Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Spear Phishing. Show all posts
Spear Phishing
Cyber Crime Emails financial systems Korea ngos Spear Phishing

Why Emails Pretending to Be from NGOs and Banks Are Becoming More Dangerous



A new cyber threat campaign has been identified in South Korea in which attackers pretended to represent human rights groups and financial institutions to trick people into opening harmful files. The findings were published on January 19 by United Press International, citing research from South Korean cybersecurity firm Genians.

According to Genians, the attackers sent deceptive emails that appeared to come from legitimate North Korea-focused human rights organizations and South Korean financial entities. These messages were designed to persuade recipients to click links or open attachments that secretly installed malware on their devices. Malware refers to harmful software that can spy on users, steal information, or allow attackers to control infected systems.

The campaign has been named “Operation Poseidon” by researchers and has been linked to a hacking cluster known as Konni. Security analysts have associated Konni with long-running advanced persistent threat operations. Advanced persistent threats, often called APTs, are prolonged cyber operations that focus on maintaining covert access rather than causing immediate disruption. Genians reported that Konni shares technical infrastructure and target profiles with other North Korea-linked groups, including Kimsuky and APT37. These groups have previously been connected to cyber espionage, surveillance, and influence efforts directed at South Korean government bodies, researchers, and civil society organizations.

The emails used in this operation did not contain direct malicious links. Instead, the attackers hid harmful destinations behind legitimate online advertising and click-tracking services that are commonly used by businesses to measure user engagement. By routing victims through trusted services, the links were more likely to pass email security filters. Genians found that the redirections relied on Google Ads URLs and poorly secured WordPress websites. The final destinations hosted malware files that were often disguised as ordinary PDF documents or financial notices, increasing the likelihood that users would open them.

Security professionals note that campaigns of this nature are difficult to defend against because they combine technical methods with psychological manipulation. Genians assessed that the characteristics of Operation Poseidon reflect a high level of planning and sophistication, making it hard for any single security tool to stop such attacks on its own.

The findings come amid growing international concern over North Korea’s cyber operations. In October, the 11-country Multilateral Sanctions Monitoring Team described North Korea’s cyber program as a state-level effort with capabilities approaching those of China and Russia. The group reported that nearly all malicious cyber activity linked to the Democratic People’s Republic of Korea is conducted under the direction of entities sanctioned by the United Nations for involvement in weapons programs. In November, the United States Treasury Department estimated that more than 3 billion dollars had been stolen over the past three years through attacks on financial systems and cryptocurrency platforms.

Genians advised individuals and organizations to treat unsolicited emails with caution. The firm warned that attackers are likely to continue impersonating financial institutions and urged users not to trust documents based only on subject lines or file names.

Read more »
Transparent Tribe
Advanced Persistent Threat APT36 Command And Control cyber espionage Indian Government Cyber Attacks malware Remote Access Trojan Spear Phishing Transparent Tribe

Transparent Tribe Targets Indian Public Sector and Academic Networks


Several recent cyber espionage campaigns have drawn attention to Transparent Tribe, a long-standing advanced persistent threat group associated with a new wave of intrusions targeting Indian government bodies, academic institutions, and strategically sensitive organizations, which have re-opened the issue of Transparent Tribe. 


According to security researchers, the activity has been attributed to the deployment of a sophisticated remote access trojan that is designed to establish a persistent, covert control over the compromised system, allowing the monitoring and access of data over a period of time. 

In the process of carrying out this operation, it is evident that the execution was carried out with a high degree of social engineering finesse, as it used carefully crafted delivery mechanisms, including a weaponized Windows shortcut file disguised as a legitimate PDF document, filled with authentic-looking content, which reduced suspicion and increased execution rates, according to the technical analysis carried out by CYFIRMA.

APT36 is a name that has been associated with Transparent Tribe in the security community for more than a decade. Transparent Tribe has maintained a consistent focus on Indian targets since the beginning of the 20th century, refining tradecraft and tooling to support the group's goals. In the past few years, the group has steadily added malware to its malware portfolio. 

To adapt to changing defenses while maintaining access to high-value networks, the group has deployed a suite of custom remote access trojans like CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. As the investigation has found, the intrusion chain was initiated by a targeted spear-phishing email that delivered a compressed ZIP archive that contained a Windows shortcut file, crafted to look like a benign PDF document. 

