Researchers at IBM X-Force are tracking a phishing campaign by the criminal threat actor “Hive0145” that’s using stolen invoice notifications to trick users into installing malware.
Hive0145 acts as an initial access broker, selling access to compromised organizations to other threat actors who then carry out additional cyberattacks.
“Over the past year, Hive0145 has demonstrated proficiency in evolving tactics, techniques, and procedures (TTPs) to target victims across Europe,” the researchers explain. “Italian, Spanish, German, and Ukrainian victims continue to receive weaponized attachments that entice the victim to open the file.
The actor’s campaigns present the victim with fake invoices or receipts and often a short, generic message of urgency for victims to address. Upon loading the attached file, the victim unwittingly executes the infection chain leading to Strela Stealer malware.”
Notably, the threat actor has begun using real, stolen invoice notifications to add legitimacy to its phishing operations.
“In July 2024, X-Force observed a mid-campaign change in the emails being distributed by Hive0145, with the short and generic messages being replaced with what appeared to be legitimate stolen emails,” the researchers write.
“The phishing emails exactly matched official invoice communication emails and, in some cases, still directly addressed the original recipients by name. X-Force was able to verify that the emails were in fact authentic invoice notifications from a variety of entities across financial, technology, manufacturing, media, e-commerce and other industries. It is likely that the group sourced the emails through previously exfiltrated credentials from their prior campaigns.”
Strela Stealer is a strain of malware designed to exfiltrate email credentials. X-Force notes that these credentials can be used to launch business email compromise (BEC) attacks within the targeted organizations.
“Hive0145’s use of stolen emails for attachment hijacking is an indicator that a portion of stolen email credentials may be used to harvest legitimate emails for further distribution,” the researchers write. “Both stolen and actor-created emails used by Hive0145 predominantly feature invoices as themes, which points towards potential financial motivation. It is possible that Hive0145 may sell stolen emails to affiliate partners for the purposes of further business email compromise.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
SecurityIntelligence has the story.
How BreachSim works:
