ScanBox

The malicious URLs provided in the emails also appear to use values that are customized for each target... the number string that follows it... appears to be a unique identifier for each recipient... This may be an attempt by the threat actor to correlate traffic to its servers... with custom user identifiers which targets received within the URLs via email.

The framework can collect information from a website’s visitors by using JavaScript to record keypresses and harvest the profiles of the OS, browser, and browser plugins from the client environment.

Earth Empusa also employs watering hole attacks to compromise iOS devices. The group injected their malicious scripts on websites that their targets could potentially visit and load the injected script from it.

“It appears to have started with CVE-2014-3393, a vulnerability in… the Cisco Clientless SSL VPN portal… [allowing] an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal…”

Beginning on 12 April 2022, and continuing through mid-June 2022, Proofpoint identified several waves of a phishing campaign... The phishing campaign involved URLs delivered in phishing emails, which redirected victims to a malicious website posing as an Australian news media outlet.

Earth Empusa also used social engineering lures to trick its targets into visiting the phishing pages.

All pages were injected with a script to load the cross-site scripting framework BeEF.

“Following the theme… are hostnames of other popular Japanese companies… in an effort to make the traffic blend in with legitimate traffic.”

“The file 1.js was a variant of an online script called ‘xss.js’ that was designed to steal form data.”

The framework can collect information from a website’s visitors by using JavaScript to record keypresses

“Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login…”

Every 30 seconds, ActionSpy will collect basic device information like IMEI, phone number, manufacturer, battery status, etc., which it sends to the C&C server as a heartbeat request.

Victim browser plugins Identification: This plugin gathers the name, filename, and description of any legitimate browser plugin installed in the victim’s browser... Browser fingerprinting plugin... checks whether Java is installed, and if so what version; The version of ActiveX installed; Whether specific Java web applications are installed...

“The file 1.js was a variant of an online script called ‘xss.js’ that was designed to steal form data.”

The framework can collect information from a website’s visitors by using JavaScript to record keypresses

“Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login…”

The initial script harvests several types of information from visitors... Sending Information about the victim’s browser back to the C2, including: Version of Flash installed; Location; Referrer; User-Agent; Cookie; Character encoding; Screen width and height; Underlying Operating System; Language; Screen’s colour depth.

The modular ScanBox architecture works by sending data to different responsive PHP scripts hosted on a same server-side folder... /i/v.php?m=b Send victim information back to the C2 ... /i/v.php?m=plug URL that plugins send gathered data back to

“…malicious JavaScript… hosted on the compromised website of a legitimate NGO… leveraged a valid SSL certificate, which kept all communications encrypted.”

Both initial infection vectors delivered first-stage downloader malware to targets. The downloaders retrieved XOR-encoded versions of Meterpreter shellcode.