On March 5, 2023, Zscaler researchers reported details of a sophisticated phishing campaign they attribute to a single threat actor, leveraging fake meeting invitations for popular video conference tools to spread remote access trojans (RATs).
Community Impact
The RH-ISAC intelligence team assesses that this and similar campaigns constitute a moderate threat to the RH-ISAC community. Phishing and spearphishing campaigns remain among the top threat vectors reported by members. Additionally, members have specifically reported an influx of campaigns leveraging fake video call invites. Thus, members are advised to take appropriate defensive measures, such as strengthening security awareness training among staff and tightening controls on email gateways.
Technical Details
According to the report, the campaign has been active since late 2023 and the RATs spread in the campaign include SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems. The campaign specifically leverages fake invitations for Skype, Zoom, and Google Meets calls.
Researchers also noted that the attacker utilized shared web hosting, serving the fake online meeting sites from a single IP address, with all of the fake sites written in Russian. In addition, the report noted that the attackers hosted these fake sites on URLs that heavily resembled the actual websites of the impersonated services.
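As an added example (not from the Zscaler report or RH-ISAC), the following Python helper shows how an email gateway or SOC triage script can flag invite links whose hostname merely resembles the real Zoom, Skype or Google Meet domains; the legitimate-domain list, the edit-distance threshold and the sample URLs are assumptions chosen for illustration.

```python
# Added example: classify meeting-invite links as legitimate, lookalike or
# unrelated. Domain list, threshold and sample input are constructed, not
# taken from the Zscaler report.
import re
from urllib.parse import urlparse

# Registered domains of the three services impersonated in the campaign
# (assumed allowlist; extend for your own environment).
LEGIT_DOMAINS = {"zoom.us", "skype.com", "meet.google.com", "google.com"}
# Brand labels that should never appear in a hostname outside LEGIT_DOMAINS.
BRAND_LABELS = ("zoom", "skype", "google")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as zo0m or skyp3."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(host: str) -> str:
    """Second-level label of the host (naive eTLD+1, no public suffix list)."""
    parts = host.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one invite URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    # Brand word anywhere in a foreign hostname, e.g. zoom-us.example or
    # meet.google.com.evil.example (subdomain spoofing).
    if any(label in host for label in BRAND_LABELS):
        return "lookalike"
    # One-character typosquat of the registrable label, e.g. zo0m.us
    if any(_levenshtein(_registrable_label(host), b) <= 1 for b in BRAND_LABELS):
        return "lookalike"
    return "unrelated"


def triage_invite(body: str) -> list:
    """Extract every http(s) link from an email body and classify each one."""
    links = re.findall(r"https?://[^\s<>]+", body)
    return [(u, classify_link(u)) for u in links]
```

Links classified as "lookalike" are candidates for quarantine or analyst review rather than automatic blocking, since the naive domain parsing above will produce some false positives.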
IOCs
Researchers provided the following file names as indicators of compromise (IOCs):
- Win32.Backdoor.DCRat
- Win32.Backdoor.NjRat
TTPs
Researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs):
Enterprise Matrix
TACTIC | TECHNIQUE NAME |
Execution | Scripting: PowerShell |
Persistence | Registry Run Keys / Startup Folder |
Privilege Escalation | Boot or Logon Autostart Execution |
Defense Evasion | Deobfuscate/Decode Files or Information |
Defense Evasion | Scripting |
Defense Evasion | Obfuscated Files or Information |
Defense Evasion | Software Packing |
Defense Evasion | File Deletion |
Defense Evasion | Masquerading |
Credential Access | Input Capture |
Credential Access | Credentials from Password Stores |
Discovery | System Time Discovery |
Discovery | File and Directory Discovery |
Discovery | System Information Discovery |
Discovery | Security Software Discovery |
Discovery | Process Discovery |
Discovery | Application Window Discovery |
Discovery | Remote System Discovery |
Discovery | System Network Configuration Discovery |
Discovery | Peripheral Device Discovery |
Collection | Audio Capture |
Collection | Clipboard Data |
Collection | Input Capture |
Collection | Screen Capture |
Collection | Video Capture |
Command and Control | Remote Access Software |
Command and Control | Encrypted Channel |
Command and Control | Non-Standard Port |
Command and Control | Non-Application Layer Protocol |
Command and Control | Application Layer Protocol |
Impact | Network Denial of Service |
Impact | System Shutdown/Reboot |
Mobile Matrix
TACTIC | TECHNIQUE NAME |
Persistence | Event Triggered Execution: Broadcast Receivers |
Persistence | Masquerade as Legitimate Application |
Privilege Escalation, Persistence | Abuse Elevation Control Mechanism |
Collection | Data from Local System |
Collection | Audio Capture |
Collection | Location Tracking |
Collection | Contact and SMS Data |