Email is often the first door attackers knock on.

Getting into a corporate network from the outside isn't that easy any more. IDS and IPS are the modern defences against intrusion, and trained programmers no longer leave as many vulnerabilities in software as they did in the old days.

Nevertheless, everyone reads email every day, and reading email leaves you exposed.

Volexity reports that Patchwork, also known as Dropping Elephant, an APT group attributed to India, has launched multiple spear phishing campaigns against United States-based think tanks.

Across the three observed spear phishing campaigns, Patchwork used lookalike domains and themes tailored to these well-known target organizations.

According to Volexity, each e-mail was sent from an attacker-controlled domain. This domain was not only used to send the phishing e-mails, but also to track which targets opened them. Within each of the HTML-formatted messages, an embedded image tag beacons home to the attacker's domain, carrying a unique identifier specific to the recipient:

<img src="https://<web-portal>/<unique-identifier>" width="0" height="0" />
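A zero-size remote image is the classic shape of a tracking pixel, and mail gateways or client-side filters can flag and neutralise it before the message is rendered. The following script is an added example, not code from the original post or from Volexity: it parses an HTML body with the standard-library parser, reports every <img> whose declared size is 0 or 1 pixel (or hidden by inline style) and whose src points at a remote http(s) host, and rewrites those src values to about:blank. The sample message and the web-portal.example hostname are constructed.

```python
"""Detect and neutralise zero-size remote image beacons in HTML email bodies.

Added example (not from the original post). Flags <img> tags whose
width/height are 0 or 1 (or hidden via inline style) and whose src is a
remote http(s) URL: the recipient-tracking pattern described above.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = {"0", "1", "0px", "1px"}


class BeaconFinder(HTMLParser):
    """Collects (src, width, height) for every candidate tracking image."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    # html.parser routes self-closing tags (<img ... />) here as well
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        width = a.get("width", "").strip().lower()
        height = a.get("height", "").strip().lower()
        style = a.get("style", "").lower().replace(" ", "")
        hidden_by_style = ("display:none" in style
                           or "width:0" in style or "height:0" in style)
        tiny = (width in TINY and height in TINY) or hidden_by_style
        # cid: (inline attachment) and data: images never leave the client
        remote = urlparse(src).scheme in ("http", "https")
        if tiny and remote:
            self.beacons.append((src, width, height))


def find_beacons(html: str):
    """Return a list of (src, width, height) for each suspected beacon."""
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.beacons


def strip_beacons(html: str) -> str:
    """Return the body with every beacon src replaced by about:blank."""
    out = html
    for src, _, _ in find_beacons(html):
        out = out.replace(src, "about:blank")
    return out


# Constructed sample: one hidden beacon, one inline logo, one normal banner.
SAMPLE_EMAIL = """<html><body>
<p>Dear colleague, please see the attached agenda.</p>
<img src="https://web-portal.example/track/9f1c2e" width="0" height="0" />
<img src="cid:logo.png" width="120" height="40">
<img src="https://images.example/banner.jpg" width="600" height="90">
</body></html>"""

if __name__ == "__main__":
    for src, w, h in find_beacons(SAMPLE_EMAIL):
        print(f"beacon: {src} ({w}x{h})")
    print(strip_beacons(SAMPLE_EMAIL))
```

Rewriting the src rather than deleting the tag keeps the rest of the layout intact while guaranteeing no request reaches the tracking host; a gateway that logs the removed URLs also gets a cheap indicator of which campaigns are hitting which recipients.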

While the recipient tracking, the linked RTF document, and the final payload (a QuasarRAT variant) remained the same, certain elements differed across the observed campaigns.

In one attack, the attackers used a domain name similar to that of the Foreign Policy Research Institute (FPRI) in a message supposedly coming from the Council on Foreign Relations (CFR). The spear-phishing emails contained links to files with a .doc extension which were in fact RTF documents attempting to exploit CVE-2017-8750 and execute code via a malicious scriptlet file embedded in the document.
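A file extension is just a label, so an attachment filter should classify the content by its leading bytes and compare that with what the name claims. The checker below is an added example, not code from the original post or from Volexity: it sniffs RTF, legacy OLE2 (.doc), OOXML zip and PDF signatures, flags a .doc that is really RTF, and counts \objdata control words, which is where RTF embeds OLE objects. The three attachments are constructed samples.

```python
"""Flag attachments whose declared extension disagrees with their content.

Added example (not from the original post). The campaign above delivered
RTF files under a .doc extension; this check trusts the bytes, not the name,
and additionally counts embedded OLE objects (\\objdata) inside RTF content.
"""
import re

# (signature, content kind) in the order checked
MAGIC = (
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy binary .doc/.xls
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx) is a zip
    (b"%PDF", "pdf"),
)

# What each extension is expected to contain.
EXPECTED = {"doc": {"ole2"}, "docx": {"zip"}, "rtf": {"rtf"}, "pdf": {"pdf"}}


def sniff(blob: bytes) -> str:
    """Classify a blob by its leading bytes."""
    head = blob[:8]
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "unknown"


def embedded_object_count(blob: bytes) -> int:
    """Count \\objdata control words, i.e. OLE objects embedded in RTF."""
    return len(re.findall(rb"\\objdata\b", blob))


def check_attachment(filename: str, blob: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(blob)
    mismatch = ext in EXPECTED and kind not in EXPECTED[ext]
    objects = embedded_object_count(blob) if kind == "rtf" else 0
    return {
        "name": filename,
        "ext": ext,
        "content": kind,
        "mismatch": mismatch,
        "embedded_objects": objects,
        "suspicious": mismatch or objects > 0,
    }


# Constructed samples: an RTF-with-object posing as .doc, a real .doc, a plain RTF.
ATTACHMENTS = {
    "agenda.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "notes.rtf": b"{\\rtf1\\ansi Plain text only.}",
}


def scan_all(attachments=ATTACHMENTS) -> dict:
    """Run check_attachment over a name -> bytes mapping."""
    return {name: check_attachment(name, blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    for result in scan_all().values():
        print(result)
```

The two signals are independent on purpose: a content/extension mismatch alone is enough to quarantine a message, and an embedded object inside a genuine .rtf is still worth a second look even when the name is honest.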

“The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. While there were a few peculiar components to some of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being targeted. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message…” Volexity notes.

Are you sure the mail you are reading is from who it claims to be? Are you about to click the link in your friend's email?

Let Mr Post help you. Install it now from Microsoft AppSource.

[2] Photo by NeONBRAND on Unsplash