AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 02/07/2022

Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan

Chinese state-backed advanced persistent threat (APT) group Antlion has been targeting financial institutions in Taiwan in a persistent campaign over the course of at least 18 months. The attackers deployed a custom backdoor we have called xPack on compromised systems, which gave them extensive access to victim machines. The backdoor allowed the attackers to run WMI commands remotely, while there is also evidence that they leveraged EternalBlue exploits in the backdoor. The attackers appeared to have the ability to interact with SMB shares, and it’s possible that they used mounted shares over SMB to transfer files from attacker-controlled infrastructure. There is also evidence that the attackers were able to browse the web through the backdoor, likely using it as a proxy to mask their IP address. The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks.


U.S. Authorities Charge 6 Indian Call Centers Scamming Thousands of Americans

A number of India-based call centers and their directors have been indicted for their alleged role in placing tens of millions of scam calls aimed at defrauding thousands of American consumers. The indictment charged Manu Chawla, Sushil Sachdeva, Nitin Kumar Wadwani, Swarndeep Singh, Dinesh Manohar Sachdev, Gaje Singh Rathore, Sanket Modi, Rajiv Solanki and their respective call centers for conspiring with previously indicted VoIP provider E Sampark and its director, Guarav Gupta, to forward the calls to U.S. citizens. “Criminal India-based call centers defraud U.S. residents, including the elderly, by misleading victims over the telephone utilizing scams such as Social Security and IRS impersonation as well as loan fraud,” the U.S. Justice Department said in a release.



Business email compromise, or BEC, has become an increasingly dangerous and widely used technique for an adversary to gain access to a business email account and spoof the identity of an employee. Unfortunately, this technique has moved beyond email to SMS (Short Message Service) on cell phones, where the attacker targets the victim's phone number instead of their mailbox. The technique is simple: an attacker obtains the phone number and then uses it to entice the user with offers of gift cards, wire transfers and the like. These lures then trick the user into sharing passwords, PINs and other highly sensitive information. Even more concerning, these attacks can also spoof legitimate two-factor authentication (2FA) methods used by many commerce sites, financial institutions and others, thereby opening up accounts to theft and attack. Many users experienced a flood of these attempted attacks over the recent holidays.


Mac Malware-Dropping Adware Gets More Dangerous

The latest version of a Mac Trojan called UpdateAgent, aka WizardUpdate, provides fresh evidence of the growing effort that some threat actors are putting into targeting Apple technologies. The malware, which impersonates legitimate software, such as support agents and video software, first surfaced in September 2020. It is commonly distributed via drive-by downloads or pop-ups for advertisements and fake updates for tools like the long-discontinued Adobe Flash Player. Since it first emerged, UpdateAgent’s authors have constantly updated it with significant new functionality. The most recent update in October was no exception.


European oil port terminals hit by cyberattack

Major oil terminals in some of Western Europe’s biggest ports have fallen victim to a cyberattack at a time when energy prices are already soaring, sources confirmed on Thursday. Belgian prosecutors have launched an investigation into the hacking of oil facilities in the country’s maritime entryways, including Antwerp, Europe’s second biggest port after Rotterdam. In Germany, prosecutors said they were investigating a cyberattack targeting oil facilities in what was described as a possible ransomware strike, in which hackers demand money to reopen hijacked networks. Oil prices hit a seven-year high last month amid diplomatic tensions with gas supplier Russia, and energy bills are fueling a rise in inflation that has spooked European policymakers.


How Phishers Are Slinking Their Links Into LinkedIn

If you received a link to LinkedIn.com via email, SMS or instant message, would you click it? Spammers, phishers and other ne’er-do-wells are hoping you will, because they’ve long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly LinkedIn’s parent firm Microsoft). At issue is a “redirect” feature available to businesses that choose to market through LinkedIn.com. The LinkedIn redirect links allow customers to track the performance of ad campaigns while promoting off-site resources. These links, or “Slinks”, all have a standard format: “hXXps://www.linkedin.com/slink?code=” followed by a short alphanumeric variable.
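Because the Slink format described above is fixed, a mail or SMS filtering pipeline can single these links out for review before a user ever clicks them. The following is an added example written for this digest, not code from the original article or from LinkedIn: it refangs the "hXXps" notation used above, checks that a URL is a linkedin.com/slink redirect carrying a single alphanumeric code parameter, and triages a constructed list of extracted links. The sample links and the reason label "linkedin-slink-redirect" are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of link targets, as a filter might extract them from an inbound message.
SAMPLE_LINKS = [
    "https://www.linkedin.com/slink?code=abc123XYZ",   # Slink redirect (constructed code)
    "hXXps://www.linkedin.com/slink?code=g4Hj9",       # same, in defanged notation
    "https://www.linkedin.com/in/some-profile",        # ordinary LinkedIn page
    "https://example.org/login",                       # unrelated site
    "https://www.linkedin.com/slink",                  # slink path but no code parameter
]

SLINK_PATH = "/slink"
LINKEDIN_HOSTS = {"linkedin.com", "www.linkedin.com"}
CODE_RE = re.compile(r"^[A-Za-z0-9]+$")   # Slink codes are short alphanumeric strings


def refang(url: str) -> str:
    """Turn a defanged scheme (hxxp:// or hXXps://) back into http(s):// so urlparse works."""
    return re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", url)


def is_linkedin_slink(url: str) -> bool:
    """True when the URL is a LinkedIn Slink redirect with exactly one alphanumeric code."""
    parsed = urlparse(refang(url))
    if parsed.netloc.lower() not in LINKEDIN_HOSTS:
        return False
    if parsed.path.rstrip("/") != SLINK_PATH:
        return False
    codes = parse_qs(parsed.query).get("code", [])
    return len(codes) == 1 and bool(CODE_RE.match(codes[0]))


def triage_links(links):
    """Return (url, reason) pairs for links that deserve analyst review.

    A Slink is legitimate LinkedIn functionality used by real advertisers, so the
    example flags it for review rather than blocking it outright; the final
    destination is only known after the redirect is followed, which a pipeline
    would do in a sandbox rather than on a user's device.
    """
    return [(link, "linkedin-slink-redirect") for link in links if is_linkedin_slink(link)]


if __name__ == "__main__":
    for url, reason in triage_links(SAMPLE_LINKS):
        print(f"{reason}: {url}")
```

The host check is an exact match on the two linkedin.com hostnames, so look-alike domains (for example a third-party host with "linkedin" in its name) are deliberately not treated as Slinks; they would be covered by ordinary brand-impersonation rules, not by this one.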


Cybercriminals launch campaign targeting Intuit users

Tax season is a notoriously busy time of year for cybercriminals and tax-related security teams. A security notice issued earlier this week is warning TurboTax customers to watch out for e-mails threatening to cancel their tax preparation accounts. The emails, which claim to be from the Intuit Maintenance Team, are phishing attacks attempting to gather sensitive user information. The Intuit security notice, TXP099497, provides customers with the information needed to identify and avoid the recent phishing attempts. It describes the attack’s strategy and provides recommended steps to avoid or resolve any exposure. This type of phishing attack, known as a phishing lure, tries to trick people by impersonating a valid company and sending messages to users on that company’s behalf.
