🎣 Phishing Campaign
====================

🎯 Threat Intelligence

Executive summary: RevengeHotels, tracked as TA558, has launched a new campaign focused on targets in Latin America. The operation combines social‑engineering lures generated or refined with LLMs and a multi‑stage payload delivery that includes VenomRAT as a secondary implant.

Technical details: The research attributed to Kaspersky GReAT describes an initial infection vector using convincing lures (reports indicate use of large language models to craft messages and attachments) followed by deployment of a malicious implant and a second loading step that delivers VenomRAT. Additional behaviours reported include USB spreading and anti‑kill mechanisms intended to maintain persistence and hinder remediation.

Analysis & impact: The group’s historical goal of payment‑card harvesting aligns with observed tooling and TTPs; VenomRAT provides remote access and data‑collection capabilities that enable payment‑card skimming and exfiltration. Use of LLMs to tailor lures increases phishing efficacy and may broaden victim scope across industries in the region.

Detection: Monitor for anomalous post‑delivery processes and new persistence artifacts, uncommon USB autorun or device enumeration activity, and network connections associated with known VenomRAT command‑and‑control patterns. Endpoint telemetry showing staged downloads after opening social‑engineering attachments is a high‑value detection signal. No precise IoCs were included in the supplied excerpt.

Mitigation: Enforce multi‑layer controls: block known malicious file types at mail gateways, apply strict device control policies for removable media, enforce EDR detections for process injection and persistence modification, and treat unsolicited attachments with elevated suspicion, especially those leveraging sophisticated social engineering likely crafted by LLMs.

References & caveats: Findings are derived from a Kaspersky GReAT report; technical artifacts and IoCs were not fully available in the supplied text. Further validation against full indicators is recommended.

🔹 RevengeHotels #VenomRAT #TA558 #LLM

🔗 Source: https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/

RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT

Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actor's new campaign, including AI-generated scripts, targeted phishing, and VenomRAT.

Kaspersky

Every threat actor group has its own unique tactics, techniques, and procedures (TTPs). For example, during #taxseason, #TA558 pivots from its typical reservation-themed email lures to target financial firms with tax-related lures.

#TA2541 is known to consistently target organizations in the aerospace, manufacturing, and defense industries using remote access trojans (RATs).

#TA582's TTPs feel like a digital jigsaw puzzle, with simultaneous email, web inject, and compromised site vectors.

Stream this DISCARDED podcast episode to hear all about the chaotic brilliance of mid-tier eCrime actors. https://www.proofpoint.com/us/podcasts/discarded#143240

Crypters And Tools. Part 2: Different Paws, One Tangle

Greetings, everyone! The cyber threat intelligence team from the Positive Technologies Expert Security Center (PT ESC) is back with a new batch of findings related to Crypters And Tools. In the first part, we described the crypter that we discovered while investigating attacks by various groups. That report focused on the internal workings and infrastructure of the crypter itself. In this part, we describe the hacker groups that used it in attacks, the connections between them, their distinctive features, and the users of Crypters And Tools, some of whom are linked to the groups under consideration.

https://habr.com/ru/companies/pt/articles/905308/

#cybersecurity #киберразведка #хакерские_инструменты #apt #крипторы #ta558 #вредоносное_программное_обеспечение #расследование_инцидентов #mitre #латинская_америка

Crypters And Tools. Part 2: Different Paws, One Tangle

Contents: Key findings; Introduction; Groups using Crypters And Tools in attacks: PhaseShifters, UAC-0050 and PhantomControl; Features of the TA558 group and how it differs from the Blind Eagle infrastructure...

Habr

https://somedieyoungzz.github.io/posts/ta558/
New blog alert! 🚨 Just dropped a deep dive into TA558's latest campaign targeting Brazil. Unraveling their obfuscated JavaScript and malicious PDF payloads
#TA558 #MalwareAnalysis #ThreatIntel #APT

I left the AsyncRAT analysis
https://x.com/IdaNotPro/status/1828716720560971869

TA558 Targeting Brazil

Introduction While browsing Bazaar, I stumbled upon a JavaScript sample that piqued my interest, as I’ve never analyzed one before. Like any curious mind, I downloaded the sample, and it turned out to be one of the most intriguing pieces of code I’ve examined in a while. This sample is related to TA558, a financially-motivated cybercrime actor primarily targeting the hospitality and travel sectors, especially in Latin America. This current sample has a hijacked C2 domain based in Brazil.

somedieyoungZZ

#TA558 hackers are using steganography to hide and distribute #malware like Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm in love-themed documents to target different industries.

https://thehackernews.com/2024/04/ta558-hackers-weaponize-images-for-wide.html

#hacking #cybersecurity

TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks

TA558 hackers are using steganography to hide and distribute malware like Agent Tesla, FormBook, Remcos RAT, LokiBot.

The Hacker News

SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world

ptsecurity.com

Do you like attack cycles of #malware?

Then #TA558 threat actor may excite you.

The malware starts from a marketing spam link to download a zip, which contains a WSF (Windows Script File). The job of the WSF is to download a PowerShell script which does reflective injection into AddInProcess32.exe to load AsyncRAT in the process, perform theft and report back to the C2.

Ignore the ~ in the image and you can see addinprocess32.exe

Sample https://bazaar.abuse.ch/sample/355440683f3a5acfa576e278ae407edf38a17d2350ec5359de49c37b714fe4ef/

#CyberSecurity #Infosec
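The detection guidance in the first post above (staged downloads and new processes after a social-engineering attachment is opened) and the chain described in the post just above (WSF to PowerShell to injection into AddInProcess32.exe) both boil down to spotting an unusual process ancestry. The following Python is an added example, not code from any of the posts or the researchers they cite: it walks constructed Sysmon-style process-creation events and flags AddInProcess32.exe whenever its parent is PowerShell, raising the severity when a Windows script host (wscript.exe or cscript.exe, the normal executors of .wsf files) also sits in the ancestry. The event tuples, PIDs and the benign Visual Studio case are made up for illustration.

```python
"""Process-ancestry detection for the WSF -> PowerShell -> AddInProcess32.exe
chain. Example code added here; events below are constructed, not real telemetry."""

# Script hosts that execute .wsf files (assumption: the .wsf was run by the user).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOADER = "powershell.exe"          # stage that downloads and injects
TARGET = "addinprocess32.exe"      # injection host named in the post

# Constructed process-creation events: (pid, ppid, image). Not real data.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "outlook.exe"),
    (300, 100, "wscript.exe"),          # user runs the extracted .wsf
    (400, 300, "powershell.exe"),       # WSF fetches and runs PowerShell
    (500, 400, "AddInProcess32.exe"),   # PowerShell spawns the injection host
    (600, 100, "devenv.exe"),
    (700, 600, "AddInProcess32.exe"),   # benign: Visual Studio add-in host
    (800, 100, "cmd.exe"),
    (900, 800, "powershell.exe"),
    (1000, 900, "AddInProcess32.exe"),  # PowerShell parent, no script host
]


def ancestors(pid, parent_of, image_of, max_depth=16):
    """Return ancestor image names (lower-cased) from nearest parent upward.

    Stops at the root, at an unknown PID, or after max_depth hops so a
    malformed/looping parent map cannot hang the scan.
    """
    chain = []
    while pid in parent_of and len(chain) < max_depth:
        pid = parent_of[pid]
        if pid not in image_of:
            break
        chain.append(image_of[pid].lower())
    return chain


def find_suspicious_chains(events):
    """Return one finding per AddInProcess32.exe spawned by PowerShell.

    severity "high":   a script host is also in the ancestry (matches the
                       WSF -> PowerShell -> AddInProcess32 chain).
    severity "medium": PowerShell parent only; worth a look, but an admin
                       shell could produce the same tree.
    """
    parent_of = {pid: ppid for pid, ppid, _ in events}
    image_of = {pid: img for pid, _, img in events}
    findings = []
    for pid, _, image in events:
        if image.lower() != TARGET:
            continue
        anc = ancestors(pid, parent_of, image_of)
        if not anc or anc[0] != LOADER:
            continue  # e.g. devenv.exe hosting a legitimate add-in
        severity = "high" if any(a in SCRIPT_HOSTS for a in anc[1:]) else "medium"
        findings.append({
            "pid": pid,
            "severity": severity,
            "chain": [image.lower()] + anc,   # child first, root last
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(EVENTS):
        print(f["severity"], f["pid"], " <- ".join(f["chain"]))
```

The check keys on ancestry rather than on file hashes because the posts note that no precise IoCs were available; the same logic can be pointed at real Sysmon Event ID 1 data by mapping ProcessId, ParentProcessId and Image into the tuple shape used here. Expect medium-severity hits from administrators who launch tooling from PowerShell, so tune on the high-severity chain first.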
