The purpose of this blog is to provide information about the TA558 adversary, who has been very active across different sectors in Mexico. This information is presented using the Diamond Model for intrusion analysis. The Diamond Model visually organizes the key aspects of malicious activity in a diamond-shaped structure, simplifying the comprehension of the relationships between those aspects.

The Cyber Threat Diamond Model is a methodology employed to analyze and comprehend cyber threats from diverse perspectives. It is structured around four primary components: adversaries, infrastructure, capabilities, and victims.

- Adversaries: In this category, we identify and analyze the malicious actors that could pose a threat to a system or organization.
- Infrastructure: This quadrant examines the infrastructure employed by adversaries to execute their attacks.
- Capabilities: In this section, we evaluate the skills and technical knowledge of the adversaries.
- Victims: In this last quadrant, we identify the potential victims of the cyberattacks.

Using the Cyber Threat Diamond Model, we seek to gain a complete and detailed understanding of cyber threats, empowering organizations to proactively safeguard themselves and mitigate the associated risks.

TA558 is an eCrime adversary that primarily targets the hospitality and travel sectors, especially in Latin America (LATAM). However, the adversary has also targeted other lower-volume verticals, including the financial and manufacturing sectors.

TA558 campaigns are spread via spam emails, which are often sent in Portuguese, Spanish, and English. These emails employ various reservation-themed lures, most commonly disguised as hotel room reservations. However, recent emails were found referring to transfers, fines, invoices or legal processes.

These campaigns usually comprise long installation chains consisting of several intermediary downloaders. They often culminate in remote access tools (RATs), distributing one of at least 15 different malware payloads such as Remcos, AgentTesla or LimeRAT. The adversary leverages clandestine services to conduct its operations, including the Alosh and Fsociety Crypter-as-a-Service (CaaS) providers.

Figure 2: Victims worldwide

Affected sector: Hotel, Travel, Trading, Financial, Manufacturing, Industrial, Government

Countries: Spain, Mexico, United States, Colombia, Portugal, Brazil, Dominican Republic, Argentina

Tactics, Techniques and Procedures (TTPs)

- Takes advantage of topics related to the hospitality and travel industry.
- Delivers first-stage payloads via malicious phishing email attachments and/or links. The first-stage payloads include ISO, Office Open XML (DOCX), Microsoft Publisher (PUB), Windows Shortcut (LNK), Open Document Text (ODT), PowerPoint, and Compiled HTML (CHM) files.
- The installation chain typically consists of several intermediate downloaders.
- Campaigns often culminate in commodity RATs, including AsyncRAT, Babylon RAT, Revenge RAT, VenomRAT, Vjw0rm, or Xworm.
- Uses underground encryption (crypter) services to protect and execute payloads.
- Hosts payloads on legitimate services (e.g. Discord CDN, Firebase Storage, MediaFire, and Google CDN) and on malicious domains.
- Uses dynamic DNS (DDNS) for command and control (C2).

Here is the infection chain at a glance. The initial infection starts with a spam email carrying an Excel attachment with file names such as:

- ADMISSION NOTIFICATION AND RAD HEARING PROCEEDINGS #-2023
- CIRCULAR OF LEGAL PROCESS THAT IS PROVIDED AGAINST YOU
- JUDICIAL BRANCH OF PUBLIC POWER_SENTENCE OFFICE

Figure 4: Email with Excel attachment from July 2023

Figure 5: Email with ZIP attachment from August 2023

The emails are written in Spanish, Portuguese and sometimes English; depending on the type of campaign, Excel, compressed or ISO files are attached. This blog details one of the active campaigns related to a recent incident in September, detected in collaboration between the Metabase Q Threat Intel and SOC teams. The initial emails come with an attached Excel file (in formats such as .xlam) containing embedded malicious content. Once the document is open, users must click on "Enable Editing" to access the content.
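The following is an added example, not code from the original post or from Metabase Q: a small Python triage script for the two patterns described above, the macro-enabled Excel attachment (.xlam) that needs "Enable Editing", and payloads staged on legitimate file-hosting services. It flags attachments by extension, opens zip-based Office files to look for an embedded VBA project (an .xlam is an Office Open XML zip, so the macro is visible without running Excel), and flags URLs whose host is one of the abused services. The hostnames, the synthetic sample workbook and the sample email body are constructed assumptions for the example and are not campaign artifacts.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Attachment types the blog lists for TA558 first stages (ISO, LNK, PUB, ODT,
# CHM, Excel/.xlam, ZIP) plus the other macro-enabled Office extensions.
RISKY_EXTENSIONS = {
    "xlam", "xlsm", "xlsb", "docm", "dotm", "pptm",  # macro-enabled Office
    "iso", "lnk", "pub", "odt", "chm",               # first-stage types named on the page
    "zip", "rar", "7z",                              # compressed containers
}

# Services the blog says are abused to host payloads. The exact hostnames are
# assumptions for this example; adjust them to what you see in your own mail.
STAGING_HOSTS = {
    "cdn.discordapp.com",
    "firebasestorage.googleapis.com",
    "www.mediafire.com",
    "download1.mediafire.com",
}

# Where an Office Open XML package keeps its VBA project. .xlam/.xlsm/.docm
# are zip containers, so the macro is detectable without running Office.
OOXML_MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Verdict:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Flag an attachment by extension and, for zip-based files, by an embedded
    VBA project or a risky member (the ZIP-wrapped variant of the lure)."""
    verdict = Verdict(filename)
    if _ext(filename) in RISKY_EXTENSIONS:
        verdict.reasons.append(f"risky extension .{_ext(filename)}")
    if data[:4] == b"PK\x03\x04":  # zip local-file-header signature (OOXML and plain zip)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                for part in OOXML_MACRO_PARTS:
                    if part in names:
                        verdict.reasons.append(f"embedded VBA project ({part})")
                for member in names:
                    if _ext(member) in RISKY_EXTENSIONS:
                        verdict.reasons.append(f"risky archive member {member}")
        except zipfile.BadZipFile:
            verdict.reasons.append("zip signature but archive is unreadable")
    return verdict


def flag_staging_urls(text: str) -> list:
    """Return URLs from an email body or macro string dump whose host is one of
    the legitimate hosting services the campaign uses to stage payloads."""
    flagged = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in STAGING_HOSTS:
            flagged.append(url)
    return flagged


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal zip that mimics an Office Open XML workbook. This is a
    synthetic stand-in for the example, not a TA558 sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # OLE compound-file magic followed by a dummy body
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    lure = "ADMISSION NOTIFICATION AND RAD HEARING PROCEEDINGS.xlam"
    print(lure, "->", triage_attachment(lure, build_sample_ooxml(with_macro=True)).reasons)
    print("quarterly.xlsx ->", triage_attachment("quarterly.xlsx", build_sample_ooxml(with_macro=False)).reasons)
    # Constructed body text, not a real lure.
    body = "Descargue su citación: https://cdn.discordapp.com/attachments/1/2/citacion.vbs"
    print(flag_staging_urls(body))
```

The extension check alone is not enough: a mail gateway that only blocks .xlsm misses .xlam, which is why the script opens the container and looks for vbaProject.bin directly. Conversely a plain .xlsx with no VBA part is left alone even though it is a zip.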