Upon execution, the file silently invokes a remote HTML Application using the native Windows component called mshta.exe, which has been abused numerous times over the years to circumvent security checks. 

To maintain the illusion of legitimacy, a PDF decoy file is also downloaded and opened while the HTA script is decrypted and loaded entirely in memory, minimizing its footprint on the disk. This decoy PDF can be downloaded and opened without triggering the HTA script. 

It has been reported by CYFIRMA that when the malware is able to decode the data, it will make extensive use of ActiveX objects, particularly WScript.Shell, to profile the host environment and manipulate runtime behavior. As a result of this technique, execution reliability and compatibility with the victim system will be improved. 

Furthermore, this campaign's adaptive persistence strategy differs from the rest in that it dynamically adjusts itself in accordance with the endpoint security software detecting the compromised machine on the runtime. 

Depending on the software people are running, Kaspersky, Quick Heal, Avast, AVG, or Avira have a tailor-made persistence mechanism that includes obfuscated HTA payloads, batch scripts, registry modifications, and malicious shortcut files placed in the Windows Startup directory to encrypt data. 

As for systems lacking recognizable antivirus protection, a broader combination of these strategies can be used. This operation is anchored on a secondary HTA component which delivers a malicious DLL — known as iinneldc.dll — that performs the function of a fully featured RAT capable of allowing attackers to remotely administer a host, execute file operations, exfiltrate data, capture screenshots, monitor clipboards and control processes, allowing them to take complete control of infected systems. 

In terms of operations, this campaign underscores Transparent Tribe's reliance on deceiving its adversaries as a central pillar of its intrusion strategy, emphasizing the importance of adaptability and deception. 

The researchers found that attackers intentionally embedded complete, legitimate-looking PDF documents as shortcut files, presenting them as regular correspondence while hiding executable logic under the surface so that they would appear to be routine correspondence. 

When this is done, it greatly increases the chances that the user will interact with the malware before it becomes apparent that any warning signs have been raised. Once access is gained, the malware doesn't need to rely on a single, static method to maintain its position. 

Instead, it actively evaluates the compromised system's security posture and dynamically selects persistence mechanisms based on the installed endpoint protection, with a degree of conditional logic that is a reflection of careful planning and familiarity with common defensive environments in an attempt to meet their needs. 

Using encrypted command-and-control channels, the remote access trojan can communicate with attacker-controlled infrastructure, enabling it to receive instructions and exfiltrate sensitive data all while blending into the normal traffic stream on the network, reducing the chances it will be detected. 

According to security analysts, this operation has far broader implications than just a routine malware incident and has a lot to do with the overall threat landscape. It is clear from the campaign that it is an operation of cyber-espionage carried out by a cyber-espionage group with a long history of targeting the Indian government, defense and research institutions as a target for their attacks. 

There is an intentional effort to avoid traditional signature-based defenses with this attack by focusing on in-memory execution and fileless techniques, while the use of socially engineered, document-based lures indicates that an understanding is in place of how trust and familiarity can be exploited within targeted organizations in order to achieve a successful attack. 

The combination of these elements suggests that a persistent and mature adversary has been refining its tradecraft for years, reinforcing concerns about the sustained cyber threat facing critical sectors in India. Additionally, the malware deployed in this campaign functions as a remote access trojan that allows attackers to control infected systems in a persistent and covert manner. Based on this analysis, it can be concluded that this malware is a highly sophisticated remote access trojan. 

In addition to the use of trusted Windows binaries such as mshta.exe, PowerShell, and cmd.exe, researchers discovered the toolset focuses heavily on stealth, utilizing in-memory execution as well, which minimizes the on-disk footprint, as well as evading traditional detection methods. 

In addition to setting up an encrypted command-and-control channel, the RAT also provides operators with the ability to issue commands, collect detailed system information, and exfiltrate sensitive information without being noticed. 

By exploiting the exploits of the malware, operators are able to create a profile of compromised hosts by gathering information such as the operating system’s details, usernames, installed software, and active antivirus software, enabling them to implement follow-up actions tailored to their needs. 

