Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link.
The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.”
Read more…
Source: Microsoft
Related:
- Legion: New hacktool steals credentials from misconfigured sites
April 13, 2023
A new Python-based credential harvester and SMTP hijacking tool named ‘Legion’ is being sold on Telegram that targets online email services for phishing and spam attacks. Legion is sold by cybercriminals who use the “Forza Tools” moniker and operate a YouTube channel with tutorials and a Telegram channel with over a thousand members. Read more… Source: Bleeping Computer
- Following the Lazarus group by tracking DeathNote campaign
April 12, 2023
The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. Kaspersky researchers have previously published information about the connections of each cluster of this group. In this blog, Kaspersky focus on an active cluster that they dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is ...
- DDoS attacks shifting to VPS infrastructure for increased power
April 12, 2023
Hyper-volumetric DDoS (distributed denial of service) attacks in the first quarter of 2023 have shifted from relying on compromised IoT devices to leveraging breached Virtual Private Servers (VPS). According to internet security company Cloudflare, the newer generation of botnets gradually abandoned the tactic of building large swarms of individually weak IoT devices and are now shifting ...
- Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
April 11, 2023
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or ...
- Latitude Financial refuses to pay cyber-attack ransom demands
April 11, 2023
Finance company Latitude Financial says it will not give in to ransom demands by cyber criminals behind one of Australia’s largest cyber-attacks. Almost 8 million driver’s licenses of Australian and New Zealand customers have been stolen including more than 6 million customer records. Read more… Source: MSN News
- Microsoft, Fortra are this fed up with cyber-gangs abusing Cobalt Strike
April 10, 2023
Microsoft and Fortra are taking legal and technical actions to thwart cyber-criminals from using the latter company’s Cobalt Strike software to distribute malware. Microsoft’s Digital Crimes Unit (DUC), Fortra, and Health Information Sharing and Analysis Center (Health-ISAC) filed a 223-page complaint against multiple groups known to have used older and altered versions of Cobalt Strike in ...