A new wave of phishing attacks by a Russian-speaking threat actor uses Cloudflare-branded pages to deliver malware disguised as PDFs. The attacks leverage the ms-search protocol and involve Telegram for IP reporting, with various open directories exposing malicious infrastructure.
Affected: phishing, cybersecurity, online users
Key points:
- Phishing lures impersonating the Electronic Frontier Foundation were observed.
- Recent attacks utilize Cloudflare-branded phishing pages themed around DMCA notices.
- Malware downloads a malicious LNK file using a double extension.
- Victim’s IP is sent to an attacker-operated Telegram bot.
- Infrastructure includes exposed open directories and multiple domains.
- Actors are targeting specific communities with DMCA pressure tactics.
- Incremental changes in malware payload and delivery tactics noted.
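As an added defender-side example (not code from the Hunt.io report), the two delivery indicators above, a shortcut hiding behind a document extension and a Windows Search protocol URI (`search-ms:`, the ms-search protocol named above) whose `crumb` points at a remote share, can be screened with a small Python check. The sample filenames, the 203.0.113.5 address and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Extensions a lure pretends to have, and the ones it really carries.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "txt"}
DANGEROUS_EXTS = {"lnk", "exe", "scr", "hta", "js", "vbs", "cmd", "bat"}
# The summary calls it "ms-search"; the Windows handler is "search-ms:".
SEARCH_SCHEMES = ("search-ms:", "ms-search:")


def is_double_extension_lure(filename):
    """True when a name looks like a document but ends in a shortcut or
    executable extension, e.g. 'DMCA_Notice.pdf.lnk' (space padding between
    the two extensions is tolerated)."""
    base = re.split(r"[\\/]", filename.lower())[-1]
    parts = base.split(".")
    if len(parts) < 3:
        return False
    decoy, real = parts[-2].strip(), parts[-1].strip()
    return decoy in DECOY_EXTS and real in DANGEROUS_EXTS


def is_remote_search_uri(uri):
    """True when a Windows Search URI sets its 'crumb' location to a remote
    UNC or WebDAV path, which makes Explorer list files from that host."""
    if not uri.strip().lower().startswith(SEARCH_SCHEMES):
        return False
    query = uri.strip().split(":", 1)[1]  # search-ms URIs have no '?'
    for crumb in parse_qs(query).get("crumb", []):
        loc = crumb.lower()
        if loc.startswith("location:"):
            loc = loc[len("location:"):]
        if loc.startswith(("\\\\", "//", "http://", "https://")):
            return True
    return False


def scan(samples):
    """Return the samples matching either indicator, in input order."""
    return [s for s in samples
            if is_double_extension_lure(s) or is_remote_search_uri(s)]


SAMPLES = [  # constructed examples, not indicators from the report
    "DMCA_Notice.pdf.lnk",
    "DMCA_Notice.pdf",
    "invoice.lnk",
    r"search-ms:query=DMCA&crumb=location:\\203.0.113.5@80\share&displayname=Downloads",
    r"search-ms:query=report&crumb=location:C:\Users\Public&displayname=Local",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print("suspicious:", hit)
```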
MITRE Techniques:
- Credential Dumping (T1003): Used to gather credentials from the infected host through the PowerShell script.
- Command and Control (T1071): Communication via Telegram for IP reporting and Pyramid C2 for further instructions.
- Exploitation for Client Execution (T1203): Delivery of the LNK file masquerading as a PDF to exploit user interaction.
- Data Encrypted for Impact (T1486): The malware encrypts files to maintain control over the host and extract sensitive information from victims.
Indicators of Compromise:
- [IP Address] 104.245.241[.]157
- [IP Address] 213.209.150[.]191
- [Domain] idufgljr.procansopa1987[.]workers.dev
- [Filename] kozlina2.ps1
- [SHA-256] b542033864dd09b2cff6ddec7f19ac480ab79e742481a14ae345051d323f58e7
Full Story: https://hunt.io/blog/russian-actor-cloudflare-phishing-telegram-c2