Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link.
The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.”
Read more…
Source: Microsoft
Related:
- Matanbuchus: Malware-as-a-Service with Demonic Intentions
June 16, 2021
Unit 42 researchers often spend time investigating what we call non-traditional sources. Non-traditional sources often include underground marketplaces and sites, spanning from forums on the Tor network to Telegram channels and other marketplaces. One such case that we investigated involves a threat actor called BelialDemon, who is a member of several underground forums and marketplaces. In ...
- Ferocious Kitten: 6 years of covert surveillance in Iran
June 16, 2021
Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It ...
- Ransomware Poll: 80% of Victims Don’t Pay Up
June 16, 2021
Ransomware is on the rise, but what toll does it take on the real world? Threatpost set out to answer that question in an exclusive poll aimed at taking the pulse of organizations wrestling with attacks, including looking at mitigations and the defenses organizations have in place. When viewed against the backdrop of complementary reports from ...
- Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
June 16, 2021
Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. As reported in the Mandiant post, “Shining a Light on DARKSIDE Ransomware Operations,” Mandiant Consulting has ...
- ZDI-21-502: An Information Disclosure Bug In ISC Bind Server
June 16, 2021
Last year, we received a submission of a remote code execution vulnerability in the ISC BIND server. Later, that same anonymous researcher submitted a second bug in this popular DNS server. Similar to the first bug, it exists within the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) component, and its location is quite close to ...
- Apple Hurries Patches for Safari Bugs Under Active Attack
June 15, 2021
Apple issued two out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that “may have been actively exploited,” according to a Monday security bulletin by the company. The bugs affect sixth-generation Apple iPhones, iPads and iPod touch model hardware, released between 2013 and 2018. “Apple is aware of a report that this issue may ...