Microsoft yesterday offered more details on how the Solorigate threat actors worked, and why their infiltration of their targets was as quietly effective as it proved to be. It had, for example, been unclear how the handover from the Sunburst DLL backdoor to the Cobalt Strike loader was accomplished, and Microsoft details how the threat actor obscured that handover while carrying it out. Redmond’s assessment of the Solorigate crew is that they’re “skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence,” accomplished in operational security and adept at minimizing their footprint.
SecurityWeek describes research by The Media Trust into a cross-platform malvertising campaign, “LuckyBoy,” that’s afflicting users of iOS, Android, and Xbox systems. It checks for ad blockers, test environments, and debuggers before it runs. Once it does execute, LuckyBoy uses a tracking pixel to redirect the victim to malicious sites such as phishing pages or bogus software updates. The campaign, which surfaced last week, appears to be in its early, testing phases.
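The pre-execution gate described above is what lets a malvertising payload pass a detonation sandbox and still fire on real users. The block below is an added example, not LuckyBoy's code and not from The Media Trust: it models that gate with the browser state passed in as an object so the logic can be exercised outside a browser. The field names, thresholds, the `tracker.example` host and the two sample environments are assumptions.

```javascript
'use strict';
// Added example, not LuckyBoy's code: a minimal model of the pre-execution
// gate a malvertising payload runs before doing anything visible. Browser
// state is injected as `env` so the logic runs under Node; field names,
// thresholds and sample environments are assumptions.

// A V8 builtin prints as "function x() { [native code] }". Sandboxes that
// instrument a page by wrapping such functions in JavaScript expose the
// wrapper's source text here; in a browser the same check is usually aimed
// at fetch or XMLHttpRequest.
function looksHooked(fn) {
  return !/\[native code\]/.test(Function.prototype.toString.call(fn));
}

// A `debugger` statement is a no-op unless an inspector pauses on it, so a
// large wall-clock gap across it betrays an attached debugger. The clock is
// injectable so the check can be tested without a real pause.
function debuggerAttached(clock = Date.now, thresholdMs = 100) {
  const start = clock();
  debugger; // eslint-disable-line no-debugger
  return clock() - start > thresholdMs;
}

// Returns the reasons to stay dormant; an empty list means "go".
function analysisGate(env, clock = Date.now) {
  const reasons = [];
  if (env.navigator.webdriver) reasons.push('webdriver');        // automated browser
  if (env.adBaitHeight === 0) reasons.push('adblocker');         // bait <div class="ad-banner"> collapsed
  if (env.hookTargets.some(looksHooked)) reasons.push('hooked-native');
  if (debuggerAttached(clock)) reasons.push('debugger');
  if (env.screen.width < 2 || env.screen.height < 2) reasons.push('headless-screen');
  return reasons;
}

// Only after the gate passes is the "tracking pixel" emitted: a 1x1 image
// request whose query string carries a fingerprint, so the operator's server
// can pick the redirect destination per victim. The destination never
// appears in the creative itself, which is why static scanning misses it.
function buildPixelUrl(env, clock = Date.now) {
  const reasons = analysisGate(env, clock);
  if (reasons.length > 0) return { run: false, reasons };
  const q = new URLSearchParams({
    ua: env.navigator.userAgent,
    sw: String(env.screen.width),
    sh: String(env.screen.height),
    r: env.referrer,
  });
  // tracker.example is a placeholder, not a real campaign domain.
  return { run: true, pixelUrl: `https://tracker.example/px.gif?${q.toString()}` };
}

// Constructed sample environments (hypothetical).
const REAL_USER = {
  navigator: { webdriver: false, userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X)' },
  screen: { width: 390, height: 844 },
  adBaitHeight: 50,
  referrer: 'https://news.example/article',
  hookTargets: [JSON.stringify, encodeURIComponent],
};

const SANDBOX = {
  navigator: { webdriver: true, userAgent: 'Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/88.0' },
  screen: { width: 1, height: 1 },
  adBaitHeight: 0,
  referrer: '',
  // an instrumented sandbox replaced a builtin with a logging wrapper
  hookTargets: [JSON.stringify, function encodeURIComponent(s) { return s; }],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildPixelUrl(REAL_USER));
  console.log(buildPixelUrl(SANDBOX));
}
```

The defensive consequence is the inverse of the gate: a creative-scanning sandbox that answers any of these probes as a sandbox never sees the payload fire, so detonation should happen in a real browser profile with native functions left unhooked, a visible viewport, and no ad blocker, and the pixel request itself (not the static creative) is the artefact to capture.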
Proofpoint has found a business email compromise (BEC) campaign that uses Google Forms to bypass keyword-based email content filters. The researchers see the campaign as a hybrid, combining social engineering with exploitation of the scale and legitimacy of Google services. The messages themselves are relatively primitive, with the poor idiomatic control so often found in criminal communications, but Proofpoint suspects they’ll find takers nonetheless. The researchers think that the BEC effort represents an “email reconnaissance campaign to enable target selection for undetermined follow-on threat activity.”
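A keyword filter fails against this kind of lure because the body says nothing about money; the signal is the combination of a Google Forms link, an executive's display name on an outside mailbox, and soft urgency. The block below is an added example, not Proofpoint's detection logic: a triage pass over constructed messages that scores that combination alongside the plain keyword filter the campaign evades. The organisation domain `corp.example`, the executive roster, the weights and the three sample messages are assumptions.

```javascript
'use strict';
// Added example, not Proofpoint's detection logic: hybrid BEC triage that
// scores the Google Forms lure described above. Domain, executive roster,
// weights and sample messages are assumptions.

const OUR_DOMAIN = 'corp.example';
const EXEC_NAMES = ['jane doe', 'john roe'];          // hypothetical executive roster
const URL_RE = /https?:\/\/[^\s<>"')]+/gi;
const URGENCY_RE = /\b(urgent|kindly|quick task|are you available)\b/i;
// The keyword-only filter the campaign is built to slip past.
const KEYWORD_FILTER = /\b(wire transfer|invoice|gift cards?|payment|bank details)\b/i;

// Parses "Display Name <user@host>" or a bare "user@host".
function parseAddress(s) {
  const angle = /^\s*"?([^"<]*?)"?\s*<([^<>\s]+)>\s*$/.exec(s);
  const [name, address] = angle ? [angle[1], angle[2]] : ['', s.trim()];
  const at = address.lastIndexOf('@');
  return {
    name: name.trim().toLowerCase(),
    address: address.toLowerCase(),
    domain: at < 0 ? '' : address.slice(at + 1).toLowerCase(),
  };
}

// True for docs.google.com/forms/... and the forms.gle shortener.
function isGoogleForm(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; }
  const host = u.hostname.toLowerCase();
  return (host === 'docs.google.com' && u.pathname.startsWith('/forms/')) || host === 'forms.gle';
}

function keywordFilterHit(msg) {
  return KEYWORD_FILTER.test(msg.body);
}

// Scores one message; the reasons explain the verdict for an analyst.
function scoreMessage(msg) {
  const from = parseAddress(msg.from);
  const replyTo = msg.replyTo ? parseAddress(msg.replyTo) : null;
  const urls = msg.body.match(URL_RE) || [];
  const reasons = [];
  let score = 0;
  if (urls.some(isGoogleForm)) { reasons.push('google-forms-link'); score += 2; }
  if (from.domain !== OUR_DOMAIN && EXEC_NAMES.includes(from.name)) {
    reasons.push('exec-name-from-external-address'); score += 3;
  }
  if (replyTo && replyTo.domain !== from.domain) { reasons.push('reply-to-domain-mismatch'); score += 2; }
  if (URGENCY_RE.test(msg.body)) { reasons.push('soft-urgency-phrase'); score += 1; }
  if (keywordFilterHit(msg)) { reasons.push('financial-keyword'); score += 3; }
  return { id: msg.id, score, flagged: score >= 4, reasons };
}

function triage(messages) {
  return messages.map(scoreMessage);
}

// Constructed sample messages (hypothetical); form IDs are placeholders.
const SAMPLE_MESSAGES = [
  {
    id: 'm1', // the lure: bland body, external free-mail sender using an exec's name
    from: 'Jane Doe <jane.doe.ceo@gmail.com>',
    body: 'Are you available? Kindly fill this form so I can know you got my mail. https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform',
  },
  {
    id: 'm2', // legitimate internal use of Google Forms
    from: 'HR Team <hr@corp.example>',
    body: 'Please complete the annual benefits survey by Friday: https://docs.google.com/forms/d/e/EXAMPLE_SURVEY_ID/viewform',
  },
  {
    id: 'm3', // classic invoice fraud that a keyword filter does catch
    from: 'Accounts <billing@vendor-invoices.example>',
    replyTo: 'pay@other.example',
    body: 'Please process the attached invoice by wire transfer today.',
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triage(SAMPLE_MESSAGES)) console.log(r);
}
```

Run as a script, `m1` is flagged on the link plus sender indicators while `keywordFilterHit` returns false for it, `m2` stays below threshold because the link comes from an internal sender, and `m3` is caught by both paths. The Google Forms indicator is deliberately weighted below the threshold on its own, since the same link shape is common in legitimate mail.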