MasterMana Campaign Combines Stealth, Free Services and Old Malware

An ongoing cybercrime campaign that started as early as December 2018 has avoided widespread detection through a combination of stealth tactics and hiding in plain sight. Called MasterMana, the threat is sophisticated enough to evade automated detection during infection, but not so sophisticated that it attracts the eye of APT threat hunters.


Researchers at cyber intelligence firm Prevailion, who detected and named the campaign, avoid direct attribution to a specific attacker group. Nevertheless, they point to some similarities between MasterMana and the tactics, techniques, and procedures (TTPs) of the Gorgon Group, which is thought to operate out of Pakistan. In 2018, Palo Alto Networks' Unit 42 research arm described the Gorgon Group as 'slithering between nation state and cybercrime'. This is a reasonable description of the MasterMana campaign -- the attackers likely have advanced capabilities, but have consciously chosen not to use them here.


In September, Prevailion disclosed a North Korean-linked summer campaign, which it called Autumn Aperture, that targeted U.S. entities.


MasterMana attacks start with a phishing email carrying a weaponized Office document. The samples Prevailion found and reported use Excel, but references within the code suggest that the group may also have trojanized Word, PowerPoint and Publisher files. The phishing lure has to trick the victim into enabling macros. Once macros are enabled, the macro reaches out to a Bitly short link, which redirects to an actor-controlled Blogspot page (myownteammana[.]blogspot[.]com). The macro stage reflects the actors' stealth approach, while the Blogspot URL is the 'hiding in plain sight' element of the attack.
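The chain above (an Office process following a Bitly short link and then landing on a Blogspot page) is something a defender can hunt for in proxy or endpoint network logs. The script below is an added example, not code from the article or from Prevailion: it runs a simple two-stage correlation over constructed sample log lines. The log format (`<ISO time> host=<h> proc=<p> url=<u>`), the 60-second chain window, the `bit.ly/EXAMPLE*` short-link paths and the host names are all assumptions made for the example; the Blogspot hostname is the one named in the article. It generalises slightly beyond the Excel-only samples by watching the Word, PowerPoint and Publisher processes the article mentions as possible carriers.

```python
"""Hunt for the MasterMana-style chain: Office process -> URL shortener -> Blogspot.

Added example for illustration; not Prevailion's tooling. Log lines below are
constructed, and the short-link paths are placeholders, not real Bitly links.
"""
import re
from datetime import datetime, timedelta

# Office processes the article names as actual or possible macro carriers.
OFFICE_PROCS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "MSPUB.EXE"}
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}
BLOG_SUFFIX = ".blogspot.com"
CHAIN_WINDOW = timedelta(seconds=60)  # assumed: redirect follows within a minute

# Assumed log format: "<ISO time> host=<h> proc=<p> url=<u>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")
URL_HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)

# Constructed sample data: ws17 shows the full chain, ws03 is a browser (benign
# short-link use), ws09 shows a shortener hit and a Blogspot hit too far apart.
SAMPLE_LOG = """\
2019-07-22T09:14:02 host=ws17 proc=EXCEL.EXE url=https://bit.ly/EXAMPLE1
2019-07-22T09:14:03 host=ws17 proc=EXCEL.EXE url=https://myownteammana.blogspot.com/
2019-07-22T09:20:11 host=ws03 proc=chrome.exe url=https://bit.ly/EXAMPLE2
2019-07-22T10:02:45 host=ws09 proc=WINWORD.EXE url=https://bit.ly/EXAMPLE3
2019-07-22T10:30:00 host=ws09 proc=WINWORD.EXE url=https://example.blogspot.com/
2019-07-22T11:00:00 host=ws22 proc=WINWORD.EXE url=https://update.microsoft.com/
"""


def parse(lines):
    """Turn log lines into event dicts; silently skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hm = URL_HOST_RE.match(m["url"])
        if not hm:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "proc": m["proc"].upper(),
            "urlhost": hm.group(1).lower(),
            "url": m["url"],
        })
    return events


def classify(urlhost):
    """Label a destination as 'shortener', 'blogspot' or None (uninteresting)."""
    if urlhost in SHORTENER_HOSTS:
        return "shortener"
    if urlhost.endswith(BLOG_SUFFIX):
        return "blogspot"
    return None


def detect(lines):
    """Return alerts. Each Office hit on a shortener or Blogspot page is a
    medium alert; a shortener hit followed by a Blogspot hit from the same
    host/process within CHAIN_WINDOW escalates to a high-severity chain alert."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    alerts = []
    pending = {}  # (host, proc) -> most recent shortener event awaiting a redirect
    for e in events:
        if e["proc"] not in OFFICE_PROCS:
            continue  # browsers and other non-Office processes are out of scope
        kind = classify(e["urlhost"])
        key = (e["host"], e["proc"])
        if kind == "shortener":
            pending[key] = e
            alerts.append({"severity": "medium", "rule": "office_shortener",
                           "host": e["host"], "proc": e["proc"], "url": e["url"]})
        elif kind == "blogspot":
            prev = pending.pop(key, None)
            if prev is not None and e["ts"] - prev["ts"] <= CHAIN_WINDOW:
                alerts.append({"severity": "high", "rule": "office_shortener_to_blogspot",
                               "host": e["host"], "proc": e["proc"],
                               "first_url": prev["url"], "second_url": e["url"]})
            else:
                alerts.append({"severity": "medium", "rule": "office_blogspot",
                               "host": e["host"], "proc": e["proc"], "url": e["url"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["rule"], a["host"], a["proc"])
```

The medium alerts are deliberately kept even when the chain fires, so a host where the Blogspot request was blocked (or only the DNS lookup was logged) still surfaces. If your proxy only logs the first hop, the Bitly request will appear but the Blogspot redirect will not, and the `office_shortener` rule is then the one to tune.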


The same Blogspot hostname was used by multiple campaigns within MasterMana, with each campaign correlating with different URLs. In just one mini-campaign from late Ju ..
