Security researchers have identified a new threat actor, dubbed TA2722, that is impersonating organizations related to health, customs, and labor organizations in the Philippines to lure victims.
What has been observed
Researchers from Proofpoint disclosed that TA2722 attackers (aka Balikbayan Foxes) launched a campaign intended to target a variety of industries across North America, Europe, and Southeast Asia.
Top sectors targeted by these campaigns include manufacturing, shipping, logistics, pharmaceutical, business services, energy, and finance.
Hackers impersonated several government organizations in the Philippines to send messages containing malicious links.
In some campaigns, attackers lured victims by pretending to be DHL Philippines or the Manila embassy for the Kingdom of Saudi Arabia (KSA).
All the campaigns were found distributing Remcos or NanoCore RATs.
Attackers were observed using multiple methods to distribute the threat, including
RAR files with embedded UUE files, which were hosted on OneDrive.
PDF files were sent as an email attachment, which consisted of a malicious URL that would run executable (.iso files) to eventually download malware.
Microsoft Excel documents with embedded macros, which would download malware upon execution.
For better clarity, Proofpoint researchers diversified the threat activities broadly into two clusters.
Researchers named the first cluster Shahzad73 which has been supposedly active since August 2020. It leverages themes and spoofed messages related to the Saudi Arabian Consulate in Manila, labor-related work, and billing or invoices.
The second cluster, named CPRS, has been active since October 2020. It leverages spoofed messages pretending to be from the Philippines Bureau of Customs and has impacted around 150 customers across shipping and logistics, manufacturing, and energy sectors.
Researchers believe that TA2722 is leveraging Remcos or NanoCore RATs to gain access to target devices across a variety of organizations. This could be an attempt to gather information, which could be used for later attacks such as BEC attacks. Alternatively, attackers may be attempting to install secondary malware. In either case, security professionals and organizations are recommended to track this threat to avoid any surprises.