Several new malware campaigns have been identified recently that are being used to deliver a range of malicious payloads, including malware downloaders, information stealers, remote access Trojans (RATs), backdoors, and ransomware. These threats are delivered through a range of attack vectors, including email, SMS messages, and even over the telephone.

An as-yet-unidentified threat actor has been conducting a phishing campaign that distributes PureCrypter as the first stage of a multi-stage attack. PureCrypter is a fully featured malware downloader that was first identified in March 2021 and is now sold under the malware-as-a-service model: the operator rents access to other threat actors, who use it to deliver a range of payloads, most of them information stealers and RATs.

The latest campaign, identified by researchers at Menlo Security, primarily targets government entities in North America and the Asia Pacific region. The attacks start with a phishing email containing a Discord app URL. If the link is clicked, a password-protected ZIP archive is downloaded from Discord. Because the archive is encrypted, email gateways and sandboxes cannot inspect its contents without the password supplied in the lure; inside is an executable that installs the PureCrypter downloader.

The payloads vary, but the latest campaign delivers AgentTesla, hosted on a legitimate but compromised domain belonging to a non-profit organization. AgentTesla is a .NET-based information stealer that harvests saved browser passwords and clipboard contents, logs keystrokes, and captures screenshots. The stolen data is exfiltrated to a command-and-control server located in Pakistan. PureCrypter has also been used to deliver the RedLine information stealer, the Blackmoon banking Trojan, and the Eternity and Philadelphia ransomware families.

Email campaigns distributing malware and links to phishing pages remain common, but threat actors have branched out into other channels for delivering malware and stealing credentials. SMS-based phishing (smishing) has surged because mobile messaging lacks the filtering that corporate email receives, and telephone-oriented attack delivery (TOAD) attacks are growing rapidly.

In a TOAD attack, initial contact is usually made by email, but the email carries no malicious attachment or link. It presents a plausible call to action, such as a bogus invoice or subscription renewal, and gives a telephone number to call to resolve the supposed problem. Because there is no malicious content to detect, these emails slip past most email security solutions. The phone lines are staffed by the threat actor, often from call centers in India, and the operators talk victims into downloading a file that gives the attacker remote access to their device. The files are typically legitimate remote access software or malware downloaders such as BazarLoader, which, like PureCrypter, is used to deliver a range of payloads, especially ransomware.
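As an added example (not code from TitanHQ, Menlo Security or any product mentioned on this page), the following Python script scores email text against the two lures described above: a Discord-hosted, password-protected archive link of the kind used by the PureCrypter campaign, and a TOAD message that carries a phone number and a billing pretext but no links or attachments. The regular expressions, point values, threshold and sample messages are constructed assumptions for illustration, not vendor detection rules.

```python
"""Heuristic triage for two phishing lures: a password-protected archive
hosted on Discord's CDN, and a TOAD callback email with a phone number but
nothing to click. Added example; regexes, points, threshold and samples are
illustrative assumptions, not rules from any vendor named in the article."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Discord file-hosting URLs as they appear in mail bodies.
DISCORD_CDN = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/\S+", re.I)
ARCHIVE_EXT = re.compile(r"\.(?:zip|rar|7z|iso|img)\b", re.I)
ANY_URL = re.compile(r"https?://\S+", re.I)
PASSWORD = re.compile(r"\bpassword\b", re.I)
# North American phone number: optional +1, then 3-3-4 digits with separators.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}")
# Pretexts typical of callback phishing: billing, renewals, deadlines.
URGENCY = re.compile(
    r"\b(?:invoice|renew(?:al|ed)?|subscription|charged|payment|cancel|"
    r"refund|within 24 hours|immediately|suspended)\b", re.I)

THRESHOLD = 50  # assumed cut-off above which a message is quarantined


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def triage(subject: str, body: str, attachments: tuple[str, ...] = ()) -> Verdict:
    """Score one message; attachments holds the names of attached files."""
    text = f"{subject}\n{body}"
    verdict = Verdict()
    urls = ANY_URL.findall(text)

    # Lure 1: file-sharing CDN link, worse when it points at an archive and
    # the sender supplies the password (the gateway could not open it either).
    cdn_links = DISCORD_CDN.findall(text)
    if cdn_links:
        verdict.add(40, "discord_cdn_link")
        if any(ARCHIVE_EXT.search(u) for u in cdn_links):
            verdict.add(20, "archive_on_cdn")
        if PASSWORD.search(text):
            verdict.add(20, "password_supplied_for_archive")

    # Lure 2: callback phishing. A phone number plus a billing/urgency
    # pretext and nothing else to click is the TOAD signature.
    if PHONE.search(text) and URGENCY.search(text):
        if not urls and not attachments:
            verdict.add(60, "callback_only_no_links_or_attachments")
        else:
            verdict.add(20, "phone_plus_urgency")
    return verdict


# Constructed sample messages (subject, body, attachment names); not real lures.
PURECRYPTER_LURE = (
    "Document for review",
    "Please review the attached document: "
    "https://cdn.discordapp.com/attachments/1234567890/9876543210/Document.zip "
    "The archive password is Review2023",
    (),
)
TOAD_LURE = (
    "Order confirmation",
    "Your antivirus subscription has been renewed and your card was charged "
    "$399.99. If you did not authorize this payment, call our billing desk at "
    "+1 (800) 555-0199 within 24 hours to cancel and request a refund.",
    (),
)
BENIGN = (
    "Lunch tomorrow?",
    "The menu is at https://example.com/menu if you want to pick ahead, "
    "or call me at 206-555-0147.",
    (),
)

if __name__ == "__main__":
    for name, sample in [("purecrypter", PURECRYPTER_LURE),
                         ("toad", TOAD_LURE), ("benign", BENIGN)]:
        v = triage(*sample)
        print(f"{name:12} score={v.score:3} suspicious={v.suspicious} "
              f"reasons={v.reasons}")
```

Running the script scores the three constructed samples. Note that the callback rule deliberately rewards the absence of links and attachments, which is exactly what makes TOAD mail invisible to signature-based filters; a production deployment would tune the pretext list to its own billing vocabulary and treat the score as one signal alongside sender reputation and user reports rather than as a verdict on its own.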

With such a variety of threats to defend against, and the difficulty of identifying them with standard cybersecurity solutions, security awareness training has never been more important. Employees need to be made aware of these threats and trained to recognize them, and that training should be paired with technical controls such as quarantining password-protected archives and file-sharing links from external senders.

If you want to improve your defenses against increasingly sophisticated attacks targeting employees, give the TitanHQ team a call to find out more about how the SafeTitan security awareness training platform can be leveraged to greatly improve your security posture by addressing the human vulnerabilities that threat actors are so often exploiting.