Advanced persistent threat groups El Machete, Lyceum, and SideWinder exploited the ongoing Russian invasion of Ukraine last month in spearphishing campaigns targeting organizations across various sectors around the world, The Hacker News reports.
Check Point Research noted that different lures have been leveraged by the attackers depending on the targets and region.
"Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks," said Check Point Research.
Spanish-speaking APT El Machete used macro-laced lures to deploy the Loki.Rat malware, which harvests keystrokes, credentials, and clipboard data.
The report also showed that the phishing campaign of Iranian APT group Lyceum delivered messages about "Russian war crimes in Ukraine" that drop first-stage Golang and .NET droppers.
State-sponsored hacking group SideWinder, meanwhile, used a document exploiting a Microsoft Office Equation Editor vulnerability to spread info-stealing malware.
"This war affects multiple regions around the world and has potentially far-reaching ramifications. As a result, we can expect that APT threat actors will continue to use this crisis to conduct targeted phishing campaigns for espionage purposes," Check Point Research said.
Sixty thousand emails from U.S. State Department accounts were exfiltrated by Chinese threat actors during the widespread compromise of Microsoft email accounts that began in May, according to a staffer working for Sen. Eric Schmitt, R-Mo., Reuters reports.
Threat actors have leveraged the ZeroFont phishing technique, which originally involved inserting hidden (zero-size) characters or words into emails to evade security detection systems, to manipulate the message previews shown in Microsoft Outlook and other email clients, BleepingComputer reports.
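The preview manipulation described above works because a preview pane that ignores CSS shows all text in document order, while the rendered body hides anything styled at zero font size. The following is an added defender-side example, not code from SC Media or BleepingComputer: it parses an HTML email body, separates text inside inline `font-size:0` elements from visible text, reconstructs what a CSS-blind preview would show, and flags a mismatch. The preview length, the constructed sample message, and the restriction to inline styles (class-based hiding via stylesheets is not resolved) are all assumptions of this example.

```python
"""Detect ZeroFont-style hidden text in an HTML email body (added example)."""
import re
from html.parser import HTMLParser

# CSS declarations that render text at zero size (font-size:0, 0px, 0pt, 0em, 0%).
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
# Elements that carry no text and have no closing tag.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "area", "base", "col", "wbr"}
# Invisible Unicode code points sometimes used to break up keywords.
ZERO_WIDTH_CHARS = "\u200b\u200c\u200d\u2060\ufeff"
PREVIEW_LEN = 80  # assumed preview length; real clients vary


class ZeroFontScanner(HTMLParser):
    """Collects text segments in document order, tagging those inside a
    font-size:0 element (nested descendants inherit the hiding)."""

    def __init__(self):
        super().__init__()
        self.segments = []      # list of (text, is_hidden)
        self._stack = []        # open elements as (tag, introduced_hiding)
        self._hidden_depth = 0  # number of enclosing font-size:0 elements

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hides = bool(ZERO_FONT_RE.search(style))
        if hides:
            self._hidden_depth += 1
        self._stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Ignore void tags and stray closers that match nothing open.
        if tag in VOID_TAGS or not any(t == tag for t, _ in self._stack):
            return
        # Pop back to the matching open tag, undoing any hiding we pass.
        while self._stack:
            open_tag, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Stylesheet and script bodies are not rendered text.
        if self._stack and self._stack[-1][0] in ("style", "script"):
            return
        self.segments.append((data, self._hidden_depth > 0))


def _norm(text):
    """Collapse whitespace runs so comparisons ignore layout."""
    return " ".join(text.split())


def analyze_email(html_body, preview_len=PREVIEW_LEN):
    """Return what the user sees, what is hidden, and whether a CSS-blind
    preview of the message would differ from the rendered body."""
    parser = ZeroFontScanner()
    parser.feed(html_body)
    parser.close()
    visible = _norm("".join(t for t, hidden in parser.segments if not hidden))
    hidden = _norm("".join(t for t, hidden in parser.segments if hidden))
    # A preview pane that ignores CSS sees every text node in document order.
    preview = _norm("".join(t for t, _ in parser.segments))[:preview_len]
    zero_width = sum(visible.count(c) for c in ZERO_WIDTH_CHARS)
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "preview": preview,
        "preview_mismatch": not visible.startswith(preview),
        "zero_width_chars": zero_width,
        "suspicious": bool(hidden) or zero_width > 0,
    }


# Constructed sample message for demonstration; not a real phishing email.
SAMPLE_EMAIL = """<html><body>
<span style="font-size:0px;">Safe, verified, from the bank: your statement is ready.</span>
<p>Dear customer, we detected unusual activity. <a href="https://example.invalid/verify">Verify</a> now.</p>
</body></html>"""

if __name__ == "__main__":
    for key, value in analyze_email(SAMPLE_EMAIL).items():
        print(f"{key}: {value!r}")
```

Running the block prints a `preview` that opens with the reassuring hidden sentence while `visible_text` contains only the urgent lure, which is exactly the discrepancy a mail gateway or client-side filter can alert on.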
BleepingComputer reports that individuals who have filed claims against bankrupt cryptocurrency lender Celsius have been subjected to phishing attacks involving the impersonation of the lender's claims agent, Stretto.