Top 5 Most Deceptive Phishing Campaigns You Should Know About (September 2023)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five recently encountered phishing campaigns that you should know about, including DarkGate malware spreading through phishing in Microsoft Teams, info-stealers using phishing to deploy ransomware payloads, APT34 deploying new malware variants in targeted phishing onslaught, SuperBear RAT targeting activists in state-sponsored phishing attack, and Oktapus campaign targeting Okta with calculated social engineering attacks.

Read on to discover more…

1. DarkGate malware exploits Microsoft Teams in phishing attack

Recently, a phishing campaign exploiting Microsoft Teams messages targeted organizations, delivering the DarkGate Loader malware through malicious attachments. The attack began with compromised external Office 365 accounts sending deceptive Microsoft Teams messages enticing users to download a ZIP file named “Changes to the vacation schedule.” Clicking the attachment triggered a download from a SharePoint URL, containing a malicious LNK file posing as a PDF. Researchers uncovered malicious VBScript within the campaign, which initiated an infection chain leading to DarkGate Loader.

To avoid detection, the malware download process utilized Windows cURL, and the script concealed its malicious code using AutoIT script “magic bytes.” It checked for antivirus software and adapted its behavior accordingly. This campaign follows a trend of compromised Microsoft Teams accounts used to send malicious attachments, similar to a June 2023 report, with no official Microsoft resolution.

2. Cybercriminals combine phishing and EV certificates to deliver ransomware payloads

Threat actors previously associated with the RedLine and Vidar information stealers have transitioned to ransomware attacks, using phishing campaigns that distribute payloads signed with Extended Validation (EV) code signing certificates. Recent incidents have revealed a division of labor between payload providers and operators, with new phishing campaigns employing DBatLoader to distribute various malware, including Agent Tesla and Warzone RAT.

These campaigns, ongoing since late June, primarily target English-speaking victims but also extend to Spanish and Turkish recipients. The threat actors demonstrate significant control over email infrastructure, enabling them to bypass email authentication methods such as SPF, DKIM, and DMARC. OneDrive serves as a common platform for payload staging, while some campaigns utilize transfer[.]sh or compromised domains. Additionally, a separate malvertising campaign targets users searching for Cisco’s Webex, redirecting them to a fake website distributing BATLOADER malware, which subsequently downloads DanaBot, an information stealer and keylogger.

3. New SideTwist Backdoor and Agent Tesla variant unleashed via phishing campaigns

The Iranian threat actor APT34, also known as Cobalt Gypsy and Hazel Sandstorm, has been linked to a recent phishing campaign utilizing a variant of the SideTwist backdoor. APT34, known for its extensive cyber espionage activities in the Middle East, employed spear-phishing tactics to deliver a malicious Microsoft Word document containing a harmful macro. When executed, this macro launches a Base64-encoded payload, which is a variant of the SideTwist backdoor, granting the attacker access to the compromised system.

Meanwhile, a separate phishing campaign was also identified distributing a new Agent Tesla variant. This campaign leverages a specially crafted Microsoft Excel document to exploit the CVE-2017-11882 vulnerability in Microsoft Office’s Equation Editor. Agent Tesla is notorious for stealing sensitive data, making the exploitation of this vulnerability particularly concerning.

4. New SuperBear trojan emerges in targeted phishing attack on South Korean activists

A newly discovered remote access trojan (RAT) named SuperBear has been found in a targeted phishing attack against civil society groups and activists in South Korea, with suspected involvement from North Korean state-sponsored hackers. The attack commences with a phishing email impersonating a known contact within the victim’s organization. When the victim opens the email, they are coerced into executing a malicious LNK file attached to it. This LNK file initiates a PowerShell command, subsequently launching a Visual Basic script responsible for fetching additional payloads from a compromised WordPress website.

To avoid detection, the attack employs a multi-stage infection process, utilizing legitimate platforms like PowerShell and WordPress. The subsequent stage utilizes an AutoIt script to perform the process hollowing, injecting the SuperBear RAT into a suspended instance of Explorer.exe. Once active, the RAT establishes a secure connection to a Command and Control (C2) server, enabling it to execute commands, exfiltrate data, and download and execute additional DLLs. The C2 server’s default instruction set focuses primarily on data exfiltration and system surveillance.

5. Social engineering attacks target Okta Super Administrator privileges

The Oktapus phishing campaign targeted Okta, an identity and access management company, and successfully victimized several US-based Okta customers by employing social engineering attacks against IT service desk personnel. The attackers’ strategy involved convincing service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users. Subsequently, the threat actors abused Okta Super Administrator accounts to impersonate users within the compromised organization.

Central to these attacks was the use of the commercial phishing kit 0ktapus, which provided pre-made templates for creating convincing false login portals to steal credentials and MFA codes. Additionally, the kit incorporated a built-in command-and-control (C2) channel via Telegram. In some cases, the threat actors already possessed privileged user passwords or had the capability to manipulate delegated authentication via Active Directory before contacting the targeted company’s IT help desk to request an MFA reset, highlighting the sophistication of their tactics.

Key recommendations to combat cyber risks:

• Implement robust email filtering solutions to detect and block phishing emails before they reach users’ inboxes.
• Educate employees about phishing attacks and encourage them to be cautious when opening email attachments, especially from unknown sources.
• End users, especially with admin rights, must always double-check the URL of a website where they share their login credentials to ensure maximum security.
• Enforce phishing-resistant authentication and enable new devices and suspicious activity end-user notifications.
• Enable Multi-factor Authentication (MFA) for email and critical systems to enhance security.
• Regularly update software and security patches to mitigate vulnerabilities.
• Implement continuous monitoring to detect unusual activities and potential threats.
• Employ advanced endpoint protection solutions to detect and block malicious activities, including the deployment of backdoors and information theft.
• Have an incident response plan in place for quick action if a compromise is detected.
• Stay informed about the latest threat actors, tactics, and vulnerabilities by leveraging threat intelligence sources.