Deep and Dark Web Round Up

Weekly Highlights

  • North Korean hackers deploy MISTPEN malware
  • FBI joint operation disrupts Chinese botnet
  • Chinese engineer charged for spear-phishing campaign
  • U.S. sanctions executives associated with Intellexa Consortium

Malware/Ransomware

North Korean hackers deploy MISTPEN malware

A North Korean-linked espionage group being tracked as UNC2970 is leading a phishing campaign targeting victims in the aerospace and energy industries. The group has been observed using job recruitment lures by posing as recruiters and specifically targeting senior-level and manager-level employees to obtain confidential information. The attack chains have been dubbed “Operation Dream Job,” and function by building trust with the victim via email or WhatsApp before sending a malicious ZIP archive file disguised as a job description. The group is currently utilizing the new backdoor malware MISTPEN.

FBI joint operation disrupts Chinese botnet

The Federal Bureau of Investigation (FBI) has disrupted a Chinese state-sponsored botnet dubbed Raptor Train. The botnet—“a network of computers infected by malware”—had infected more than 260,000 devices to target critical infrastructure in the U.S. and abroad and steal data. The botnet notably targeted victims in the “military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors.”

Threat Actor Activity

Chinese engineer charged for spear-phishing campaign

On September 16, the U.S. Attorney’s Office for the Northern District of Georgia announced that 39-year-old Song Wu, a Chinese national, was indicted on charges of wire fraud and aggravated identity theft for conducting a multi-year spear-phishing campaign to obtain “computer software and source code created by the National Aeronautics and Space Administration (“NASA”), research universities, and private companies.” Song was an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate. According to the U.S. Attorney’s Office press release, Song sent phishing emails to employees of U.S. government organizations, private companies, and universities in which he impersonated acquaintances of the targets in order to request source code and software.

U.S. sanctions executives associated with Intellexa Consortium

In a September 16 press release, the U.S. Department of the Treasury announced the sanctioning of five individuals and one entity linked to the Intellexa Consortium for the development of Predator spyware. The Intellexa Consortium is a network of decentralized companies responsible for creating highly invasive spyware products that have been marketed under the “Predator” brand. Predator spyware is notably used by state-sponsored actors and governments to gain access to sensitive information on victims’ devices. As highlighted in the press release, previous targets of the spyware have included “government officials, journalists, policy experts, and opposition politicians.”

Notable Leaks and Breaches

  • PetroChina

On September 18, a threat actor on BreachForums claimed to have leaked data belonging to PetroChina, a Chinese oil and gas company. The compromised data reportedly includes full names, job titles, email addresses, server IP logs, passwords, and phone numbers.

  • Ministry of Human Resources and Social Development

On September 17, a threat actor on BreachForums claimed to have leaked data belonging to the Ministry of Human Resources and Social Development, a government ministry in Saudi Arabia.

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.

For more information, visit www.darkowl.com.