Phishing Campaign Using Over Two Hundred Typosquatted Domains to Impersonate Twenty-Seven Brands
A mass phishing campaign has recently been identified that is utilizing approximately 200 typosquatted domains. Through this campaign, the threat actor responsible intends to have victims download various Android and Windows malware. Cyble researchers discovered that the domains are being disguised as popular Android application stores and download portals for multiple platforms, utilizing six (6) typosquatted domains. This portion of the phishing campaign is focused on deploying "ERMAC", a banking trojan that targets banking accounts and cryptocurrency wallets. BleepingComputer identified a larger portion of the campaign that involves over ninety (90) domains impersonating twenty-seven (27) brands including Google Play, PayPal, Microsoft Visual Studio, TikTok, Notepad++, MetaMask, and more. This portion of the campaign focuses on distributing Windows malware, pushing Android malware, and exfiltrating cryptocurrency recovery keys. Additional malware seen by researchers includes the Vidar Stealer information-stealing malware and the Agent Tesla keylogger and remote access trojan (RAT). The majority of the identified domains are clones of the legitimate websites they impersonate. Users could be led to these malicious sites by mistyping the domain, as well as through phishing emails, SMS messages, or social media/forum postings. Examples of the typosquatted domains as well as indicators of compromise (IOCs) can be reviewed in Cyble's report linked below.
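One way a defender can surface lookalike domains of this kind in DNS or proxy logs, shown as an added example that is not taken from the Cyble or BleepingComputer reports. The brand allowlist, the observed domains (on the reserved `.example` TLD), the distance thresholds and all function names are assumptions made for illustration.

```python
# Added example. Brand allowlist and observed domains are constructed sample
# data (".example" is a reserved TLD); none are IOCs from the Cyble report.
LEGIT = {"paypal": "paypal.com", "tiktok": "tiktok.com", "metamask": "metamask.io"}
OBSERVED = ["www.paypal.com", "payapl.example", "tikt0k.example",
            "metamassk.example", "metamask.example", "weather.example"]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable_label(domain):
    """Label left of the final dot. Assumes a single-label TLD; a production
    version would consult the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_typosquats(observed, legit=LEGIT):
    """Return (domain, brand, distance) for lookalikes of a protected brand."""
    hits = []
    for domain in observed:
        name = domain.lower().rstrip(".")
        label = registrable_label(name)
        for brand, real in legit.items():
            if name == real or name.endswith("." + real):
                continue  # the brand's own domain or a subdomain of it
            limit = 1 if len(brand) < 8 else 2  # tighter for short names
            dist = osa_distance(label, brand)
            if dist <= limit:
                hits.append((domain, brand, dist))
    return hits

if __name__ == "__main__":
    for domain, brand, dist in find_typosquats(OBSERVED):
        print(f"{domain}: resembles {brand} (distance {dist})")
```

A distance of 0 on a domain outside the allowlist means the brand name was registered under a different TLD, which is reported alongside the near misses.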
Threat Actor Activity
CISA Warning: Daixin Team
In a recent alert by the Cybersecurity & Infrastructure Security Agency (CISA), authorities warn that Daixin threat actors are actively targeting the United States healthcare industry with devastating ransomware attacks. The Daixin Team is an evolving ransomware and data extortion group that has been targeting the healthcare sector since June 2022. Data exfiltrated from their ransomware operations includes personally identifiable information (PII) and patient health information (PHI), both of which are commonly used as leverage if the victim doesn’t pay the demanded ransom. In previous cases, Daixin threat actors gained access through vulnerable VPN servers by utilizing phished login credentials. Once inside the victim network, threat actors deployed several web shells and scripts to perform credential harvesting, followed by accessing the vCenter Server and resetting all user credentials. Analysis of Daixin ransomware attacks has shown that these threat actors utilize a similar source code structure to that of Babuk Locker. CTIX will continue to monitor threat actor activity worldwide and provide additional updates accordingly.
Apple Patches Critical iOS and iPad Zero-day Vulnerability
Apple has patched a new critical zero-day vulnerability affecting iPhones and iPads that is being actively exploited in the wild. The flaw, tracked as CVE-2022-42827, is described as an out-of-bounds write vulnerability, which is caused when software writes data outside of the limits of the intended buffer, or to an invalid memory location. If exploited by threat actors, the write operation could lead to the corruption of sensitive information, the crashing of applications or the system itself, and code execution with kernel privileges on the vulnerable device. Although the vulnerability is under active attack, Apple has yet to release the technical details of the flaw in order to allow as many of their customers as possible to patch their vulnerable iOS devices. This is zero-day number nine (9) for Apple this year, and CTIX analysts recommend all customers who use the affected devices upgrade to the latest security update. If further technical details or a proof-of-concept exploit are published, an update to this piece may be released in a future FLASH update.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.