Summary:

As the holiday season approaches, threat actors are exploiting people’s desires for deals and bonuses through malware and phishing campaigns. Recent activities include credential phishing and employment fraud, targeting individuals with deceptive messages. #HolidayScams #Phishing #CyberSecurity

Keypoints :

Increased malware and phishing campaigns during the holiday season.…

### #APTThreats #IntelligenceGathering #MalwareAnalysis

Summary: Proofpoint’s research reveals that the advanced persistent threat (APT) group TA397 targeted a Turkish defense organization using sophisticated spearphishing tactics and malware delivery methods. The attack involved the use of RAR archives and NTFS alternate data streams to deploy WmRAT and MiyaRAT malware for intelligence collection.…

Summary: The cybersecurity landscape is rapidly evolving as threat actors leverage artificial intelligence to enhance their attack strategies, targeting both individual consumers and organizations. With the rise of generative AI and the complexities of digital identity management, security teams must prioritize robust data protection measures. Predictions for 2025 highlight the increasing sophistication of cyber threats, the importance of AI in business processes, and the evolving role of CISOs in navigating these challenges.…

Summary:

Proofpoint researchers have identified a rise in the ClickFix social engineering technique, which deceives users into executing malicious PowerShell commands by displaying fake error messages. This method has been observed across various threat actors and campaigns, leading to the distribution of multiple malware types.

Keypoints:

ClickFix is a social engineering technique that tricks users into running malicious PowerShell commands.…

Short Summary:

Proofpoint has reported a rise in cryptocurrency fraud involving job scams that impersonate reputable organizations. This new tactic, which is a shift from traditional Pig Butchering scams, targets users with enticing job offers, often through social media and messaging platforms. The fraudsters exploit brand recognition and employ psychological manipulation to convince victims to invest money into fake job platforms, leading to significant financial losses.…

Short Summary: Proofpoint researchers uncovered a campaign impersonating Royal Mail to distribute Prince ransomware, a variant available on GitHub. The campaign, which occurred in mid-September, targeted individuals in the UK and the U.S. and utilized public contact forms for delivery. The ransomware is destructive, lacking decryption mechanisms or data exfiltration capabilities.…

Short Summary: Proofpoint researchers are monitoring a cluster of cyber activities targeting transportation and logistics companies in North America. The attacks involve compromised email accounts to deliver various malware payloads, including Lumma Stealer, StealC, and DanaBot, using social engineering tactics to make messages appear legitimate.

Key Points: Targeting transportation and logistics companies in North America.…

Short Summary:

Proofpoint researchers uncovered a sophisticated malware campaign named “Voldemort,” which targets organizations globally by impersonating tax authorities. The campaign employs unique techniques, including the use of Google Sheets for command and control, and is assessed to be espionage-oriented rather than financially motivated.

Key Points:

Campaign named “Voldemort” identified by Proofpoint researchers.…

Short Summary:

Proofpoint has identified the Iranian threat actor TA453 targeting a prominent religious figure through a fake podcast invitation. The attack involved a multi-stage process to deliver a new malware toolkit called BlackSmith, which includes a PowerShell trojan named AnvilEcho. This malware is designed for intelligence gathering and exfiltration, consolidating previous capabilities into a single script.…


Key Findings

- In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers’ email infrastructure by sending spam from Microsoft 365 tenants.
- All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity.
- The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow.
- To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.
- Any email infrastructure that offers this email routing configuration feature can be abused by spammers.
- Proofpoint Essentials customers are not affected, as configuration settings are already set that prevent unauthorized relay abuse.
- This issue did not expose any Proofpoint customer data, and no customer experienced any data loss as a result.
- We are sharing what we know about these campaigns to help others mitigate this issue and prevent further unauthorized abuse, as it is not unique to Proofpoint.

Abusing an Outbound Email Relay Configuration to Conduct Spam Campaigns

In March 2024, Proofpoint observed spam campaigns being relayed from Microsoft 365 tenants through several Proofpoint enterprise customers’ email infrastructures, targeting users of free email providers such as Yahoo, Gmail, and GMX.…


Key findings

Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. Researchers observed TA571 and the ClearFake activity cluster use this technique. Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk.…


What happened

Proofpoint recently identified a fraudulent website purporting to sell tickets to the Paris 2024 Summer Olympic Games. The website “paris24tickets[.]com” claimed to be a “secondary marketplace for sports and live events tickets.” It was notably listed as the second sponsored search result on Google, after the official website, when searching for “Paris 2024 tickets,” and related searches.…


What happened

Proofpoint recently identified a cluster of activity conducting malicious email campaigns using piano-themed messages to lure people into advance fee fraud (AFF) scams. The campaigns have occurred since at least January 2024, and are ongoing. Most of the messages target students and faculty at colleges and universities in North America, however other targeting of industries including healthcare and food and beverage services was also observed.…


What happened

Proofpoint recently identified a SugarGh0st RAT campaign targeting organizations in the United States involved in artificial intelligence efforts, including those in academia, private industry, and government service. Proofpoint tracks the cluster responsible for this activity as UNK_SweetSpecter.

SugarGh0st RAT is a remote access trojan, and is a customized variant of Gh0stRAT, an older commodity trojan typically used by Chinese-speaking threat actors.…


What happened

Beginning April 24, 2024 and continuing daily for about a week, Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware. This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes.…


April 16, 2024

Greg Lesnewich, Crista Giering, and the Proofpoint Threat Research Team

Key takeaways

- TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime.
- In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor.…