Facebook Businesses Targeted in Infostealer Phishing Campaign

October 31, 2024 at 05:17PM

A phishing campaign targeting Facebook businesses in Taiwan uses deceptive emails impersonating legal teams and well-known companies to distribute malware. Threat actors demand immediate content removal under copyright claims, while employing techniques to bypass antivirus detection. Key malware includes Lumma Stealer and Rhadamanthys, which harvest sensitive information from victims.

### Meeting Takeaways:

1. **Emerging Threat**: A phishing campaign is targeting Facebook business and advertising account users in Taiwan, led by an unidentified threat actor.

2. **Phishing Tactics**:
– Decoy emails designed to mimic legal teams.
– Fake PDF filenames to lure victims into downloading malware.

3. **Additional Phishing Attempts**:
– Emails impersonating a well-known industrial motor manufacturer and a major online retailer in Taiwan.
– Claims of copyright infringement demanding content removal within 24 hours, backed by threats of legal action for non-compliance.

4. **Research Insight**: Cisco Talos researchers have documented these scams, noting the urgent and threatening tone the emails use to pressure recipients.

5. **Evasion Techniques**:
– The threat actors employ various methods to bypass antivirus detection, including:
  – Shellcode encryption
  – Code obfuscation
  – Embedding malware (LummaC2 and Rhadamanthys) into legitimate binaries

6. **Malware Details**:
– **Lumma Stealer**: Targets and exfiltrates information from compromised systems, including system details and browser data.
– **Rhadamanthys**: A sophisticated infostealer that collects system information, credentials, cryptocurrency wallets, passwords, cookies, and other application data.

7. **Campaign Longevity**: This phishing campaign has been active since at least July and uses phishing emails written in traditional Chinese, indicating a focus on Chinese-speaking victims.
