Since the beginning of 2021, Ajax Bash a Google TAG’S Analyst announces on Thursday that it is watching more than 270 government threat actors from more than 50 countries and that it has delivered 50,000 warnings to users about state – sponsored malware. that Thousands of these warnings are sent every month, even in cases where the corresponding attack is blocked.
Google reported that the figure includes organisations involved in both cyber espionage and disinformation activities. In 2021, the group hacked the website of the School of Oriental and African Studies (SOAS) at the University of London, and used it to host a phishing kit.
When these groups use spam emails in their attacks , Google send email messages with links to the hacked site inorder to harvest credentials for Gmail, Hotmail and Yahoo . Later Google alerts to the Gmail users who are being targeted.
According to Bash , another organisation APT35 was more active and is also known as Charming Kitten , Newscaster, Ajay Security Team , Phosphorus and Group 83 including a social engineering attack dubbed “Operation SpoofedScholars” aimed at think tanks, journalists, and professors with the goal of getting sensitive information by impersonating scholars from the (SOAS).
Use the company’s free Advanced Protection Program to secure your account from State Sponsored Hackers. Its google’s most secure user account system requiring anyone signing to provide the correct password as well as Security Key to gain access. Later this year, Google plans on automatically enabling the security setting for 150 million users.
In previous attacks, a botnet VPN programme was released to the Google Play Store and used to collect personal information such as call logs, text messages, contacts, and location data from infected devices once installed. Furthermore, APT35 used Telegram to tell the attackers when scam sites under their control were seen in real-time through malicious JavaScript placed in the pages, which was a unique strategy.
As part of a phishing attack to attract persons into visiting illegal websites, the threat actor is believed to have impersonated policy officials by sending “non-malicious first contact email messages” fashioned after the Munich Security and Think-20 (T20) Italy conferences.
Bash Concluded that , Earlier this year Proofpoint documented campaign was done by checking the users to activate an invitation to a fake webinar. The hacking toolkit will also ask for Second – Factor Authentication codes given to the devices.
Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry, with the goal of bringing awareness to these issues, protecting you and fighting bad actors to prevent future attacks.
Indicators of Compromise:
Indicators from APT28 phishing campaign:
service-reset-password-moderate-digital.rf[.]gd
reset-service-identity-mail.42web[.]io
digital-email-software.great-site[.]net
Indicators from APT35 campaigns:
Abused Google Properties:
https://sites.google[.]com/view/ty85yt8tg8-download-rtih4ithr/
https://sites.google[.]com/view/user-id-568245/
https://sites.google[.]com/view/hhbejfdwdhwuhscbsb-xscvhdvbc/
Abused Dropbox Properties:
https://www[.]dropbox[.]com/s/68y4vpfu8pc3imf/Iraq&Jewish.pdf
Phishing Domains:
nco2[.]live
summit-files[.]com
filetransfer[.]club
continuetogo[.]me
accessverification[.]online
customers-verification-identifier[.]site
service-activity-session[.]online
identifier-service-review[.]site
recovery-activity-identification[.]site
review-session-confirmation[.]site
recovery-service-activity[.]site
verify-service-activity[.]site
service-manager-notifications[.]info
Android App:
Android App C2:
communication-shield[.]site
cdsa[.]xyz
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin
CyberWorkx 