Pakistan has been hit by the Smishing Triad, marking a new chapter in its expansion outside the E.U., Saudi Arabia, the U.A.E., and the U.S.
“The group is now sending out deceptive messages posing as Pakistan Post to mobile carrier customers through iMessage and SMS,” as per a report issued by Resecurity earlier this week. “The objective is to pilfer personal and financial details.”
The threat actors, identified as Chinese-speaking, exploit stolen databases traded on the dark web to dispatch fake SMS messages, enticing recipients to click on links claiming a failed package delivery and prompting them to update their address.
Recipients who fall for the bait and click on the URLs are taken to counterfeit websites that request their financial details under the guise of a service fee for resending the package.
“In addition to Pakistan Post, the group has also been active in uncovering several fraudulent delivery package scams,” Resecurity disclosed. “These scams primarily target individuals expecting genuine packages from reputable courier services like TCS, Leopard, and FedEx.”
In parallel, Google disclosed the details of a threat actor dubbed PINEAPPLE, which utilizes tax and finance-themed baits in spam messages to entice Brazilian users into accessing malicious links or files leading to the deployment of the Astaroth (also known as Guildma) data-stealing malware.
“PINEAPPLE frequently misuses legitimate cloud services in their attempts to distribute malware in Brazil,” mentioned Google’s Mandiant and Threat Analysis Group (TAG). “The group has experimented with various cloud platforms, such as Google Cloud, Amazon AWS, Microsoft Azure, and other providers.”
Notably, Cisco Talos had previously identified the abuse of Google Cloud Run to distribute Astaroth in a high-volume malware campaign targeting users across Latin America (LATAM) and Europe.
Google also highlighted a Brazil-based threat group monitored as UNC5176, which has been targeting financial services, healthcare, retail, and hospitality industries with a backdoor dubbed URSA capable of extracting login credentials for numerous banks, cryptocurrency platforms, and email services.
The attacks use emails and malvertising campaigns to circulate a ZIP file containing an HTML Application (HTA) file that, upon opening, drops a Visual Basic Script (VBS) responsible for connecting to a remote server and fetching a second-stage VBS file.
The downloaded VBS file then executes a series of anti-sandbox and anti-VM checks before establishing contact with a command-and-control (C2) server to retrieve and execute the URSA payload.
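As an added illustration (not code from Resecurity, Google, or any of the reports cited here), the following Python detector flags the HTA-to-VBS chain described above in endpoint telemetry: a script host spawned by mshta.exe with a .vbs argument, plus any outbound connection that script host makes. The event format, field names, and the sample events are constructed assumptions, and the destination IP is a documentation-range placeholder.

```python
"""Flag the HTA -> VBS -> remote-server chain in simplified process/network events."""
import json
from collections import defaultdict

# Constructed, simplified endpoint telemetry (not real logs): one JSON event per line.
# The .hta launches mshta.exe, which drops a .vbs and runs it via wscript.exe; the
# script host then reaches out to a remote server (placeholder IP 203.0.113.10).
SAMPLE_EVENTS = r"""
{"type":"process","pid":100,"ppid":40,"image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}
{"type":"process","pid":101,"ppid":100,"image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe C:\\Users\\u\\Downloads\\Factura.hta"}
{"type":"process","pid":102,"ppid":101,"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"}
{"type":"network","pid":102,"dest":"203.0.113.10:443"}
{"type":"process","pid":200,"ppid":100,"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\scripts\\logon.vbs"}
{"type":"network","pid":200,"dest":"10.0.0.5:445"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_hta_vbs_chain(events_text):
    """Return one alert per script host that was spawned by mshta.exe to run a .vbs.

    Each alert carries the parent HTA command line, the VBS command line, and any
    destinations the script host connected to (the second-stage download).
    """
    procs = {}                       # pid -> process-creation event
    dests = defaultdict(list)        # pid -> list of network destinations
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
        elif ev["type"] == "network":
            dests[ev["pid"]].append(ev["dest"])

    alerts = []
    for pid, ev in procs.items():
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        parent = procs.get(ev["ppid"])
        # The benign logon script (pid 200) is skipped: its parent is explorer.exe.
        if parent is None or basename(parent["image"]) != "mshta.exe":
            continue
        if ".vbs" not in ev["cmdline"].lower():
            continue
        alerts.append({"pid": pid, "hta": parent["cmdline"],
                       "vbs": ev["cmdline"], "dests": dests.get(pid, [])})
    return alerts
```

In practice the same logic maps onto process-creation and network-connection events from an EDR or Sysmon, with the parent/child relationship and the script host's outbound connection as the two signals worth correlating.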
Another financially motivated actor in Latin America identified by Google is FLUXROOT, associated with the distribution of the Grandoreiro banking trojan. Google reported taking down phishing pages this adversary hosted on Google Cloud in 2023 that impersonated Mercado Pago to steal user credentials.
“Recently, FLUXROOT has continued distributing Grandoreiro, using cloud services like Azure and Dropbox to deploy the malware,” remarked Google.
This disclosure comes alongside the emergence of a new threat actor called Red Akodon, disseminating various remote access trojans such as AsyncRAT, Quasar RAT, Remcos RAT, and XWorm through phishing messages aimed at harvesting bank account details, email accounts, and other sensitive information.
The campaign, operational since April 2024, targets entities in government, healthcare, education, financial, manufacturing, food, service, and transportation sectors in Colombia.
“Red Akodon’s initial tactic involves phishing emails, framing them as legal notifications and summons from Colombian entities like Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá,” as reported by Mexican cybersecurity firm Scitum.