From HealthKick to GOVERSHELL: The Evolution of UTA0388's Espionage Malware
Briefly

"The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations," Volexity said in a Wednesday report. "The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload." Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German.
Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastructure, in some cases, which led to the deployment of malware. However, the follow-on waves have been described as "highly tailored," in which the threat actors resort to building trust with recipients over time before sending the link - a technique called rapport-building phishing.
Irrespective of the approach used, the links lead to a ZIP or RAR archive that includes a rogue DLL payload that's launched using DLL side-loading. The payload is an actively developed backdoor called GOVERSHELL. It's worth noting that the activity overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch, with Volexity characterizing GOVERSHELL as a successor to a C++ malware family referred to as HealthKick.
UTA0388 is a China-aligned threat actor conducting spear-phishing campaigns across North America, Asia, and Europe to deliver a Go-based backdoor named GOVERSHELL. Campaigns used fabricated sender identities purporting to be senior researchers and analysts and leveraged multiple languages and lures to entice victims. Initial waves hosted phishing content on cloud services or actor infrastructure; later waves used rapport-building phishing to gain trust before sending malicious links. Links lead to ZIP or RAR archives containing a rogue DLL that is executed via DLL side-loading. GOVERSHELL is actively developed, overlaps with Proofpoint's UNK_DropPitch cluster, and follows a C++ predecessor called HealthKick, with multiple variants observed.
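The delivery pattern described above (an archive that bundles a legitimate-looking EXE with a rogue DLL the EXE will load from its own directory) is something a mail gateway or triage script can screen for without any knowledge of the specific payload. The following is an added example written for this summary, not code from Volexity, Proofpoint or The Hacker News, and it makes no claim about the real GOVERSHELL archives: it opens a ZIP in memory, flags every DLL that sits in the same directory as an EXE, and checks whether each flagged DLL actually carries a PE header so that a renamed non-PE file is reported as noise rather than a payload. The archive contents, file names and the 68-byte PE stub are constructed for the demonstration; RAR handling is left out because the standard library does not parse it.

```python
import io
import posixpath
import struct
import zipfile
from typing import Dict, List


def is_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' DOS header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature. Enough to separate real binaries from
    renamed text; it is not a full parser."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_sideload_candidates(archive_bytes: bytes) -> List[Dict[str, object]]:
    """Return one record per (EXE, DLL) pair that share a directory inside the ZIP.

    A DLL next to an EXE is the layout DLL side-loading needs: Windows searches
    the application's own directory before the system directories. A DLL with
    no EXE beside it is not reported. dll_is_pe is False for files that merely
    carry a .dll extension.
    """
    by_dir: Dict[str, Dict[str, List[str]]] = {}
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Some Windows archivers store backslash separators; normalise them.
            name = info.filename.replace("\\", "/")
            directory, base = posixpath.split(name)
            ext = posixpath.splitext(base)[1].lower()
            bucket = by_dir.setdefault(directory, {"exe": [], "dll": []})
            if ext == ".exe":
                bucket["exe"].append(info.filename)
            elif ext == ".dll":
                bucket["dll"].append(info.filename)
        for bucket in by_dir.values():
            for exe in bucket["exe"]:
                for dll in bucket["dll"]:
                    findings.append({
                        "exe": exe,
                        "dll": dll,
                        "dll_is_pe": is_pe(zf.read(dll)),
                    })
    return sorted(findings, key=lambda f: (str(f["exe"]), str(f["dll"])))


def _pe_stub() -> bytes:
    """Constructed 68-byte fake PE: DOS header, e_lfanew = 64, then 'PE\\0\\0'.
    It is not executable and not derived from any real sample."""
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"


def build_sample_archive() -> bytes:
    """Constructed lure archive (hypothetical names): a decoy document, an EXE,
    a co-located PE DLL, a co-located non-PE '.dll', and a DLL with no EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report/Report.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Report/Viewer.exe", _pe_stub())
        zf.writestr("Report/helper.dll", _pe_stub())
        zf.writestr("Report/notes.dll", b"plain text, not a PE image")
        zf.writestr("Other/stray.dll", _pe_stub())
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_sideload_candidates(build_sample_archive()):
        print(finding)
```

Run as a script it reports Report/Viewer.exe paired with Report/helper.dll (a real PE) and with Report/notes.dll (flagged but marked as not a PE); Other/stray.dll is ignored because nothing in its directory would load it. In practice the EXE side of a hit is worth a signature check next, since side-loading relies on a legitimately signed host binary.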
Read at The Hacker News