"Governments Targeted by Discord-Based Threat Campaign"

According to security researchers at Menlo Security, an unknown threat actor is targeting APAC and North American governments with info-stealing malware and ransomware. The group's attacks begin with a phishing email containing a malicious Discord link, which points to a password-protected zip file. That archive, in turn, contains a .NET malware downloader known as PureCrypter. The loader then attempts to download a secondary payload from the group's command and control (C2) infrastructure, which is a compromised domain belonging to a non-profit.

Among the malicious payloads observed in this campaign are various info-stealers and ransomware variants: Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia ransomware. In the sample analyzed by the researchers, PureCrypter attempts to download AgentTesla, an advanced backdoor designed to steal browser-based passwords, take screen captures and log keystrokes.

The researchers found that AgentTesla establishes a connection to an FTP server where it stores the victim's stolen credentials. That FTP server appears itself to have been taken over: leaked credentials for its domain were found online, suggesting that the threat actors used them to gain access to the server. The same FTP server was also seen in a campaign using OneNote to deliver malware, in which attackers sent phishing emails with links to malicious OneNote files that can download additional malware or steal information from the victim's device. Altogether, the researchers found 106 files that used the same FTP server.
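The chain summarized above has two steps a network defender can see from proxy or flow logs: an archive fetched from a Discord-hosted link, followed by an outbound FTP connection from the same endpoint (the AgentTesla exfiltration). The script below is an added triage example, not code from Menlo Security or Infosecurity; the log format, host names, IP addresses, the list of Discord file-hosting domains and the archive extensions are all assumptions constructed for illustration, and a real deployment would map them onto the organisation's own proxy schema.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records for this example (not real telemetry), one per line:
#   <iso-timestamp> <source-host> <METHOD> <url-or-dst:port>
SAMPLE_LOGS = """\
2023-03-01T09:01:02Z wkst-17 GET https://cdn.discordapp.com/attachments/1111/2222/invoice.zip
2023-03-01T09:01:40Z wkst-17 CONNECT 203.0.113.10:21
2023-03-01T09:02:05Z wkst-03 GET https://cdn.discordapp.com/attachments/3333/4444/team.png
2023-03-01T09:03:00Z wkst-08 GET https://www.example.org/report.zip
2023-03-01T09:04:11Z wkst-08 CONNECT 198.51.100.5:443
"""

# Assumed indicator lists (not taken from the article): Discord file-hosting
# domains and archive extensions commonly used to wrap a loader.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com", "media.discordapp.net"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
FTP_PORTS = {21, 990}  # plain FTP control channel and implicit FTPS

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one record into its four fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, target = m.groups()
    return {"ts": ts, "host": host, "method": method, "target": target}


def is_discord_archive(url):
    """True when the URL points at an archive file on a Discord-hosted domain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    on_discord = host in DISCORD_HOSTS or host.endswith(".discordapp.com")
    return on_discord and p.path.lower().endswith(ARCHIVE_EXTS)


def is_ftp_connect(method, target):
    """True for a CONNECT to an FTP control port, given a host:port target."""
    if method != "CONNECT" or ":" not in target:
        return False
    port = target.rsplit(":", 1)[1]
    return port.isdigit() and int(port) in FTP_PORTS


def triage(log_text):
    """Group the two indicators per source host and mark 'chain' when the same
    host fetched a Discord-hosted archive and later opened an FTP connection."""
    findings = defaultdict(lambda: {"discord_archive": [], "ftp_out": [], "chain": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and is_discord_archive(rec["target"]):
            findings[rec["host"]]["discord_archive"].append(rec["ts"])
        elif is_ftp_connect(rec["method"], rec["target"]):
            findings[rec["host"]]["ftp_out"].append(rec["ts"])
    for f in findings.values():
        # Order matters: the download must precede the outbound FTP connection.
        # ISO-8601 timestamps in one format compare correctly as strings.
        f["chain"] = any(d < e for d in f["discord_archive"] for e in f["ftp_out"])
    return dict(findings)


if __name__ == "__main__":
    for host, f in triage(SAMPLE_LOGS).items():
        sev = "HIGH" if f["chain"] else "LOW"
        print(f"{host}: {sev} discord_archive={f['discord_archive']} ftp_out={f['ftp_out']}")
```

Either indicator alone is noisy (Discord attachments and FTP both have legitimate uses), so the script only raises severity when both occur on one host in the order the chain implies; a single indicator is still recorded so an analyst can pivot on it.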


Infosecurity reports: "Governments Targeted by Discord-Based Threat Campaign"
