Attackers are using the Tycoon 2FA phishing kit to steal user credentials and bypass multifactor authentication.
Tag: T1566.002
Hunting CryptoBot in the wild
Attackers are using spearphishing emails containing malicious links to deliver malware that uses Rundll32 and Mshta for defense evasion.
Suspected TTPs:
- Initial Access: Spearphishing Link
- Execution: Rundll32
- Defense Evasion: Mshta
Threat Hunting for Android MW – Gamaredon
The attacker sends malicious links to mobile devices via SMS or social media posts. The links lead to the download of malicious apps that collect sensitive data.
Engage Report: Vishing via Microsoft Teams – DarkGate Malware
The attacker impersonates a client employee on a Microsoft Teams call and manipulates the victim into downloading AnyDesk for remote access after a failed attempt to install the Microsoft Remote Support application.
Engage Report: VEILDrive
The attacker impersonated an IT team member from a previously compromised organization (Org A) and used Microsoft Teams to send spearphishing messages to four employees at the targeted organization (Org C). The messages requested access to the employees’ devices via the Quick Assist remote utility tool.
CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks
T1566 – CyberVolk has been observed utilizing phishing emails and LinkedIn messages to distribute malicious links to targets.
T1490 – The ransomware terminates processes associated with Microsoft Management Console (MMC) or Task Manager.
T1486 – The ransomware displays a payment screen with a decryption timer and payment details, including BTC and USDT options. The ransom amount is set to $1000.00, and the timer is set to 5 hours.
Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure
T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.
T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.
T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.
T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
COLDRIVER – SPICA malware
The APT group COLDRIVER uses spearphishing to deliver malware, using PDFs as lure documents.