Showing results for tags 'spear phishing campaign'.
mood posted a topic in Security & Privacy News

LinkedIn Users Targeted by Spear-Phishing Campaign

Security researchers are warning LinkedIn users to beware of unsolicited job offers after revealing a new spear-phishing campaign designed to install Trojan malware on their devices. The eSentire Threat Response Unit (TRU) yesterday claimed that individuals were being targeted with customized files named the same as their own current role.

“Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer,” it continued. “The threat group behind more_eggs, Golden Chickens, sell the backdoor under a malware-as-a-service (MaaS) arrangement to other cyber-criminals.”

Once more_eggs is installed, the backdoor can be used by Golden Chickens customers to further their own campaigns, by infecting with additional malware like ransomware, credential stealers and banking Trojans, warned eSentire. Backdoor access could also be used to find and exfiltrate sensitive data from the victims’ machine, it added.

The group is thought to be taking advantage of the high number of COVID-19 redundancies in the US to spread this email campaign, whilst including the victim’s own LinkedIn job position as the name of the malicious Zip file to increase the chances of them opening it. The Trojan also abuses legitimate Windows processes such as WMI to evade detection by traditional AV tools.

The campaign is similar to one from 2019 in which employees of US retail, entertainment and pharmaceutical companies were targeted by the same more_eggs Trojan disguised as a job offer matching their own current position, eSentire claimed.

Noted Advanced Persistent Threat (APT) groups including FIN6, Cobalt Group and Evilnum have all been spotted in the past using more_eggs in their attacks, although it’s unclear who is behind the Golden Chickens group.

Source: LinkedIn Users Targeted by Spear-Phishing Campaign
The AchieVer posted a topic in Security & Privacy News

New Spear Phishing campaign targets US national security think tanks with BabyShark malware

Researchers from Palo Alto Networks observed a spear phishing campaign containing a new malware dubbed ‘BabyShark’. Researchers noted that the spear phishing campaign targets national security think tanks and research institutions in the US.

Worth noting

The spear phishing emails purported to be from a nuclear security expert who currently works as a consultant in the US. The phishing emails were sent from a public email address with the nuclear security expert’s name. The emails contained subjects referencing North Korean nuclear issues. The emails included a Microsoft Excel document attachment with malicious macros. The malicious macros, when enabled, download and execute a new Microsoft Visual Basic (VB) script-based malware dubbed ‘BabyShark’.

Why it matters

The phishing emails targeted universities and research institutes in the US. The emails were sent to a university in the US while it was preparing to hold a conference on the North Korea denuclearization issue. The emails also targeted a research institute in the US which serves as a think tank for national security issues.

What it reveals

Analysis of BabyShark malware revealed connections with other North Korean activities: KimJongRAT and the STOLEN PENCIL campaign. BabyShark and KimJongRAT use the same file path for storing collected system information. KimJongRAT also targeted national security think tanks. The attackers behind BabyShark frequently tested its samples for antivirus detection, which included a freshly compiled KimJongRAT sample. A BabyShark sample was signed with a stolen certificate that was used in the STOLEN PENCIL campaign.

“While not conclusive, we suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the STOLEN PENCIL campaign,” researchers from Palo Alto Networks said.

What's the conclusion

While most of the content used in the phishing emails was publicly available information on the internet, some content was non-public. This implies that the attacker behind the spear phishing campaign has most likely compromised someone from the US national security think tank who had access to private information.

“The threat actor behind it has a clear focus on gathering intelligence related to Northeast Asia’s national security issues. Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” researchers noted.

Source
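Both posts above describe the same delivery shape from a defender's point of view: a lure document (the job-offer Zip in the more_eggs post, the macro-enabled Excel attachment in the BabyShark post) that ends with a script host running a downloaded script, with more_eggs additionally abusing WMI. The following is an added detection example, not code from either post or from eSentire or Palo Alto Networks. It runs three process-lineage rules over constructed Sysmon-style process-creation records (invented for illustration, not real telemetry from either campaign); the parent/child pairings and the user-writable-path heuristic are the author's assumptions about how such chains usually surface in endpoint logs, not details taken from the articles.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 fields, invented for this example).
SAMPLE_EVENTS = [
    # Macro-enabled spreadsheet handing off to a script host running a dropped .vbs
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\update.vbs"},
    # WMI provider host launching cmd, which in turn runs a script from ProgramData
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c cscript.exe C:\ProgramData\tmp.vbs"},
    # Benign: user opens a spreadsheet from Explorer
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\alice\Downloads\attachment.xlsm"'},
    # Benign: normal WmiPrvSE start under svchost
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    # Script host started from Explorer but running a script out of AppData
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\AppData\Roaming\sync.js"},
]

# Assumed process sets (heuristic, not from the articles).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"

# Script file run from a location a standard user can write to.
USER_WRITABLE_SCRIPT = re.compile(
    r"(\\appdata\\|\\temp\\|\\programdata\\|\\downloads\\|\\public\\)"
    r".*\.(vbs|vbe|js|jse|hta|ps1)\b"
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    parent = basename(event["parent"])
    child = basename(event["image"])
    cmdline = event["cmdline"].lower()
    hits = []
    # Rule 1: Office application spawning a script host (macro -> script chain).
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: WMI provider host spawning a script host (WMI abused as a launcher).
    if parent == WMI_PROVIDER_HOST and child in SCRIPT_HOSTS:
        hits.append("wmi_spawns_script_host")
    # Rule 3: script host executing a script from a user-writable directory.
    if child in SCRIPT_HOSTS and USER_WRITABLE_SCRIPT.search(cmdline):
        hits.append("script_from_user_writable_path")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that triggers at least one rule."""
    return [(i, findings(e)) for i, e in enumerate(events) if findings(e)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", ", ".join(hits))
```

Rule 3 is deliberately looser than the first two so that a script host started by a parent you did not anticipate (the last sample record) still surfaces; in production you would tune the path list and exclude known software-deployment tooling that legitimately stages scripts under ProgramData.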