At a glance.
- Phishing for disinformation.
- Chinese cyberespionage in Southeast Asia.
- Transparent Tribe's current espionage run.
- Phishing trends in 2022.
Phishing for disinformation.
Proofpoint warns that the Russia-linked threat actor the company tracks as "TA499" (also known as "Vovan" or "Lexus") is launching phishing campaigns in an attempt "to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats." The threat actors pose as high-ranking Ukrainian government officials, and target individuals "that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda."
If a target agrees to a video call, the threat actors will use "extensive makeup" and deepfake technology to impersonate a Ukrainian official. The impersonator begins by conducting a normal interview, then eventually attempts to make the target contradict or embarrass themselves. TA499 will then edit the video and post it on social media:
"Conversations with TA499 typically begin serious and allow the target to voluntarily say as much information as possible. Once the target begins asking questions, the actor mirrors the target’s replies to keep the conversation going. Some of the 2021 videos with the threat actor have the Leonid Volkov impersonator asking for financial support and appear to encourage the target into voicing particular obligations and efforts in tandem with the Russian opposition led by Navalny. Once the target makes a statement on the matter, the video devolves into antics, attempting to catch the target in embarrassing comments or acts. The recordings are then edited for emphasis and placed on YouTube and Twitter for Russian and English-speaking audiences."
Chinese cyberespionage in Southeast Asia.
Check Point describes a Chinese cyberespionage operation that's targeting government entities in several Southeast Asian countries, including Vietnam, Thailand, and Indonesia. The threat actor is delivering a new version of the Soul malware framework. While the campaign has overlaps with previous operations by the Chinese APT tracked as "Sharp Panda," Check Point notes that since "sharing custom tools or operational methods is common among Chinese-based threat actors to facilitate intrusion efforts, it poses a challenge to their attribution."
(Added, 9:00 PM ET, March 10th, 2023. John Stevenson, Senior Product Marketing Manager, Skybox Security, wrote to comment on how such sharing increases ambiguity with respect to attribution. "Exploits like this, which were once the sole province of nation-state actors, are now the common currency of the cybercrime underworld," Stevenson observed. "This latest example uses vulnerabilities in the Word equation editor dating back to 2017 and 2018 and perfectly illustrates the importance of using proactive vulnerability threat management to combat the malware threat. The Skybox Research Lab has noted that multi-stage attacks like this are on the rise, making it more important than ever that organizations use vulnerability threat management to discover vulnerabilities, prioritize based on exposure-based risk, and close with prescriptive remediation.")
Transparent Tribe's current espionage run.
ESET says the suspected Pakistan-based threat actor Transparent Tribe appears to be targeting Indian and Pakistani military and government officials with romance scams. The victims are convinced to download compromised versions of secure messaging apps to their Android phones. These apps will install the CapraRAT backdoor, which is designed to exfiltrate information: “The backdoor is capable of taking screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any other sensitive information. The backdoor can also receive commands to download files, make calls, and send SMS messages. The campaign is narrowly targeted, and nothing suggests these apps were ever available on Google Play.”
ESET believes the attackers begin by contacting their victims via an email address or phone number and then luring them into a romance scam—a tactic Transparent Tribe has used in the past. After the victims have downloaded the Trojanized messaging app, the attackers continue communications with them over the messaging app while stealing information in the background. The malicious apps used poor operational security, and the researchers were able to locate over 150 victims in India, Pakistan, Russia, Oman, and Egypt.
Phishing trends in 2022.
Vade has published its annual Phishers' Favorites report for 2022, finding that Facebook, Microsoft, and Google were the most impersonated brands last year. Notably, Google, which placed #28 in 2021, jumped to the third most-impersonated brand last year, following a 1,560% increase in Google-themed phishing pages. The researchers attribute this increase to the growing popularity of Google Workspace, and Vade predicts that Microsoft and Google will be the two most widely impersonated brands in 2023 due to the prevalence of their productivity suites:
“Productivity suites are an attractive target for phishers. With a suite of integrated applications, these digital ecosystems give phishers more opportunities to exploit users before and after an initial compromise. For example, phishers can impersonate integrated applications such as file-sharing solutions in an initial attack, as well as use compromised accounts to distribute malicious links and files through new channels, such as instant messaging tools.”