This software enables remote command execution, comprehensive file management, targeted document theft, screenshot capture, clipboard monitoring and manipulation, granular process control, as well as the ability to execute commands remotely. This software is supported by persistence mechanisms that are adjusted according to the victim's security environment. 

Collectively, these capabilities strengthen the perception that the malware has been designed to support long-term surveillance and data collection rather than short-term disruption, thus confirming that it was built specifically for espionage. Typically, the infection lifecycle begins with a carefully constructed social engineering lure that appears to be legitimate and routine. 

As the payload in this case was framed as an examination-related document, it was used to target victims and spread the word that they would be able to receive a ZIP archive titled "Online JLPT Exam Dec 2025.zip." The archive reveals a shortcut file whose extension is .pdf.lnk when extracted, which is a tactic that exploits Windows’ way of handling shortcut files, where it conceals the executable nature of the payload even though the file extensions can be seen on the file.

This shortcut, which is unusually large—measuring over 2 megabytes instead of the usual 10 to 12 megabytes—prompted closer examination to reveal that the file was deliberately inflated in order to closely resemble a legitimate PDF file. 

It was discovered that the shortcut contained multiple markers associated with embedded image objects, indicating that it contained a complete PDF structure as opposed to serving simply as a pointer. This design choice was made so the shortcut would appear in line with user expectations, as well as fit the file size within the archive. 

In addition to this, a multi-stage design can be observed in the archive as well. An investigation revealed that there is a hidden directory labelled “usb” containing a file titled usbsyn.pim in it, which was unable to be decoded conclusively during analysis, but which researchers believe to contain encrypted data or code that will be used later on in the execution process. 

As a result of activating the shortcut, a legitimate Windows application called MSSHTA.exe is invoked, passing a remote URL to a malicious HTML application hosted on attacker-controlled infrastructure in order to retrieve and execute this malicious HTML application. 

It is evident from file metadata that the shortcut was created in late March 2025, a timeframe which provides some insight into the campaign's timeline. It is the intent of the HTA loader, to create the illusion of legitimacy, to retrieve and open a legitimate PDF document simultaneously, so the victim perceives the activity as harmless and expected. 

Moreover, the HTA loader itself is the basis of the execution chain, which has been designed to operate with the least amount of user visibility possible. 

A script launching at zero dimensions hides the activity of its execution by resizing its window to zero dimensions. The script then initializes a series of custom functions that perform Base64 decoding and XOR-based decryption routines, in order to gradually reconstruct the malicious payload in memory. This is all accomplished by the loader exploiting ActiveX components, such as WScript.Shell, in order to interact with the underlying Windows environment during this process.

Through the querying of registry keys to determine which .NET runtimes are available and the dynamic adjustment of environment variables such as COMPLUS_Version, the malware ensures that the malware is compatible with different systems. 

It is clear that Transparent Tribe's campaign has been highly calculated and methodical in its approach to environment profiling, runtime manipulation, and abuse of legitimate system components, demonstrating a mature tradecraft that is reflected in the campaign's methodical approach. 

Researchers report that, beyond the activities linked to Transparent Tribe, there are growing threats that are being targeted at Indian institutions, and tools and infrastructure that overlap are increasingly blurring the lines between various regional espionage groups who are using overlapping tools and infrastructure. 

A former hacker named Patchwork has also been identified as the perpetrator of an assault program dubbed StreamSpy, which introduces a dual-channel command-and-control model that utilizes WebSocket and HTTP protocols to deliver distinct operational benefits, as of December 2025. 

Using WebSocket connections for executing commands and returning execution results, as opposed to the traditional HTTP connections for transferring files, displays the analysis by QiAnXin, indicating a design choice intended to reduce visibility and evade routine network inspection by the company. 

By using ZIP archive delivery services hosted on attacker-controlled domains, the malware has delivered a payload capable of harvesting information about a system, establishing persistence through multiple mechanisms, including registry modifications, scheduled tasks, and startup shortcuts, and providing an array of commands for remote file manipulation, execution, and file retrieval. 

Furthermore, investigators have identified code-level similarities between StreamSpy and Spyder, a backdoor variant previously attributed to SideWinder and historically used by Patchwork, as well as digital signatures reminiscent of ShadowAgent, a Windows RAT associated with the DoNot Team, that are similar to ShadowAgent. 

