APT impersonates the Red Cross in phishing campaigns.
N2K logoSep 26, 2023

"AtlasCross" is deploying two new Trojans: DangerAds and AtlasAgent.

APT impersonates the Red Cross in phishing campaigns.

NSFOCUS Security Labs reports tracking a patient, persistent, low-profile APT that's impersonating the Red Cross to prospect its victims. The researchers call the threat group "AtlasCross."

AtlasCross is technically capable and, above all, "cautious."

The researchers believe that AtlasCross shares no significant "attribution indicators" with other known threat groups. None of the usual markers, which NSFOCUS lists as "execution flow, attack technology stack, attack tools, implementation details, attack objectives, [and] behavior tendency," show any similarity to those employed by other actors, and the researchers offer no speculation about AtlasCross's allegiance.

The initial approach is phishing. An email with American Red Cross blood donation information in its subject line carries an attachment, “Blood Drive September 2023.docm.” For the phishbait document to be displayed, the victim is prompted to enable macros: the preliminary screen carries a reassuring note "This document is protected by McAfee DLP. Click 'Enable Content' to view." Once the target does so, the document displays a promotional flier for an American Red Cross blood drive. It also initiates communication with the attacker and installs a loader Trojan. That loader detects the host environment and executes shellcode that subsequently loads the final payload, AtlasAgent, which collects information about the host, executes shellcode, and carries out further actions against the target.

AtlasCross has compromised twelve servers, all of them in the United States, and all of them hosted in an Amazon cloud. The hosts are otherwise clean, and are unlikely to trip warnings or otherwise arouse suspicion.

Victimology offers no obvious insight into the nature of the campaign.

The researchers conclude, "The new attacker AtlasCross discovered by NSFOCUS Security Labs is a very cautious hacker organization with strong process and tool development capabilities. On the one hand, this attacker can actively absorb various hacker technologies and integrate them into its own technology stack and tool development process; on the other hand, it has chosen the most conservative route in environmental detection, execution strategy, network facility selection, etc., reducing its exposure risks at the expense of efficiency. In addition, the residual debug code in AtlasCross self-developed Trojan can also prove that this attacker is still improving the attack process."

NSFOCUS notes that the use of blood drive phishbait suggests that victims can be expected to have some connection with--or more accurately, interest in--the American Red Cross. But such interest is so widespread in the United States that it approaches universality, and so reveals little about the goals of the campaign. James McQuiggan, security awareness advocate at KnowBe4, pointed out that this kind of phishing can be psychologically compelling. “Cybercriminals know the psychological levers driving human behavior and frequently exploit our trust in popular brands to craft deceptive emails, messages, or voicemails that elicit a sense of urgency, fear, or sheer curiosity," he said. "This emotional engagement often clouds judgment, leading individuals to impulsively click on a link or open an attachment without due diligence. Cybercriminals dramatically increase the chances of their social engineering attacks succeeding by hijacking the trust in household names. It's a reminder that our emotions and inherent biases can be some of our most significant vulnerabilities when it comes to social engineering.”

And, after all, who's not in favor of blood drives? To be sure there will be a few people with a conscientious reservation about transfusions, but such are few and far between. In this case, AtlasCross, whoever they are, has chosen their phishbait well.