Phishing Threat Intelligence April 2024
Exploring phishing threat intelligence from April 2024 - Image created by ChatGPT
These are the phishing related stories I paid attention to in April 2024. Feel free to use these and share them with your own security teams.
The NaurLegal Campaign Unveiled
BlueVoyant's Threat Fusion Cell has exposed a new cyber attack campaign, dubbed ‘NaurLegal’, led by the notorious eCrime group Narwhal Spider. This campaign ingeniously exploits the trust in legal transactions by distributing malicious PDF files posing as invoices from reputable law firms. With filenames like "Invoice_[number]from[law firm name].pdf," these documents are crafted to bypass casual scrutiny and initiate malware infections.
Key Insights:
Tactic Exploitation: NaurLegal leverages the routine nature of legal document exchanges, using this as a vector to deploy malware, including sophisticated threats like WikiLoader and potentially IcedID.
Infrastructure: The campaign operates through compromised WordPress sites for command and control (C2), a hallmark of Narwhal Spider’s modus operandi.
Evolving Threat: Unlike previous attacks primarily targeting Italian entities, NaurLegal broadens its focus, indicating a strategic shift towards exploiting a wider array of organizational vulnerabilities.
Google Ads Malware Alert for Security Professionals
In a recent discovery by AhnLab Security Intelligence Center (ASEC), a sophisticated malware distribution campaign has been identified exploiting Google Ads' tracking feature. Dubbed by ASEC, this campaign cleverly disguises malware as popular groupware installers like Notion, Slack, and Trello, leveraging Google Ads to reach a broad audience. The exploitation of the Ads platform's vast user base and complex targeting options presents a notable security concern, highlighting the innovative strategies of cybercriminals to breach defenses.
Key Campaign Insights:
Malware Distribution: Attackers create or hijack Google Ads to distribute malware through tracking URLs hidden in legitimate-looking ads, leading unsuspecting users to download harmful executables.
Targeted Malware: The campaign specifically uses malware-laden files with names mimicking reputable software installers to trick users into initiating downloads.
Sophisticated Evasion Techniques: Upon execution, the malware contacts attacker-controlled servers to fetch additional malicious payloads, utilizing compromised domains and text-sharing sites for hosting.
Payloads and Execution: The Rhadamanthys infostealer malware, fetched from these links, is then injected into legitimate Windows system files, enabling it to steal private data while avoiding detection.
Security Alert: New Loader and Agent Tesla Campaign Detected
SpiderLabs has identified a phishing campaign deploying Agent Tesla via a sophisticated new loader. Initiated via email attachments disguised as bank payment receipts, this campaign utilizes advanced obfuscation and encryption to deliver its malicious payload while evading detection.
Key Insights:
Attack Vector: Phishing emails with attachments that trigger a complex infection chain to deploy Agent Tesla.
Evasion Tactics: The loader showcases advanced evasion, including polymorphism and AMSI bypass techniques, to execute the payload stealthily.
Agent Tesla Execution: Executes entirely in memory, focusing on data theft and utilizing SMTP for data exfiltration through compromised accounts.
AI-Powered Malware Spreads Through Social Media Malvertising Campaigns
This article from Bitdefender highlights a recent surge in information-stealing malware campaigns targeting social media users.
Key Points:
Attackers Exploit Popularity of AI Software: Cybercriminals are leveraging the rising interest in AI-powered image and video generators to distribute malware.
Malicious Ads Impersonate Legitimate Software: Fake social media pages and sponsored ads mimic popular AI tools like Midjourney, Sora, and CapCut.
Ads Trick Users into Downloading Malware: Clicking on these ads leads users to download malicious software disguised as official installers.
Malware Steals Sensitive Information: The malware steals login credentials, browsing history, cookies, and even crypto wallet information.
Rilide V4, Vidar, IceRAT, and Nova Stealer Used: The report identifies various information stealers used in these campaigns, including Rilide V4, Vidar, IceRAT, and Nova Stealer.
