Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link.
The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.”
Read more…
Source: Microsoft
Related:
- Malware found on laptops given out by UK government
January 23, 2021
Some of the laptops given out in England to support vulnerable children home-schooling during lockdown contain malware, BBC News has learned. Teachers shared details on an online forum about suspicious files found on devices sent to a Bradford school. The malware, which they said appeared to be contacting Russian servers, is believed to have been found on ...
- SolarWinds: How Sunburst Sends Data Back to the Attackers
January 22, 2021
In our previous blog we described how the attackers controlled the Sunburst malware, and detailed a variety of commands that will result in data being sent to the threat actors. The next technique to discuss is how Sunburst sends this data to the attackers. If data is being sent to the attacker as a result of ...
- Network Attack Trends: Internet of Threats
January 22, 2021
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not ...
- Amazon Kindle RCE Attack Starts with an Email
January 22, 2021
Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root – paving the way for siphoning money from unsuspecting users. Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the “Send to Kindle” feature to ...
- Cybercriminals kick-off 2021 with sweepstakes, credit card, delivery scams
January 22, 2021
Trend Micro researches have predicted that this year, cybercriminals will continue to take advantage of Covid-19-related effects and incidents — such as people’s reliance on online purchases and e-services and the increased need for financial assistance — in order to bait victims and steal critical information. Even though new ways of stealing information regularly arise, ...
- Windows Remote Desktop servers now used to amplify DDoS attacks
January 21, 2021
Windows Remote Desktop Protocol (RDP) servers are now being abused by DDoS-for-hire services to amplify Distributed Denial of Service (DDoS) attacks. The Microsoft RDP service is a built-in Windows service running on TCP/3389 and/or UDP/3389 that enables authenticated remote virtual desktop infrastructure (VDI) access to Windows servers and workstations. Attacks taking advantage of this new UDP reflection/amplification ...