An unknown threat actor is targeting APAC and North American governments with info-stealing malware and ransomware, according to Menlo Security.
The group’s attacks begin with a phishing email containing a malicious Discord link, which points to a password-protected zip file. That in turn contains a .NET malware downloader known as PureCrypter.
The loader will try to download a secondary payload from the group’s command and control (C2) infrastructure, which is a compromised domain belonging to a non-profit, Menlo Security said.
Among the malicious payloads observed by the security vendor in this campaign are various info-stealers and ransomware variants: Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia ransomware.
In the sample analyzed by security experts, PureCrypter attempts to download AgentTesla, an advanced backdoor designed to steal browser-based passwords, as well as take screen captures and log keystrokes.
“In our investigation, we found that AgentTesla establishes a connection to an FTP server where it stores the stolen victim’s credentials. The FTP server appears to have been taken over and the leaked credentials for the domain were found online, thus suggesting that the threat actors used these credentials to gain access to the server,” the report revealed.
“The FTP server was also seen in a campaign using OneNote to deliver malware. Attackers have been sending phishing emails with links to malicious OneNote files that can download additional malware or steal information from the victim’s device. Altogether, the labs team found 106 files using said FTP server.”
AgentTesla has been around for several years but continues to prove popular among threat actors.
The remote access Trojan (RAT) and info-stealer was the most widely used malware in October 2022, accounting for 7% of global detections by Check Point Software.
The malware stood at third place on the vendor’s monthly Global Threat Index report for January 2023.
Editorial credit icon image: Ink Drop / Shutterstock.com