Researchers at NSFOCUS are tracking a phishing campaign by a new threat actor called “AtlasCross” that’s impersonating the Red Cross in order to deliver malware.
“NSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of development technology and attack strategy through an in-depth analysis of its attack metrics,” the researchers write.
“At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain. However, the attack processes they employ are highly robust and mature. NSFOCUS Security Labs deduce that this attacker is highly likely to deploy this attack process into larger-scale network attack operations.”
The phishing emails contain documents related to Red Cross blood drives, designed to trick victims into enabling malicious macros.
“At this event, AtlasCross designed a decoy document titled ‘Blood Drive September 2023.docm’ with the United States Red Cross blood donation information as its topic,” NSFOCUS says. “After the bait document is opened, a prompt message…will be displayed by default, requiring the victim to enable the word editing function. If the victim follows the prompt to enable macro functionality, the decoy document will display the hidden content. The hidden content is a promotional file of the United States Red Cross blood donation.”
The researchers conclude that AtlasCross is a skilled threat actor that will continue improving its tactics.
“The new attacker AtlasCross discovered by NSFOCUS Security Labs is a very cautious hacker organization with strong process and tool development capabilities,” the researchers write.
“On the one hand, this attacker can actively absorb various hacker technologies and integrate them into its own technology stack and tool development process; on the other hand, it has chosen the most conservative route in environmental detection, execution strategy, network facility selection, etc., reducing its exposure risks at the expense of efficiency. In addition, the residual debug code in AtlasCross self-developed Trojan can also prove that this attacker is still improving the attack process. These characteristics reflect the high-level threat nature of this attacker, who may continue to organize other cyberattack activities against key targets after this attack.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
NSFOCUS has the story.