Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link.
The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.”
Read more…
Source: Microsoft
Related:
- Estonia hit by ‘most extensive’ cyberattack since 2007 amid tensions with Russia over Ukraine war
August 17, 2022
Estonia was subject to “the most extensive cyberattack” since 2007, the Baltic state’s government said on Thursday, a day after it started removing Soviet-era war monuments from public areas in the wake of Russia’s February invasion of Ukraine. The Russia-based and pro-Russia hacker group Killnet said on the messaging app Telegram that it was responsible for ...
- Switching side jobs: Links between ATMZOW JS-sniffer and Hancitor
August 17, 2022
The hacker group ATMZOW and its JavaScript-sniffer became known in 2020, thanks to the Malwarebytes researchers, when the group installed a JS sniffer on a website that was collecting donations for victims of the Australia bushfires. However, based on a specific obfuscation technique used by the group, we can track its activities back to 2015 as ...
- BlackByte ransomware gang is back with new extortion tactics
August 17, 2022
The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit. After a brief disappearance, the ransomware operation is now promoting a new data leak site on hacker forums and through Twitter accounts the threat actor controls. The data leak site only includes one ...
- North Korean hackers use signed macOS malware to target IT job seekers
August 17, 2022
North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector. While it is no surprise that they’re targeting workers at Web3 companies, details about this specific social engineering campaign so far were limited to malware for the Windows ...
- Malware devs already bypassed Android 13’s new security feature
August 17, 2022
Android malware developers are already adjusting their tactics to bypass a new ‘Restricted setting’ security feature introduced by Google in the newly released Android 13. Android 13 was released this week, with the new operating system being rolled out to Google Pixel devices and the source code published on AOSP. As part of this release, Google attempted ...
- Shuckworm: Russia-Linked Group Maintains Ukraine Focus
August 17, 2022
Recent Shuckworm activity observed by Symantec, a division of Broadcom Software, and aimed at Ukraine appears to be delivering information-stealing malware to targeted networks. This activity was ongoing as recently as August 8, 2022 and much of the activity observed in this campaign is consistent with activity that was highlighted by CERT-UA on July 26. The ...