Phishing Threat Intelligence June 2024
Little behind getting this out but still wanted to get it out. This is a newsletter of articles I thought might be valuable for our security team and helped me plan this months simulated phish. Created with help from ChatGPT
New Execution Technique in ClearFake Campaign
ReliaQuest has identified a new execution technique used in the ClearFake campaign, a variant of the SocGholish malware family. This sophisticated method involves using JavaScript to trick users into executing malicious PowerShell commands, representing a significant evolution in attack tactics.
Key Findings:
Malicious JavaScript Files: The campaign leverages malicious JavaScript files named “update.js,” tricking users into copying and executing encoded PowerShell commands.
Obfuscation and Execution: The PowerShell code is obfuscated using base64 encoding. Once decoded and executed, it performs various actions, including DNS cache clearing, displaying deceptive messages, and downloading additional payloads from malicious URLs.
Persistence via Python: In a novel approach, the campaign uses Python scripts for establishing persistence, signaling an evolution in tactics to evade detection.
Infection Chain:
Ingress: The malicious JavaScript downloads and extracts Python, then sets up a scheduled task for persistence.
Execution: The extracted Python script connects to command-and-control (C2) servers, facilitating further malicious activities.
Persistence: The scheduled task ensures the malware remains active on the infected system, making it harder to detect and remove.
Conclusion: The ClearFake campaign exemplifies the increasing sophistication of cyber threats, highlighting the need for robust security measures and continuous vigilance. By understanding and implementing the recommended defensive measures, organizations can better protect against these evolving threats.
For detailed information and technical analysis, visit ReliaQuest's blog on the ClearFake campaign. Stay informed and secure!
Phishing Campaigns Exploiting Cloudflare Workers
Netskope has identified sophisticated phishing campaigns leveraging Cloudflare Workers to deploy malicious content through two main techniques: HTML smuggling and transparent phishing. These methods are designed to evade detection and compromise user credentials.
Key Findings:
HTML Smuggling: This technique bypasses network controls by assembling the phishing page on the client side. Attackers embed the phishing page as a blob within a benign webpage, using JavaScript to decode and display the malicious content.
Transparent Phishing: In this approach, attackers use Cloudflare Workers as reverse proxies for legitimate login pages, intercepting credentials, cookies, and tokens as users attempt to log in.
Campaign Details:
Targeted Regions: Recent phishing campaigns have primarily targeted victims in Asia, North America, and Southern Europe, focusing on sectors such as technology, financial services, and banking.
Credential Theft: Most phishing pages aim to steal Microsoft login credentials, with other targets including Gmail, Yahoo Mail, and cPanel Webmail.
For detailed technical analysis and more information, visit Netskope's blog on the ClearFake campaign.
New Phishing Campaign Uses Malicious LNK Files
A sophisticated phishing campaign has been discovered, leveraging malicious LNK files to deliver malware. This technique bypasses traditional email security filters and lures victims into executing harmful payloads.
Phishing Lure:
Email Content: Cybercriminals craft emails that appear to come from legitimate sources, often including urgent or enticing messages.
Attachment: The email includes a seemingly harmless LNK file. When clicked, this file triggers the download and installation of malware.
For more details, visit The Hacker News.
New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers
A sophisticated phishing campaign has been identified, deploying the WARMCOOKIE backdoor to exploit job seekers. The attack involves sending fake job offers with malicious attachments or links, which, when executed, install the WARMCOOKIE backdoor. This malware provides attackers with remote access to compromised systems, allowing data exfiltration and further exploitation.
Attack Chain:
Initial Phishing Email: Victims receive fake job offer emails.
Malicious Attachment: The email contains a malicious attachment (e.g., .doc or .pdf).
Execution: Opening the attachment installs the WARMCOOKIE backdoor.
Backdoor Access: Attackers gain unauthorized access to the victim's system.
Data Exfiltration: Sensitive information is extracted and used for further attacks.
Key Indicators:
Fake job offer emails with .doc or .pdf attachments.
Unusual email addresses and domains.
Links redirecting to suspicious websites.
For further details, visit the Hacker News article.
RansomHub Strengthens Its Ransomware Arsenal with Scattered Spider Tactics
A recent alliance between RansomHub and Scattered Spider has significantly boosted RansomHub’s capabilities, making it one of the largest active Ransomware-as-a-Service (RaaS) operations.
