CyberSecurity news

FlagThis - #spearphishing

@www.microsoft.com //
Russian threat actor Star Blizzard has been identified using a new spear-phishing campaign targeting WhatsApp accounts. This tactic marks a departure from their previous methods, which primarily involved sending spear-phishing emails with malicious links. Now, the group sends messages prompting targets to join WhatsApp groups, where their credentials can be harvested. The change in tactics is likely an attempt to evade detection after their previous methods and infrastructure were exposed, including the seizure of over 180 domains used by the group for phishing attacks in 2023 and 2024.

This campaign, which appears to have concluded at the end of November 2024, primarily focused on individuals within government, diplomacy, defense policy, and international relations, including researchers focusing on Russia and those providing assistance to Ukraine. The spear-phishing emails often pose as communications from a U.S. government official and contain a QR code leading to the compromised WhatsApp group. This shift in strategy highlights the group's adaptability and their continued efforts to gather intelligence through sophisticated social engineering.

References:
  • Metacurity: Microsoft says that Russia's Star Blizzard sent spearphishing messages to journalists, think tanks, and NGOs asking them to join a WhatsApp group.
  • The Hacker News: Russian Star Blizzard Shifts Tactics to Exploit WhatsApp QR Codes for Credential Harvesting
  • www.microsoft.com: The campaign highlights the evolving nature of cyber threats, necessitating constant adaptation of security measures to counter such targeted attacks.
  • gbhackers.com: GBHackers reports on Star Blizzard exploiting WhatsApp accounts.
  • The Register - Security: Russia's Star Blizzard phishing crew caught targeting WhatsApp accounts
  • The Cyber Express: Russian Star Blizzard is Now After Your WhatsApp Data
  • ciso2ciso.com: Russian Cyberspies Caught Spear-Phishing with QR Codes, WhatsApp Groups – Source: www.securityweek.com
  • gbhackers.com: Russian Threat Actor “Star Blizzard” Exploit WhatsApp Accounts Using QR Codes
  • Threats | CyberScoop: Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp
  • securityaffairs.com: Security Affairs reports on Russia-linked APT Star Blizzard targeting WhatsApp accounts.
  • malware.news: WhatsApp spear phishing campaign uses QR codes to add device
  • Malwarebytes: This campaign, dubbed Star Blizzard by Microsoft, shifts from previous tactics focused on malicious links to QR codes, aiming to establish initial rapport before launching attacks.
  • www.cybersecurity-insiders.com: Cybersecurity Insiders article on Microsoft exposing the Star Blizzard campaign.
  • BleepingComputer: Russian nation-state actor Star Blizzard has been running a new spear-phishing campaign to compromise WhatsApp accounts of targets in government, diplomacy, defense policy, international relations, and Ukraine aid organizations.
  • bsky.app: Researchers expose the Russian-linked Star Blizzard threat actor's attempt to compromise WhatsApp accounts.
  • www.cybersecurity-insiders.com: Microsoft security researchers detail a new spear-phishing campaign run by the Russian threat group Star Blizzard targeting WhatsApp accounts.
  • Microsoft Security Blog: Microsoft threat intelligence uncovered the spear-phishing campaign, detailing the tactics and targets.
  • BleepingComputer: Russian threat actor Star Blizzard uses malicious QR codes to compromise WhatsApp accounts.
  • www.bleepingcomputer.com: Russian group Star Blizzard using fake WhatsApp invites to target government officials and Ukraine supporters.
  • securityonline.info: Star Blizzard Shifts Tactics: Spear-Phishing Campaign Targets WhatsApp Accounts
  • Security Affairs: Russia-linked APT Star Blizzard targets WhatsApp accounts
  • www.helpnetsecurity.com: How Russian hackers went after NGOs’ WhatsApp accounts
  • bsky.app: Russian nation-state actor Star Blizzard has been running a new spear-phishing campaign to compromise WhatsApp accounts of targets in government, diplomacy, defense policy, international relations, and Ukraine aid organizations.
  • securityonline.info: The Russian threat actor known as Star Blizzard is deploying spear phishing campaigns to access the WhatsApp accounts of high-profile targets.
  • Techzine Global: Star Blizzard hackers abuse WhatsApp against diplomats
  • socradar.io: New spear phishing campaign by the Russian threat actor Star Blizzard (a.k.a. UNC4057, Callisto, and ColdRiver).
Classification:
  • HashTags: #StarBlizzard #WhatsAppPhishing #SpearPhishing
  • Company: Microsoft
  • Target: Government, diplomacy, defense, and international relations
  • Attacker: Star Blizzard
  • Product: WhatsApp
  • Feature: spear phishing
  • Type: Espionage
  • Severity: Medium
@securityonline.info //
Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have issued a warning about a prolonged cyber-attack campaign against organizations, businesses, and individuals in Japan since 2019. The attacks are attributed to the Chinese cyber espionage group known as MirrorFace, also called Earth Kasha, which is believed to be a subgroup of APT10. This group aims to steal sensitive information related to Japan’s national security and advanced technologies. The group has been seen targeting a wide range of sectors, including government bodies, defense, aerospace, semiconductor, communications, research organizations and the media.

MirrorFace has conducted several campaigns, including spear-phishing emails with malware attachments, exploiting VPN vulnerabilities, and using advanced techniques like abusing Windows Sandbox for malware execution and leveraging Visual Studio Code's development tunnels for stealthy remote control. The group deploys tools such as LODEINFO, ANEL, LilimRAT, NOOPDOOR and Cobalt Strike Beacon. The NPA has linked MirrorFace to over 200 cyber incidents in the past five years. Authorities have raised concerns about the sophisticated techniques and the focus on infiltrating Japanese national security and advanced technology sectors, and are working to mitigate the risks.

References:
  • National Police Agency (Japan) (Japanese language): The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity have assessed that a cyber attack campaign against organizations, businesses and individuals in Japan from around 2019 to the present has been carried out by a cyber attack group called "MirrorFace" (also known as "Earth Kasha").
  • securityonline.info: MirrorFace: Unmasking the Chinese Cyber Espionage Group Targeting Japan
  • ciso2ciso.com: Japan Faces Prolonged Cyber-Attacks Linked to China’s MirrorFace – Source: www.infosecurity-magazine.com
  • The Hacker News: MirrorFace Leverages ANEL and NOOPDOOR in Multi-Year Cyberattacks on Japan
  • ciso2ciso.com: Japanese police claim China ran five-year cyberattack campaign targeting local orgs – Source: go.theregister.com
  • www.npa.go.jp: National Police Agency (Japan) advisory (Japanese language).
  • Techmeme: Japan says Chinese hacking group MirrorFace is linked to 200+ cyberattacks from 2019 to 2024 targeting the country's national security and advanced tech data (Mari Yamaguchi/Associated Press)
  • ciso2ciso.com: Chinese APT Group Is Ransacking Japan’s Secrets – Source: www.darkreading.com
  • www.scworld.com: Years-long hacking spree against Japan linked to Chinese hackers
  • Pyrzout :vm:: Japanese police claim China ran five-year cyberattack campaign targeting local orgs
  • Latest from TechRadar: Japan says Chinese hackers have launched hundreds of attacks against targets in the country | Hacking group ‘MirrorFace’ accused of hitting dozens of targets
  • securityaffairs.com: Japanese authorities attribute a cyber-espionage campaign targeting the country to the China-linked APT group MirrorFace.
Classification:
  • HashTags: #MirrorFace #CyberEspionage #ChinaAPT
  • Company: Japanese Government
  • Target: Japan
  • Attacker: MirrorFace
  • Feature: Cyber Espionage
  • Malware: ANEL, NOOPDOOR
  • Type: Espionage
  • Severity: Major
@Proofpoint Threat Insight //
The Bitter APT group, also known as TA397, is actively targeting the Turkish defense sector using sophisticated spearphishing techniques. Proofpoint researchers have uncovered an attack chain utilizing RAR archives containing hidden Alternate Data Streams (ADS). These streams conceal malicious LNK files that, when executed, create scheduled tasks to download the WmRAT and MiyaRAT malware. The attack used a lure about infrastructure projects in Madagascar to entice victims to open the malicious files. The use of NTFS ADS, a file-system feature that lets additional named data streams be attached to a file without showing up in an ordinary directory listing, is a key tactic employed by Bitter to conceal its malicious payloads.

This campaign highlights the group's focus on espionage, leveraging the RAT capabilities of WmRAT and MiyaRAT to collect host information, upload/download files, and take screenshots. Bitter, a suspected South Asian cyber espionage threat group, has a history of targeting entities in Asia and has been linked to other malware deployments, demonstrating their persistent and evolving threat capabilities. This latest attack campaign underscores the group's ability to adapt and utilize advanced techniques to compromise target systems. The researchers have tracked this group under various names including APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali, indicating its long history of activity.
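A defender reading the summary above will want a quick way to check whether files in a download or extraction folder carry alternate data streams that should not be there. The script below is an added example, not code from the Proofpoint report or from the authors of this page: it walks a folder on an NTFS volume, lists every stream attached to each file, skips the two streams ordinary files are expected to have (the primary `:$DATA` stream and the browser-added `Zone.Identifier` mark), and flags any remaining stream whose first four bytes match the Windows shortcut header, the pattern described in the article. The `$Root` default is a placeholder path, and the `-AsByteStream` / `-Encoding Byte` branch is there only because the byte-reading parameter of `Get-Content` changed between PowerShell 5.1 and 7.

```powershell
# Added example, not code from the Proofpoint report: enumerate NTFS alternate data
# streams under a folder and flag any stream that starts like a Windows shortcut (.lnk).
# $Root is a placeholder; point it at a download or archive-extraction folder.
# Requires Windows with NTFS; runs on PowerShell 5.1 and PowerShell 7.
param(
    [string]$Root = "$env:USERPROFILE\Downloads",
    # Streams expected on ordinary files: the primary data stream and the
    # Mark-of-the-Web zone tag written by browsers and mail clients.
    [string[]]$KnownStreams = @(':$DATA', 'Zone.Identifier')
)

function Read-StreamHead {
    param([string]$Path, [string]$Stream, [int]$Count = 4)
    # PowerShell 6+ replaced "-Encoding Byte" with "-AsByteStream", so branch on version.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count -ErrorAction SilentlyContinue
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count -ErrorAction SilentlyContinue
    }
}

function Test-LnkHeader {
    param([byte[]]$Bytes)
    # A Shell Link (.lnk) file begins with HeaderSize = 0x0000004C stored little-endian.
    return ($Bytes.Count -ge 4 -and $Bytes[0] -eq 0x4C -and $Bytes[1] -eq 0 -and $Bytes[2] -eq 0 -and $Bytes[3] -eq 0)
}

$findings = foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue) {
    # Get-Item -Stream * returns one object per stream, including the unnamed primary one.
    foreach ($s in (Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue)) {
        if ($KnownStreams -contains $s.Stream) { continue }
        $head = [byte[]](Read-StreamHead -Path $file.FullName -Stream $s.Stream)
        [pscustomobject]@{
            File      = $file.FullName
            Stream    = $s.Stream
            Bytes     = $s.Length
            LnkHeader = Test-LnkHeader -Bytes $head   # $true when the stream looks like a shortcut
        }
    }
}

if ($findings) {
    $findings | Sort-Object LnkHeader -Descending | Format-Table -AutoSize
} else {
    "No unexpected alternate data streams under $Root"
}
```

Run it as `.\Find-AdsStreams.ps1 -Root 'C:\path\to\extracted\archive'` (the file name is whatever you save it under). Two caveats worth keeping in mind: streams only survive if the archive is extracted onto an NTFS volume by a tool that writes them, and a stream with a harmless-looking name can still carry any content, which is why the check reads the first bytes rather than trusting the name. The built-in `dir /r` in cmd.exe shows the same stream list if PowerShell is not available.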

References:
  • Virus Bulletin: Proofpoint researchers observed TA397 spear phishing that targeted a Turkish defence sector organization. The attack chain used alternate data streams in a RAR to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down WmRAT & MiyaRAT.
  • The Hacker News: A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT.
  • Security Risk Advisors: #TA397 (Bitter #APT) targets the Turkish defense sector with #spearphishing, NTFS Alternate Data Streams, and #malware (#WmRAT/#MiyaRAT).
  • gbhackers.com: Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload
  • Proofpoint Threat Insight: TA397 Exploits NTFS Alternate Data Streams to Target Turkish Defense Sector
Classification:
  • HashTags: #BitterAPT #Spearphishing #Malware
  • Company: Proofpoint
  • Target: Turkish defense sector
  • Attacker: Bitter APT
  • Product: WmRAT, MiyaRAT
  • Feature: Alternate Data Streams
  • Malware: WmRAT, MiyaRAT
  • Type: Espionage
  • Severity: Major