Midjourney Most Targeted Platform: Midjourney, a popular AI image generation tool, was the most impersonated platform in this campaign.
Attention Security Teams: Malware Spreads Through YouTube Video Game Cracks
Threat actors are leveraging compromised YouTube accounts to distribute information stealers disguised as popular video game cracks. This campaign, detailed in a recent Proofpoint report, targets unsuspecting gamers, particularly younger audiences.
Compromised Accounts: Legitimate and newly created YouTube accounts are being used to upload malicious videos.
Deceptive Content: Videos advertise access to pirated software or game upgrades. Descriptions contain links that download malware upon clicking.
Targeted Audience: The campaign exploits the desire to bypass paid features, likely appealing to younger gamers.
Security Implications:
Information stealers like Vidar, StealC, and Lumma Stealer can compromise user credentials and other sensitive data.
Compromised accounts can be used to further distribute malware or host phishing attacks.
Younger audiences may be less familiar with online safety best practices, increasing susceptibility.
For further investigation: The Proofpoint report provides Indicators of Compromise (IOCs) to assist in identifying these malicious videos.
ReliaQuest’s Annual Cyber-Threat Report: 2024
According to the report:
Phishing links or attachments were involved in 71% of all initial access phases of cyber attacks
The top three MITRE ATT&CK techniques in attacks involved phishing or spear phishing
Drive-by-compromise was used in 29% of attack
QR code phishing saw a 51% increase in just one month – September – over the previous 8 months combined
Android Malware Vultur Expands Its Capabilities
A recent report by Fox-IT details the evolving capabilities of the Android malware Vultur. Key takeaways:
New Functionality: Vultur now possesses features that enable remote interaction with a device's screen through Accessibility Services.
Enhanced File Management: The malware can now download, upload, delete, install, and locate files on infected devices.
Evasion Techniques: Vultur employs app impersonation and communication encryption to evade detection.
These expanded capabilities pose a significant threat to Android users, as Vultur can now perform a wider range of malicious activities.
Agent Tesla Targets US and AU Organizations: A Newsletter for Security Professionals
A recent campaign by cyberespionage actors, nicknamed "Bignosa" and "Gods", has been targeting organizations in the United States and Australia. The attackers use phishing emails with topics related to purchasing goods and order delivery to distribute the Agent Tesla malware. Once installed, Agent Tesla can steal keystrokes and login credentials.
Key takeaways:
Malicious Mails: Phishing emails with seemingly legitimate topics are being used to lure unsuspecting victims.
Agent Tesla: This malware steals keystrokes and login credentials, posing a significant threat to compromised systems.
Stay Vigilant: Keeping software updated and exercising caution regarding unexpected emails are crucial for mitigating such attacks.
New Download Threat: Latrodectus Emerges
A new downloader malware called Latrodectus has emerged, posing a threat to system security. Two threat actors, TA577 and TA578, have been distributing Latrodectus, raising concerns about its potential reach.
This malware functions as a downloader, capable of not only information theft but also installing additional malware, potentially escalating the attack. Security experts believe Latrodectus might be linked to the creators of IcedID, another malicious software. Key takeaways:
Latrodectus's Reach: The involvement of multiple threat actors (TA577 and TA578) indicates a wider distribution network, increasing the potential for encountering this malware.
Multi-faceted Threat: Latrodectus goes beyond information theft; its ability to install additional malware poses a serious risk of system compromise.
Possible Connection to IcedID: The link to IcedID suggests a potentially sophisticated threat actor behind Latrodectus.
New Malware Delivery Techniques on the Rise
New research from Check Point reveals that cybercriminals are developing new methods to deliver malware. These techniques involve novel infection chains designed to bypass common security measures and deliver Remcos, a powerful Remote Access Trojan (RAT).
The report also highlights the evolving tactics employed by attackers to exploit vulnerabilities. While Lockbit3 remains the most prevalent ransomware, Blackbasta has worryingly climbed the ranks, entering the top three.
