Universities in the United States have seen a new wave of phishing attacks targeting students and staff. The email messages use an online dating theme to trick the victim into downloading a Remote Access Trojan (RAT) onto their device so that the attackers can steal sensitive information. The RAT, named Hupigon, was previously used by Chinese state-backed threat actors as early as 2010. It originally used zero-day vulnerabilities that affected versions 6, 7, and 8 of Internet Explorer. The current phishing campaign is believed to be the work of financially motivated criminals, not a state-sponsored threat group. The email includes pictures of two women and asks the victim to select one to connect with on a dating website. When the victim clicks the link to the online dating profile, an executable that installs Hupigon is downloaded to the victim’s machine. The campaign was most active on April 14-15, 2020, when it sent approximately 80,000 messages to different victims. In total, the campaign sent 150,000 emails across 60 different countries, with almost half of the emails targeting education establishments.
It is unlikely that these attacks are coming from Chinese-backed actors, even though they were the first to use the tool. It is common for old malware to be reused by different threat groups after it becomes outdated. At this time, there is no indication of who was behind the attack. Colleges and universities will always be targeted by threat actors because students are likely to click links in email and install programs on computers that have no security controls or monitoring to protect them. Once the threat actors infect a victim, they could have access to the victim’s name, email address, passwords, screenshots, audio recordings, and webcam. The malware could be used to gain full control over the computer. The use of online dating to trick people into downloading the RAT shows how threat actors evolve and adapt to their target pool to achieve the highest rate of infection.
More information can be read here: https://www.bleepingcomputer.com/news/security/us-universities-targeted-with-malware-used-by-state-backed-actors/