Unit 42 exposed a targeted campaign that uses the Lampion malware against Portuguese entities, primarily in government, finance, and transportation. The campaign combines ClickFix social engineering with heavily obfuscated VB scripts. (Affected: government, finance, transportation)
Key points:
- Unit 42 identified a malicious campaign targeting Portuguese organizations.
- The campaign primarily focuses on government, finance, and transportation sectors.
- Lampion is an infostealer that targets sensitive banking information.
- ClickFix lures prompt users to run the malicious commands themselves.
- The campaign follows earlier Lampion activity and reuses similar TTPs.
- The infection chain includes phishing emails with malicious ZIP attachments.
- Obfuscated VB scripts are used to complicate detection.
- The research emphasizes the need for enhanced threat detection capabilities.
MITRE ATT&CK Techniques:
- Phishing (T1566): The attack begins with phishing emails that contain malicious ZIP files.
- Command and Scripting Interpreter (T1059): Malicious PowerShell commands are executed to start the infection chain.
- Obfuscated Files or Information (T1027): Multiple obfuscations are used in VB scripts to hinder detection.
- Scheduled Task/Job (T1053): Tasks are created to trigger secondary infection stages at random times.
- Exfiltration Over Command and Control Channel (T1041): Collected data is sent to the C2 server during initial reconnaissance.
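As an added example, not code from the Unit 42 article, the following Python script runs detection logic for the ClickFix-style chain described above (an interpreter launched from the Run dialog with evasion flags, a script host executing a VBS from a user-writable path, and a scheduled task whose action is a script host) over constructed Sysmon-like process-creation events. The field names, paths, command lines and thresholds are assumed for illustration and are not indicators from the Lampion campaign.

```python
"""Detection logic for a ClickFix-style infection chain, run over constructed
Sysmon-like process-creation events.

Added example, not code from the Unit 42 article. Field names, paths and
command lines are constructed for illustration; none are indicators from
the Lampion campaign.
"""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# Constructed events shaped like Sysmon Event ID 1 (process creation), reduced
# to the three fields the rules need. Not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    # ClickFix: the user pastes a command into the Run dialog, so explorer.exe
    # becomes the parent of a hidden, Base64-encoded PowerShell process.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Next stage: wscript.exe runs a VBS dropped under the user profile.
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage2.vbs"'},
    # Persistence: schtasks registers a task whose action is a script host.
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks /create /tn Updater /tr "wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs" /sc once /st 14:37'},
    # Benign control: an administrator runs PowerShell from a console.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell Get-Service"},
]

# Interpreters a ClickFix lure typically asks the victim to launch.
CLICKFIX_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)(?:\s|$)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)
TASK_ACTION = re.compile(r'/tr\s+"?[^"]*(?:wscript|cscript|powershell|mshta)', re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Return the name of the first rule the event matches, or None."""
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmd = ev["command_line"]

    # Rule 1: interpreter spawned by explorer.exe (Run dialog / shell) with
    # evasion flags. explorer.exe is also the parent of double-clicked
    # shortcuts, so requiring the flags keeps ordinary use out.
    if image in CLICKFIX_IMAGES and parent == "explorer.exe" and (
        ENCODED_FLAG.search(cmd) or HIDDEN_FLAG.search(cmd) or "bypass" in cmd.lower()
    ):
        return "clickfix_run_dialog"

    # Rule 2: script host executing a script from a user-writable directory.
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
        return "script_host_user_path"

    # Rule 3: scheduled task created with a script host or PowerShell action.
    if image == "schtasks.exe" and "/create" in cmd.lower() and TASK_ACTION.search(cmd):
        return "schtasks_script_persistence"

    return None


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every event through classify(); return (index, rule) for hits."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            hits.append((i, rule))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {SAMPLE_EVENTS[idx]['command_line']}")
```

The three rules fire on the first three constructed events and stay silent on the benign console session. In production, each rule would be tuned against the environment's own baseline (for example, signed administrative scripts launched from user profiles) before alerting on it.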
Indicators of Compromise:
- Phishing emails are the initial attack vector.
- Hashes are provided for the VBS files of multiple stages, indicating several versions of the malware.
- Specific domains and URLs associated with the campaign are identified as known malicious entities.
- IP addresses identify the cloud-hosted C2 servers used in the campaign.
Full Story: https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/