Sophisticated Phishing Attack Discovered Targeting Industrial Services Company

Cybersecurity researchers have discovered a sophisticated phishing attack distributing the More_eggs malware, targeting an industrial services company, while also identifying separate campaigns involving the Vidar Stealer malware and Cobalt Strike, as well as a new phishing kit known as V3B targeting banking customers in the European Union, with Microsoft issuing a warning about potential abuse of Azure Service Tags.

At a glance

  • A sophisticated phishing attack distributing More_eggs malware was discovered.
  • The attack targeted an industrial services company in May 2024.
  • The More_eggs malware is a dangerous modular backdoor capable of harvesting sensitive information.
  • The attack chain involves responding to LinkedIn job postings with a link leading to a fake resume download site.
  • Additional threats include a drive-by download campaign distributing Vidar Stealer malware and social engineering campaigns deploying Cobalt Strike malware.

The details

Cybersecurity researchers have recently discovered a sophisticated phishing attack. This attack has been distributing the More_eggs malware. The malware was disguised as a fake resume.

The Attack

The attack targeted an unnamed industrial services company in May 2024. More_eggs is a dangerous modular backdoor capable of harvesting sensitive information, making it a significant threat to organizations.

Attack Chain

The attack chain used by the malicious actors is complex. It involves responding to LinkedIn job postings with a link that leads to a fake resume download site. Upon clicking the link, a malicious LNK file is retrieved. This file is used to retrieve a DLL, which is then executed to establish persistence and drop additional payloads.

More_eggs campaigns are reportedly still active, and operators continue to use social engineering tactics to deceive victims.

In addition to More_eggs, a separate drive-by download campaign has been identified. This campaign uses fake websites offering the KMSPico Windows activator tool. It distributes the Vidar Stealer malware.

Cybercriminals are also setting up social engineering campaigns that use lookalike sites impersonating legitimate software to deploy the Cobalt Strike malware.

A new phishing kit known as V3B also targets banking customers in the European Union. It aims to steal credentials and one-time passwords (OTPs). The V3B kit features customized templates that mimic authentication processes and can execute QR code login jacking attacks.

The phishing kit has been active since March 2023 and is offered through a phishing-as-a-service model on the dark web. Hundreds of cybercriminals are estimated to be using it to target European financial institutions.

Microsoft has issued a warning about the potential abuse of Azure Service Tags. Malicious actors could use these to gain unauthorized access to cloud resources. The Microsoft Security Response Center has emphasized that service tags should not be considered a security boundary; they should only be used as a routing mechanism, in conjunction with validation controls.

Cybersecurity firm Tenable discovered a critical vulnerability: firewall rules of Azure customers that rely on Azure Service Tags could be bypassed. There is currently no evidence of this vulnerability being exploited in the wild. However, it poses a significant risk, because it allows attackers to control server-side requests and impersonate trusted Azure services.

Microsoft has updated its documentation. It now states, “Service Tags alone aren’t sufficient to secure traffic without considering the nature of the service and the traffic it sends.” Customers are advised to review their use of service tags. They should ensure they have implemented adequate security measures. These measures should authenticate only trusted network traffic for service tags.
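The guidance above, that a service tag narrows routing but does not by itself authenticate the caller, is easiest to see side by side. The following is an added example written for this page, not code from Microsoft, Tenable or the article: a small policy evaluator that contrasts a rule which admits traffic purely because its source address falls in a service-tag range with a rule that additionally requires the caller to prove its identity. The tag name, the IP prefixes, the addresses and the HMAC shared secret are all constructed stand-ins and are not real Azure values; the identity proof (an HMAC over the request body) is one illustrative validation control, chosen because it runs offline.

```python
"""
Added example (not from the article, Microsoft or Tenable): a toy firewall
policy evaluator showing why a service-tag match alone is a routing hint,
not a security boundary. All prefixes, addresses and secrets are constructed.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a published service-tag prefix list.
# Real tags map to prefixes shared by every tenant using that Azure service,
# which is exactly why an address match cannot identify a specific caller.
SERVICE_TAG_PREFIXES = {
    "ExampleAzureService": ["203.0.113.0/24", "198.51.100.0/25"],
}

# Constructed shared secret provisioned into the one caller we actually trust.
SHARED_SECRET = b"constructed-example-secret"


@dataclass
class Request:
    source_ip: str
    body: bytes
    signature: Optional[str] = None  # hex HMAC-SHA256 over body, if the caller supplied one


def ip_in_service_tag(ip: str, tag: str) -> bool:
    """True if the address falls inside any prefix attributed to the tag."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in SERVICE_TAG_PREFIXES.get(tag, []))


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Validation control used by the trusted caller: HMAC-SHA256 over the body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def weak_rule(req: Request, tag: str = "ExampleAzureService") -> bool:
    """Treats the tag as a boundary: any request sourced from the tag's ranges is admitted."""
    return ip_in_service_tag(req.source_ip, tag)


def hardened_rule(req: Request, tag: str = "ExampleAzureService") -> bool:
    """Uses the tag only to scope routing; admission still requires a valid identity proof."""
    if not ip_in_service_tag(req.source_ip, tag):
        return False
    if req.signature is None:
        return False
    return hmac.compare_digest(req.signature, sign(req.body))


def evaluate(req: Request) -> dict:
    """Convenience wrapper returning both verdicts for one request."""
    return {"weak": weak_rule(req), "hardened": hardened_rule(req)}


if __name__ == "__main__":
    # A request from inside the tag range that carries no identity proof:
    # the weak rule lets it through, the hardened rule does not.
    anonymous = Request("203.0.113.10", b"payload")
    print("in-range, unsigned :", evaluate(anonymous))
    # The same source with a valid proof passes both rules.
    trusted = Request("203.0.113.10", b"payload", sign(b"payload"))
    print("in-range, signed   :", evaluate(trusted))
    # A correct proof from outside the range is still routed away by both.
    outside = Request("192.0.2.5", b"payload", sign(b"payload"))
    print("out-of-range       :", evaluate(outside))
```

The point to take from the two verdicts is that `weak_rule` cannot distinguish the trusted caller from any other tenant's resource that happens to egress through the same service-tag prefixes, whereas `hardened_rule` uses the tag only to decide whether to bother evaluating the request at all. In a real deployment the validation control would be whatever the service supports (mutual TLS, a signed token checked against the expected identity, or an application-layer secret), applied in addition to, never instead of, the network rule.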

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

securityweek.com
– Cybersecurity researchers have identified a phishing attack distributing the More_eggs malware by posing as a resume
– The attack targeted an unnamed company in the industrial services industry in May 2024
– More_eggs is a modular backdoor capable of harvesting sensitive information
– The attack chain involves malicious actors responding to LinkedIn job postings with a link to a fake resume download site
– The LNK file is used to retrieve a malicious DLL and execute it to establish persistence and drop additional payloads
– More_eggs campaigns are still active and operators use social engineering tactics to trick victims
– A drive-by download campaign uses fake websites for the KMSPico Windows activator tool to distribute Vidar Stealer
– Social engineering campaigns have set up lookalike sites impersonating legitimate software to deploy Cobalt Strike
– A new phishing kit called V3B targets banking customers in the European Union to steal credentials and OTPs
– V3B features customized templates to mimic authentication processes and can execute QR code login jacking attacks
– The kit is offered through a Phishing-as-a-Service model on the dark web and has been active since March 2023
– Hundreds of cybercriminals are estimated to be using the V3B kit to target European financial institutions
thehackernews.com
– Microsoft has warned about the potential abuse of Azure Service Tags by malicious actors to gain unauthorized access to cloud resources
– The Microsoft Security Response Center stated that service tags should not be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls
– Cybersecurity firm Tenable found that Azure customers whose firewall rules rely on Azure Service Tags could be bypassed
– There is no evidence that the feature has been exploited in the wild
– The vulnerability allows an attacker to control server-side requests and impersonate trusted Azure services
– Ten Azure services have been found vulnerable to this issue
– Microsoft has updated the documentation to explicitly note that “Service Tags alone aren’t sufficient to secure traffic without considering the nature of the service and the traffic it sends”
– Customers are recommended to review their use of service tags and ensure they have adopted adequate security guardrails to authenticate only trusted network traffic for service tags.
