Russian state-backed cyberespionage group Gamaredon has been targeting Ukraine with a phishing campaign, underway since November, that delivers the Remcos RAT, reports Security Affairs.
Gamaredon, also known as ACTINIUM, Armageddon, Shuckworm, and Primitive Bear, sends phishing emails with troop-related lures carrying malicious LNK files. The LNK files contain PowerShell code that fetches the second-stage payload and a decoy document, the latter to reduce suspicion, according to an analysis from Cisco Talos. The payload is extracted to the %TEMP% folder, where a clean executable side-loads a malicious DLL that in turn loads, decrypts, and executes Remcos RAT. Further analysis of Gamaredon's PowerShell scripts shows the group relying on abuse of a legitimate application and a mix of clean and malicious files rather than on a single malicious binary, said Cisco Talos researchers. "We can see in the previously mentioned sample downloaded by 'Any.run' that it contains the clean application TivoDiag.exe, as well as two DLLs. The file 'mindclient.dll' is the malicious DLL which is loaded by 'TivoDiag.exe' during execution," the report noted.
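The chain above (a clean executable dropped into %TEMP% that loads an unsigned DLL sitting beside it) is a generic DLL side-loading pattern, and it is visible in image-load telemetry regardless of which clean binary is abused. The following Python is an added detection example, not code from Cisco Talos or from the campaign; it runs over constructed Sysmon-style Event ID 7 (Image Loaded) records, reduced to the Image, ImageLoaded and Signed fields, and flags a DLL load where the loading process runs from a temp directory, the DLL lives in that same directory, and the DLL is not signed. The file names TivoDiag.exe and mindclient.dll come from the report; the paths and every other event are invented for the example.

```python
"""Flag DLL side-loading out of a temp directory in Sysmon-style image-load events.

Added example: not part of the Talos report or the original page.
"""
import json
import ntpath

# Constructed sample telemetry (not captured data). Each record mimics a Sysmon
# Event ID 7 (Image Loaded) with only the fields this check needs.
SAMPLE_EVENTS = [
    # Benign: a system binary loading a signed OS DLL.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    # Suspicious: clean EXE running from %TEMP% loads an unsigned DLL next to it.
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\TivoDiag.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pkg\mindclient.dll", "Signed": "false"},
    # Benign: the same EXE loading a signed OS DLL from System32.
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\TivoDiag.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Not an image-load event at all (process creation); must be ignored.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\TivoDiag.exe"},
]

# Directory fragments treated as "temp" locations (assumption for the example;
# extend with whatever staging paths your environment sees).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def in_temp_dir(path: str) -> bool:
    """True if the Windows path sits under one of the temp directories."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def is_temp_sideload(event: dict) -> bool:
    """Return True for an image-load event matching the side-loading pattern.

    Conditions: Event ID 7, loaded module is a DLL, the loading process image
    runs from a temp directory, the DLL is in the same directory as that
    process image, and the DLL carries no valid signature.
    """
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return False
    if not in_temp_dir(image):
        return False
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    unsigned = str(event.get("Signed", "")).lower() != "true"
    return same_dir and unsigned


def find_temp_sideloads(events) -> list:
    """Return (process image, loaded DLL) pairs for every matching event."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_temp_sideload(e)]


def find_temp_sideloads_jsonl(text: str) -> list:
    """Same check over newline-delimited JSON, the usual export shape for Sysmon via a SIEM."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return find_temp_sideloads(events)


if __name__ == "__main__":
    for image, dll in find_temp_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {image} loaded {dll}")
```

The check deliberately keys on the location and signature state of the DLL rather than on the names TivoDiag.exe or mindclient.dll, since the clean host binary is interchangeable; treat the Signed field as advisory, because Sysmon only populates it when image-load events are configured with hash or signature collection.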
BleepingComputer reports that Ethereum Name Service lead developer Nick Johnson discovered that attackers had abused a weakness in Google's OAuth application flow to get Google itself to send a bogus "security alert" email. Because the message originated from Google's infrastructure, it carried a valid DomainKeys Identified Mail (DKIM) signature and passed authentication checks when replayed to targets, a technique known as DKIM replay phishing.
Massive ongoing US toll fraud underpinned by Chinese smishing kit
Numerous threat actors have been leveraging an SMS phishing kit developed by Chinese threat actor "Wang Duo Yu" to conduct a widespread smishing campaign against toll road users across several U.S. states that has been underway since October, The Hacker News reports.
The FBI has warned that cybercriminals have been masquerading as Internet Crime Complaint Center (IC3) employees offering to help recover stolen funds, in order to obtain financial details from people who were already victims of fraud, as part of an ongoing scam campaign, Cybernews reports.