Key Developments:
Evolution from Knight Ransomware: RansomHub emerged from the Knight ransomware group, using similar codebases and recruiting affiliates from other disbanded ransomware operations like LockBit and BlackCat (ALPHV).
Integration of Scattered Spider Techniques: Known for its sophisticated phishing campaigns, Scattered Spider has provided RansomHub with advanced phishing kits and data exfiltration techniques.
Indicators of Compromise (IOCs):
Use of .doc and .pdf attachments in phishing emails.
Deployment of remote access tools such as Atera and Splashtop.
Exploitation of the ZeroLogon vulnerability.
Recommendations:
Regularly update software and systems.
Implement advanced email filtering solutions.
Conduct security awareness training for employees.
Segment networks to limit ransomware spread.
Develop and test incident response plans.
For more details, visit Security Boulevard and Dark Reading.
Phorpiex Botnet and LockBit3 Ransomware Surge
In May 2024, the cybersecurity landscape was significantly impacted by two major threats: the Phorpiex botnet and the LockBit3 ransomware group.
Phorpiex Botnet's Phishing Campaign
Researchers identified a large-scale phishing campaign involving the Phorpiex botnet, which sent millions of emails containing ransomware. The Phorpiex botnet, which resurfaced as a variant called "Twizt" in December 2021, used deceptive .doc.scr files in ZIP attachments to trigger ransomware encryption. This campaign employed over 1,500 unique IP addresses, primarily from regions such as Kazakhstan, Uzbekistan, Iran, Russia, and China.
LockBit3 Ransomware Dominance
LockBit3, operating as a Ransomware-as-a-Service (RaaS), accounted for 33% of published ransomware attacks in May. Despite previous law enforcement actions that disrupted their operations, LockBit3 quickly rebounded. This group continues to target large enterprises and government entities, particularly in regions excluding Russia and the Commonwealth of Independent States (CIS).
Top Malware Families:
FakeUpdates (SocGholish): Downloader leading to further compromises.
Androxgh0st: Botnet targeting multiple platforms, stealing sensitive information.
Qbot (Qakbot): Multipurpose malware stealing credentials and deploying additional malware.
Top Exploited Vulnerabilities:
Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086): Allows remote code execution.
Web Servers Malicious URL Directory Traversal: Permits unauthorized file access on vulnerable servers.
Apache Log4j Remote Code Execution (CVE-2021-44228): Enables attackers to execute arbitrary code.
Top Mobile Malware:
Anubis: Android banking Trojan with ransomware capabilities.
AhMyth: Remote Access Trojan (RAT) stealing sensitive information.
Hydra: Banking Trojan stealing credentials through manipulated permissions.
Most Attacked Industries:
Education/Research
Government/Military
Communications
Top Ransomware Groups:
LockBit3: Responsible for 33% of attacks, targeting large enterprises.
Inc. Ransom: Emerging ransomware group targeting multiple sectors.
Play: A ransomware impacting businesses and critical infrastructure.
Organizations must stay vigilant and implement robust cybersecurity measures to defend against these evolving threats. For more detailed information, visit Check Point.
SmokeLoader Evolution and Impact
Zscaler's ThreatLabz provides an in-depth historical analysis of SmokeLoader, a modular malware family first advertised in 2011. Initially serving as a downloader, SmokeLoader has evolved to include functionalities for data theft, DDoS attacks, and cryptocurrency mining. Key features include advanced anti-analysis techniques, modular capabilities, and encrypted C2 communications. Notable developments include the introduction of a stager component in 2014 and sophisticated obfuscation methods. SmokeLoader remains a persistent threat due to its continuous evolution and adaptability.
Key Takeaways:
Modular Design: Allows for flexible and varied attack strategies.
Advanced Evasion: Sophisticated anti-analysis and obfuscation techniques.
Persistent Threat: Continuous updates keep it relevant and dangerous.
For detailed insights, visit the Zscaler Blog.
DarkGate Malware's Evolving Tactics
Cisco Talos has identified a significant increase in DarkGate malware activity through malicious email campaigns since March 2024. These campaigns use Remote Template Injection to bypass email security controls, deploying Excel attachments that trigger malware execution when opened. Notably, DarkGate has transitioned from using AutoIT to AutoHotKey scripts for its infection process, with the payload executing in-memory without being written to disk.
