1/31/2024

BEC or Business Email Compromise is a significant problem for businesses around the world. According to the Federal Bureau of Investigation (FBI), BEC costs victims more money than ransomware, with an estimated US$2.4 billion lost to BEC in the US in 2021. This amount accounts for a large share of the US$6.9 billion that Americans lost to the combination of ransomware, BEC, and financial scams, based on the FBI report. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail Transfer Protocol (SMTP) services like SendGrid to send emails designed to bypass the filters of email service providers and the security services that protect email. By using these genuine services (but with stolen accounts), scammers can make their emails look legitimate. These schemes, when combined with cybercrime and open-source tools, often lead to BEC campaigns that are highly effective and successful for the scammers.

In September 2022, Trend Micro researchers observed a new potential BEC campaign targeting large companies around the world, which we believe has been running since April 2022. By carefully selecting their target victims and leveraging open-source tools, the group behind this campaign stayed under the radar for quite some time. The attack leveraged an HTML file (containing obfuscated JavaScript) attached to an email. Based on our analysis, we determined this to be a targeted attack, judging from some of the features enabled in the JavaScript (JS) and from the PHP code deployed by the attackers on the server side. Like other typical BEC schemes, the initial stage always involves a spear-phishing attack on an individual target. The threat actors behind this campaign used a malicious JavaScript attachment (detected by Trend Micro as Trojan.JS.DYBBUK.SMG) that redirects users to a fraudulent Microsoft phishing page. After a successful phishing attempt, the threat actors log in to their target's email account, which is then used for BEC schemes such as CEO fraud, bogus invoice schemes, and account compromise. The screenshot below in Figure 1 shows an actual malicious spam email used in this attack. We initially came across this attack in November 2022, primarily because of the very low detection counts for its malicious attachment and, second, because we had access to a machine that was a target of this campaign. For several months, Water Dybbuk had been successful in its malicious spam campaign by evading AV detections thanks to its obfuscated JavaScript malware. Looking back at other similar malware samples shared with the public, the tools, tactics, and procedures (TTPs) used in these attacks have been running under the radar since April 2022, based on the earliest shared malware sample.

We identified that the threat actors behind this campaign use an open-source JavaScript Obfuscator tool, which is hosted on. Several options can also be enabled to prevent scripts from being debugged and make them tougher to reverse-engineer. The BadaxxBot toolkit is advertised in a Telegram channel by the user responsible for selling the malware. We observed that the same user was also selling compromised accounts on another Telegram channel. As the tool can be bought and leveraged by other attack groups, it would not be surprising to see this malware used in other BEC campaigns. For example, it was also observed as part of a campaign targeting banks in the Philippines, based on the configuration files shared on VirusTotal. The redirection ends on a C&C server hosting an Evilginx2 phishing toolkit configured to phish credentials and session cookies from Microsoft Office 365 accounts. Evilginx2 is a man-in-the-middle attack framework used to intercept and manipulate web traffic. It is designed for use in phishing attacks and can be used to bypass two-factor authentication. It works by setting up a malicious web server that acts as a proxy between the victim and the legitimate website. The framework can be used to steal credentials and intercept the session cookies of commonly targeted platforms such as Microsoft Office 365, Microsoft Outlook, Facebook, and LinkedIn, among others. Evilginx2 and the obfuscator are open-source, which, along with the off-the-shelf malware toolkit BadaxxBot, means that they can also be used by any other cybercrime group. This combination of tools and the choice of server to deploy the redirector C&C server makes Water Dybbuk unique and worth monitoring for security teams.
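The campaign's initial access relies on an HTML attachment whose embedded JavaScript was run through an obfuscator with anti-debugging options enabled, which is why AV detection counts stayed low. The following is an added example, not Trend Micro's code or the obfuscator project's, of the kind of lightweight triage a mail gateway or SOC script can run over HTML attachments: it extracts script bodies and scores the indicators obfuscated droppers tend to carry (hex-escaped string tables, `_0x`-style identifiers, `debugger` statements used as anti-analysis, `eval`/`atob`/`unescape` chains, and a `location` redirect). Both sample attachments are constructed for this example and contain no working payload; the weights and the threshold are assumptions to be tuned against real traffic.

```python
import math
import re
from collections import Counter

# Constructed sample attachments (not real malware). The first is an ordinary
# HTML mail; the second is synthetic and merely exhibits the textual indicators
# an obfuscated, anti-debug JavaScript attachment would show. Nothing executes.
BENIGN_HTML = """<html><body>
<h1>Monthly newsletter</h1>
<p>Hello team, please find the agenda for next week below.</p>
<script>document.getElementById('year').textContent = new Date().getFullYear();</script>
</body></html>"""

SUSPICIOUS_HTML = """<html><body><script>
var _0x4f2a=['\\x77\\x69\\x6e\\x64\\x6f\\x77','\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e'];
(function(){setInterval(function(){debugger;},100);})();
var p=atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv');
eval(unescape('%77%69%6e%64%6f%77'));
window.location.replace(p);
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

# Indicator patterns (assumed heuristics, not a vendor signature set).
INDICATORS = {
    "hex_escaped_strings": re.compile(r"\\x[0-9a-fA-F]{2}"),
    "hex_identifiers": re.compile(r"_0x[0-9a-fA-F]{3,}"),
    "debugger_statement": re.compile(r"\bdebugger\b"),
    "dynamic_eval": re.compile(r"\b(eval|Function|atob|unescape)\s*\("),
    "location_redirect": re.compile(
        r"(window\.|document\.)?location(\.href|\.replace|\.assign)?\s*[=(]"),
}


def shannon_entropy(text: str) -> float:
    """Bits per character; obfuscated script bodies tend to score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_html_attachment(html: str) -> dict:
    """Score an HTML attachment for obfuscated-JavaScript indicators."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    # Visible text left after removing scripts and tags: a lure page that is
    # almost entirely script with no readable content is itself a signal.
    visible_words = len(re.sub(r"<[^>]+>", " ", SCRIPT_RE.sub(" ", html)).split())
    hits = {name: len(rx.findall(scripts)) for name, rx in INDICATORS.items()}
    entropy = shannon_entropy(scripts)
    script_ratio = len(scripts) / max(len(html), 1)

    score = 0                                   # assumed weights
    if hits["hex_escaped_strings"] >= 4:
        score += 3
    if hits["hex_identifiers"]:
        score += 2
    if hits["debugger_statement"]:              # anti-debugging option
        score += 3
    if hits["dynamic_eval"] >= 2:
        score += 2
    if hits["location_redirect"]:               # hand-off to phishing page
        score += 2
    if entropy > 5.0:
        score += 1
    if script_ratio > 0.6 and visible_words < 5:
        score += 2
    return {
        "hits": hits,
        "entropy": round(entropy, 2),
        "script_ratio": round(script_ratio, 2),
        "score": score,
        "verdict": "suspicious" if score >= 6 else "clean",   # assumed threshold
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTML), ("synthetic", SUSPICIOUS_HTML)):
        print(label, analyze_html_attachment(sample))
```

The point of scoring several weak indicators rather than matching one string is that obfuscator output changes with every build while the structural traits (escaped string tables, anti-debug loops, dynamic evaluation followed by a redirect) persist; a verdict of `suspicious` should route the attachment to sandbox detonation rather than block on its own.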
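Because Evilginx2 proxies the real login page, the victim completes two-factor authentication normally and the attacker walks away with a session cookie that already satisfies MFA. The identity provider therefore cannot rely on the MFA step alone; what it can see is the session being issued to one client and then replayed from another. The following added example (not Trend Micro's code or the Evilginx2 project's) runs that detection over a constructed audit log: the log format, field names, 30-minute window, and the rule that both IP and User-Agent must change are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample from an imaginary identity-provider audit log (not real
# data). Session s1 is issued to one client after an OTP login and is then
# used minutes later from a different IP and browser; s2 is normal activity.
SAMPLE_LOG = """\
2022-11-14T09:00:02Z event=login_success user=alice@example.invalid sid=s1 ip=203.0.113.10 ua="Chrome/107 Windows" mfa=otp
2022-11-14T09:00:15Z event=request user=alice@example.invalid sid=s1 ip=203.0.113.10 ua="Chrome/107 Windows" path=/mail
2022-11-14T09:03:41Z event=request user=alice@example.invalid sid=s1 ip=198.51.100.77 ua="Firefox/106 Linux" path=/mail/rules
2022-11-14T09:05:00Z event=login_success user=bob@example.invalid sid=s2 ip=192.0.2.5 ua="Edge/107 Windows" mfa=otp
2022-11-14T10:30:00Z event=request user=bob@example.invalid sid=s2 ip=192.0.2.5 ua="Edge/107 Windows" path=/calendar
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts_str, rest = line.split(" ", 1)
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in KV_RE.finditer(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_session_hijacks(log_text: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Flag sessions reused from a different client shortly after issuance."""
    issued = {}      # sid -> login event that minted the session cookie
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        sid = ev["sid"]
        if ev["event"] == "login_success":
            issued[sid] = ev
            continue
        origin = issued.get(sid)
        if origin is None:
            # A cookie we never saw issued: worth a look on its own.
            alerts.append({"sid": sid, "reason": "session_without_login", "ts": ev["ts"]})
            continue
        ip_changed = ev["ip"] != origin["ip"]
        ua_changed = ev["ua"] != origin["ua"]
        age = ev["ts"] - origin["ts"]
        # A proxied phish hands the cookie to a second machine almost at once,
        # so a new IP *and* a new browser inside the window is the signal.
        if ip_changed and ua_changed and age <= window:
            alerts.append({
                "sid": sid,
                "user": ev["user"],
                "reason": "cookie_reused_from_new_client",
                "login_ip": origin["ip"],
                "new_ip": ev["ip"],
                "seconds_after_login": int(age.total_seconds()),
                "mfa_at_login": origin.get("mfa"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijacks(SAMPLE_LOG):
        print(alert)
```

The alert deliberately carries `mfa_at_login`, because an analyst's first instinct is "the user passed OTP, so this is fine"; with a reverse-proxy phish that is exactly the trap. A practical response is to revoke the session and force re-authentication, and the durable mitigation is an origin-bound second factor (FIDO2/WebAuthn) that a proxy on a lookalike domain cannot satisfy. Expect benign hits from VPN flips and mobile roaming, so tune the window and consider ASN rather than raw IP changes before alerting automatically.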