
Ankura CTIX FLASH Update - December 16, 2022

Ransomware/Malware Activity


New Meta-Phish Campaign Utilizing Facebook Copyright Violation Lures 

A new phishing campaign dubbed "Meta-Phish" has been identified by Trustwave researchers. It uses Facebook posts in its attack chain to trick victims into handing over personally identifiable information (PII), account credentials, and Facebook profile links to the actor responsible. The chain begins with a phishing email disguised as a corporate violation notification, which claims that access to the victim's account will be lost if no objection is made within forty-eight (48) hours of receiving the notice. The email links to a legitimate-looking webpage that uses a "Page Support" profile to display the fraudulent post. The user is then prompted to file an appeal through a crafted phishing page that mimics the real Facebook copyright appeal page. Researchers noted that the three observed domains all appeared to be online as of December 15, 2022. The phishing page's fields include full name, login email address, phone number, Facebook page name, and additional info. Upon submission, the campaign also captures the victim's IP address and geolocation information, and all collected data is exfiltrated to the actor's Telegram account. The victim is then redirected to a further phishing page that displays a fake six (6) digit one-time password request with a timer. Any combination of numbers results in an error, and if the "Need another way to authenticate?" or "Get Code" options are clicked, the victim is redirected to the legitimate Facebook website, which requires them to log in. Researchers emphasized that numerous inauthentic accounts on the platform are currently used in social engineering campaigns, and that threat actors will continue to innovate to bypass security controls and filters on social media platforms.
CTIX analysts will continue to monitor phishing campaigns that utilize social media. Indicators of compromise (IOCs) for the Meta-Phish campaign can be viewed in Trustwave's report linked below.


Threat Actor Activity


Shift In Tactics Shows More Aggressive Side of TA453

A notorious threat organization has begun shifting its social engineering and overall tactics, becoming more aggressive towards victims of its phishing campaigns. The group, tracked as TA453 (sharing TTPs with APT42, Charming Kitten, and PHOSPHORUS), often launches extensive social engineering operations targeting journalists, human rights activists, academics, diplomats, and others. Historically, TA453 structured its attacks around the targeted victim, establishing a rapport between threat actor and victim to increase the chance of engagement and successful malware delivery. Some subgroups of TA453 would converse with the victim for days to weeks at a time before eventually delivering a malicious link intended to harvest the victim's credentials by various means. Other subgroups behaved like most social engineering-driven threat groups, sending the malicious link outright and hoping the victim clicked on the embedded content. In recent campaigns, TA453 actors have become more aggressive against their victims. After compromising multiple email accounts, including those of several high-ranking military officials, the threat actors spear-phished a single victim with a harsh email. Translated from Hebrew, the email reads: "I'm sure you remember what I told you. Every email you get from your friends may be me and not someone who it claims. We follow you like your shadow, in [REDACTED]… Take care of yourself". Given this dramatic shift in tactics, researchers indicate it could be an intimidation tactic formed between TA453 and hostile Iranian state-aligned operations. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.


Vulnerabilities


Microsoft Patch Tuesday Fixes Actively Exploited Windows MoTW Bypass Vulnerability Used to Deliver Magniber and Qbot Payloads

The December 2022 Microsoft Patch Tuesday update fixed seventy-four (74) vulnerabilities, seven (7) of them deemed critical. Among the critical vulnerabilities patched, one (1) is a zero-day that has been actively exploited in the wild to deliver malware. The flaw, tracked as CVE-2022-44698, is a Windows SmartScreen security feature bypass vulnerability that threat actors are exploiting to deliver Magniber ransomware and the Qbot banking trojan and malware dropper to victim machines. Specifically, the vulnerability impacts the Windows Mark of the Web (MoTW) feature, a defense mechanism that protects users against executing malicious links or files by adding a zone identifier (aka MoTW) to downloaded files as an NTFS alternate data stream. The mark itself is a hidden flag that the operating system attaches to files downloaded from the Internet. Files that carry the MoTW flag are automatically restricted, and a text prompt informs the user that they should ensure the artifact is not malicious before interacting with it. Threat actors facilitated these attacks with specially crafted malicious JavaScript files signed using a malformed signature. The files have been observed hosted on actor-controlled websites, embedded within phishing emails, and placed on compromised websites. They are designed to evade the MoTW defenses by causing a SmartScreen error, which allows the files to execute without warning regardless of the flag. If properly exploited, this vulnerability could allow attackers to execute arbitrary code on the victim machine. CTIX analysts recommend that Windows administrators ensure that the entirety of their infrastructure has been updated with the latest patch, or have a plan in place to systematically patch their infrastructure in the near future.
Multiple Windows MoTW bypass vulnerabilities have been actively exploited this year, indicating that the feature is an increasingly popular target that may harbor further zero-day flaws.
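As an added illustration of the mechanism described above (this is example code written for this update, not code from Microsoft, Ankura or any vendor report), the following Python parses the text of a Zone.Identifier alternate data stream, the NTFS stream in which Windows stores the Mark of the Web, and flags script-type files whose mark says they came from the Internet or Restricted zone. It assumes the documented stream format (an INI-style `[ZoneTransfer]` section carrying `ZoneId` and optionally `ReferrerUrl` and `HostUrl`) and the standard URL security zone numbering (3 = Internet, 4 = Restricted sites). The `read_zone_identifier` helper opens the stream as `<path>:Zone.Identifier`, which only works on NTFS under Windows; the sample stream contents are constructed for the demonstration. An inventory like this does not replace the December patch, since CVE-2022-44698 is about files that are marked yet still run unwarned; it simply surfaces the marked script files an administrator may want to review.

```python
"""Parse Windows Zone.Identifier (Mark of the Web) streams and flag marked script files.

Added example; assumes the documented [ZoneTransfer] stream layout and the
standard zone numbering. Sample streams below are constructed, not captured.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# URL security zone numbers as used in the ZoneId key (assumed standard values).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Extensions handled by Windows script hosts; the campaign above abused .js files.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")


def parse_zone_identifier(text: str) -> Optional[ZoneIdentifier]:
    """Parse the contents of a Zone.Identifier stream.

    Returns None when there is no [ZoneTransfer] section or no usable ZoneId,
    which is how an unmarked (or malformed) stream should be treated.
    """
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue  # keys outside [ZoneTransfer] are ignored
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if "zoneid" not in values:
        return None
    try:
        zone_id = int(values["zoneid"])
    except ValueError:
        return None
    return ZoneIdentifier(zone_id, values.get("referrerurl"), values.get("hosturl"))


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Read the mark from an NTFS file (Windows only). None if the file has no stream."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def is_internet_script(filename: str, mark: Optional[ZoneIdentifier]) -> bool:
    """True when a script-type file carries a mark from the Internet or Restricted zone."""
    ext = os.path.splitext(filename)[1].lower()
    return mark is not None and mark.zone_id >= 3 and ext in SCRIPT_EXTENSIONS


# Constructed sample streams keyed by file name (not real captures).
SAMPLE_STREAMS: Dict[str, str] = {
    "invoice.js": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
                  "HostUrl=https://example.test/invoice.js\r\n",
    "notes.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",   # Internet zone, but not a script
    "tool.ps1": "[ZoneTransfer]\r\nZoneId=1\r\n",    # script, but from the intranet zone
    "local.vbs": "",                                 # never marked: no stream content
}


def triage_samples(samples: Dict[str, str]) -> List[str]:
    """Return the names of marked script files that came from the Internet/Restricted zones."""
    return sorted(name for name, text in samples.items()
                  if is_internet_script(name, parse_zone_identifier(text)))


if __name__ == "__main__":
    for name, text in SAMPLE_STREAMS.items():
        mark = parse_zone_identifier(text)
        label = mark.zone_name if mark else "no mark"
        print(f"{name:12s} {label:18s} flagged={is_internet_script(name, mark)}")
```

On a live Windows host, `read_zone_identifier` can be pointed at files in download and mail attachment folders and fed into `is_internet_script`; the same parser applies to streams collected by forensic tooling from a disk image.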


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
