At a glance.
- Update on the Robin Banks phishing kit.
- APT10 uses LODEINFO to target Japan.
- BEC gang impersonates international law firms.
- Insider threats.
Update on the Robin Banks phishing kit.
IronNet has published a follow-up to its July blog post on the Robin Banks phishing-as-a-service (PhaaS) platform, outlining measures the platform's developers have taken to keep their operation running:
"Following our initial discovery and reporting on Robin Banks in late July, Cloudflare engineers swiftly marked Robin Banks domains as malicious, leading the platform to experience disruptions to operations. This in turn provided a three-day window where no victims were phished.
"In response, the developers revised the phishing kit and actively made changes to Robin Banks attack infrastructure to be more resilient against takedowns. After being blacklisted by Cloudflare, Robin Banks relocated its front-end and back-end infrastructure to DDOS-GUARD, a well-known Russian provider that hosts various phishing sites and content for cybercriminals."
The threat actors have also updated the kit to include a feature that can steal session cookies to bypass multifactor authentication, but customers need to pay an extra $1,500 per month for this feature (the base kit costs $200 per month).
APT10 uses LODEINFO to target Japan.
Researchers at Kaspersky continue to track LODEINFO, a malware family used by the Chinese threat actor APT10 to target "media, diplomatic, governmental and public sector organizations and think-tanks in Japan." The malware is distributed via spearphishing emails:
"In March 2022, we observed a Microsoft Word file that was used as the infection vector in some attacks. In June of the same year, an SFX file was discovered targeting the Japanese government or related organizations using a decoy file with Japanese content, as well as utilizing the name of a famous Japanese politician in the filename. A new downloader shellcode named DOWNIISSA that is used to deploy the LODEINFO backdoor was also observed."
BEC gang impersonates international law firms.
Abnormal Security is tracking a threat actor dubbed “Crimson Kingsnake” that’s launching business email compromise (BEC) attacks by impersonating attorneys, law firms, and debt recovery services. Crimson Kingsnake specializes in blind third-party impersonation attacks, a term Abnormal uses to describe BEC attacks in which the threat actor doesn’t have direct visibility into the targeted organization’s communications or business transactions. The researchers state:
“Based on our observations, a typical Crimson Kingsnake attack starts with an email impersonating an attorney and referencing an overdue payment the target's company owes to the firm or a company they represent. The impersonated attorney and the law firm they purportedly work for actually exist in the real world, so if the target ran a Google search for either, they would actually find results for the impersonated parties.
“To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted on domains closely resembling a firm’s real domain. The display name of the sender is set to the attorney that is being impersonated and the email signature contains the firm’s actual company address. Since March 2022, we’ve identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies in the United States, the United Kingdom, and Australia. Many of the firms referenced in Crimson Kingsnake attacks are major, multinational practices with a global footprint.”
If an employee replies to one of these emails, the attacker will send them a phony invoice requesting tens of thousands of dollars. If the employee questions the invoice, the attackers will impersonate an executive at the employee’s company authorizing the transaction.
BleepingComputer has a list of some of the law firms being impersonated by Crimson Kingsnake. They include Allen & Overy, Clifford Chance, Deloitte, Dentons, Eversheds Sutherland, Herbert Smith Freehills, Hogan Lovells, Kirkland & Ellis, Lindsay Hart, Manix Law Firm, Monlex International, Morrison Foerster, Simmons & Simmons, and Sullivan & Cromwell. Note that these are impersonations, not compromises of the firms.
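As an added defender-side illustration (not code from Abnormal's report or from this post), the triage check below flags a sender domain that merely resembles a known firm's real domain and a Reply-To that points elsewhere, the two traits described above. The firm domains, header values and the hypothetical `assess` helper are constructed placeholders.

```python
# Defender-side triage for the lookalike-domain tactic described above.
# All firm domains and sample headers below are constructed placeholders.
import email.utils
import re

KNOWN_FIRM_DOMAINS = {"examplefirm-llp.com", "lawfirm-example.co.uk"}  # constructed

def normalize(domain):
    """Collapse common digit/letter and pair substitutions, drop punctuation."""
    d = domain.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        d = d.replace(fake, real)
    return re.sub(r"[^a-z.]", "", d)

def levenshtein(a, b):
    """Plain edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known=KNOWN_FIRM_DOMAINS):
    """Return the legitimate domain that `domain` imitates, or None."""
    if domain in known:
        return None  # the real domain itself is not a lookalike
    nd = normalize(domain)
    for legit in sorted(known):
        nl = normalize(legit)
        label = nl.split(".")[0]  # the firm's registrable label, e.g. "examplefirmllp"
        # near-identical string, or the firm's label buried inside a longer name
        if levenshtein(nd, nl) <= 2 or (len(label) >= 6 and label in nd):
            return legit
    return None

def assess(headers):
    """Findings for one message: lookalike domains and From/Reply-To mismatch."""
    findings, domains = [], {}
    for h in ("From", "Reply-To", "Return-Path"):
        _, addr = email.utils.parseaddr(headers.get(h, ""))
        domains[h] = addr.rpartition("@")[2].lower()
        target = lookalike_of(domains[h])
        if target:
            findings.append(f"{h} domain {domains[h]} resembles {target}")
    if domains["Reply-To"] and domains["Reply-To"] != domains["From"]:
        findings.append("Reply-To domain differs from From domain")
    return findings

SAMPLE = {  # constructed sample headers
    "From": "Jane Doe <jane.doe@examplefirm-llp.co>",
    "Reply-To": "billing@examp1efirm-llp.com",
}
```

In practice the known-domain set would be seeded from firms the organization actually transacts with, and a hit would route the message to manual review rather than block it outright.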
Insider threats.
Researchers at DTEX have published a study on insider threats, finding that unsanctioned third-party work on corporate devices has risen by nearly 200% over the past twelve months: "These ‘side-gigs’ leverage corporate IP to assist 3rd party businesses that may be in direct competition with the employer."
The researchers warn that workforce engagement declines by up to 50% in the weeks before the holiday season. Additionally, engagement is affected during the first week back after the holidays:
“Workforce engagement is also slow to ramp back up the week after the holidays. During the first week back, employees identify critical tasks and deal with urgent issues left unanswered before the holiday. Organizations should realize this and adjust expectations accordingly.”