[MART] - Daily Diary #484 - PDF Phishing Campaigns Targeting Brazilian Organizations

CTAS-MAT ctas-mat at appgate.com
Mon Apr 4 21:04:26 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

04/04/2022 - Diary entry #484:

Last week, our team found a campaign involving a specific Brazilian bank, delivering phishing via PDF files attached to emails. When victims open the PDF and click on the link, they are redirected to a web page hosted on Microsoft Azure, a cloud computing service. This web page then redirects to a malicious website that steals the victims' credentials.

Using a legitimate website is a smart way to make campaigns last longer. The legitimate website only needs to redirect to the phishing website. When the phishing page is taken down, it just needs to redirect to a new one, which makes it more difficult to report that specific Azure website as malicious. A similar approach was used by Emotet to deliver their malware, hosting malicious files on Azure, as we covered in our Daily Diary #404.

Although the phishing URLs were offline during our analysis, we could identify the same modus operandi attacking other targets. We identified campaigns targeting Brazilian organizations since at least January 2022. All PDF files are distributed with a design impersonating the organizations, to lure the victims into opening the document and clicking on the link.

Among the identified targets, there are mostly banks and payment startups, followed by an insurance company, a real estate startup, and even a phishing campaign targeting WhatsApp users. This suggests that the same threat actors are targeting multiple organizations, revealing a clever way to distribute phishing via spam.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
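For triage of the delivery chain described in the diary entry (PDF attachment, link, Azure-hosted redirector), the following added example, which is not part of the original message or Appgate's tooling, extracts link targets from a PDF attachment and flags those hosted on Azure. The suffix list, function names and sample PDF are assumptions constructed for illustration; the entry does not name the Azure service or any URL.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumption: hostname suffixes of Azure services that serve customer content.
# The diary entry does not say which Azure service hosted the redirector.
AZURE_SUFFIXES = (".azurewebsites.net", ".web.core.windows.net",
                  ".blob.core.windows.net", ".azureedge.net")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def pdf_link_targets(pdf_bytes):
    """Return URLs of /URI link actions, including those inside Flate-compressed streams."""
    chunks = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the end-of-line bytes left before "endstream"
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream is not Flate data (image, font, other filter)
    urls = []
    for chunk in chunks:
        for m in URI_RE.finditer(chunk):
            # drop the backslash from escaped characters such as \( \) \\
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1), flags=re.S)
            url = raw.decode("latin-1").strip()
            if url not in urls:
                urls.append(url)
    return urls


def azure_hosted(urls):
    """Keep URLs whose hostname ends in one of the assumed Azure suffixes."""
    return [u for u in urls
            if (urlsplit(u).hostname or "").lower().endswith(AZURE_SUFFIXES)]


# Constructed sample (not from the campaign): one plain link annotation and one
# link action hidden in a compressed object stream.
OBJSTM = zlib.compress(b"<< /S /URI /URI (https://example-redirect.azurewebsites.net/go) >>")
SAMPLE_PDF = (b"%PDF-1.5\n1 0 obj\n<< /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://www.example.com/help) >> >>\nendobj\n"
              b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
              + OBJSTM + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for url in azure_hosted(pdf_link_targets(SAMPLE_PDF)):
        print("review:", url)
```

A hit is a triage signal rather than a verdict, since legitimate documents also link to Azure-hosted pages; the redirect target still has to be resolved in a sandbox.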

