Phishing

Attacks conducted until July involved the delivery of phishing messages with malicious shortcut attachments or Google Drive URLs to mainly distribute the Lumma Stealer, NetSupport, and StealC payloads, according to a Proofpoint analysis.

Attacks involved the utilization of Amazon S3 bucket and Content Delivery Network-hosted sites spoofing Google CAPTCHA pages and other verification sites, which include instructions that trigger a malicious PowerShell command downloading Lumma Stealer and proceeding with the exfiltration of sensitive device data.

Attacks commenced with the distribution of phishing emails with an HTML attachment or malicious link, which would trigger the deployment of the Java-based RAT, which enables not only file system, process, and remote desktop management, but also file uploads or downloads, keylogging, screenshot capturing, and webcam takeovers.

Attacks leveraging iServer to automate phishing pages impersonating widely used cloud-based mobile platforms commenced in North and South America before expanding in Europe, enabling the unlocking of more than 1.2 million devices.

The criminal hackers are behind at least 30 cybercrime scams, including malware, phishing and cryptocurrency fraud.

After establishing trust with targets via spear-phishing emails purporting to be job openings for senior-/manager-level employees in high-profile companies, UNC2970 proceeded to deliver a malicious ZIP file masquerading as a job description, an analysis from Google Cloud's Mandiant revealed.