According to the convergence of these technical indicators, coupled with independent detections by several security firms in late 2025, it appears that regional threat actors continue to integrate tooling and cross-pollinate among themselves. 

Analysts are stating that the emergence of StreamSpy and its variants reflects a sustained effort among these groups to refine the arsenals they possess, experiment with alternative communication channels, and maintain operational relevance while the defensive capabilities of these groups improve. Taking all of the findings presented in this investigation together, people are able to identify a cyber-espionage ecosystem that is more widespread and more entrenched against Indian institutions. 

It is characterized by patience, technical depth, and convergence between multiple threat actors in terms of tools and techniques. This campaign provides an example of how mature adversaries continue to improve their social engineering skills, take advantage of trusted components of systems and customize persistence mechanisms in order to maintain long-term access to high-value networks through social engineering and system abuse.

StreamSpy, for instance, illustrates a parallel trend in which regional espionage groups iterate on one another's malware frameworks, while experimenting with alternative command-and-control systems to evade detection, a trend that has been accelerating since the advent of related toolsets. 

Defendants should be aware that the significance of these campaigns lies not in any particular exploit or payload, but rather in the cumulative messages that they send, demonstrating that state-aligned threat actors are still deeply involved in collecting persistent intelligence and that the threat to government institutions, educational institutions, and strategic sectors is evolving rather than receding in sophistication.
Read more »
Spear Phishing
Cyber Security Emails Google Ads Identity Theft Linkedin links phishing Spear Phishing

Phishing Expands Beyond Email: Why New Tactics Demand New Defences

 


Phishing has long been associated with deceptive emails, but attackers are now widening their reach. Malicious links are increasingly being delivered through social media, instant messaging platforms, text messages, and even search engine ads. This shift is reshaping the way organisations must think about defence.


From the inbox to every app

Work used to be confined to company networks and email inboxes, which made security controls easier to enforce. Today’s workplace is spread across cloud platforms, SaaS tools, and dozens of communication channels. Employees are accessible through multiple apps, and each one creates new openings for attackers.

Links no longer arrive only in email. Adversaries exploit WhatsApp, LinkedIn, Signal, SMS, and even in-app messaging, often using legitimate SaaS accounts to bypass email filters. With enterprises relying on hundreds of apps with varying security settings, the attack surface has grown dramatically.


Why detection lags behind

Phishing that occurs outside email is rarely reported because most industry data comes from email security vendors. If the email layer is bypassed, companies must rely heavily on user reports. Web proxies offer limited coverage, but advanced phishing kits now use obfuscation techniques, such as altering webpage code or hiding scripts to disguise what the browser is actually displaying.

Even when spotted, non-email phishing is harder to contain. A malicious post on social media cannot be recalled or blocked for all employees like an email. Attackers also rotate domains quickly, rendering URL blocks ineffective.


Personal and corporate boundaries blur

Another challenge is the overlap of personal and professional accounts. Staff routinely log into LinkedIn, X, WhatsApp, or Reddit on work devices. Malicious ads placed on search engines also appear credible to employees browsing for company resources.

This overlap makes corporate compromise more likely. Stolen credentials from personal accounts can provide access to business systems. In one high-profile incident in 2023, an employee’s personal Google profile synced credentials from a work device. When the personal device was breached, it exposed a support account linked to more than a hundred customers.


Real-world campaigns

Recent campaigns illustrate the trend. On LinkedIn, attackers used compromised executive accounts to promote fake investment opportunities, luring targets through legitimate services like Google Sites before leading them to phishing pages designed to steal Google Workspace credentials.

In another case, malicious Google ads appeared above genuine login pages. Victims were tricked into entering details on counterfeit sites hosted on convincing subdomains, later tied to a campaign by the Scattered Spider group.


The bigger impact of one breach

A compromised account grants far more than access to email. With single sign-on integrations, attackers can reach multiple connected applications, from collaboration tools to customer databases. This enables lateral movement within organisations, escalating a single breach into a widespread incident.

