Executive Summary
Proofpoint has identified two new cybercriminal threat actors, TA2726 and TA2727, responsible for web inject campaigns that distribute malware through compromised websites, according to a recently published report. TA2726 and TA2727 actors operate traffic distribution services (TDS) to redirect users to fake update lures, leading to the installation of malware on Windows, MacOS, and Android devices. A newly discovered MacOS malware, FrigidStealer, was deployed via these campaigns, highlighting the increasing sophistication of threats targeting Apple systems.
Community Impact
The retail and hospitality industries are prime targets for web inject campaigns, as these sectors rely on customer-facing websites and e-commerce platforms that can be compromised and used to spread malware. Attackers can redirect unsuspecting shoppers or employees to malicious fake update pages, leading to the theft of payment information, credentials, and other sensitive data. RH-ISAC Core Member Organizations should ingest the intelligence in this report and in the original Proofpoint report, linked above, and review and ingest the Indicators of Compromise provided below.
Technical Analysis
Proofpoint’s research revealed that TA2726 and TA2727 operate complex, multi-step malware delivery chains using web injects. These campaigns utilize traffic distribution services (TDS) to filter and redirect users based on their operating system, location, and browser type, ensuring they receive a tailored malicious payload.
Key malware variants distributed include:
- Lumma Stealer (Windows) & DeerStealer (Windows): Credential-harvesting malware targeting Windows users.
- FrigidStealer (MacOS): A new info-stealing malware targeting Mac users, harvesting browser cookies, Apple Notes, and cryptocurrency-related files.
- Marcher (Android): A banking trojan that tricks users into providing financial login credentials.
The attack chain involves fake update lures that prompt users to download malicious files disguised as legitimate software updates. In the case of MacOS, the DMG file installs FrigidStealer, leveraging Gatekeeper bypass techniques to evade detection. Additionally, Windows variants utilize DLL side-loading to execute payloads discreetly.
Indicators of Compromise
Proofpoint has provided the following Indicators of Compromise:
| IOCs | Description |
| --- | --- |
| askforupdate[.]org | FrigidStealer C2 |
| rednosehorse[.]com | TA2726 TDS |
| blackshelter[.]org | TA2726 TDS |
| deski[.]fastcloudcdn[.]com | Serving TA2727 lure |
| slowlysmiling[.]fastcloudcdn[.]com | Serving TA2727 lure |
| e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214 | FrigidStealer (Safari themed) |
| 274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973 | FrigidStealer (Chrome themed) |
| ca172f8d36326fc0b6adef9ea98784fd216c319754c5fc47aa91fce336c7d79a | Marcher (Android) |
| fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b | DOILoader into Lumma Stealer |
| d34c95c0563c8a944a03ee1448f0084dfb94661c24e51c131541922ebd1a2c75 | DOILoader into DeerStealer |
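The following Python script is an added example of how a defender could operationalize the indicators above; it is not code from Proofpoint or RH-ISAC. It refangs the defanged domains as published, then scans log lines for matching hosts (exact match or subdomain of a listed host, so a shared CDN parent such as fastcloudcdn[.]com alone does not fire) and for the listed SHA-256 hashes. The proxy and EDR log lines are constructed for the example, and the client addresses, hostname and file name in them are placeholders.

```python
import re

# IOC domains from the report, kept defanged exactly as published.
DEFANGED_DOMAINS = {
    "askforupdate[.]org": "FrigidStealer C2",
    "rednosehorse[.]com": "TA2726 TDS",
    "blackshelter[.]org": "TA2726 TDS",
    "deski[.]fastcloudcdn[.]com": "Serving TA2727 lure",
    "slowlysmiling[.]fastcloudcdn[.]com": "Serving TA2727 lure",
}

# SHA-256 hashes from the report (lowercase for case-insensitive lookup).
SHA256_HASHES = {
    "e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214": "FrigidStealer (Safari themed)",
    "274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973": "FrigidStealer (Chrome themed)",
    "ca172f8d36326fc0b6adef9ea98784fd216c319754c5fc47aa91fce336c7d79a": "Marcher (Android)",
    "fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b": "DOILoader into Lumma Stealer",
    "d34c95c0563c8a944a03ee1448f0084dfb94661c24e51c131541922ebd1a2c75": "DOILoader into DeerStealer",
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator (example[.]org, hxxp://) back to its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Live-form domain -> description, built once from the defanged list.
DOMAINS = {refang(d): desc for d, desc in DEFANGED_DOMAINS.items()}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def match_host(host: str):
    """Return (ioc_domain, description) if host is a listed domain or a subdomain of one, else None."""
    host = host.lower().rstrip(".")
    for domain, desc in DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return domain, desc
    return None


def scan_line(line: str):
    """Return a list of (type, ioc, description) hits found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        m = match_host(host)
        if m:
            hits.append(("domain", m[0], m[1]))
    for h in HASH_RE.findall(line):
        h = h.lower()
        if h in SHA256_HASHES:
            hits.append(("sha256", h, SHA256_HASHES[h]))
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines; return one finding dict per IOC hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, ioc, desc in scan_line(line):
            findings.append({"line": n, "type": kind, "ioc": ioc, "description": desc})
    return findings


# Constructed sample log lines (placeholder addresses, hostname and file name).
SAMPLE_LOG_LINES = [
    "2025-02-20T10:01:02Z proxy client=10.0.0.5 GET http://askforupdate.org/update/safari HTTP/1.1 200",
    "2025-02-20T10:01:05Z proxy client=10.0.0.7 GET https://www.example.com/ HTTP/1.1 200",
    "2025-02-20T10:02:11Z proxy client=10.0.0.5 GET https://deski.fastcloudcdn.com/update.js HTTP/1.1 200",
    "2025-02-20T10:02:30Z proxy client=10.0.0.9 GET https://cdn.fastcloudcdn.com/lib.js HTTP/1.1 200",
    "2025-02-20T10:03:00Z edr host=MAC-042 file=Update.dmg "
    "sha256=E1202C017C76E06BFA201AD6EB824409C2529E887BDAF128FC364BDBC9E1E214",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['type']} {f['ioc']} -> {f['description']}")
```

Running the script over the sample lines reports three hits (the C2 domain, the TA2727 lure host and the FrigidStealer hash) and ignores both the benign site and the unlisted sibling host on the same CDN parent; to use it in practice, feed it proxy, DNS or EDR exports line by line and route findings into your SIEM.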