The most recent campaign, uncovered by researchers at Cybereason, targets high-ranking political figures and government officials in Egypt, the Palestinian Territories, Turkey and the UAE, they noted.

Emailed phishing documents are the attack vector, with lures built around current Middle Eastern events: Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and a reported clandestine meeting between the Crown Prince of Saudi Arabia, the U.S. Secretary of State Mike Pompeo and Israeli Prime Minister Benjamin Netanyahu.

"Analysis of the phishing themes and decoy documents used in the social engineering stage of the attacks shows that they revolve mainly around Israel's relations with neighboring Arab countries as well as internal Palestinian current affairs and political controversies," Cybereason researchers noted.

In analyzing the offensive, the researchers uncovered the SharpStage and DropBook backdoors (as well as a new version of a downloader dubbed MoleNet), which are notable for using legitimate cloud services for command-and-control (C2) and other activities. For instance, the DropBook backdoor uses fake Facebook accounts or Simplenote for C2, and both SharpStage and DropBook abuse a Dropbox client to exfiltrate stolen data and to store their espionage tools, according to the analysis, issued Wednesday. Traffic to those services blends in with legitimate use, so detection has to key on which process is talking to them rather than on the destination alone.

Cybereason found that both backdoors have been observed in conjunction with the known MoleRats backdoor Spark, and both have been seen downloading additional payloads, including the open-source Quasar RAT. Quasar RAT is billed as a legitimate remote administration tool for Windows, but it serves malicious purposes just as well: keylogging, eavesdropping, uploading data, downloading code and so on. It has been used by various APTs in the past, including MoleRats and the Chinese-speaking APT10.

The phishing emails arrive with a PDF attachment that carries no exploit or embedded payload and therefore passes scanners, according to Cybereason. When a victim opens it, the PDF tells them the real content must be downloaded as a password-protected archive. Helpfully, the message supplies the password and offers the archive from either Dropbox or Google Drive. Both choices help the attacker: a mail gateway cannot inspect a password-protected archive, and links to reputable cloud storage rarely trip URL-reputation filters.

SharpStage is .NET malware that appears to be under continuous development. The latest version (a third iteration) takes screen captures and checks for the Arabic language on the infected machine so that it does not execute on irrelevant devices, researchers explained. The same check keeps it from running in an analysis sandbox that lacks an Arabic locale. It also embeds a Dropbox client that authenticates with an API token, which it uses to fetch files and exfiltrate data; a token recovered from a sample is also a lead for defenders, since it identifies the account the operators use. SharpStage can execute arbitrary commands from the C2 and, as mentioned, can download and execute additional payloads.

Victims receive a decoy document as part of the infection gambit. Cybereason said that the document contains material purportedly created by the media department of the Popular Front for the Liberation of Palestine (PFLP) describing preparations for the commemoration of the PFLP's 53rd anniversary. "It is unclear whether it is a stolen authentic document or perhaps a document forged by the attackers and made to appear as if it originated from the Front's high-ranking official," according to the report.

DropBook, meanwhile, is a Python backdoor packaged into a standalone executable with PyInstaller. PyInstaller bundles the interpreter and the script's bytecode rather than compiling the script to native code, so the backdoor's Python source is largely recoverable from the binary.

Separately, Dropbox did not reveal how many of its employees fell for a phishing attack it disclosed, but said it took prompt action to rotate all exposed developer credentials and that it alerted law enforcement authorities. It also said it found no evidence that any customer data was stolen as a result of the incident, adding that it is upgrading its two-factor authentication systems to support hardware security keys for phishing resistance.

"Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time," the company concluded. "This is precisely why phishing remains so effective."

The Dropbox notification also comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published guidance on implementing phishing-resistant multi-factor authentication (MFA) to safeguard against phishing and other known cyber threats. "If an organization using mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends using number matching to mitigate MFA fatigue," the agency said. Number matching stops a user from blindly approving a prompt they did not initiate, but a login relayed through a phishing proxy still produces a prompt the user is expecting, which is why CISA treats it as a fallback rather than a substitute for phishing-resistant MFA.
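DropBook being a PyInstaller bundle is a concrete triage handle: PyInstaller terminates the archive it appends to its bootloader with a fixed-format cookie, and finding that cookie tells you the binary carries a Python interpreter and which version, after which the embedded bytecode can be extracted and decompiled. The script below is an added example written for this page, not code from Cybereason or from the malware; the magic value and cookie layout are PyInstaller's own constants (PyInstaller 2.1 and later), and the sample bundle it parses is constructed inside the script rather than taken from any real file.

```python
import struct
import sys

# PyInstaller appends its CArchive to a bootloader and terminates it with an
# 88-byte "cookie". Magic and layout are PyInstaller's own constants
# (PyInstaller 2.1 and later): magic, package length, TOC offset, TOC length,
# Python version encoded as major*100+minor, bundled Python library name.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_LENGTH = struct.calcsize(COOKIE_FORMAT)  # 88


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` holds a PyInstaller bundle, else None."""
    # The cookie is the last thing in the archive, so search from the end;
    # rfind also skips over a stray copy of the magic inside the payload.
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_LENGTH > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_LENGTH]
    )
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{pyver // 100}.{pyver % 100}",
        "pylib_name": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def triage_file(path: str):
    """Read a file from disk and report whether it is a PyInstaller bundle."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a one-file PyInstaller executable, not a real sample."""
    fake_bootloader = b"MZ" + b"\x00" * 126        # stands in for the PE bootloader
    fake_archive = b"PYZ\0" + b"\x11" * 4096       # stands in for the CArchive body
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC,
        len(fake_archive) + COOKIE_LENGTH,          # package length includes the cookie
        3000, 256,                                  # TOC offset / length (arbitrary here)
        309,                                        # Python 3.9
        b"python39.dll",
    )
    return fake_bootloader + fake_archive + cookie


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("no file given; parsing the constructed sample instead")
        print(find_pyinstaller_cookie(build_sample_bundle()))
    for path in targets:
        print(path, triage_file(path) or "not a PyInstaller bundle")
```

Run it with one or more file paths; with no argument it parses the constructed sample. A hit is not a verdict on maliciousness, since plenty of legitimate tools ship as PyInstaller bundles, but it tells you to unpack the archive and read the Python rather than reverse a native binary.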
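The cloud-service abuse described for SharpStage and DropBook (fake Facebook accounts and Simplenote for C2, Dropbox for exfiltration and tool storage) is hard to block at the network layer because the destinations are legitimate and usually allowed; the distinguishing signal is which process is talking to them. The following is an added example, not part of Cybereason's analysis: it runs a simple process-versus-destination rule over constructed proxy/EDR-style JSON log lines. The service hostnames and the allowlisted client paths are assumptions to be tuned per environment.

```python
import json
from collections import Counter

# Hypothetical indicator map built from the report's description: Dropbox for
# exfiltration and tool storage, Facebook and Simplenote for C2. The hostnames
# are the services' public endpoints as assumed here, not IOCs from the report.
SERVICE_BY_HOST = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "graph.facebook.com": "facebook",
    "www.facebook.com": "facebook",
    "app.simplenote.com": "simplenote",
}

# Processes allowed to talk to those services, as full lowercased paths (assumed
# install locations). Matching on basename alone would let a copy of
# dropbox.exe dropped in %TEMP% inherit the allowlist.
EXPECTED_CLIENTS = {
    r"c:\program files (x86)\dropbox\client\dropbox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}

# Dropbox HTTP API paths that move file content in or out of the account.
DROPBOX_UPLOAD_PATHS = ("/2/files/upload", "/2/files/upload_session/")
DROPBOX_DOWNLOAD_PATHS = ("/2/files/download",)


def parse_events(lines):
    """One JSON object per line, in the constructed field layout used below."""
    return [json.loads(line) for line in lines if line.strip()]


def classify(event):
    """Return (severity, reason) for suspicious traffic, or None for expected traffic."""
    service = SERVICE_BY_HOST.get(event["dst_host"].lower())
    if service is None:
        return None
    if event["process"].lower() in EXPECTED_CLIENTS:
        return None
    uri = event.get("uri", "")
    if service == "dropbox" and uri.startswith(DROPBOX_UPLOAD_PATHS):
        return "high", f"upload of {event.get('bytes_out', 0)} bytes to Dropbox from an unexpected process"
    if service == "dropbox" and uri.startswith(DROPBOX_DOWNLOAD_PATHS):
        return "high", "download from Dropbox by an unexpected process (possible tool retrieval)"
    return "medium", f"{service} traffic from a process that is neither a browser nor the official client"


def detect(events):
    """Run classify() over every event and collect alerts."""
    alerts = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            severity, reason = verdict
            alerts.append({"host": ev["host"], "process": ev["process"],
                           "dst_host": ev["dst_host"], "severity": severity,
                           "reason": reason})
    return alerts


def summarize(alerts):
    """Alerts per (host, process) so one implant shows up as one line in triage."""
    return Counter((a["host"], a["process"]) for a in alerts)


# Constructed sample log lines, not real telemetry. The _MEI temp directory in
# the third line is where a one-file PyInstaller executable unpacks itself.
SAMPLE_LOG = r"""
{"ts":"2020-12-09T08:01:02Z","host":"WS-07","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dst_host":"www.facebook.com","uri":"/","bytes_out":812}
{"ts":"2020-12-09T08:02:10Z","host":"WS-07","process":"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe","dst_host":"content.dropboxapi.com","uri":"/2/files/upload","bytes_out":20480}
{"ts":"2020-12-09T08:05:41Z","host":"WS-07","process":"C:\\Users\\amal\\AppData\\Local\\Temp\\_MEI4120\\update.exe","dst_host":"content.dropboxapi.com","uri":"/2/files/upload","bytes_out":5242880}
{"ts":"2020-12-09T08:06:03Z","host":"WS-07","process":"C:\\Users\\amal\\AppData\\Roaming\\Microsoft\\svchost.exe","dst_host":"graph.facebook.com","uri":"/v8.0/me/feed","bytes_out":611}
{"ts":"2020-12-09T08:06:09Z","host":"WS-07","process":"C:\\Users\\amal\\AppData\\Roaming\\Microsoft\\svchost.exe","dst_host":"app.simplenote.com","uri":"/api2/data/note1","bytes_out":540}
{"ts":"2020-12-09T08:07:30Z","host":"WS-07","process":"C:\\Users\\amal\\AppData\\Roaming\\Microsoft\\svchost.exe","dst_host":"content.dropboxapi.com","uri":"/2/files/download","bytes_out":330}
{"ts":"2020-12-09T08:08:00Z","host":"WS-07","process":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","dst_host":"outlook.office365.com","uri":"/mapi/emsmdb/","bytes_out":9120}
"""


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG.splitlines()))
    for alert in found:
        print(alert["severity"].upper(), alert["host"], alert["process"], "->",
              alert["dst_host"], ":", alert["reason"])
    print(summarize(found))
```

The allowlist is deliberately keyed on full paths: a process named svchost.exe or Dropbox.exe in a user-writable directory, as in the sample, must not inherit the trust of the real client. Production rules would also join on the binary's hash and signer, and on the Dropbox account ID where the proxy decrypts TLS.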
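Dropbox's move to hardware security keys and CISA's phishing-resistant MFA guidance rely on the same property of FIDO2/WebAuthn: an assertion is bound to the origin the browser saw and to the relying party ID, so an assertion captured by a phishing proxy cannot be replayed against the real site, unlike a relayed TOTP code or an approved push prompt. The following added example (not Dropbox's or CISA's code) models the browser's part of navigator.credentials.get() and the relying party's binding checks; the domains example.com and login-example.test are placeholders, and signature verification over the returned bytes is left to an elliptic-curve library.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlsplit

# Hypothetical relying party; every domain in this example is a placeholder.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def browser_get_assertion(page_origin: str, requested_rp_id: str, challenge: bytes):
    """Model of the browser's side of navigator.credentials.get().

    Two things the page script cannot influence: the browser writes the page's
    own origin into clientDataJSON, and it refuses an rpId that is not the
    page's host or a parent domain of it (the real rule also consults the
    public-suffix list). Returns (clientDataJSON, authenticatorData).
    """
    host = urlsplit(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("SecurityError: rpId is not valid for this origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode("utf-8")
    flags = 0x01 | 0x04                        # UP (user present) and UV (user verified)
    sign_count = (7).to_bytes(4, "big")
    authenticator_data = rp_id_hash(requested_rp_id) + bytes([flags]) + sign_count
    return client_data, authenticator_data


def verify_binding(client_data: bytes, authenticator_data: bytes, challenge: bytes,
                   expected_origin: str = RP_ORIGIN, rp_id: str = RP_ID) -> bytes:
    """Relying-party checks that make a FIDO2 assertion phishing-resistant.

    Returns authenticatorData || SHA-256(clientDataJSON), the exact bytes the
    authenticator signed; the caller verifies the signature over them with the
    public key registered for the credential. Raises ValueError on any mismatch.
    """
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != challenge:
        raise ValueError("challenge mismatch (stale or replayed)")
    if cd.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    if authenticator_data[:32] != rp_id_hash(rp_id):
        raise ValueError("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:
        raise ValueError("user presence not asserted")
    return authenticator_data + hashlib.sha256(client_data).digest()


def run_demo(phish_origin: str = "https://login-example.test") -> dict:
    """A genuine login next to a real-time phishing proxy relaying the RP's challenge."""
    results = {}
    challenge = secrets.token_bytes(32)

    cd, ad = browser_get_assertion(RP_ORIGIN, RP_ID, challenge)
    results["legit"] = verify_binding(cd, ad, challenge)[:32] == rp_id_hash(RP_ID)

    # The proxy relays the genuine challenge; the phishing page can only ask
    # for its own rpId, and the browser stamps the phishing origin in.
    phish_host = urlsplit(phish_origin).hostname or ""
    cd, ad = browser_get_assertion(phish_origin, phish_host, challenge)
    try:
        verify_binding(cd, ad, challenge)
        results["phish_relay"] = "accepted"
    except ValueError as exc:
        results["phish_relay"] = str(exc)

    # Asking for the real rpId from the phishing origin fails in the browser.
    try:
        browser_get_assertion(phish_origin, RP_ID, challenge)
        results["phish_real_rpid"] = "allowed"
    except PermissionError:
        results["phish_real_rpid"] = "blocked by browser"
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The contrast with the factors CISA ranks lower is in what the proxy receives: a six-digit code or a tapped push approval names no site, so the same relay succeeds; number matching only removes the blind-approval case, since a user who is actually trying to log in through the proxy will type the number they are shown.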