Traditional email filters are no longer enough. Security teams need solutions that monitor browser behaviour directly, detect attempts to steal credentials in real time, and block attacks regardless of where the link originates. In addition, enforcing multi-factor authentication, reducing unnecessary syncing across devices, and educating employees about phishing outside of email remain critical steps.

Phishing today is about targeting identity, not just inboxes. Organisations that continue to see it as an email-only problem risk being left unprepared against attackers who have already moved on.


Read more »
UAE
malware polyglot Spear Phishing UAE

New Malware Targets Aviation and Satellite Firms

 


A dangerous new cyberattack is affecting aviation, satellite communication, and transportation companies in the United Arab Emirates. Hackers are using a tricky type of malware called polyglot malware to infect computers. This malware installs a backdoor called Sosano, which lets attackers take control of the affected system and execute commands remotely.  


Who is Behind This Attack?  

Cybersecurity experts at Proofpoint discovered this attack in October 2024. They have linked it to a hacker group named UNK_CraftyCamel. Although the campaign is currently small, it is highly advanced and poses a serious risk to businesses.  

Researchers also noticed similarities between this attack and previous cyber operations carried out by Iranian-linked hacking groups TA451 and TA455. However, this particular campaign seems to focus more on stealing information, which makes it unique.  


What is Polyglot Malware?  

Polyglot malware is a sneaky kind of cyber threat that can be interpreted in different ways by different programs. This means a single file can look like one thing to one program and something else to another.  

For example, a file might act as an MSI installer on Windows but behave like a JAR file for Java. Most security software checks files based on one format, so they fail to detect the hidden malicious parts. This helps hackers bypass security systems and deliver harmful programs unnoticed.  

In this case, the UNK_CraftyCamel hackers are using this trick to send malware while avoiding detection.  


How the Attack Works  

The hackers start their attack with phishing emails, which are fake messages designed to trick people. These emails appear to come from a real Indian electronics company, INDIC Electronics. Inside the email, there is a malicious link that takes victims to a fake website (indicelectronics[.]net), where they are tricked into downloading a ZIP file named "OrderList.zip."  

This ZIP file contains:  

1. A shortcut file (LNK) that looks like an Excel document.  

2. Two PDF files called about-indic.pdf and electronica-2024.pdf.  

But these PDF files are not what they seem—they are polyglot files containing hidden malware:  

1. The first PDF hides a script (HTA code) that can execute harmful commands.  

2. The second PDF contains a hidden ZIP archive, which allows the malware to stay undetected.  

When the victim opens the shortcut file (LNK), it runs a command in the background that triggers the hidden script inside the first PDF. This leads to the execution of the second PDF, which then:  

1. Modifies the Windows Registry to maintain access even after a restart.  

2. Extracts and runs an encoded image file (JPEG) that secretly contains malware.  

3. Decodes and activates a DLL file ("yourdllfinal.dll"), which is actually the Sosano backdoor.  

Once Sosano is activated, it connects to a remote server (bokhoreshonline[.]com). This allows hackers to send commands, steal data, execute programs, and install more malware.  


How to Stay Safe  

To prevent such cyberattacks, companies should take multiple security measures, such as:  

1. Blocking Suspicious Emails: Use email security tools to detect and remove harmful links and attachments before they reach employees.  

2. Employee Awareness Training: Teach workers to identify phishing emails and avoid clicking on unknown links or opening suspicious files.  

3. Restricting Dangerous Files: If file types like LNK, HTA, and ZIP are not required for daily work, companies should block them in emails to reduce risks.  

4. Advanced Malware Detection: Security software should be able to scan files in multiple ways, ensuring that hidden malware is detected.  

Cybercriminals constantly develop new ways to avoid security measures. Companies in aviation, satellite communications, and critical infrastructure should stay alert, update their cybersecurity strategies, and use advanced security tools to protect their systems.

Read more »
Spear Phishing
Business Security Cyber Attacks Malicious Campaign Russian Hacker Spear Phishing

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations

 

Microsoft Threat Intelligence has discovered a new attack campaign by Russian hacker group Midnight Blizzard, targeted at thousands of users from over 100 organisations. The attack uses spear-phishing emails that contain RDP configuration files, allowing perpetrators to connect to and potentially compromise the targeted systems. 

