Source | ProofPoint
ID | 8627443
Published | 2024-12-19 07:19:54 (viewed: 2024-12-19 10:07:53)
Title | Security Brief: Threat Actors Gift Holiday Lures to Threat Landscape
Text |
What happened
As the holiday season ramps up globally, threat actors have begun to take advantage of people's desire for deals, jobs, and end-of-year bonuses. Proofpoint researchers have observed an increase in timely, holiday-themed content delivering malware, fraud, and credential phishing campaigns.
Fly for the holidays
For example, on 18 November, researchers identified a “Winter Holiday Promotion” campaign purporting to be from an airline. The messages were sent in both Spanish and English and contained compressed executables that led to the installation of Remcos RAT.
“Holiday promo” themed lure delivering Remcos RAT.
The campaign was low volume, with fewer than 100 messages.
Merry phishmas
The majority of holiday themed lures Proofpoint has observed are credential phishing campaigns.
In another campaign that began on 9 December, threat actors purported to be human resources or payroll departments sending information about end-of-year bonuses and "Xmas Employee Payroll."
Lure impersonating corporate HR to send “Xmas” themed credential phishing.
Messages were customized with the logo of the target organization or a Microsoft logo. These messages carried Office Open XML (OOXML) attachments, which also included the target organization's logo and contained a QR code. If scanned, the QR code's URL directed users to a counterfeit Microsoft authentication page.
Example phishing document including QR code.
Once an email address was provided, the credential phishing page displayed the user's organization's Azure Active Directory (AAD) branding. The page was designed to harvest the user's credentials and 2FA token and to capture the resulting session cookie. This is achieved through the Adversary-in-the-Middle (AiTM) technique, using the synchronous relay capabilities of the Tycoon Phishing-as-a-Service (PhaaS) platform: the victim's input is relayed to the legitimate login in real time, so the captured session cookie can be replayed after the victim has completed MFA.
The Office Open XML (OOXML) attachments are manipulated "brooxml" files. An OOXML document is a ZIP package, and the threat actors craft these files by prepending extra data before the ZIP header. The OOXML standard does not allow this, but Microsoft Office tolerates it and automatically "fixes" the file by removing the prepended bytes when it opens the document. Because many file-type and sandbox checks expect the ZIP signature at offset 0, the prepended data can prevent the attachment from being recognized and detonated as a document. Proofpoint has seen this technique abused by threat actors since August 2024 in attempts to bypass sandbox detection.
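The following Python script is an added example, not Proofpoint's code and not derived from any sample in the brief. It builds a minimal, constructed .docx in memory, prepends junk bytes to mimic the "brooxml" manipulation, and contrasts a naive magic-byte check with one that locates the real archive through the ZIP End-Of-Central-Directory record. The junk prefix, the helper names and the placeholder image are assumptions for illustration; the media listing shows where an embedded QR code image would sit for further analysis.

```python
"""Detect OOXML attachments with data prepended before the ZIP header.

Added example (not Proofpoint's code): an OOXML document is a ZIP package,
so a check that expects the ZIP signature at offset 0 can miss a "brooxml"
file, while a ZIP-aware check that walks back from the End-Of-Central-
Directory (EOCD) record still finds the real archive start.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of the first ZIP local file header
EOCD_SIG = b"PK\x05\x06"           # End-Of-Central-Directory record signature

# Constructed junk standing in for the prepended data (assumption for illustration).
JUNK = b"<!-- prepended junk, not permitted by the OOXML package format -->\r\n" * 8

# Minimal constructed OOXML parts: enough for a ZIP library to treat the package as a Word document.
CONTENT_TYPES = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                 b'<Default Extension="xml" ContentType="application/xml"/>'
                 b'<Default Extension="png" ContentType="image/png"/>'
                 b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
                 b'</Types>')
RELS = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        b'</Relationships>')
DOCUMENT = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            b'<w:body><w:p/></w:body></w:document>')
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed stand-in for the QR code image


def build_docx(image_bytes: bytes = FAKE_PNG) -> bytes:
    """Build a minimal .docx in memory, with one image under word/media/ as a QR code would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", DOCUMENT)
        z.writestr("word/media/image1.png", image_bytes)
    return buf.getvalue()


def make_brooxml(docx: bytes, prefix: bytes = JUNK) -> bytes:
    """Reproduce the manipulation: prepend data before the first ZIP local header."""
    return prefix + docx


def is_ooxml_by_magic(data: bytes) -> bool:
    """Naive file-typing check: ZIP local header must sit at offset 0. Misses brooxml files."""
    return data.startswith(ZIP_LOCAL_HEADER)


def find_prepended_length(data: bytes):
    """Return how many bytes precede the real archive, or None if no EOCD record exists.

    The EOCD record stores the central directory's size and its offset from the
    start of the archive; the gap between where the central directory actually
    sits and where it claims to sit is the length of the prepended data.
    """
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack("<II", data[idx + 12:idx + 20])
    prepended = (idx - cd_size) - cd_offset
    return prepended if prepended >= 0 else None


def analyze(data: bytes) -> dict:
    """Classify a candidate attachment and list embedded media worth scanning for QR codes."""
    prepended = find_prepended_length(data)
    result = {"magic_at_zero": is_ooxml_by_magic(data), "prepended_bytes": prepended,
              "is_ooxml": False, "media": []}
    if prepended is None:
        return result
    # zipfile, like Office, locates the archive through the EOCD record, so prepended data is tolerated.
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["media"] = sorted(n for n in names if n.startswith("word/media/"))
    return result


def strip_prefix(data: bytes) -> bytes:
    """Remove the prepended bytes so downstream tools that check offset 0 see a normal package."""
    prepended = find_prepended_length(data)
    return data if not prepended else data[prepended:]


if __name__ == "__main__":
    clean = build_docx()
    tampered = make_brooxml(clean)
    print("clean:  ", analyze(clean))
    print("brooxml:", analyze(tampered))
    print("stripped file passes magic check:", is_ooxml_by_magic(strip_prefix(tampered)))
```

In a mail-gateway or sandbox pipeline, `find_prepended_length` returning a non-zero value for an attachment that claims to be a Word document is itself a strong signal, independent of what the document contains; `strip_prefix` then yields a package that conventional detonation and QR extraction tooling will recognize.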
Proofpoint has observed numerous campaigns using holiday and bonus themes to deliver Tycoon credential phishing URLs.
SakaiPages bonus and holiday lures
On 12 December 2024, researchers identified an AiTM credential phishing campaign using a variety of end-of-year and holiday themes.
Messages purported to come from the target's HR team and used subjects related to payroll and bonuses.
SakaiPages credential phishing lure.
The messages contained customized Microsoft Word attachments containing a QR code that directed users to a fake Microsoft authentication page. Attached document filenames included:
annual_loyalty_compensation_award.docx
december_achievement_compensation_award.docx
december_holiday_appreciation_voucher.docx
When a user provided an email address to the credential phishing website, the page masqueraded as the user's organization's AAD-branded login. The credential phishing page harvested user credentials and 2FA tokens and retrieved session cookies via the SakaiPages phishing kit.
Holiday job offers actually scams
On 10 December 2024, Proofpoint identified an employment fraud campaign that impersonated the nonprofit organization Project HOPE and attempted to recruit workers as "Community Liaison Agents." In many emails, the threat actor stressed that the job would be "extra income" for the holiday season. Emails were sent from likely compromised senders but included a contact email address in the body text: [various names]@jobs-projecthope[.]org.
Tags | Malware, Threat