An Update on Fake Updates: Two New Actors, and New Mac Malware

Proofpoint has identified two new cybercriminal actors, TA2726 and TA2727, associated with web inject campaigns, and a new macOS malware called FrigidStealer. The web inject landscape continues to expand as more threat actors enter it, which makes tracking increasingly difficult.

Affected: cybercriminal threat actors, macOS users, Windows users, Android users

Key points:

  • Proofpoint named two new threat actors, TA2726 and TA2727, involved in web inject campaigns.
  • A new macOS malware called FrigidStealer was identified, delivered through these campaigns.
  • The web inject threat landscape is dynamic, with many copycat actors complicating analyses.
  • Historically, TA569 was a major player in web inject campaigns, predominantly using fake updates.
  • TA2726 acts as a traffic distribution service (TDS), enabling malware delivery for other actors.
  • TA2727 collaborates with TA569 and employs fake update lures to distribute malware.
  • FrigidStealer is a new information stealer targeting macOS users, delivered with social engineering lures.
  • The campaign’s attack chain includes malicious injects, traffic distribution services, and end payloads.

MITRE Techniques:

  • TA2726 (T1555.003 – Credentials from Password Stores): Compromises websites to distribute web injects.
  • TA2727 (T1193 – Spear Phishing Link): Uses phishing emails redirecting users to compromised websites.
  • FrigidStealer (T1071.001 – Application Layer Protocol: Web Protocols): Exfiltrates data to the command and control server askforupdate[.]org.

Indicators of Compromise:

  • [Domain] askforupdate[.]org (C2 for FrigidStealer)
  • [Domain] rednosehorse[.]com (TA2726 TDS)
  • [Domain] blackshelter[.]org (TA2726 TDS)
  • [Domain] deski[.]fastcloudcdn[.]com (Serving TA2727 lure)
  • [Hash] e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214 (FrigidStealer, Safari-themed)

Full Story: https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware