“The attack on the target organization begins in the traditional way, by sending it a phishing email. The subject lines of the letters range from subpoenas to the blocking of bank accounts and requests to take a mandatory coronavirus test. In some cases, the letters were sent on behalf of the Attorney General’s Office or the National Directorate of Taxes and Customs,” say ESET experts.
The emails contain a PDF file with a link to a RAR archive. If the victim downloads the archive, which is hosted on OneDrive, MediaFire, or other cloud storage, the file inside launches the malware. To deploy it, the attackers use a large arsenal of downloaders and packers that run a Remote Access Trojan (RAT) by injecting it into a legitimate process.
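The lure chain described above (a PDF carrying a link to a RAR archive on a file-sharing host) is what a mail gateway or analyst triage script would look for. The following is an added example, not ESET's or this article's code: it pulls every /URI target out of an uncompressed PDF and flags links that fit the pattern. The host list and the sample PDF bytes are constructed for the demo and are assumptions, not indicators from the report.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Hosts named in the report (OneDrive, MediaFire); assumption: not an exhaustive list.
CLOUD_HOSTS = {"onedrive.live.com", "1drv.ms", "mediafire.com", "www.mediafire.com"}
ARCHIVE_EXT = (".rar", ".zip", ".7z")

# A /URI target is written either as a literal string (...) or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")

def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in raw PDF bytes (uncompressed, unencrypted objects only)."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group("hex") is not None:
            h = re.sub(rb"\s", b"", m.group("hex"))
            h += b"0" if len(h) % 2 else b""  # PDF rule: odd-length hex string gets a trailing 0
            uris.append(bytes.fromhex(h.decode("ascii")).decode("latin-1"))
        else:
            # Resolve \( \) \\ so a ')' inside the URL does not truncate it; octal escapes are not handled.
            uris.append(re.sub(rb"\\(.)", rb"\1", m.group("lit")).decode("latin-1"))
    return uris

def triage(pdf: bytes) -> list[tuple[str, list[str]]]:
    """Flag links that fit the lure pattern: an archive hosted on a file-sharing service."""
    findings = []
    for uri in extract_uris(pdf):
        reasons = []
        if (urlparse(uri).hostname or "").lower() in CLOUD_HOSTS:
            reasons.append("cloud-storage host")
        if any(ext in uri.lower() for ext in ARCHIVE_EXT):
            reasons.append("archive download")
        if reasons:
            findings.append((uri, reasons))
    return findings

# Constructed sample: three link annotations, one literal, one hex-encoded, one with an escaped ')'.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.mediafire.com/file/x1/Citacion.rar/file) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f> >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://1drv.ms/u/s!abc\\)def) >> >> endobj\n"
)

if __name__ == "__main__":
    for uri, reasons in triage(SAMPLE_PDF):
        print(uri, "->", ", ".join(reasons))
```

Real lures are usually inside compressed object streams, so run the PDF through a decompressing parser first; this heuristic is a triage aid, not a verdict.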
“In total, the malicious campaign uses three RAT Trojans. They are all sold on the black market and were not created by the organizers of Operation Spalax,” ESET said.
The first Trojan, Remcos, can be purchased from a cybercrime forum for as little as $58.
The second, njRAT, is known for using Pastebin in place of dedicated C&C infrastructure. The third is the open-source remote administration tool AsyncRAT. The experts did not identify any firm pairing between downloaders and Trojans, but noted that the NSIS downloaders most often fetch Remcos, while the Agent Tesla and AutoIt packers fetch njRAT.
The researchers also did not find enough clues to attribute the campaign.
However, they found some links to the APT-C-36 group, also known as Blind Eagle. In 2019, this APT group carried out cyberattacks against Colombian organizations in order to steal confidential information.
Let me also remind you that cybercriminals use the popular Orcus and Revenge RATs to attack government organizations, and that, to break into government networks, hackers combine the Zerologon vulnerability with VPN vulnerabilities.