The malicious campaign targeted thousands of users from higher education, defence, non-governmental organisations, and government institutions. Dozens of nations have been impacted, mainly in the United Kingdom, Europe, Australia, and Japan, consistent with previous Midnight Blizzard phishing attacks. 

In the most recent Midnight Blizzard assault campaign, victims received meticulously targeted emails including social engineering lures related to Microsoft, Amazon Web Services, and the concept of Zero Trust. 

According to Microsoft Threat Intelligence, the emails were sent using email addresses from legitimate organisations obtained by the threat actor during earlier breaches. Every email included an RDP configuration file signed with a free LetsEncrypt certificate and included multiple sensitive parameters. When the user accessed the file, an RDP connection was established with an attacker-controlled system. 

The threat actor could then use the established RDP connection to acquire information regarding the targeted device, such as files and folders, connected network drives, and peripherals such as printers, microphones, and smart cards. 

It would also allow for the collection of clipboard data, web authentication via Windows Hello, passkeys and security keys, and even point-of-sale devices. Such a link may also enable the threat actor to install malware on the targeted device or mapped network share(s). 

Outbound RDP connections were established to domains constructed to deceive the victim into thinking they were AWS domains. Amazon, which is collaborating with the Ukrainian CERT-UA to combat the threat, began grabbing affected domains immediately in order to stop operations. Meanwhile, Microsoft alerted all impacted customers who had been targeted or compromised.
Read more »
vigilance
Cyber Fraud Cyber Threats Cybersecurity Data Theft phishing Scams Sensitive Information Spear Phishing Spoofing vigilance

The Evolution of Phishing Emails: From Simple Scams to Sophisticated Cyber Threats

 

Phishing emails have undergone significant changes over the past few decades. Once simple and easy to detect, these scams have now evolved into a sophisticated cyber threat, targeting even the most tech-savvy individuals and organizations. Understanding the development of phishing attacks is key to protecting yourself from these ever-evolving cyber dangers.

In the late 1990s and early 2000s, phishing emails were quite basic and easily identifiable. One of the most well-known scams was the "Nigerian Prince" email. These messages claimed to be from foreign royalty or officials, offering large sums of money in return for a small processing fee. The common signs included poor language, unrealistic promises, and large financial rewards—elements that eventually made these scams easy for users to recognize and dismiss.

As people became aware of these early scams, phishing attacks shifted focus, aiming to steal sensitive financial information. By the mid-2000s, attackers began impersonating banks and financial institutions in their emails. These messages often used fear-inducing language, such as warnings of account breaches, to pressure recipients into handing over personal details like login credentials and credit card information. During this time, phishing attempts were still marked by clear warning signs: poorly written emails, generic greetings, and inaccurate logos. However, as technology advanced, so did the attackers' ability to produce more convincing content.

The evolution of phishing took a major step forward with the introduction of spear phishing. Unlike traditional phishing, which targets a broad audience, spear phishing focuses on specific individuals or companies. Attackers gather personal information through social media and public records to craft emails that appear highly legitimate, often addressing the victim by name and referencing workplace details. This tailored approach makes the scam more believable and increases the chances of success.

Phishing emails today have become highly sophisticated, utilizing advanced techniques such as email spoofing to mimic trusted sources. Attackers frequently impersonate colleagues, supervisors, or official entities, making it difficult for users to tell the difference between genuine and malicious messages. Modern phishing schemes often rely on psychological tactics, using fear or urgency to pressure recipients into clicking harmful links or downloading malware. This evolution reflects the growing complexity of cybercriminal activities, demanding greater awareness and stronger cybersecurity defenses.

In summary, phishing emails have evolved from basic scams to intricate, personalized attacks that are harder to detect. Being informed about these tactics and staying vigilant is critical in the digital age. If you're ever in doubt about an email’s legitimacy, contact your Information Security Team for verification.
Read more »
Spear Phishing
Critical Infrastructure Cyber Attacks cybercrime group Defense Kaspersky Russian Government Spear Phishing

Awaken Likho Targets Russian Agencies with MeshCentral Remote Access Tool

 

Awaken Likho, also referred to as Core Werewolf or PseudoGamaredon, is a cyber threat group targeting Russian government agencies and industrial entities. Since June 2024, a new campaign has been observed, where attackers have shifted from using UltraVNC to MeshCentral’s legitimate agent for remote access to compromised systems. The campaign primarily focuses on Russian government contractors and industrial enterprises, as reported by Kaspersky. Spear-phishing is a key method employed by Awaken Likho, with malicious executables disguised as Word or PDF files. 

