Phishing scam pretends to be the Red Cross to trick victims into installing malware

Flag of the International Committee of the Red Cross over a medical tent during training of rescuers in Kyiv, Ukraine. March 2021.
(Image credit: Shutterstock / paparazzza)

A previously unknown threat actor has been spotted impersonating the Red Cross in order to deploy trojans capable of stealing data and running attacker-supplied code.

Discovered by cybersecurity researchers from NSFOCUS Security Labs, the threat actor has been named AtlasCross and is described as having a “high technical level and cautious attack attitude”.

The infection vector is old-school, if not outdated: by means not yet identified, the attackers impersonate the non-profit to distribute a Word document carrying an embedded VBA macro. The document appears to come from the Red Cross and is themed around a blood donation drive.

Highly robust and mature process

Microsoft has, since 2022, blocked VBA macros by default in Office files that arrive from the internet (those carrying the Mark of the Web), so a victim has to take several deliberate steps to unblock the file and enable them. In other words, the lure relies on the user overriding a protection that is now on by default.
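Because the lure depends on a macro-enabled Word file being opened and enabled, a cheap first triage step on a mail gateway or in a SOC is to check whether an attachment actually carries a VBA project, independently of its extension or of whether the Mark of the Web survived. The following Python script is an added example written for this article, not code from NSFOCUS or from the AtlasCross campaign. It distinguishes legacy binary Office containers (OLE, the old .doc format) from OOXML zips, and for OOXML looks for the vbaProject.bin part and the macro-enabled content type. The two in-memory sample documents it builds are constructed stand-ins, not real samples; the OLE branch only flags the container for deeper inspection, since parsing OLE storages is out of scope here.

```python
import io
import zipfile

# Magic number of an OLE2 compound file (legacy .doc/.xls); VBA lives in a "Macros" storage there.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample(macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML container, with or without a VBA part.
    Only the parts this triage inspects are present; it is not an openable document."""
    overrides = f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_TYPE if macro else PLAIN_MAIN_TYPE}"/>'
    if macro:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b" constructed placeholder")
    return buf.getvalue()


def triage(data: bytes, filename: str = "") -> dict:
    """Classify an attachment and report macro indicators.
    Returns {'format': 'ole'|'ooxml'|'unknown', 'has_vba': bool, 'reasons': [str]}."""
    result = {"format": "unknown", "has_vba": False, "reasons": []}

    if data.startswith(OLE_MAGIC):
        result["format"] = "ole"
        result["reasons"].append("legacy OLE container; inspect its storages for a VBA project")
        return result

    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["reasons"].append("neither OLE nor OOXML")
        return result

    result["format"] = "ooxml"
    names = z.namelist()

    # The VBA project is stored as its own part; its presence is the strongest indicator.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        result["has_vba"] = True
        result["reasons"].append(f"VBA project part present: {', '.join(vba_parts)}")

    # The package manifest also declares whether the main part is macro-enabled.
    try:
        manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    if MACRO_MAIN_TYPE in manifest:
        result["has_vba"] = True
        result["reasons"].append("manifest declares a macro-enabled main document")

    # A macro-bearing file presented as .docx is a mismatch worth flagging on its own.
    if result["has_vba"] and filename.lower().endswith(".docx"):
        result["reasons"].append("macro content inside a file named .docx (extension mismatch)")

    return result


if __name__ == "__main__":
    for label, blob, name in (
        ("plain", build_sample(False), "donation.docx"),
        ("macro", build_sample(True), "donation.docm"),
        ("renamed", build_sample(True), "donation.docx"),
    ):
        print(label, triage(blob, name))
```

The check is deliberately extension-agnostic: the decision rests on the bytes of the container, so renaming .docm to .docx, or stripping the Zone.Identifier stream that carries the Mark of the Web, does not change the verdict. For OLE files and for the contents of the VBA project itself, hand the file to a dedicated parser such as oletools rather than extending this script.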

Running the macro downloads a trojan called DangerAds. This is a loader whose job is to fingerprint the host and then run built-in shellcode that loads the final payload. During that fingerprinting, DangerAds looks for specific strings in the user name and the local domain name, and proceeds only if it finds them; on any other machine it simply does nothing.

“This design indicates that the attacker uses this attack process for intra-domain penetration after successfully intruding into the target network,” the researchers added. The final payload is called AtlasAgent, and its main functions are to collect host information, execute shellcode, and download and execute additional files.

So far, the researchers don’t know who the attackers are targeting. They do know that the observed phishing activity is “part of the attacker’s targeted strike on specific targets and is its main means to achieve in-domain penetration.”

"At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain," the report said. "However, the attack processes they employ are highly robust and mature."

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.