ZipLine cyber attack uses White House butler pic
Briefly

Cybercriminals targeted critical US manufacturers and supply-chain companies to steal intellectual property and deploy ransomware. Attackers initiated contact through organizations' public Contact Us forms to bypass email filters and establish trust, then followed up via email over weeks with questions and a meeting request. The campaign culminated in delivery of a ZIP archive that deploys MixShell, a custom in-memory implant. Many dozens of organizations were targeted beginning in May. Attackers reused long-registered domains that matched US company names, some once legitimate, and used identical, phony websites and About Us content to appear trustworthy and evade detection.
Instead of sending a malicious link in an unsolicited email, the miscreants initiate contact through the organization's public Contact Us form, tricking the victim into starting the conversation and allowing the attackers to bypass email filters, according to Check Point Research, which uncovered the phishing campaign and dubbed it ZipLine. The attackers followed up via email with a series of questions stretched over weeks and a meeting request before finally delivering a ZIP archive that ultimately deploys MixShell, a custom, in-memory implant.
"Many dozens" of organizations were targeted in the still-ongoing campaign that dates back to the beginning of May, Sergey Shykevich, threat intelligence group manager at Check Point Research, told The Register. While the threat-intel team hasn't attributed ZipLine to a particular crew, "this appears to be a highly sophisticated cybercrime operation, capable of acting at scale while simultaneously executing highly targeted, precise attacks within a single campaign - something that is quite unique," Shykevich added.
Read at The Register