| Category | Details |
|---|---|
| Threat Actors | Unknown actor targeting Facebook business and advertising account users in Taiwan. |
| Campaign Overview | – Active since at least July 2024. – Phishing emails impersonate legal departments of well-known companies. – Decoy emails claim copyright infringement to lure victims. |
| Target Regions (or Victims) | – Primary: Taiwan – Targeting Facebook users managing business/advertising accounts. – Focused on Traditional Chinese speakers. |
| Methodology | – Phishing emails with malware download links. – Use of fake PDF executables disguised as legitimate files. – Leveraged Google Appspot, short URLs, and Dropbox for malware delivery. – Obfuscation and file size inflation to evade detection. |
| Product Targeted | Facebook business/advertising accounts. |
| Malware Reference | LummaC2 and Rhadamanthys information stealers. |
| Tools Used | – Legitimate binaries: iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, PrivacyEraser. – APIs like CreateFileMappingA, VirtualAllocate. |
| Vulnerabilities Exploited | No specific vulnerabilities exploited; campaign relied on social engineering and delivery techniques to bypass defenses. |
| TTPs | – Use of encrypted archives requiring passwords. – Embedding malware into legitimate binaries. – Utilizing cloud platforms like Appspot.com for delivery. – Obfuscation, encryption, and shellcode memory mapping. |
| Attribution | No conclusive attribution; some connections to Vietnamese-language metadata, though evidence is insufficient. |
| Recommendations | – Educate users on phishing tactics and verify legal notices. – Implement advanced email filters to detect phishing. – Monitor unusual activity in file systems and network traffic. – Use updated security tools capable of identifying LummaC2 and Rhadamanthys. |
| Source | Cisco Talos Blog |
Read full article: https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/
Disclaimer: The above summary has been generated by an AI language model
Leave a Reply