Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.
Sustained 'Red Deer' Phishing Attacks Impersonate Israel Post, Drop RATsSustained 'Red Deer' Phishing Attacks Impersonate Israel Post, Drop RATs
The "missed package" phishing messages, likely the work of a hacking-for-hire group, bounds into inboxes, bearing ASyncRAT.
June 1, 2023
Israeli engineering and telecommunications companies have been targeted with a sustained phishing message campaign that is convincingly impersonating Israel's postal service.
Research by Perception Point found the phishing email typically appears to be a missed delivery note containing an HTML link. When clicked, it downloads and opens an .html file attachment on the user's browser. This html file then opens an ISO image file that contains an obfuscated Visual Basic script, which ultimately downloads a modified version of the AsyncRAT malware.
Named Operation Red Deer, due to the fact that the logo for the Israel Postal Company (aka "Israel Post") is a red deer — this technique was initially spotted being used in a campaign in April 2022, but last month a similar campaign was spotted wherein the malware version and SSL certificate that was used were the same.
Sustained Phishing Campaign
Several other campaigns in the activity cluster were also detected, including one last June and another last October, where Igal Lytzki, incident response analyst at Perception Point, says the volume of phishing emails was significantly higher than on other days.
Perception Point called the campaign "a sustained and clandestine operation” which targeted numerous organizations from diverse industries, but all based in Israel.
Lytzki says that "hundreds of emails related to this particular campaign" were detected and quarantined before being delivered, and that they've been directed at employees in varying positions and at different levels of seniority, not solely executive and leadership positions.
He also added that the level of care to make the lures look genuine is notable, including the addition of elements such as the logo, correlation of colors, and additional information about the post office's opening hours. "This is a surprising tactic that reveals the depth of sophistication and investment put into this attack," he notes.
Who Is to Blame?
The attacks were attributed to the Aggah threat group, due to the choice of malware, order-related phishing messages, and use of Losh Crypter obfuscated PowerShell scripts. Lytzki says there is no clear evidence of any state-sponsorship or national identity for Aggah, but there is a striking similarity between Aggah's tactics, techniques, and procedures (TTPs) and another threat group known as Gorgon Group, a state-sponsored group under the Pakistani government .
He adds, "Aggah has targeted a variety of countries for espionage, information gathering, and financial gain. I believe that the evidence suggests that this hacking group is for hire, contracting with other governments to launch malicious campaigns on their behalf."
Also, in the past, Aggah has conducted attacks which were primarily focused on organizations within Middle Eastern countries. The Gorgon Group, meanwhile, does not just focus on financial fraud and cybercrime, but also conducts attacks against government organizations and has been linked to attacks against Russia, Spain, the United Kingdom, and the United States.
Read more about:DR Global Middle East & Africa
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023