Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

March 7, 2024 at 01:33AM

Threat actors are using fake websites promoting popular video conferencing apps such as Google Meet, Skype, and Zoom to distribute malware targeting Android and Windows users. The attackers rely on typosquatting tricks to deceive users into downloading Remote Access Trojans. Additionally, a new malware called WogRAT is targeting Windows and Linux systems through the aNotepad platform. Meanwhile, the financially motivated cybercriminal actor TA4903 is conducting phishing campaigns against U.S. government entities and various industry sectors to steal corporate credentials and launch business email compromise attacks. These campaigns use QR codes for credential phishing and the EvilProxy phishing kit to bypass two-factor authentication protections. Moreover, phishing campaigns have been used to distribute other malware families such as DarkGate, Agent Tesla, and Remcos RAT, the last of which uses steganographic decoys to drop the malware on compromised hosts.

Key takeaways from the article:
1. Threat actors are using fake websites advertising popular video conferencing software to distribute Remote Access Trojans (RATs) for Android and Windows systems.
2. Spoofed websites in Russian closely resemble legitimate domains, using typosquatting tricks to deceive victims into downloading malware.
3. A new malware called WogRAT is targeting Windows and Linux, leveraging a free online notepad platform as a vector for hosting and retrieving malicious code, and targeting Asian countries.
4. TA4903, a financially motivated cybercriminal actor, is conducting high-volume phishing campaigns to steal corporate credentials, particularly targeting U.S. government entities and various sectors like construction, finance, healthcare, and food and beverage.
5. The phishing campaigns involve the use of QR codes for credential phishing and rely on the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.
6. Once a target mailbox is compromised, the threat actor searches for information relevant to payments, invoices, and bank information, with the goal of hijacking existing email threads to perform invoice fraud.
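The typosquatting described in points 1 and 2 is something a defender can look for in their own DNS or proxy logs. The following is an added example, not code from the article or from any of the vendors it names: it folds common character substitutions back to ASCII, compares each label of a queried domain against the legitimate brand names (zoom.us, skype.com, meet.google.com are assumed here as the reference domains), and flags anything within one edit of a brand token. The log lines are constructed for the example and the `.example` domains are placeholders, not real indicators.

```python
import re

# Reference set of legitimate domains (assumption for this example).
LEGIT_DOMAINS = ("zoom.us", "skype.com", "meet.google.com", "google.com")
# Brand tokens that lookalike labels are compared against.
BRAND_TOKENS = ("zoom", "skype", "meet", "google")

# Fold common typosquat substitutions back to plain ASCII letters.
DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample DNS log; the .example domains are placeholders.
SAMPLE_LOG = """\
2024-03-07T01:33:00Z client=10.0.0.5 query=zoom.us
2024-03-07T01:33:02Z client=10.0.0.5 query=us04web.zoom.us
2024-03-07T01:34:10Z client=10.0.0.7 query=z00m-download.example
2024-03-07T01:35:45Z client=10.0.0.9 query=sky-pe.example
2024-03-07T01:36:12Z client=10.0.0.9 query=meet-google.example
2024-03-07T01:37:00Z client=10.0.0.11 query=example.com
"""


def levenshtein(a, b):
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label):
    """Normalize a domain label: lowercase, digits and letter pairs that mimic others."""
    label = label.lower().translate(DIGIT_FOLD)
    return label.replace("rn", "m").replace("vv", "w")


def suspect_reason(domain):
    """Return a reason string if the domain looks like a brand typosquat, else None."""
    d = domain.lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    # Exact legitimate domains and their subdomains are not suspects.
    if d in LEGIT_DOMAINS or any(d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return None
    labels = d.split(".")[:-1]  # ignore the TLD itself
    for raw in labels:
        label = fold(raw)
        # Compare the whole label, the label without hyphens, and each hyphen part.
        candidates = [label, label.replace("-", ""), *label.split("-")]
        for cand in candidates:
            if not cand:
                continue
            for brand in BRAND_TOKENS:
                if levenshtein(cand, brand) <= 1:
                    return f"label '{label}' resembles brand '{brand}'"
    return None


def scan_log(text):
    """Return (domain, reason) for every queried domain in the log that looks suspect."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        reason = suspect_reason(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


if __name__ == "__main__":
    for domain, reason in scan_log(SAMPLE_LOG):
        print(f"SUSPECT {domain}: {reason}")
```

The one-edit rule is deliberately loose so that it catches a doubled letter or an inserted hyphen, but it also means short tokens such as "zoom" will collide with ordinary words of similar shape; in practice you would pair this with an allowlist of known-good domains and review hits rather than block on them automatically.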