Search This Blog

Showing posts with label Spear Phishing. Show all posts

Hacking Group Earth Wendigo Exploits Emails via Spear-phishing Attacks


As per the cybersecurity experts, the cyberattacks are related to Earth Wendigo, a cyber criminal currently not linked to any of the hacking groups. At the start of May 2019, Trend Micro reported that multiple organizations were attacked by Earth Wendigo. The targets include research institutions, government organizations and universities. The cyberattack used spear-phishing mails to exploit its victims, which include activists and politicians based in Hong Kong, Tibet and Uyghur region. 

Trend Micro reports, "we discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.” 

Earth Wendigo deployed spear-phishing emails that contained obfuscate Java script code, using initial attack vectors, Java script loaded corrupted scripts from remote servers controlled by attackers. The scripts were built for stealing Webmail session keys and browser cookies, spread the malicious scripts through appending code with the target's email signature, and exploiting an XSS (cross-site scripting) vulnerability in the Javascript injection Webmail server. "The Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a JavaScript backdoor. The WebSocket server instructs the backdoor on the victim’s browser to read emails from the webmail server and then send the content and attachments of the emails back to the WebSocket servers," says Trend Micro. 

The XSS vulnerability exploit exists in system shortcut feature of webmail, which allows the threat actor to put craft payload shortcut that replaces webmail system page's parts by corrupted JavaScript codes. "Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers," reports Trend Micro.

Users Might be Under Risk of DNS Vulnerability


What is DNS?

It is an essential element in the network (online infrastructure) that allows users to watch or access content on the internet by building a link between an IP address and the respective website with the help of a database. Hackers can use it as an opportunity to disturb the service, which causes altering in the domain registrars. Also known as DNS hijacking, altering domain registrars can cause DDoS attacks, DNS Tunneling, cache position, etc.


About the DNS Risk 

  • In a recent incident, a cryptocurrency exchange Japanese company named Coincheck was a victim of DNS Hijacking. The attack costed the company exposure of around 200 clients' private information and e-mails. The hackers first altered the basic DNS entry by using the company's account and Oname.com- the company's domain registrar provider. After this, the hackers used a spear-phishing technique to steal information and e-mails from the 200 clients. 


  • In another DNS hijacking incident last month, a group of experts from Israel found an "NXNS Vulnerability." The vulnerability in the DNS servers can cause massive scale DDoS attacks if exploited by hackers. To lessen the impact of the attack, Microsoft recently issued a security advisory about the vulnerability. 
It is not all; the DNS vulnerability issue is just one thing. According to cyber experts, there is another DNS threat out in the wild, and the pressing issue is that very few people know about it.

Concerns regarding DNS 

In present times, the most pressing problem, according to cybersecurity experts, is the exploitation of unattended domains. In other words, domains that are no longer in use but still exist on the internet. It happens under the circumstances of dissolved firms, mergers, and partnerships, as the companies leave out their old domains because of the rebranding. If a domain is left out to expire, the following things can happen:

  • If the hackers re-register the expired domains and make a new e-mail server, they can have access to confidential organizational information.
  • Left out domains of stores can be re-built, and the hackers can use it to receive orders and steal the money.

Researchers Discover the Existence of the New APT Framework “Darkuniverse”



A new APT Framework named "DarkUniverse" was recently discovered by researchers via tips from a script that was utilized in the NSA breach in 2017 wherein the well-known hacking tools leak 'Lost in Translation' was published by shadow brokers.

Researchers believe that the "DarkUniverse" APT Framework was active in at least 8 years from 2009 until 2017, and the traces show that it's likewise tied with ItaDuke, an actor that utilized PDF exploits for dropping previously unknown malware.

There are various versions of the sample been utilized for this campaign between 2009 to 2017, and the most recent rendition of the malware utilized until 2017. The further examination uncovers that the battle is for the most part utilizing the spear-phishing emails to convey the malware through the weaponized Microsoft Office document attachment.

As indicated by Kaspersky investigate, “DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch.”

The DarkUniverse campaign is said to gather different sensitive information including Email conversations, files from specific directories, screenshots, information from the Windows registry, sends a file to the C2, credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and more.

The malicious framework targeted on different nations including Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates and the victims included both non-military personnel and military associations.