An ongoing spear phishing campaign believed to have begun in 2021 has been identified by the Trellix research team, with the most recent attack occurring in March of 2022. The threat actors involved in the campaign are targeting government entities in Afghanistan, India, Italy, Poland, and the United States. Political subject lines are used to catch the potential victim’s attention, and the email carries a malicious attachment or URL. If the attachment or URL is opened, it loads an Excel sheet that causes a Remote Access Trojan (RAT) to be installed on the victim’s machine. The two RATs observed in this campaign are AsyncRAT and LimeRAT; both maintain persistence and establish a connection to a Command and Control (C2) server. In an effort to exfiltrate data, both RATs perform malicious actions such as taking screenshots, capturing keystrokes, recording credentials and other confidential information, and adding infected systems to botnets. Trellix researchers concluded that the spear phishing emails originate from Southern Asia, and further hypothesized that the threat actors reside somewhere in that general area.
Educating users on how to spot phishing emails is always important. However, it is increasingly difficult for users to spot more sophisticated attacks. Email scanning can be a helpful tool for recognizing and quarantining phishing emails. Malicious URL detection can also be used to help block emails that include links to malicious content. Due to the escalating number of known and unknown vulnerabilities in modern computing systems, a defense-in-depth strategy that uses post-exploitation detection approaches, such as those employed by Binary Defense’s MDR and Threat Hunting services, is highly recommended.
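As an added illustration of the email-scanning and URL-detection controls recommended above (example code, not from Trellix or Binary Defense), the following Python triages a message for the lure traits this campaign uses: an Excel attachment, or a link that points at an Excel file. The sample .eml, its addresses, subject and file name are constructed for the example and are not campaign artifacts.

```python
import email
import re
from email import policy

# Constructed sample message shaped like the lure described above (not a real sample).
SAMPLE_EML = b"""From: sender@example.invalid
To: analyst@example.invalid
Subject: Urgent: Government policy update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached sheet or open http://example.invalid/update.xlsm
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="update.xlsm"
Content-Disposition: attachment; filename="update.xlsm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Excel extensions worth flagging on inbound mail; .xlsm/.xlsb can carry macros.
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def scan_email(raw: bytes) -> dict:
    """Return attachment names, body URLs and a flag for Excel-based lures."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject": msg["subject"], "excel_attachments": [], "urls": [], "flagged": False}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXCEL_EXTENSIONS):
            findings["excel_attachments"].append(filename)
        if part.get_content_type() == "text/plain":
            findings["urls"].extend(URL_RE.findall(part.get_content()))
    # Flag when an Excel file is attached directly or reachable through a body link.
    excel_links = [u for u in findings["urls"] if u.lower().endswith(EXCEL_EXTENSIONS)]
    findings["flagged"] = bool(findings["excel_attachments"] or excel_links)
    return findings
```

A flagged message is a candidate for quarantine; in production the URL list would additionally be checked against a reputation service.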