Attackers pose as German, Italian & US gov't agencies to spread malware


Since October, a threat actor has been impersonating governmental agencies in phishing emails designed to infect American, German and Italian organizations with various forms of malware, including the Cobalt Strike backdoor, Maze ransomware and the IcedID banking trojan.


Business and IT services, manufacturing companies, and healthcare organizations make up a large share of the targets in this operation, said a blog post today from Proofpoint, which calls the group TA2101. In many cases, the emails are sent from addresses that look authentic at first glance, except that they end in the .icu top-level domain.


The Proofpoint Threat Insight Team observed TA2101 campaigns targeting Germany on Oct. 16 and 23, and then again on Nov. 6, during which time the actor pretended to be the Bundeszentralamt für Steuern, aka the German Federal Ministry of Finance. The adversary sent hundreds of emails with lures designed to entice recipients into opening Word documents containing malicious macros. These macros executed a PowerShell script that delivered Cobalt Strike, a legitimate attack simulation tool that in the wrong hands can be ..
