeted U.S. intelligence officers in a “sophisticated spear phishing campaign” designed to influence elections in the United Kingdom, the Justice Department (DOJ) alleged Thursday.

The operation successfully hacked into computer networks in the U.S., the U.K., Ukraine and other NATO member countries and “stole information used in foreign malign influence operations designed to influence the U.K.’s 2019 elections,” the DOJ said.

The DOJ unsealed a federal indictment Thursday against two individuals connected to the plot, after a federal grand jury in San Francisco returned an indictment Tuesday.

The two individuals charged are Ruslan Aleksandrovich Peretyatko, an officer in Russia’s Federal Security Service (FSB), the DOJ claimed, and Andrey Stanislavovich Korinets. They are each charged with one count of conspiracy to commit an offense against the United States and one count of conspiracy to commit wire fraud.

Along with other unindicted co-conspirators, the defendants were part of the so-called “Callisto Group,” the DOJ said.

The indictment alleges that the hacking campaign took place between at least October 2016 and October 2022 and targeted current and former employees of the U.S. Intelligence Community, Department of Defense, Department of State, defense contractors, and Department of Energy facilities.

The spear phishing campaign often was carried out by sending “sophisticated looking emails” that tricked the targets into providing their log-in credentials, thereby allowing the hackers to access the victims’ email accounts whenever they wanted to, the DOJ said.

Some of the emails were sent from “spoofed” accounts designed to look like other personal and work-related emails the victims would receive, the DOJ said. Sometimes, the emails claimed the users had violated terms of service on an account and had to log in via a provided link. When the users thought they were signing into their accounts, they were actually providing the account credentials to hackers, the DOJ said.

U.S. officials pointed to the indictments as evidence that Russia still is trying to target democratic elections, and they pledged to…

Source…