Key takeaways:
Cybercriminals are developing new methods to deliver malware, employing novel infection chains to bypass common security measures.
Remcos, a powerful Remote Access Trojan (RAT), is being delivered through these new techniques.
Lockbit3 remains the most prevalent ransomware, but Blackbasta has risen in prominence.
FakeUpdates is the most common malware encountered.
Tycoon 2FA: Phishing As A Service Evolving to Bypass MFA
MFA Fatigue? Tycoon 2FA Raises Concerns
A new variant of the Tycoon 2FA phishing kit is making waves for its effectiveness in bypassing multi-factor authentication (MFA). This phishing-as-a-service (PhishingaaS) tool targets Microsoft 365 credentials and utilizes a technique known as adversary-in-the-middle (AiTM) to steal session cookies, granting access even with MFA enabled.
Key Points for Security Teams:
Active Threat: First observed in August 2023, Tycoon 2FA has become a prevalent threat due to its ease of use and affordability.
MFA Bypass: The phishing kit steals Microsoft 365 session cookies, allowing attackers to bypass MFA and gain access to compromised accounts.
Stealthier Than Ever: Recent updates enhance the kit's stealth capabilities, potentially reducing detection by security products.
Widespread Impact: Sekoia has identified over 1200 domain names associated with Tycoon 2FA infrastructure since its release.
Alert: Cisco Duo's Multifactor Authentication Service Compromised
Cisco Duo has issued a warning to its customers following a breach involving a third-party telephony service provider. This incident, which unfolded on April 1, 2024, involved the unauthorized access of SMS logs due to a social engineering cyberattack.
Key Details:
Breach Dynamics: Threat actors gained access by using compromised employee credentials at a third-party provider that handles SMS and VOIP services for Cisco Duo's multifactor authentication (MFA).
Data Compromised: The breach resulted in the unauthorized download of message logs for SMS messages sent between March 1, 2024, and March 31, 2024. These logs included phone numbers, carriers, country and state data, and other metadata like the date, time, and type of messages.
No Message Content Exposed: It's important to note that the content of the messages was not exposed in the breach.
Customer Advisory: Cisco Duo has advised all impacted users to notify individuals whose information was compromised and to stay alert for potential phishing attacks leveraging the stolen data.
Tech Giants Lead Phishing Charge: Microsoft, Google Top Q1 Brand Impersonation
Phishing remains a top threat, with technology brands the most impersonated.
A recent report by Check Point Research (CPR) paints a concerning picture of the evolving phishing landscape. Their analysis of brand phishing attempts in Q1 2024 reveals a worrying trend: technology giants are the most targeted sectors.
Key Findings:
Microsoft Maintains Top Spot: Microsoft continues to be the most impersonated brand in phishing attacks, accounting for a staggering 38% of all attempts in Q1 2024.
Google Makes Gains: Google rose to the second-place position, capturing 11% of phishing attempts – a significant increase from its previous third-place ranking.
Tech Sector Dominates: Technology remains the most impersonated industry, likely due to its prevalence in corporate environments and the potential for lucrative access to company assets through stolen credentials.
Why Tech Brands?
Cybercriminals often target technology brands for several reasons:
Widespread Use: These brands are familiar and widely used, making them a believable target for phishing attempts.
Access to Sensitive Data: Gaining access to compromised accounts in these platforms can grant attackers access to sensitive corporate data or financial information.
Remote Work Reliance: The increased use of cloud-based services and remote work environments expands the potential attack surface for tech-focused phishing campaigns.
Beware of Sophisticated Phishing Attacks Targeting Help Desks!
Alert! A recent report from the Department of Health and Human Services (HHS) warns of a rise in sophisticated social engineering attacks targeting IT help desks within the healthcare sector.
Here's what you need to know:
Impersonation Tactics: Attackers are making phone calls to help desks, impersonating employees (often in financial roles) and claiming they require urgent assistance.
