Iranian state-sponsored threat group TA453 has been discovered using a novel 'multi-persona impersonation' (MPI) technique to craft more elaborate and legitimate-looking phishing emails, according to BleepingComputer.
Significantly more effort has been spent by TA453 on its new phishing technique, which uses several fake personas to create realistic conversations, a Proofpoint report revealed.
One of the attacks discovered to utilize MPI involved a phishing email purportedly sent by the Director of Research at the Foreign Policy Research Institute to the target, with a Director of Global Attitudes Research at the PEW Research Center being CCed.
Replies to the email the following day had the spoofed PEW director answer the FPRI director's queries. Attackers have also sent phishing emails to genome research scientists, with the CCed persona replying with a OneDrive link to a DOCX document laced with a malicious macro.
"The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls. The macros collect information such as username, list of running processes along with the user's public IP from my-ip.io and then exfiltrate that information using the Telegram API," said researchers.
BleepingComputer reports that recent phishing attacks by the QBot malware operation, also known as Qakbot, have involved the exploitation of a DLL hijacking flaw in the Windows 10 WordPad executable "write.exe."
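The two briefs above describe behaviours a defender can look for on the endpoint: the Korg macro running inside Word and reaching my-ip.io and the Telegram API, and WordPad's write.exe loading a DLL from somewhere other than the Windows system directories. The script below is an added example, not code from Proofpoint, BleepingComputer or the reports they cite; it runs two such detection rules over constructed, Sysmon-style event records. The field names (type, image, dest_host, loaded) and the sideloaded DLL filename are assumptions, and the reporting does not name the hijacked DLL.

```python
"""Defender-side detection over constructed endpoint telemetry.

Added example, not from the cited reporting. Two rules derived from the
behaviours described in the briefs:
  1. An Office application (the Korg macro runs inside Word) opening a
     network connection to my-ip.io or api.telegram.org.
  2. write.exe (WordPad) loading a DLL from outside the Windows system
     directories, the shape of a DLL search-order hijack.
Event records are constructed dicts; their field names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPECT_HOSTS = {"my-ip.io", "api.telegram.org"}   # hosts named in the report
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def image_name(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_network(event: dict) -> Optional[Alert]:
    """Rule 1: Office process contacting a recon/exfiltration host."""
    if event.get("type") != "network":
        return None
    img = image_name(event["image"])
    host = event.get("dest_host", "").lower()
    if img in OFFICE_IMAGES and host in SUSPECT_HOSTS:
        return Alert("office_suspect_egress", img, host)
    return None


def check_image_load(event: dict) -> Optional[Alert]:
    """Rule 2: write.exe loading a DLL from a non-system directory."""
    if event.get("type") != "image_load":
        return None
    if image_name(event["image"]) != "write.exe":
        return None
    loaded = event["loaded"].lower()
    if not loaded.endswith(".dll"):
        return None
    if not loaded.startswith(SYSTEM_DIRS):
        return Alert("wordpad_sideload_dll", "write.exe", event["loaded"])
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every rule over every event and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in (check_network, check_image_load):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    {"type": "network", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "dest_host": "my-ip.io"},                                   # public-IP lookup from a macro
    {"type": "network", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "dest_host": "api.telegram.org"},                           # Telegram API exfiltration
    {"type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "api.telegram.org"},                           # browser traffic: benign here
    {"type": "image_load", "image": "C:\\Windows\\System32\\write.exe",
     "loaded": "C:\\Windows\\System32\\ntdll.dll"},               # normal system DLL
    {"type": "image_load", "image": "C:\\Users\\Public\\Downloads\\write.exe",
     "loaded": "C:\\Users\\Public\\Downloads\\example_sideloaded.dll"},  # constructed hijack shape
    {"type": "image_load", "image": "C:\\Windows\\System32\\write.exe",
     "loaded": "C:\\Windows\\SysWOW64\\user32.dll"},              # normal system DLL
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.image} -> {alert.detail}")
```

Rule 2 is deliberately broad: it flags any DLL that write.exe loads from outside System32 or SysWOW64, so in production it should be tuned against a baseline of what WordPad legitimately loads on the fleet (for example from Program Files) before it becomes a high-severity alert. Rule 1 is narrow and high-signal, since an Office process has no ordinary reason to talk to either host.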
Microsoft credentials targeted in new phishing attacks with RPMSG files
New phishing attacks leveraging compromised Microsoft 365 accounts and encrypted restricted permission message (RPMSG) files are being used by threat actors to stealthily exfiltrate Microsoft credentials, according to BleepingComputer.
Numerous sectors, including government, financial services, media, manufacturing, transportation, and utilities, have been targeted by a large-scale credential phishing campaign leveraging the SuperMailer newsletter distribution app, which has doubled in volume each month since January, according to SecurityWeek.