Taiwanese Facebook Biz Pages Fall to Infostealer Phishing Campaign
Summary:
Cisco Talos has identified an ongoing phishing campaign that has targeted Facebook business and advertising account users in Taiwan since at least July 2024. The campaign relies on social engineering to deceive victims into downloading and executing malware. The unknown threat actor employs sophisticated techniques, including the abuse of the legitimate Google Appspot service, to bypass security measures. Malicious payloads are delivered via targeted phishing emails containing links to infected PDF documents. The decoy email templates and fake PDF files observed are written in Traditional Chinese, which is primarily spoken in Taiwan, Macau, and Hong Kong. Additionally, the company names used belong to well-known technology companies in Taiwan and Hong Kong. The emails and documents impersonate a company's legal department and purport to concern copyright infringement.
When the victim clicks the link, the unknown threat actor leverages Appspot[.]com domains to deliver an information stealer to the target's machine. The link first takes the target to Appspot[.]com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox, from which the information stealer is downloaded. The adversary uses the third-party data storage service as a download server to deceive network defenders. They obfuscate code, encrypt shellcode, and embed the LummaC2 or Rhadamanthys information stealers within legitimate binaries to evade antivirus detection and honeypots. The campaign's goal is to exfiltrate sensitive information, targeting system details, web browsers, cryptocurrency wallets, and browser extensions.
Security Officer Comments:
This phishing campaign demonstrates its sophistication through effective defense-evasion techniques and targeted phishing lures. The targeting of social media business accounts underscores the growing threat of phishing campaigns distributed through social media platforms. The threat actor's use of multiple evasion techniques underscores the importance of both traditional and advanced threat detection and response solutions. Organizations should prioritize employee awareness training and policies for recognizing and avoiding phishing attempts. Additionally, segmenting networks and adhering to the principle of least privilege can reduce the scope of credential-harvesting attacks. Given that the targets are in Taiwan, that the campaign uses advanced TTPs, and that the actor has access to malware-as-a-service (MaaS) offerings such as the LummaC2 and Rhadamanthys information stealers, one could infer that the credentials stolen in these attacks are intended for larger-scale attacks on Taiwanese industries such as semiconductors.
Suggested Corrections:
IOCs for this research can be found in the Cisco Talos blog post linked below.
- Do not open emails or download software from untrusted sources.
- Do not click on links or attachments in emails that come from unknown senders.
- Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion).
- Always verify the email sender's email address, name, and domain.
- Backup important files frequently and store them separately from the main system.
- Protect devices using antivirus, anti-spam, and anti-spyware software.
- Report phishing emails to the appropriate security or IT staff immediately.
https://www.darkreading.com/cyberattacks-data-breaches/facebook-businesses-targeted-infostealer-phishing-campaign
https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/