Guardio Uncovers Sophisticated Email Hijacking Scheme Involving 8,000 Subdomains of Major Brands, Orchestrated by Threat Actor ResurrecAds
Plus, Ukrainian Entities in Finland Targeted in Malicious Campaign Using IDAT Loader to Distribute Remcos RAT
SubdoMailing Campaign Exploits Legitimate Brand Subdomains for Spam Distribution and Click Monetization, Circumventing Standard Security Measures
Guardio Labs has exposed a complex email hijacking operation named SubdoMailing, which exploits over 8,000 subdomains belonging to reputable brands and institutions for the proliferation of spam and click monetization. Tracked since September 2022, the campaign is orchestrated by a threat actor dubbed ResurrecAds, known for reviving defunct domains associated with major brands to manipulate the digital advertising ecosystem for illicit gains.
ResurrecAds manages an extensive infrastructure of hosts, SMTP servers, IP addresses, and private residential ISP connections, leveraging stolen resources to circulate millions of spam and phishing emails daily. The emails masquerade as legitimate communications and evade standard security measures by rendering their content as images instead of text (defeating text-based filtering) and by employing sophisticated redirection techniques.
Notably, the subdomains targeted belong to prominent brands such as ACLU, eBay, Marvel, and VMware, among others, adding credibility to the malicious emails. By bypassing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks, the campaign successfully circumvents email authentication methods designed to prevent spoofing.
Guardio's investigation documented deceptive email origins in which a brand subdomain such as marthastewart.msn.com pointed, via a CNAME record, to a domain now under the attacker's control. Because a CNAME causes the subdomain to resolve to the target's records, SPF lookups for the subdomain return the target's policy, so the attacker's servers pass SPF while sending mail as if from the reputable domain. The hijackers likewise take over abandoned subdomains whose CNAME records dangle (point at names that are no longer registered) or whose SPF records still reference defunct domains, seizing control of them to host malicious content.
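As an added example (not Guardio's checker or any code from the report), the following is a defender-side audit of the two DNS conditions just described: subdomains whose CNAME target no longer exists, and SPF records whose include:/redirect= targets no longer exist. It runs against a constructed in-memory zone; the lookup callback, hostnames and records are assumed sample values, and a real deployment would back the callback with an actual resolver.

```python
import re

# SPF terms that pull in another domain's policy (a deleted target is exploitable).
SPF_REF = re.compile(r"^[+\-~?]?(include:|redirect=)(?P<d>\S+)$", re.I)

def spf_referenced_domains(spf_txt):
    """Domains an SPF string references via include: / redirect= terms."""
    hits = [SPF_REF.match(t) for t in spf_txt.split()]
    return [m.group("d").rstrip(".") for m in hits if m]

def spf_record(name, lookup):
    """The v=spf1 TXT record published at name (None if absent)."""
    for txt in lookup(name, "TXT") or []:
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def check_subdomain(name, lookup, max_hops=8):
    """lookup(name, rrtype) returns a list of record strings, or None when the
    name does not exist at all (NXDOMAIN). Returns (finding, subject, target)."""
    findings, cur, seen = [], name, set()
    for _ in range(max_hops):                  # walk the CNAME chain
        cname = lookup(cur, "CNAME")
        if not cname or cname[0] in seen:
            break
        target = cname[0].rstrip(".")
        seen.add(cname[0])
        if lookup(target, "A") is None:        # NXDOMAIN: target abandoned
            # whoever registers `target` now answers for `cur`, SPF TXT included
            findings.append(("dangling_cname", cur, target))
            return findings
        cur = target
    for ref in spf_referenced_domains(spf_record(cur, lookup) or ""):
        if lookup(ref, "TXT") is None:         # included policy domain is gone
            findings.append(("dangling_spf_include", cur, ref))
    return findings

# Constructed sample zone (not real DNS data); a missing name means NXDOMAIN.
SAMPLE_ZONE = {
    "promo.example-brand.test": {"CNAME": ["old-campaign.expired-vendor.test."]},
    "mail.example-brand.test": {"TXT": ["v=spf1 include:_spf.expired-esp.test -all"]},
    "ok.example-brand.test": {"CNAME": ["cdn.vendor.test."]},
    "cdn.vendor.test": {"A": ["192.0.2.10"], "TXT": ["v=spf1 include:_spf.vendor.test -all"]},
    "_spf.vendor.test": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
}

def sample_lookup(name, rrtype):   # in-memory stand-in for a resolver
    rec = SAMPLE_ZONE.get(name.rstrip("."))
    return None if rec is None else rec.get(rrtype, [])
```

Running `check_subdomain` over every name in a zone export flags the two hijackable patterns; the `ok.` host shows a CNAME chain that is intact and therefore produces no finding.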
To counter this threat, Guardio has launched a SubdoMailing Checker tool to help domain administrators and site owners detect signs of compromise. The operation, meticulously designed to distribute malicious advertisements and maximize click revenue, demonstrates the sophistication and agility of modern cybercriminal networks.
Threat Actor UAC-0184 Utilizes Steganography and War-Themed Lures to Deploy Remote Access Trojans, CERT-UA Reports Additional Attacks via Signal App and PikaBot Malware Resurgence
A malicious campaign targeting Ukrainian entities based in Finland has been uncovered, employing a commercial remote access trojan (RAT) named Remcos RAT, distributed via a malware loader known as IDAT Loader. Tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0184, the attack leverages steganography techniques for defense evasion.
Morphisec researcher Michael Dereviashkin emphasized the role of steganography in evading defenses. IDAT Loader, associated with the Hijack Loader family, has been used to deliver payloads including DanaBot, SystemBC, and RedLine Stealer; another threat actor, TA544, has also used IDAT Loader to distribute Remcos RAT and SystemBC via phishing attacks.
The phishing campaign, disclosed by CERT-UA in January 2024, uses war-themed lures to initiate an infection chain that deploys IDAT Loader, which in turn extracts the Remcos RAT payload hidden steganographically inside embedded PNG image files.
In a separate development, CERT-UA revealed targeting of defense forces through the Signal instant messaging app, distributing a booby-trapped Microsoft Excel document executing COOKBOX, a PowerShell-based malware attributed to cluster UAC-0149.
Simultaneously, malware campaigns propagating PikaBot malware have resurged since February 8, 2024, using an updated variant with new unpacking methods, heavy obfuscation, and modifications to core module functionality. Elastic Security Labs reported ongoing development of this variant.
The coordinated efforts of threat actors utilizing various attack vectors underscore the evolving nature of cyber threats, demanding continuous vigilance and adaptation of defense strategies to safeguard against malicious activities.
Jobs/Internships
Coinbase - Software Engineer, Frontend - Consumer - Fully Remote
Roku - Senior Product Manager, Ad Measurement - New York, New York · On-site
Amplitude - Staff Software Engineer, Data Pipeline - Vancouver, BC, Canada · On-site
Motorola Solutions - Data Scientist Intern (Summer 2024) - Schaumburg, IL
Adobe - 2024 Intern - Software Engineer - New York, NY · On-site
UBS - Internship 2024, DevOps Developer, UBS Scenario Hub - Zurich, Zurich, Switzerland · Hybrid