Threat Hunting Scenario: Real Estate Scams

Attackers are compromising email accounts to launch real estate scams, targeting individuals seeking rental properties.

Hunting 4 Two Way Phish

Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.

Suspected TTPs:

  • Spearphishing Attachment [T1566.001]
  • Exploit Public-Facing Application [T1190]
  • Drive-by Compromise [T1189]
  • Command and Control [T1071]
  • Exfiltration [TA0010]
  • Impact [TA0040]

Hunting all around for TA397 RATs

Attackers are using phishing emails to deliver malicious attachments that gather system information and exfiltrate it to a remote server.

Threat Hunting Scenario: Lazarus Group’s Evolved Infection Chain

Lazarus Group actors are actively targeting specific industries with tailored spearphishing, using trojanized remote access tools and a multi-stage infection chain in which successive malware stages communicate with C2 infrastructure to maintain persistent access and exfiltrate data.

Unveiling RevC2 and Venom Loader

  • Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
  • Execution: The LNK file runs an obfuscated batch script that downloads and executes further payloads, including RevC2 and Venom Loader. Venom Loader relies on DLL side-loading and JavaScript for execution.
  • Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
  • Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
  • Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
  • Collection: RevC2 steals cookies, passwords, and takes screenshots.
  • Exfiltration: Stolen data is exfiltrated over the C2 channel.