Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link.
The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.”
Read more…
Source: Microsoft
Related:
- Intel CPUs vulnerable to new transient execution side-channel attack
April 24, 2023
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register. The new attack was discovered by researchers at Tsinghua University, the University of Maryland, and a computer lab (BUPT) run by the Chinese Ministry of Education and is different than most other side-channel attacks. Read ...
- Cyber Thieves Are Getting More Creative
April 24, 2023
Cybercriminals pull off many of their crimes by combining lots of real information with just a tiny bit of misinformation, which can be financially devastating for both companies and individuals. This article describes some recent examples of this technique, which include exploiting wire transfers, stealing paychecks, and tricking employees into helping “the boss.” It’s important to ...
- Tomiris called, they want their Turla malware back
April 24, 2023
Kaspersky introduced Tomiris to the world in September 2021, following their investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Kaspersky researchers initial report described links between a Tomiris Golang implant and SUNSHUTTLE (which has been associated to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been associated to Turla); ...
- How fiends abuse an out-of-date Microsoft Windows driver to infect victims
April 24, 2023
Ransomware spreaders have built a handy tool that abuses an out-of-date Microsoft Windows driver to disable security defenses before dropping malware into the targeted systems. This detection evasion utility, which Sophos X-Ops researchers are calling AuKill, is the latest example in a growing trend where miscreants either abuse a legitimate driver to disable, silence or otherwise ...
- Decoy Dog malware toolkit found after analyzing 70 billion DNS queries
April 23, 2023
A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity. Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations. Read more… Source: ...
- X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
April 21, 2023
The X_Trader software supply chain attack affected more organizations than 3CX. Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe. In addition to this, two other organizations involved in financial trading ...