
Trojan operator using colorful and elaborate lures to infect victims


Cybercriminals use all kinds of lures to trick potential victims into falling for their schemes, but security researchers at Proofpoint have been tracking a new threat actor that uses localized lures with colorful images to impersonate local banks, law enforcement agencies and shipping services.

The cybersecurity firm has given the new threat actor the designation TA2719 and to date, it has been observed sending low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States and Uruguay. This is quite unusual as cybercriminals typically focus on only a few countries or regions at a time when launching phishing attacks.

Most of the lures used in TA2719's campaigns appear to come from a real person with a connection to the spoofed organizations. The threat actor also uses specific details such as local street addresses combined with an organization's official branding to make their messages appear more legitimate.

TA2719 typically delivers its malware as malicious attachments, although its early campaigns also used URLs linking to malicious files. The payloads are popular commodity remote access trojans (RATs): NanoCore at first and, in later campaigns, AsyncRAT.

Local lures

From March to May of this year, TA2719's campaigns were primarily law enforcement-themed. The threat actor used local languages and logos to impersonate Russian police as well as the Royal Thai Police.

Not all of its messages used law enforcement themes, however. TA2719 also spoofed shipping notifications in some of them, and one early campaign preyed on users' Covid-19 fears by impersonating the Taiwan Centers for Disease Control, using both malicious URLs and attachments to deliver its payload.

In June, Proofpoint's researchers observed that TA2719 had moved away from law enforcement lures and began to use more common bank, shipping and purchase order lures. However, by mid-July, the threat actor had shifted to exclusively using package delivery lures to impersonate shipping companies.

The Proofpoint Threat Research Team provided further insight on TA2719's operations in a blog post, saying:

“While not the most advanced lures we’ve seen, the localization and inclusion of legitimate street addresses and names of real individuals related to the spoofed entities demonstrate this actor’s attention to detail. Though TA2719 does not appear to target any particular industry, they tailor their messages to various geographies and send medium-volume campaigns several times per month. Their use of free DDNS providers, reuse of infrastructure, and reliance on commodity malware demonstrate the ease with which threat actors can begin and maintain an operation.”