CyberSecurity updates
2025-01-31 03:53:13 Pacific

TorNet Backdoor Spreads Via Phishing Campaign - 3h

A new TorNet backdoor has been discovered being distributed in an ongoing phishing campaign that uses PureCrypter malware to drop further payloads. The campaign primarily targets users in Poland and Germany and delivers a range of payloads, including Agent Tesla, Snake Keylogger and the new TorNet backdoor. The use of a loader to stage a previously unknown backdoor alongside commodity stealers marks a notable shift in how this campaign distributes malware, and underlines the need for stronger anti-phishing controls and for detection that does not depend on prior knowledge of the final payload.

New Phishing Kit Bypasses Microsoft 365 2FA - 12d

A new ‘Sneaky 2FA’ phishing kit is targeting Microsoft 365 accounts, using a sophisticated Adversary-in-the-Middle technique to bypass 2FA. This kit utilizes compromised WordPress sites and other domains to host phishing pages, collecting credentials and 2FA codes. The kit has been linked to the W3LL Panel OV6 phishing kit, indicating a larger threat landscape for Microsoft 365 users. The phishing method is capable of intercepting user credentials and session cookies.

Fake Job Offers Distribute CrowdStrike Cryptominer - 19d

Cybercriminals are using fake job offers with the CrowdStrike brand to distribute a cryptominer, specifically XMRig. This is a social engineering scam where malicious actors pose as legitimate recruiters to trick job seekers into downloading malware.

MS365 Exploited in PayPal Phishing Scheme - 19d

A sophisticated phishing campaign is exploiting Microsoft 365 to target PayPal users. Attackers register free Microsoft 365 test domains to create distribution lists for sending authentic-looking PayPal money requests. This method bypasses traditional email protections, increasing the scam’s success rate. The technique leverages genuine PayPal features to deceive victims into revealing their credentials. This is not a new vulnerability, but it is a new use of the legitimate feature.

FlowerStorm platform targets Microsoft 365 accounts - 9d

A new Microsoft 365 phishing-as-a-service platform called ‘FlowerStorm’ has emerged, filling the gap left by the shutdown of the Rockstar2FA cybercrime service. FlowerStorm is a sophisticated service which allows threat actors to create and deploy phishing campaigns specifically targeting Microsoft 365 accounts. This activity shows a clear increase in targeted phishing campaigns aimed at Microsoft users, which could lead to account compromise, data breaches and other associated risks. The sophisticated platform allows threat actors to automate much of the phishing process, increasing their efficiency and reach. This demonstrates the ease with which cybercriminals can set up and deploy complex phishing schemes.

Phishing Attack Compromises Azure Accounts - 11d

A sophisticated phishing campaign has compromised approximately 20,000 Microsoft Azure accounts in Europe, primarily targeting manufacturing companies. The attackers used HubSpot’s Free Form Builder to create deceptive forms and DocuSign files, which were used in phishing emails to steal Microsoft Azure login credentials. This operation spanned from June to September 2024 and mainly affected firms in the automotive, chemical, and industrial sectors in Germany and the UK. The attackers aimed for long-term presence in the Azure cloud environments.

Cloudflare Developer Domains Abused for Cyber Attacks - 26d

Cybercriminals are exploiting Cloudflare Pages (.dev) and Workers (.dev) domains for phishing and other attacks, relying on Cloudflare’s trusted reputation to raise the success rate of their lures. These platforms are being misused to host phishing pages, other malicious web content, and targeted email lists. The activity highlights the broader risk of attackers abusing legitimate, well-reputed services that are unlikely to be blocked outright.

Rockstar 2FA Phishing-as-a-Service Platform Targets Microsoft 365 - 1d

This cluster focuses on the emergence of a new phishing-as-a-service (PhaaS) platform called ‘Rockstar 2FA’. It facilitates large-scale adversary-in-the-middle (AiTM) attacks, primarily targeting Microsoft 365 credentials. This highlights the ongoing threat of credential theft and the increasing sophistication of phishing attacks, emphasizing the importance of robust multi-factor authentication (MFA) and security awareness training.

Malicious QR Codes Distributed via Email and Snail Mail - 13d

Threat actors are distributing malicious QR codes through various channels, including email attachments and physical mail. These QR codes lead to malicious applications designed to steal login credentials and other sensitive information. Security analysts are struggling to counter these attacks, while some email security vendors are employing overly aggressive flagging mechanisms that hinder legitimate communications.