Key Takeaways:
Remote Template Injection: Bypasses security controls using Excel files.
In-Memory Execution: Enhances evasion by avoiding disk writes.
AutoHotKey Scripts: Replaces AutoIT for advanced automation.
For detailed insights, visit the Cisco Talos Blog.
Active Phishing Campaign: Yousign HR Lure
Agari has identified an active phishing campaign using the Yousign platform to distribute malicious emails posing as HR notifications. These emails prompt recipients to review an updated employee handbook, leading to credential harvesting. By leveraging the legitimacy of Yousign's domain, attackers bypass email security filters. The campaign employs Remote Template Injection and unique URLs to evade detection.
Key Takeaways:
Legitimate Domains: Used to bypass security controls.
Credential Harvesting: Malicious forms disguised as HR documents.
Unique URLs: Hinders detection by security tools.
For detailed insights, visit the Agari Blog.
FBI Alert: Healthcare Industry Phishing Campaign
The FBI and HHS have issued a warning about a sophisticated phishing campaign targeting the healthcare sector. Threat actors are using social engineering tactics to steal login credentials and redirect Automated Clearing House (ACH) payments to accounts they control. These attackers manipulate help desk staff to gain access and then use stealth techniques to divert payments. Healthcare organizations, due to their size and access to sensitive data, are prime targets. Enhance employee training to recognize and thwart social engineering attacks.
Key Takeaways:
Sophisticated Tactics: Attackers use social engineering to exploit help desk staff.
ACH Payment Redirection: Stolen credentials are used to divert ACH payments.
Targeted Sector: Healthcare organizations are primary targets due to their sensitive data.
Employee Training: Essential to enhance awareness and ability to recognize phishing attempts.
For detailed information, visit the KnowBe4 blog.
New Threat: ASCII-Based QR Codes
QR code phishing, or "quishing," is evolving with attackers now using ASCII characters to create QR codes within HTML, bypassing traditional OCR-based security measures. These codes appear as legitimate QR codes to users but evade detection by security systems, leading to credential theft and malware deployment.
Key Takeaways:
Evolution of Technique: ASCII-based QR codes embedded in HTML are the latest in phishing tactics, making it harder for security systems to detect them (Avanan) (Techzine Europe) .
Real-World Impact: Over 600 instances detected, with significant disruptions including a recent healthcare provider attack (Sechub) (Coalition) .
Mitigation Strategies:
Implement security that decodes and analyzes QR codes in emails.
Use solutions that rewrite embedded QR codes with safe links.
Employ advanced AI-based tools to detect phishing indicators.
Stay informed and update your security measures to guard against these sophisticated threats.
For more details, visit the Checkpoint Blog or read more on Techzine.
New Threat: Exploitation of Microsoft SmartScreen
Overview Hackers are actively exploiting a vulnerability in Microsoft SmartScreen (CVE-2024-21412) to deploy stealer malware such as Lumma and Meduza Stealer. Despite a patch released in February 2024, attackers continue to bypass SmartScreen using malicious internet shortcuts distributed via spam emails.
Key Takeaways:
Method: Bypassing SmartScreen through WebDAV-hosted shortcuts and executing multi-step attacks using PowerShell and JavaScript.
Impact: Significant breaches leading to information theft and potential system compromise.
Recommendations: Verify emails, use advanced filtering, avoid suspicious links, keep software updated, limit scripting languages, and segment networks.
For more details, visit the Cyber Security News.
New Threat: Volcano Demon Ransomware
Overview A new ransomware group named Volcano Demon is using phone calls to pressure victims into paying ransoms. This group deploys LukaLocker ransomware to encrypt files and uses double extortion tactics by exfiltrating data before encryption. Victims receive threatening phone calls from unidentified numbers, increasing the pressure to comply with ransom demands.
Key Takeaways:
Method: Phone calls combined with data exfiltration and encryption.
Impact: Significant disruption, with threats to leak data and continued attacks.
Recommendations: Strengthen network security, train employees on phishing tactics, and prepare for potential ransomware attacks.
For more details, visit the The Record.