Severity
High
Analysis Summary
An ongoing malvertising campaign has been observed targeting Chinese-speaking users with malicious Google ads for messaging apps that are restricted in China, such as Telegram. The attackers abuse Google advertiser accounts to create malicious ads that redirect unsuspecting users to pages which, instead of the advertised app, download remote access trojans (RATs), granting the threat actors full access to the victim’s device.
The campaign has been dubbed “FakeAPP”. It is a continuation of a previous attack wave in October 2023 that targeted Hong Kong users who searched for messaging apps like WhatsApp and Telegram. The latest iteration of the campaign adds the LINE messaging app to the list of lures and redirects users to fake websites hosted on Google Docs or Google Sites. This Google infrastructure is used to embed links to other actor-controlled websites that deliver malicious installer files and deploy trojans such as Gh0st RAT and PlugX.
Researchers observed that the fake ads led back to two advertiser accounts based in Nigeria. The threat actors seem to put quantity over quality, continuously rolling out new payloads and new command-and-control (C2) infrastructure. Separately, there has been a significant increase in the use of a phishing-as-a-service (PhaaS) platform named “Greatness” to build credential-harvesting pages that look legitimate to the Microsoft 365 users they target.
The kit allows the threat actors to personalize sender names, subjects, email addresses, messages, attachments, and QR codes. It comes with anti-detection functionality like encoding, randomizing headers, and obfuscation to enable attackers to bypass spam filters and security software. Greatness is offered for sale on the dark web for $120 per month, which lowers the entry barrier and helps in conducting attacks on a larger scale.
The attack chain starts with sending phishing emails with malicious HTML attachments that redirect the user who opens the attachments to a fake login page, capable of harvesting the login credentials that are entered and then exfiltrating them to the threat actor through Telegram. Other times, the attachments are used to deliver malware to the victim’s system to commit information theft.
To increase the success rate of the attack, phishing emails pretend to be from trusted sources like banks and employers to make the message look urgent. To achieve this, they use subjects like “urgent invoice payments” or “urgent account verification required”. It is not known currently how many victims have been affected so far, but Greatness is used widely and is well-supported with its own Telegram community that provides instructions on how to operate it with additional tricks and tips.
Recently, researchers have also observed phishing attacks targeting South Korean companies that use lures impersonating technology companies to drop AsyncRAT through malicious Windows shortcut (LNK) files. Malicious shortcut files have become a favorite method for threat actors and are constantly being distributed. Users can easily mistake a shortcut file for a normal document because Windows Explorer never displays the .LNK extension in the file name, so a file named “invoice.pdf.lnk” appears simply as “invoice.pdf”.
Impact
- Sensitive Data Theft
- Credential Theft
Indicators of Compromise
Domain Name
- telagsmn.com
- teleglren.com
- teleglarm.com
- 5443654.site
- 5443654.world
MD5
- 833128952da9a0668d3ca26c248c4267
- 80a96c471bd176e72b7fd0706da754d2
- 21b0773be7bb8c0815629383cb22c58d
- 04ea85b8ba79c2683c9d17104d593fdf
- 524d1b299fc24be90d726ff4e4d3582c
SHA-256
- 63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a
- a83b93ec2a5602d102803cd02aecf5ac6e7de998632afe6ed255d6808465468e
- acf6c75533ef9ed95f76bf10a48d56c75ce5bbb4d4d9262be9631c51f949c084
- ec2781ae9af54881ecbbbfc82b34ea4009c0037c54ab4b8bd91f3f32ab1cf52a
- c08be9a01b3465f10299a461bbf3a2054fdff76da67e7d8ab33ad917b516ebdc
SHA-1
- 75349c4f319c16ffb7e90d427a8339d144a33104
- 5bd9489af3be1b98c112902dbbe7f1ae3c5020df
- 632fd0692a5156be605ab760336cd55f0e8aa7ac
- 33194529cc04867e37cd7c2342359482ca1a7292
- d7413cf46363eea6779ab986f33a4c2c664979f2
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Implement ongoing phishing awareness training for partners and staff.
- Implement a web application firewall to filter out malicious traffic and protect against common web-based threats.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Be vigilant and thoroughly check the URL to see if it’s legitimate before downloading apps.
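As an added example of the IOC search recommended above (not Rewterz code), the Python script below loads the advisory’s domain names and file hashes and runs them over DNS-query and endpoint file-hash log lines, matching subdomains of the listed domains and case-insensitive hashes. The log lines in `SAMPLE_LOGS` are constructed for the demonstration, and their space-separated `key=value` format is an assumption rather than any product’s schema; adapt `parse_kv` to your own log source.

```python
"""Hunt for this advisory's IoCs in DNS and endpoint file-hash logs.

Added example, not Rewterz code. The indicator values are the ones listed
in the advisory; the log lines and their key=value layout are constructed
for the demonstration (assumption, not a product schema).
"""
import re

IOC_DOMAINS = {
    "telagsmn.com", "teleglren.com", "teleglarm.com", "5443654.site", "5443654.world",
}

# MD5, SHA-1 and SHA-256 values from the advisory, all lower-case hex.
IOC_HASHES = {
    "833128952da9a0668d3ca26c248c4267", "80a96c471bd176e72b7fd0706da754d2",
    "21b0773be7bb8c0815629383cb22c58d", "04ea85b8ba79c2683c9d17104d593fdf",
    "524d1b299fc24be90d726ff4e4d3582c",
    "75349c4f319c16ffb7e90d427a8339d144a33104", "5bd9489af3be1b98c112902dbbe7f1ae3c5020df",
    "632fd0692a5156be605ab760336cd55f0e8aa7ac", "33194529cc04867e37cd7c2342359482ca1a7292",
    "d7413cf46363eea6779ab986f33a4c2c664979f2",
    "63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a",
    "a83b93ec2a5602d102803cd02aecf5ac6e7de998632afe6ed255d6808465468e",
    "acf6c75533ef9ed95f76bf10a48d56c75ce5bbb4d4d9262be9631c51f949c084",
    "ec2781ae9af54881ecbbbfc82b34ea4009c0037c54ab4b8bd91f3f32ab1cf52a",
    "c08be9a01b3465f10299a461bbf3a2054fdff76da67e7d8ab33ad917b516ebdc",
}

# key=value pairs; values may be double-quoted (paths with spaces or backslashes).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot DNS resolvers often log."""
    return name.strip().rstrip(".").lower()


def domain_matches(qname: str) -> bool:
    """True if the query name is an IoC domain or any subdomain of one."""
    q = normalize_domain(qname)
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def parse_kv(line: str) -> dict:
    """Parse one constructed log line into a dict of fields."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(log_lines):
    """Return (source host, indicator type, matched value) for every IoC hit."""
    hits = []
    for line in log_lines:
        fields = parse_kv(line)
        src = fields.get("src", "?")
        qname = fields.get("qname")
        if qname and domain_matches(qname):
            hits.append((src, "dns", normalize_domain(qname)))
        for key in ("md5", "sha1", "sha256"):
            value = fields.get(key, "").lower()
            if value in IOC_HASHES:
                hits.append((src, key, value))
    return hits


# Constructed sample log lines (hosts, times and paths are made up).
SAMPLE_LOGS = [
    'ts=2024-02-05T09:12:01Z src=10.0.8.21 qname=www.teleglarm.com. qtype=A',
    'ts=2024-02-05T09:12:02Z src=10.0.8.21 qname=docs.google.com. qtype=A',
    'ts=2024-02-05T09:13:40Z src=10.0.8.21 path="C:\\Users\\u\\Downloads\\setup.msi" '
    'sha256=63B89CA863D22A0F88EAD1E18576A7504740B2771C1C32D15E2C04141795D79A',
    'ts=2024-02-05T10:01:00Z src=10.0.9.5 path="C:\\Temp\\x.exe" md5=d41d8cd98f00b204e9800998ecf8427e',
]

if __name__ == "__main__":
    for src, kind, value in hunt(SAMPLE_LOGS):
        print(f"{src:15} {kind:7} {value}")
```

The subdomain match is deliberate: a resolver log will usually show `www.` or another label in front of the registered domain, and an exact-match rule would miss it. The same hash set can be fed to a SIEM or EDR lookup directly; the script only shows the normalization that keeps such a lookup from failing on case or trailing-dot differences.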