Jun 24 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that doesn’t know what’s more depressing, cybercrime or watching England play football 😭😭😭
Today’s hottest cybersecurity news stories:
👨🏻💼 12 Kaspersky executives sanctioned by U.S. Treasury 🗽
👻 PHANTOM#SPIKE military email scam targets Pakistan 👳🏽♂️
🦪 Oyster backdoor circulates via fake popular downloads 📥
Recent Sanctions Imposed! 🔒
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned 12 senior executives of Kaspersky Lab, following a Commerce Department ban on the Russian company.
Commitment to Cybersecurity Integrity 🖥️🛡️
Official Statement 🔊: "These sanctions highlight our dedication to protecting our cyber domain and citizens from malicious threats," said Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence. "The U.S. will hold accountable those enabling such activities."
Individuals Sanctioned 🧑💼🚫
Executive List 📋⬇️:
Andrei Gennadyevich Tikhonov: Chief Operating Officer (COO) and board member
Daniil Sergeyevich Borshchev: Deputy CEO and board member
Andrei Anatolyevich Efremov: Chief Business Development Officer (CBDO) and board member
Igor Gennadyevich Chekunov: Chief Legal Officer (CLO) and board member
Andrey Petrovich Dukhvalov: Vice President and Director of Future Technologies
Andrei Anatolyevich Suvorov: Head of Kaspersky Operating System Business Unit
Denis Vladimirovich Zenkin: Head of Corporate Communications
Marina Mikhaylovna Alekseeva: Chief Human Resources (HR) Officer
Mikhail Yuryevich Gerber: Executive Vice President of Consumer Business
Anton Mikhaylovich Ivanov: Chief Technology Officer (CTO)
Kirill Aleksandrovich Astrakhan: Executive Vice President for Corporate Business
Anna Vladimirovna Kulashova: Managing Director for Russia and the Commonwealth of Independent States (CIS)
Exclusions from Sanctions ⚠️❌
Clarifications from OFAC 🗂️✍️: The sanctions do not affect Kaspersky Lab, its parent or subsidiary companies, or its founder and CEO, Eugene Kaspersky.
Commerce Department Actions 📅🛑
Ban on Kaspersky Software 🖥️❌: The Commerce Department banned Kaspersky from providing its software and security services in the U.S. starting July 20, 2024, citing national security concerns.
Reactions and Statements 🗣️
Russian Response 💬: Russia called the ban a move to stifle foreign competition with American products. Kaspersky reiterated it has no ties to the Russian government.
Custom Backdoor: PHANTOM#SPIKE Identified by Securonix 🐍
Cybersecurity researchers have uncovered a new phishing campaign targeting individuals in Pakistan using a custom backdoor dubbed PHANTOM#SPIKE. The campaign, detected by Securonix, utilises military-themed phishing documents to initiate the attack.
Attack Methodology 📨💥
"The attackers employed ZIP files with password-protected payloads," noted researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a report shared with The Hacker News. The email attachments claim to be meeting minutes from the International Military-Technical Forum Army 2024, a legitimate event organised by the Russian Ministry of Defense.
Infection Sequence ⚙️📂
The ZIP file contains a Microsoft Compiled HTML Help (CHM) file and a hidden executable ("RuntimeIndexer.exe"). When the CHM file is opened, it displays meeting minutes and images, but covertly executes the bundled binary upon any user interaction with the document.
Remote Access via PHANTOM#SPIKE 🗂️🔗
The backdoor connects to a remote server over TCP, allowing attackers to execute commands on the infected machine. It collects and exfiltrates system information, runs commands like systeminfo and tasklist, retrieves the public IP address using curl with ip-api[.]com, and sets up persistence using schtasks.
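Spotting the chain above from process-creation telemetry, as an added example that is not part of the Securonix report or this newsletter. The events are constructed and every path and PID is made up (only the RuntimeIndexer.exe name comes from the write-up); treating hh.exe as the Windows CHM viewer is an assumption about the default handler. Each rule maps to one stage the article describes, and several distinct rules firing on one host is what separates this chain from an admin who happens to run systeminfo.

```python
"""Triage constructed process-creation events for a PHANTOM#SPIKE-style chain.

Added example, not code from the Securonix report or the newsletter. The
input mirrors process-creation telemetry (Sysmon Event ID 1 or an EDR
equivalent): parent image, image, command line. Sample events are
constructed; paths and PIDs are invented.
"""
from dataclasses import dataclass
import re

# Assumption: Windows opens .chm files with the HTML Help viewer, hh.exe.
CHM_VIEWER = "hh.exe"
RECON_TOOLS = {"systeminfo.exe", "tasklist.exe"}
# Directories an ordinary user can write to; a recon tool or scheduled-task
# action rooted here is far more suspicious than one under C:\Windows.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_chm_spawned_binary(ev: ProcEvent):
    # The CHM shows meeting minutes while launching the bundled executable.
    if _basename(ev.parent_image) == CHM_VIEWER and _basename(ev.image) != CHM_VIEWER:
        return "chm_spawned_binary"


def rule_recon_from_user_dir(ev: ProcEvent):
    # systeminfo/tasklist are normal from an admin shell, not from %TEMP%.
    if _basename(ev.image) in RECON_TOOLS and _in_user_writable(ev.parent_image):
        return "recon_from_user_writable_parent"


def rule_public_ip_lookup(ev: ProcEvent):
    # The backdoor learns its public IP by calling ip-api.com with curl.
    if _basename(ev.image) == "curl.exe" and "ip-api.com" in ev.command_line.lower():
        return "curl_public_ip_lookup"


def rule_schtasks_persistence(ev: ProcEvent):
    # Flag scheduled tasks whose action (/tr) points into a user-writable dir.
    if _basename(ev.image) != "schtasks.exe":
        return None
    cl = ev.command_line.lower()
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cl)
    if "/create" in cl and m and _in_user_writable(m.group(1) or m.group(2)):
        return "schtasks_action_in_user_writable_dir"


RULES = (rule_chm_spawned_binary, rule_recon_from_user_dir,
         rule_public_ip_lookup, rule_schtasks_persistence)


def triage(events):
    """Return (rule_name, pid) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev.pid))
    return hits


def distinct_rules(hits):
    """Several different stages firing on one host is the chain, not noise."""
    return {name for name, _ in hits}


STAGE = r"C:\Users\alice\AppData\Local\Temp\Army2024"  # constructed path
SAMPLE_EVENTS = [  # constructed telemetry
    ProcEvent(1001, r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
              'hh.exe "' + STAGE + r'\Minutes.chm"'),
    ProcEvent(1002, r"C:\Windows\hh.exe", STAGE + r"\RuntimeIndexer.exe",
              STAGE + r"\RuntimeIndexer.exe"),
    ProcEvent(1003, STAGE + r"\RuntimeIndexer.exe", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ProcEvent(1004, STAGE + r"\RuntimeIndexer.exe", r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ProcEvent(1005, STAGE + r"\RuntimeIndexer.exe", r"C:\Windows\System32\curl.exe",
              "curl http://ip-api.com/json"),
    ProcEvent(1006, STAGE + r"\RuntimeIndexer.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Indexer /sc onlogon /tr "' + STAGE + r'\RuntimeIndexer.exe"'),
    # Benign look-alikes that should stay quiet:
    ProcEvent(1007, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Backup /sc daily /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(1008, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
]

if __name__ == "__main__":
    for name, pid in triage(SAMPLE_EVENTS):
        print(f"{pid}: {name}")
    print("stages observed:", sorted(distinct_rules(triage(SAMPLE_EVENTS))))
```

Run on the constructed sample, the five malicious events each trip exactly one rule and the two benign ones stay silent; four distinct stages on one host is the signal worth paging on, whereas a lone systeminfo from cmd.exe is not.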
Security Researcher Insight 🔬🛡️
"This backdoor operates as a command line-based remote access trojan (RAT)," the researchers explained. "It grants the attacker persistent, covert access to the infected system, enabling data theft and the execution of additional malware payloads."
Conclusion 📈🛡️
This campaign highlights the persistent threat of phishing attacks using simple yet effective methods. Vigilance and robust cybersecurity measures are essential to protect against such covert operations.
Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩💻🌐
Rest assured, the process is very straightforward.
You simply:
🆕 Sign Up & Create Campaign
📊 Define your audience, budget, and message to captivate your audience.
🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯
🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦
Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉
A malvertising campaign has been uncovered, leveraging trojanized installers for popular software like Google Chrome and Microsoft Teams to deploy a backdoor named Oyster (also known as Broomstick and CleanUpLoader).
Campaign Details 📋
Malicious Setup: Lookalike websites host trojanized installers that users are redirected to via search engines such as Google and Bing.
Fake Downloads: Unsuspecting users are lured into downloading what appears to be legitimate software, initiating a malware infection chain instead.
Malware Payload: The executable serves as a pathway for the Oyster backdoor, which:
Gathers information about the compromised host
Communicates with a hard-coded command-and-control (C2) server
Supports remote code execution
Attack Chain 🚨
Previous Observations: Oyster was delivered via a loader known as Broomstick Loader.
Current Tactics: The latest attacks involve direct deployment of the Oyster backdoor.
Associated Group: Linked to ITG23, a Russia-linked group known for the TrickBot malware.
Additional Observations 🧩
Legitimate Software Installation: To avoid suspicion, the malware instals legitimate Microsoft Teams software post-execution.
Persistence Mechanism: The malware spawns a PowerShell script to establish persistence on the infected system.
Related Threats and Campaigns ⚠️
Rogue Raticate (RATicate): An email phishing campaign using PDF decoys to deliver NetSupport RAT.
Phishing-as-a-Service (PhaaS): Emergence of ONNX Store, a platform using QR codes in PDF attachments for credential harvesting.
Key Features:
Offers bulletproof hosting and RDP services via a Telegram bot
Bypasses 2FA using Cloudflare's anti-bot mechanisms and encrypted JavaScript
Mimics Microsoft 365 login pages to steal authentication details
Conclusion 🛡️
The discovery of this malvertising campaign underscores the persistent threat posed by cybercriminals leveraging popular software to deploy sophisticated malware. Vigilance and robust cybersecurity measures are essential to mitigate such threats.
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!