The same threat actors could be behind both the ATMZOW JS sniffer campaign and the Hancitor malware downloader.
The link was made earlier this week by threat intelligence analyst Victor Okorokov of Group-IB, who said ATMZOW has successfully infected at least 483 sites across four continents since the beginning of 2019.
“Group-IB experts collected data about ATMZOW’s new activity and found ties with a phishing campaign targeting clients of a US bank based on the same JS obfuscation technique,” Okorokov wrote.
For context, when Group-IB first detected the same obfuscation technique on a phishing site, they hypothesized that the technique was not unique to ATMZOW, and that other hackers could be using the same obfuscator.
“However, further analysis of the group’s recent activity showed more evidence that the attacks involving the JS sniffer and the phishing campaign were carried out by the same group,” said Okorokov.
More specifically, while analyzing Prometheus TDS, Group-IB observed several cases in which phishing pages targeting clients of the same bank were used as a final redirect after the malicious payload distributed by Prometheus TDS was downloaded.
“In all cases, the malicious payload was Microsoft Office documents with a macro that dropped Hancitor malware,” Okorokov explained.
Group-IB has also published a number of indicators of compromise (IOCs) linked to the attacks, including a list of phishing websites using ATMZOW-like obfuscation.
“Based on the same JS obfuscation technique and the link between the domain names used for the JS sniffer and the phishing domains (the same email address), we can conclude with a high degree of confidence that both campaigns were carried out by the same threat group,” Okorokov added.
Prior to the latest Group-IB research, a threat actor using ATMZOW was at the center of a cyber-attack against a website set up to take donations for victims of the Australian bushfires in January 2020.
More recently, Hancitor malware was used as part of Cuba ransomware campaigns.
Some sections of this article are sourced from:
www.infosecurity-magazine.com