A group of hackers called Vendetta has been posing as Taiwan's CDC in a recent campaign aimed at stealing sensitive data from Taiwanese users, according to ElevenPaths, the cybersecurity unit of Spanish telecommunications firm Telefónica Group, which discovered the attacks.
Vendetta is a relatively new player on the cybercrime scene; the first signs of the group’s activity were spotted in April this year. The researchers say that Vendetta is a prolific group primarily focused on Covid-19-related email campaigns. The group’s attacks have been observed in Australia, Mexico, Egypt, Romania, Austria, and China, with organizations in the technology, business and government sectors that handle sensitive information being among the targets.
“Their standard attack procedure consists of sending malicious email attachments containing malware that allows full control and theft of information from the victim’s system. The highly accurate design of the phishing emails, including details as well as a well-studied and targeted message, takes into account the global context on which the deception is based,” the researchers said.
In early May, ElevenPaths observed a spear phishing campaign targeting Taiwanese users, in which the hackers sent emails to certain Taiwanese targets urging them to get novel coronavirus tests. Attached to the email was a remote hacking tool called Nanocore RAT capable of stealing login credentials and hijacking webcams.
As for the group’s weapon arsenal, the researchers say Vendetta uses custom tools as well as commercial software, including Nanocore RAT, AgentTesla, Remcos, Formbook, ReZer0, Azorult, Warzone RAT (Ave Maria) and Hawkeye. The hackers also use different manual packers as well as known ones such as ConfuserEx, Eazfuscator, IntelliLock and ILProtector.
“It is versatile and with a low detection rate thanks to the use of packers and final payloads in memory,” the experts pointed out.
“The malware weapon installs an access point (usually .NET samples) using unknown and known packers in multiple layers that inject different modular RATs in memory. Finally, the malware enables the intruder to gain total control and persistent access to the target network via C2C. This group also performs additional delivery using hacked websites and proprietary infrastructure.”