Top 5 Clever Phishing Tactics to Watch Out For (May 2024)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five recently encountered phishing campaigns that you should know about, including Grandoreiro banking trojan re-emerging in a large-scale phishing campaign, phishing emails by Phorpiex distributing LockBit Black ransomware, APT43 exploiting weak DMARC for spear phishing, Black Basta ransomware striking 500+ entities with phishing tactics, and Docker Hub supply chain attacks exposing users to phishing threats.

Read on to discover more…

1. Grandoreiro banking trojan re-emerges in a global phishing campaign

The Grandoreiro banking trojan has re-emerged globally in a large-scale phishing campaign since March 2024, targeting over 1,500 banks in more than 60 countries, following a takedown in January. Initially focused on Latin America, Spain, and Portugal, this campaign now spans regions in Central and South America, Africa, Europe, and the Indo-Pacific.

Phishing emails prompt recipients to download a ZIP archive containing a Grandoreiro loader, which avoids detection by inflating its size and verifying the environment. Once executed, it downloads the main trojan, which establishes persistence through the Windows Registry. Significant updates include enhanced string decryption, domain generating algorithms, and the use of infected Microsoft Outlook clients for further phishing attacks, enabling remote control and spreading spam via victim inboxes.

2. Phishing emails by Phorpiex distribute LockBit Black ransomware

Since April, a large-scale LockBit Black ransomware campaign has been conducted via phishing emails sent through the Phorpiex botnet, targeting companies globally. Phorpiex, also known as Trik, has evolved over ten years from a worm into an IRC-controlled trojan distributed through email spam, infecting over a million devices, and engaging in cryptocurrency theft. The phishing emails, with subject lines like “your document” and “photo of you???”, are sent from over 1,500 IP addresses, including Kazakhstan, Uzbekistan, Iran, Russia, and China, using aliases such as “Jenny Brown” or “Jenny Green.”

These emails contain ZIP attachments with executables that, once opened, deploy LockBit Black ransomware, constructed using the leaked LockBit 3.0 builder. The ransomware encrypts files, steals sensitive data, and stops essential services. Although using the LockBit Black encryptor, this campaign is not officially linked to the LockBit ransomware operation. Reports suggest that millions of these phishing emails have been sent daily since April 24, 2024, facilitated by the Phorpiex botnet’s infrastructure, highlighting the ongoing threat to global cybersecurity.

3. North Korean APT43 exploits weak DMARC for spear phishing

The NSA and FBI warn of APT43, a North Korean group exploiting weak DMARC policies for spear phishing, targeting experts in East Asian affairs to gather geopolitical intelligence. APT43, also known as Kimsuky, uses spoofed emails from trusted sources to gain access to private documents and communications. They have targeted organizations in the US, Europe, Japan, and South Korea since 2018, impersonating journalists and academics.

Exploiting weak DMARC policies, especially with “p=none” configurations, allows their emails to bypass checks. Indicators of their activities include initial benign communications followed by malicious content, emails with awkward grammar, targeting government employees with knowledge of North Korean affairs, and emails requiring “Enable Macros” for documents. These campaigns help APT43 create more convincing spear phishing emails to target sensitive information.

4. Black Basta ransomware hits 500+ entities with phishing tactics

Since its emergence in April 2022, Black Basta, a Ransomware-as-a-Service (RaaS) operation, has targeted over 500 entities across North America, Europe, and Australia, encrypting and stealing data from critical infrastructure sectors. Affiliates employ phishing and known vulnerabilities for initial access, implementing a double-extortion model wherein they encrypt systems and exfiltrate data. Instead of initial payment demands, ransom notes provide victims with a unique code and instructions to contact the gang via a .onion URL.

Black Basta has utilized QakBot as an initial vector and maintains a persistent threat profile. Statistics reveal its ongoing activity, with ties to FIN7, another cybercrime group known for ransomware attacks since 2020. The group utilizes various tools for network scanning, lateral movement, privilege escalation, and data exfiltration, exploiting vulnerabilities such as ZeroLogon and deploying encryption using a ChaCha20 algorithm with an RSA-4096 public key.

5. Docker Hub supply chain attacks expose users to phishing threats

Cybersecurity researchers have uncovered multiple supply chain attacks targeting Docker Hub, revealing over four million imageless repositories used to redirect users to phishing or malware-hosting sites. Among these imageless repositories discovered, 2.81 million were utilized in campaigns redirecting users to fraudulent sites, including a downloader campaign, an e-book phishing scheme, and a website cluster, each employing different deceptive tactics.

These attacks, facilitated by 208,739 fake accounts created by threat actors, highlight the diversity of strategies employed to deceive users, with the downloader campaign leading users to links for pirated content or cheats, ultimately redirecting them to malicious sources. The e-book phishing scheme prompts users to enter financial information to download e-books, while the website cluster includes links to an online diary-hosting service or benign text, potentially for testing purposes. The payload delivered by the downloader campaign connects to a command-and-control (C2) server to transmit system metadata and receive a link to cracked software.

Key recommendations to combat cyber risks: 

• Schedule regular backups of data and store them offline in a secure location. Test backups regularly to ensure they can be restored.
• Encrypt sensitive data at rest and in transit to prevent unauthorized access.
• Exercise caution with emails and PDFs prompting a file download.
• Follow the Principle of Least Privilege and enable User Access Control (UAC).
• Develop a strategy to quickly patch vulnerabilities in internet-facing systems and secure or disable remote access such as RDP and VPNs.
• Use ad-blocking extensions in browsers to prevent drive-by infections from malicious ads.
• Implement email filtering solutions, such as spam filters, to help block messages.
• Use strong, unique passwords and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
• Educate users on recognizing phishing attempts and malicious redirects.
• Implement network segmentation and access control to detect unusual activity early. Employ EDR or MDR solutions to identify potential threats before they escalate.