At a glance,
- TA2541 targets the transportation industry.
- Roaming Mantis spreads to Europe.
- Emotet uses a new infection method.
TA2541 targets the transportation industry.
Proofpoint is tracking a cybercriminal actor it's calling "TA2541" that's targeting the "aviation, aerospace, transportation, and defense industries" with phishing emails. The threat actor has compromised hundreds of organizations, particularly in North America, Europe, and the Middle East. The researchers note that the threat actor's phishing lures are generally written in English, and contain Word documents with malicious macros that deliver AsyncRAT:
"All the malware used by TA2541 can be used for information gathering purposes and to gain remote control of an infected machine. At this time, Proofpoint does not know what the threat actor’s ultimate goals and objectives are once it achieves initial compromise.
"While AsyncRAT is the current malware of choice, TA2541 has varied its malware use each year since 2017. The threat actor will typically use just one or a handful of RATs in observed campaigns; however, in 2020, Proofpoint observed TA2541 distributing over 10 different types of malware, all using the same initial infection chain."
Roaming Mantis spreads to Europe.
Kaspersky warns that a smishing campaign dubbed "Roaming Mantis" has spread to Germany and France. The campaign had previously targeted users in Japan, Taiwan and Korea:
"Our latest research into Roaming Mantis shows that the actor is focusing on expanding infection via smishing to users in Europe. The campaign in France and Germany was so active that it came to the attention of the German police and French media. They alerted users about smishing messages and the compromised websites used as landing pages. Typically, the smishing messages contain a very short description and a URL to a landing page. If a user clicks on the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while the Wroba malware is downloaded on Android devices."
The researchers add, "Regarding the updates to the Wroba.g/Wroba.o payload, Kaspersky experts only observed two minor updates in the payload part. One of them is the feature for checking the region of the infected device in order to display a phishing page in the corresponding language. In the old sample, it checked for three regions: Hong Kong, Taiwan and Japan. However, Germany and France were added as new regions. From this update, together with the map above, it is clear that Germany and France have become the main targets of Roaming Mantis with Wroba.g/Wroba.o."
The malware also has two new backdoor commands that allow the attackers to steal photos from infected devices.
Emotet uses a new infection method.
Palo Alto Networks' Unit 42 describes a new infection technique being used by the Emotet banking Trojan. The malware is being delivered via phishing emails with macro-laden Excel documents:
"As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. Emotet is high-volume malware that often changes and modifies its attack patterns. This latest modification of the Emotet attack follows suit.
"The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload."
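The chain Unit 42 describes (Excel macro, then an HTML application, then PowerShell stages) leaves a recognisable process lineage in endpoint telemetry. As an added example that is not from the Unit 42 report, the code below matches that lineage in process-creation events: an Office application launching mshta.exe, which in turn is an ancestor of a PowerShell process. The event schema, image-name sets and sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; constructed schema, not a real EDR format."""
    pid: int
    ppid: int
    image: str
    cmdline: str = ""

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def lineage(by_pid, pid, max_depth=16):
    """Yield the process with this pid and its ancestors, nearest first (depth-capped against cycles)."""
    e, depth = by_pid.get(pid), 0
    while e is not None and depth < max_depth:
        yield e
        e, depth = by_pid.get(e.ppid), depth + 1

def find_office_hta_powershell_chains(events):
    """Return (office, mshta, shell) triples for each PowerShell process whose
    ancestry contains mshta.exe below an Office application. Walking the whole
    ancestry, not just the direct parent, also flags the second PowerShell stage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for shell in events:
        if shell.image.lower() not in SHELLS:
            continue
        ancestors = list(lineage(by_pid, shell.ppid))
        hta_at = next((i for i, a in enumerate(ancestors)
                       if a.image.lower() in SCRIPT_HOSTS), None)
        if hta_at is None:
            continue
        office = next((a for a in ancestors[hta_at + 1:]
                       if a.image.lower() in OFFICE), None)
        if office is not None:
            hits.append((office, ancestors[hta_at], shell))
    return hits

# Constructed sample telemetry: one Emotet-style chain plus benign activity.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE", "EXCEL.EXE invoice.xls"),
    ProcEvent(300, 200, "mshta.exe", "mshta.exe C:\\Users\\Public\\stage.hta"),
    ProcEvent(400, 300, "powershell.exe", "powershell -w hidden -enc <constructed>"),
    ProcEvent(450, 400, "powershell.exe", "powershell -w hidden -enc <constructed>"),
    ProcEvent(500, 100, "powershell.exe", "powershell Get-Process"),  # admin at a prompt
]
```

Run against SAMPLE_EVENTS, the function returns both PowerShell stages (pids 400 and 450) with their Excel and mshta ancestors, and ignores the interactive PowerShell under explorer.exe.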