Credentials at Risk: These imposters are armed with convincing details about the targeted employee, including the last four digits of their Social Security number and corporate ID. This information allows them to bypass initial security checks.
Potential for Data Breaches: The ultimate goal of these attacks is to steal login credentials or trick help desk personnel into granting access to sensitive systems and data.
Malvertising Campaign Targets IT Teams with "MadMxShell" Backdoor
Threat actors are leveraging malvertising campaigns to distribute a previously unseen backdoor dubbed "MadMxShell." This campaign targets IT security and network administration teams by spoofing legitimate IP scanner software websites.
Key Details:
Attack Chain: The threat actors register typosquatted domain names resembling popular IP scanner software.
Google Ads Abuse: They then exploit Google Ads to push these malicious websites to the top of search engine results pages (SERPs) for relevant keywords used by IT professionals searching for IP scanner tools.
Delivery of Backdoor: Unsuspecting victims who visit the spoofed websites are redirected to download links that deliver the MadMxShell backdoor.
Technical Analysis:
MadMxShell Backdoor: This backdoor offers remote access capabilities, allowing attackers to gain unauthorized control over compromised systems.
Limited Information: While details about MadMxShell's functionalities are scarce, the report suggests it possesses file system manipulation and process execution abilities.
Shift in Attack Tactics: Vulnerability Exploitation on the Rise
Phishing Declines, Zero-Days Soar
A recent report by Mandiant indicates a significant shift in cyberattacker tactics. Vulnerability exploitation has overtaken phishing as the primary method for gaining initial network access. Researchers found that in 2023, vulnerabilities were exploited in 38% of intrusions, a 6% increase over 2022. Phishing attempts, while still the second most common initial infection vector, dropped from 22% to 17% over the same period.
The report also highlights a sharp rise in the exploitation of zero-day vulnerabilities, previously unknown flaws in software, by 56% year-over-year. Chinese cyber espionage groups were found to be the most active users of zero-days, while financially motivated attackers continue to leverage these vulnerabilities to steal financial data.
Key Takeaways
Patching vulnerabilities promptly is crucial to preventing initial network access by attackers.
Organizations should prioritize vulnerability management and invest in threat detection solutions capable of identifying zero-day exploits.
While phishing remains a threat, user awareness training should be supplemented with additional security measures to mitigate the evolving tactics of cybercriminals.
Ransomware on the Rise: More Groups, More Victims
Ransomware is back with a vengeance. A GRIT report shows a worrying 20% increase in victims in Q1 2024 compared to the same period last year. This coincides with a surge in active ransomware groups, jumping from 29 to 45 (a 55% increase). BlackBasta and Play are new major players, joining the persistent LockBit.
Brutality and Distribution Mark New Era
These groups are targeting critical infrastructure like hospitals, highlighting a ruthless shift in tactics. Additionally, RaaS groups are recruiting affiliates, creating a more distributed threat landscape.
Key Takeaways:
Patching and Detection are Critical: Shore up defenses by patching vulnerabilities and implementing security solutions.
Beyond Phishing: Non-phishing attacks are the new norm, so vulnerability management is key.
Backups are Essential: Regular backups ensure a swift recovery from an attack.
Stay Ahead of the Curve: Keeping informed about the evolving threat landscape allows for proactive defense.
Phishing Attacks on the Rise: AI-powered Threat Landscape
A recent report by AI-ThreatLabz highlights a significant increase in phishing attacks, with a staggering 58% rise observed in 2024 compared to the previous year. This surge is attributed to the growing adoption of Artificial Intelligence (AI) by attackers, enabling them to craft highly personalized and believable phishing campaigns.
Key Takeaways
Phishing Attacks are Soaring: Phishing remains a major threat, with a sharp increase in incidents this year.
AI-powered Attacks: Attackers are leveraging AI to create more believable and personalized phishing emails, making them harder to detect.
Zero Trust Security is Key: Traditional security approaches may not be sufficient. Zero trust security principles can help mitigate the risk of phishing attacks by continuously verifying access requests.