A newly identified threat actor has been observed impersonating the Red Cross to deliver trojans that steal host data and execute attacker-supplied code.
The group, discovered by researchers at NSFOCUS Security Labs and named AtlasCross, is described as having a “high technical level and cautious attack attitude”.
The infection vector is old-school: the attackers impersonate the non-profit to distribute a Word document carrying an embedded macro. How the document reaches its recipients has not yet been determined. The lure appears to come from the Red Cross and discusses a blood donation.
Highly robust and mature process
Microsoft has blocked VBA macros by default in Office files downloaded from the internet (files carrying the Mark of the Web) since 2022, so a recipient has to take deliberate extra steps, such as unblocking the file, before the macro can run.
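Because the lure depends on a macro-bearing Word document, a useful triage step is to check whether an Office Open XML file actually carries a VBA project before anyone is tempted to unblock it. The script below is an added example written for this article, not code from NSFOCUS or from the AtlasCross samples. It inspects the document package (a zip) for a `vbaProject.bin` part and for macro-enabled content types declared in `[Content_Types].xml`; the two sample documents it builds in memory are constructed for the demonstration and contain no real VBA.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added triage helper (hypothetical, not NSFOCUS or TechRadar code).
# Flags Office Open XML documents that carry a VBA project, the delivery
# mechanism described for the AtlasCross lure.

MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-office.vbaProject",
}


def office_macro_indicators(data: bytes) -> dict:
    """Return macro indicators for an OOXML (zip-based) document.

    Two independent signals are checked: a vbaProject.bin part anywhere in the
    package, and a macro-enabled content type declared in [Content_Types].xml.
    Either one alone is enough to treat the file as macro-bearing.
    """
    result = {"is_zip": False, "vba_parts": [], "macro_content_types": [], "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy OLE .doc or not an Office document at all
    result["is_zip"] = True
    names = zf.namelist()
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))  # bytes in, so the encoding declaration is fine
        for el in root.iter():
            ct = el.get("ContentType", "")
            if ct in MACRO_CONTENT_TYPES:
                result["macro_content_types"].append(ct)
    result["has_macros"] = bool(result["vba_parts"] or result["macro_content_types"])
    return result


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (demonstration input only)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'{overrides}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a VBA project; constructed, not real VBA.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("benign.docx", build_sample(False)), ("donation_form.docm", build_sample(True)))
    for label, blob in samples:
        print(label, office_macro_indicators(blob))
```

Run against a real file with `office_macro_indicators(open(path, "rb").read())`. The check on both the part name and the declared content type matters because a lure may rename its extension, while the package internals still reveal the VBA project.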
Running the macro triggers the download of DangerAds, a loader whose job is to profile the host and then run built-in shellcode that loads the final payload. During profiling, DangerAds looks for specific strings in the user name and local domain name and continues only if they are present, so the loader stays inert on hosts outside the intended target set.
“This design indicates that the attacker uses this attack process for intra-domain penetration after successfully intruding into the target network,” the researchers added. The final payload, AtlasAgent, collects host information, executes shellcode, and downloads and executes further files.
So far, the researchers do not know which organizations the attackers are after. They do know that the observed phishing activity is “part of the attacker’s targeted strike on specific targets and is its main means to achieve in-domain penetration.”
"At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain," the report said. "However, the attack processes they employ are highly robust and mature."
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.