According to the company security Group-IB, One hacking team, active since mid-2019, infringed email accounts belonging to high-ranking executives from more than 150 Companies, in the context of a spear-phishing campaign.
The group, by name PerSwaysion, mainly targets him financial sector (about half of his victims) but also Companies in other industries.
PerSwaysion's operations are not very sophisticated, but they have been extremely successful successful. Group-IB says the intruders did not use vulnerabilities or malware on attacks but relied on a classic spear-phishing technique.
They sent emails to high-ranking executives in targeted companies in the hope of deceiving them and importing Office 365 credentials on fake pages.
Group-IB said that spear-phishing attack on executives consisted of three steps:
- Victims receive an email containing a clean file PDF as attached. If the victims open it file, they will be asked to click on a link to see the actual content.
- The link redirects users to a page Microsoft Sway (newsletter service), where a similar file is requested from victim to click on another link.
- This last link redirects the executive to a page that mimics the Microsoft Outlook login page. If the executives put their credentials, the hackers they will steal them.
PerSwaysion hackers acted quickly after the credentials were stolen and managed to gain access to the infringed accounts e-mail in one day.
"After sending the credentials to their command and control servers, PerSwaysion hackers connect to the compromised email accounts," said Group-IB.
"Finally, they create new phishing PDF files with the full name of the victim, email address, legal name of the company. These archives "PDFs are sent to new people, outside the victim's body, who hold important positions."
Group-IB also said that as soon as hackers send the new spear-phishing emails from a hacked account, they delete the emails from the outgoing folder to avoid detection.
At present, Group-IB does not yet know exactly what they are doing hackers from the moment the emails are stolen.
They can sell access to other criminal groups and more.
Group-IB said the PerSwaysion team appears to be made up of members based in Nigeria and South Africa and use one phishing toolkit, developed by a Vietnamese developer. The "leader" of the team is probably named "Sat».