TRENDING TOPICS MAY 29, 2025

Targeted Spear-Phishing Campaign Deployed by Nation-State Actors to Exploit Financial Executives 

A sophisticated spear-phishing campaign has been discovered targeting CFOs and finance executives in sectors including banking, insurance, energy, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. The attackers, likely nation-state actors, use social engineering to impersonate a recruiter from Rothschild & Co., offering a "confidential leadership opportunity." The attack starts with an email titled "Rothschild & Co leadership opportunity (Confidential)" carrying an attachment named "Rothschild_&Co-6745763[.]PDF." The file is not a PDF but a phishing link that redirects recipients to a Firebase-hosted page protected by a custom CAPTCHA. The CAPTCHA, designed to bypass traditional security defenses, reveals a hidden URL leading to a ZIP file that contains a VBS script. Once the ZIP is opened and the script runs, it creates the directory C:\temper\ and downloads a secondary VBS payload from a C2 server. That payload silently installs the NetBird and OpenSSH remote access tools from MSI packages, giving the attackers persistent access to the victim's network. They then create a hidden local admin account, enable Remote Desktop Protocol, and adjust firewall settings to allow future connections. For long-term persistence they set up scheduled tasks and use defense evasion techniques, bypassing UAC and escalating privileges. The organization and tradecraft of the operation point to a highly organized nation-state threat actor, likely seeking to steal sensitive financial data or conduct espionage. Trellix recommends that executives treat unsolicited recruitment emails with caution and urges organizations to deploy advanced security measures such as Endpoint Detection and Response solutions and to monitor for unusual script executions and unauthorized account creation. 
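The last sentence above is where defenders get traction: no single step of this chain is rare on its own, but several of them landing on one host within minutes is. The following is an added illustration, not code from the Trellix report; it assumes a constructed event schema (Sysmon process-create as id 1, Windows Security 4720/4732/4698), a 15-minute window, and invented host and account names.

```python
# Added example, not Trellix's code: correlate host telemetry for the chain above.
# Records are constructed to mimic Sysmon id 1 and Security 4720/4732/4698 fields.
from collections import defaultdict
from datetime import datetime, timedelta

RAT_HINTS = ("netbird", "openssh", "sshd")   # tools the campaign installs via MSI
WINDOW = timedelta(minutes=15)               # assumption: the chain completes quickly

def label(e):
    """Tag one event with the step of the chain it resembles, or None."""
    cmd = e.get("cmd", "").lower()
    if e["id"] == 1 and any(h in cmd for h in RAT_HINTS):
        return "remote_access_tool_install"
    if e["id"] == 1 and "\\temper\\" in cmd:
        return "staging_in_c_temper"
    if e["id"] == 4720:
        return "local_account_created"
    if e["id"] == 4732 and e.get("group", "").lower() == "administrators":
        return "added_to_administrators"
    if e["id"] == 4698:
        return "scheduled_task_created"
    return None

def correlate(events, min_steps=3):
    """{host: sorted steps} for hosts with >= min_steps distinct steps in one WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        step = label(e)
        if step:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), step))
    hits = {}
    for host, seq in by_host.items():
        seq.sort()                       # sliding window over time-ordered steps
        for i, (t0, _) in enumerate(seq):
            steps = {s for t, s in seq[i:] if t - t0 <= WINDOW}
            if len(steps) >= min_steps:  # a routine 4720 alone never alerts
                hits[host] = sorted(steps)
                break
    return hits

# Constructed sample: one finance workstation showing the chain, one benign host.
EVENTS = [
    {"ts": "2025-05-28T09:00:10", "host": "fin-cfo-01", "id": 1, "cmd": "wscript.exe C:\\temper\\stage2.vbs"},
    {"ts": "2025-05-28T09:00:25", "host": "fin-cfo-01", "id": 1, "cmd": "msiexec.exe /i C:\\temper\\netbird.msi /qn"},
    {"ts": "2025-05-28T09:01:02", "host": "fin-cfo-01", "id": 4720, "account": "svc_upd$"},
    {"ts": "2025-05-28T09:01:03", "host": "fin-cfo-01", "id": 4732, "account": "svc_upd$", "group": "Administrators"},
    {"ts": "2025-05-28T09:01:40", "host": "fin-cfo-01", "id": 4698, "task": "\\UpdateCheck"},
    {"ts": "2025-05-28T10:30:00", "host": "hr-ws-07", "id": 4720, "account": "j.doe"},
]
```

Running `correlate(EVENTS)` flags only fin-cfo-01, with all five steps; the lone account creation on hr-ws-07 stays quiet.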

APT41 Leverages Google Calendar for C2 in Sophisticated Cyber Espionage Campaign 

Google Mandiant disclosed a highly targeted cyberattack attributed to the Chinese state-sponsored group APT41, which used malware named TOUGHPROGRESS to abuse Google Calendar for command-and-control (C2). Discovered in late October 2024, the malware was hosted on a compromised government website and was used to target several other government entities. APT41, known by various aliases including Axiom, Blackfly, and Barium, has an extensive history of targeting government bodies and private organizations across technology, logistics, and media. The attack began with spear-phishing emails that included a ZIP file hosted on the compromised government site, which, when opened, initiated the malware's execution chain. The ZIP contained a directory with files masquerading as images, including decoy files that triggered encrypted payloads and DLL files designed for further malicious actions. The malware’s attack chain included three key components: PLUSDROP, PLUSINJECT, and TOUGHPROGRESS. Once deployed, TOUGHPROGRESS interacted with an attacker-controlled Google Calendar, using it to send and retrieve encrypted commands. These commands were placed in zero-minute events on the calendar, which the malware polled and then executed on the compromised host. The results were written back as new calendar events for the attackers to retrieve. Google responded swiftly by taking down the malicious calendar and terminating the associated Workspace projects, neutralizing the operation. This use of cloud services for C2 highlights the growing trend of adversaries leveraging trusted platforms to bypass traditional security measures. It is not the first time APT41 has weaponized Google services: previous attacks have also used Google Drive and Google Sheets for C2 operations. 
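Because the C2 endpoint is a legitimate Google domain, domain reputation will not catch this; what stands out is the polling rhythm. The following is an added detection sketch, not code from Mandiant or Google: it assumes constructed endpoint network records with host, process, destination and URL path (as a TLS-inspecting proxy would log), an invented polling process name, and a browser allowlist of our own choosing.

```python
# Added example, not Mandiant's code: flag periodic Google Calendar API polling
# from non-browser processes in constructed endpoint network telemetry, the
# pattern the TOUGHPROGRESS command cycle described above would produce.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}  # assumed legitimate callers
CALENDAR_HOSTS = {"www.googleapis.com", "calendar.google.com"}

def calendar_requests(log):
    """Collect request times to the Calendar API per (host, process)."""
    series = defaultdict(list)
    for r in log:
        if r["dst"] in CALENDAR_HOSTS and r["path"].startswith("/calendar"):
            series[(r["host"], r["proc"])].append(datetime.fromisoformat(r["ts"]))
    return series

def beacon_candidates(log, min_hits=4, max_jitter=0.2):
    """Return [(host, proc, mean_gap_seconds)] for non-browser processes that
    poll the Calendar API at least min_hits times at a near-constant interval."""
    found = []
    for (host, proc), times in calendar_requests(log).items():
        if proc.lower() in BROWSERS or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # low jitter = timer-driven
            found.append((host, proc, round(avg)))
    return found

# Constructed sample; the polling process name is invented (injected code usually
# surfaces under a legitimate image, which is why cadence, not name, is the signal).
def _req(ts, proc, dst, path, host="gov-ws-12"):
    return {"ts": ts, "host": host, "proc": proc, "dst": dst, "path": path}

POLL = "/calendar/v3/calendars/primary/events"
LOG = [_req(f"2024-10-20T08:{m:02d}:00", "svchost.exe", "www.googleapis.com", POLL)
       for m in (0, 5, 10, 15, 20)]
LOG += [_req("2024-10-20T08:03:00", "chrome.exe", "calendar.google.com", "/calendar/u/0/r"),
        _req("2024-10-20T08:07:00", "updater.exe", "www.googleapis.com", POLL, host="gov-ws-30"),
        _req("2024-10-20T08:41:00", "updater.exe", "www.googleapis.com", POLL, host="gov-ws-30")]
```

On the sample, `beacon_candidates(LOG)` reports the five-minute poller on gov-ws-12 and ignores both the interactive browser session and the two-request host.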

OneDrive File Picker Flaw Exposes User Data Due to Overly Broad OAuth Scopes 

Oasis researchers have uncovered a flaw in Microsoft's OneDrive File Picker that could allow malicious websites or applications to access a user’s entire cloud storage, even though only a specific file was intended for upload. The issue arises because the OneDrive File Picker requests extensive OAuth permissions, specifically read access to the entire OneDrive storage, regardless of whether one file or many are selected for upload. This is compounded by vague consent screens that fail to tell users how much access they are granting. Although this is a flaw rather than a vulnerability, it poses significant security risks, including potential data leakage and compliance violations, as users might unknowingly grant far more access than intended. The flaw is assessed to affect multiple apps that integrate with OneDrive, including ChatGPT, Slack, Trello, and ClickUp, which could unknowingly expose user data. The root problem is the lack of fine-grained OAuth scopes that would limit access to only the selected files, leaving users open to exploitation. Threat actors are not known to be actively abusing this flaw, but its low complexity and ease of exploitation make it a significant concern: a malicious app or website could trick users into granting unnecessary access to their cloud data. While Microsoft has acknowledged the issue, no fix has been implemented yet. In the meantime, researchers recommend workarounds, including removing the option to upload files via OneDrive OAuth, or disabling refresh tokens, since those could give a malicious app ongoing access to user data. A more secure option is to ensure that OAuth tokens are stored securely rather than in plaintext in the browser's session storage, and to discard tokens as soon as they are no longer needed. 
This flaw highlights the importance of more granular OAuth permission scopes and better user interface prompts to avoid confusion and potential misuse of sensitive data. 

UNC6032 Uses Fake AI Video Generator Sites to Deliver Backdoors and Stealers 

The UNC6032 hacking group, operating from Vietnam, has been actively leveraging the surge in AI tool popularity to lure unsuspecting users to fake websites masquerading as legitimate AI video and image generators, Mandiant reports. The group’s widespread campaign has been running since at least mid-2024, using social media platforms like Facebook and LinkedIn to distribute over 120 deceptive ads, which reached millions of users, including more than 2.3 million in the European Union. These ads, often promoted through attacker-created or compromised Facebook accounts, direct victims to fake AI websites that promise advanced text-to-video and image-to-video generation. Once users are drawn in, they are tricked into downloading a ZIP file that contains a malicious executable designed to install malware on their systems. The infection chain utilizes DLL side-loading, process injection, and in-memory droppers, making detection difficult. The malware delivers a series of backdoors, including Rust-based Starkveil, XWorm, Frostrift, and the .NET downloader Grimpull. The malware dropped by fake AI websites can steal sensitive information and provide attackers with backdoor access to infected systems. XWorm, in particular, is designed to log keystrokes and collect system information, including usernames, operating system details, hardware identifiers, and antivirus information. Frostrift, on the other hand, checks for specific messaging applications, browsers, and browser extensions, further aiding the attackers’ reconnaissance efforts. Some victims also experienced the Noodlophile Stealer, which was sometimes bundled with XWorm. Mandiant’s research highlights the growing trend of AI-themed cyberattacks, noting that AI tools have expanded the scope of potential victims beyond just graphic designers. To mitigate risks, Mandiant advises users to verify the legitimacy of AI websites and exercise caution when interacting with ads or unknown platforms.

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.