A threat group impersonated Trend Micro to launch a targeted spear-phishing campaign against critical infrastructure, leveraging the vendor’s branding to deceive victims. This operation appears to be linked to the cybercriminal group Void Rabisu, showcasing a mix of old and new attack techniques. #SHADOWVOID042 #VoidRabisu
Key points
- The attack involved spear-phishing emails impersonating Trend Micro with urgent security advisories.
- Victims were directed to decoy websites mimicking Trend Micro’s corporate style, hosted under “TDMSEC.”
- The campaign used a multi-stage, tailored approach targeting specific machines and delivering intermediate payloads.
- The links were tied to exploits, including one for a Chrome vulnerability from 2018, indicating that the group uses its zero-days selectively.
- Signs suggest the attack group is linked to Void Rabisu, a Russian-aligned cyber espionage and cybercrime threat actor.
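The impersonation described above (a trusted vendor's name in the sender field, an urgent "security advisory" subject, and a lookalike domain) is something mail-filtering rules can flag before a user ever clicks. The following Python triage sketch is an added example, not code from the original report or from Trend Micro; the allowlist of legitimate vendor domains, the urgency keywords and all sample messages are constructed assumptions for illustration.

```python
"""
Heuristic triage for brand-impersonating spear-phishing senders.

Added example, not part of the original report. VENDOR_DOMAINS,
URGENCY_TERMS and SAMPLE_MESSAGES are assumptions constructed for
illustration; no address or domain below is a real indicator.
"""
from email.utils import parseaddr

# Assumed legitimate domains of the impersonated brand (assumption).
VENDOR_DOMAINS = {"trendmicro.com"}
# Brand strings we expect an impersonator to borrow (assumption).
BRAND_KEYWORDS = ("trend micro", "trendmicro")
# Pressure words typical of fake "urgent advisory" lures (assumption).
URGENCY_TERMS = ("urgent", "immediate", "action required", "critical")

# Constructed sample mailbox: one legitimate mail, two lures, one unrelated mail.
SAMPLE_MESSAGES = [
    {"from": "Trend Micro Security <advisory@trendmicro.com>",
     "subject": "Monthly product update"},
    {"from": "Trend Micro Security Team <alerts@trendmicro-advisories.net>",
     "subject": "URGENT: Critical security advisory, action required"},
    {"from": "Trend Micro <it-support@mail-secure.example>",
     "subject": "Immediate patch required"},
    {"from": "Jane Doe <jane@example.org>",
     "subject": "Lunch Friday?"},
]


def sender_domain(addr):
    """Lower-cased domain part of an e-mail address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_vendor_domain(domain):
    """True when the domain is an allowlisted vendor domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in VENDOR_DOMAINS)


def assess_sender(from_header):
    """Return impersonation findings for a From: header (empty list = clean).

    Two independent signals are checked against the allowlist:
    - the display name carries the brand but the address is not the vendor's;
    - the domain itself contains the brand string (hyphens ignored) but is
      not the vendor's, i.e. a lookalike registration.
    """
    name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if is_vendor_domain(domain):
        return []
    findings = []
    if any(k in name.lower() for k in BRAND_KEYWORDS):
        findings.append("display-name impersonation")
    compact_domain = domain.replace("-", "")
    if any(k.replace(" ", "") in compact_domain for k in BRAND_KEYWORDS):
        findings.append("lookalike domain")
    return findings


def is_urgent(subject):
    """True when the subject uses pressure language typical of advisory lures."""
    s = subject.lower()
    return any(term in s for term in URGENCY_TERMS)


def triage(messages):
    """Score each message; return only those with at least one sender finding.

    score = number of sender findings, plus 1 when the subject is also urgent.
    Urgency alone never flags a mail, so a legitimate vendor advisory passes.
    """
    flagged = []
    for index, msg in enumerate(messages):
        findings = assess_sender(msg["from"])
        if not findings:
            continue
        score = len(findings) + (1 if is_urgent(msg["subject"]) else 0)
        flagged.append({"index": index, "findings": findings, "score": score})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        msg = SAMPLE_MESSAGES[hit["index"]]
        print(f"[score {hit['score']}] {msg['from']!r}: {', '.join(hit['findings'])}")
```

The check is allowlist-driven on purpose: string-similarity scoring against a brand name produces noisy alerts, whereas "brand in the display name or domain, but the address is not one of the vendor's known domains" is cheap, explainable, and catches both the hyphenated lookalike and the bare display-name spoof in the constructed samples. In production the allowlist would be populated from the vendor's published sending domains, and the findings would feed a mail-gateway rule or a SIEM alert rather than a print statement.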