These files trick victims by using double extensions such as “.doc.exe” or “.pdf.exe,” making them appear like standard document formats. When opened, these files trigger the installation of UltraVNC or, in the new campaign, MeshCentral’s MeshAgent tool, which grants the attackers full control over the compromised system. Awaken Likho’s cyberattacks date back to at least August 2021, first gaining attention through targeting Russia’s defense and critical infrastructure sectors. However, more recently, the group has shifted to using self-extracting archives (SFX) to covertly install UltraVNC, along with presenting decoy documents. 

In its latest campaigns, an SFX archive triggers the execution of a file named “MicrosoftStores.exe,” which unpacks an AutoIt script. This script eventually runs the MeshAgent tool, facilitating ongoing remote control via the MeshCentral server. By creating a scheduled task, Awaken Likho ensures persistence within the infected system. The scheduled task consistently runs the command file, which in turn launches MeshAgent, allowing communication with the MeshCentral server. This tactic gives the attackers access to the system long after the initial breach. Russian cybersecurity company Kaspersky has revealed that the campaign’s primary focus remains within Russian government bodies, contractors, and industrial enterprises. 

Additionally, earlier findings from BI.ZONE in June 2023 indicated that Awaken Likho has targeted sectors including defense and critical infrastructure, emphasizing the group’s intent on penetrating Russia’s most vital industries. A notable attack in May 2023 targeted a Russian military base in Armenia, as well as a research institute involved in weapons development. These actions suggest Awaken Likho’s primary focus on entities involved in Russia’s security and defense sectors, with significant consequences for the country’s critical infrastructure. 

This new chapter in Awaken Likho’s activity signals the group’s evolving tactics and its continued interest in leveraging spear-phishing attacks with more sophisticated tools. By transitioning to the MeshCentral platform, the group showcases its adaptability in maintaining control over systems while evading detection, making it a significant threat to Russian entities in the future.
Read more »
Threat Landscape
Cyber Security Cybersecurity Agencies Iran hackers Spear Phishing Threat Landscape

UK and US Warn of Rising Iranian Spear Phishing Threat

 

The UK’s National Cyber Security Centre (NCSC) collaborated with government agencies across the Atlantic to issue a new alert regarding Iranian cyber-threats last week. 

The security advice, issued in collaboration with the FBI, US Cyber Command - Cyber National Mission Force (CNMF), and the Department of the Treasury (Treasury), claimed that Iran's Islamic Revolutionary Guard Corps (IRGC) was behind the spear phishing attack. 

The campaign is aimed at individuals "with a nexus to Iranian and Middle Eastern affairs," but it is also focused on US political campaigns, with the ultimate goal of expanding its information operations, the advice stated. Current or former top government officials, think tank personnel, journalists, activists, and lobbyists seem to be potential targets. 

Threat actors change their strategies according to the specific target, which could involve impersonating family members, professional contacts, prominent journalists, and/or email providers. The lure may be an interview, an invitation to a conference or embassy event, a speaking engagement, or another political or foreign policy dialogue. 

“The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials,” the report reads. 

“Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors. Victims sometimes gain access to the document but may receive a login error.” 

Prevention tips

The advisory advised readers to be suspicious of unsolicited contact, attempts to send links or files via social media and other online services, email messages flagging alerts for online accounts, emails purporting to be from legitimate services and shortened links. It also recommended enterprises to:

  • Implement a user training program for phishing awareness.
  • Recommend users only use work emails for official business, always keep software updated, switch on multi-factor authentication, and never click on links or open attachments in unsolicited emails.
  • Users are recommended to use advanced protection services and hardware security keys. 
  • Switch on anti-phishing and spoofing security features. 
  • Block automatic email forwarding to external addresses.
  • Monitor email servers for changes to configuration and custom rules.
Read more »
Subscribe to: Comments (Atom)