Phishing scams: Chinese malware gang targets India

According to Blackberry’s Research and Intelligence Team, there are three phishing scams targeting Indian nationals. They are apparently coming from a Chinese state-sponsored malware gang.

Phishing scams from old attackers

Blackberry identified an Advanced Persistent Threat as APT41, a group that has been carrying out espionage and financially motivated operations since at least 2012. The targeted industries include travel, telecommunications, healthcare, news, and education.

Blackberry made an interesting discovery in India. They were able to join the dots between phishing and malware called “Cobalt Strike” by monitoring the C2 activity. This activity had similarities to other attacks, but was unique in that it used a bespoke, malleable command-and-control profile.

Researchers found that past and new phishing campaigns are associated with each other. So, according to the study, HTTP GET profile blocks that were identical to those on past campaigns, as well as similarities in beacon configuration data. Unique clusters of phishing campaigns were also found with unique metadata, which the researchers said belonged to APT41.

Hackers hide behind “mistakes”

The cyber attackers didn’t vary the domains they used in their campaigns. The naming conventions used were similar, for example replacing “i” with “l” or omitting a letter. Moreover, these similarities hinted at connections between different campaigns.

The Blackberry Squad found three phishing lures targeting Indian nationals trying to trick them into giving up their personal information. Thus, the attackers disguised the lures as government communication about taxes or COVID-19.

The phishing lure is one of APT41’s favorite tools. But it typically goes hand in hand with information stealers, keyloggers, and backdoors. Once it’s on the user’s machine, the threat blends in by using a customized profile to shield its network traffic.

Dangerous PDFs

So, the gang hid three different phishing in PDFs. One used a self-extracting archive, one a PowerShell script, and the last a zip file.

But the Blackberry could not uncover the additional infrastructure. Still, Blackberry mentioned that according to the findings, the campaign is linked to others, documented by Positive Technologies and Prevailion.

The team at Blackberry noted that the APT41 group is conducting new campaigns, and they will likely continue to do so in the future.