
Hackers exploit Signal's linked devices feature to hijack accounts via malicious QR codes


February 19, 2025Ravi LakshmananMobile Security/Cyber ​​Spy

Multiple Russia-linked threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts.

“The most novel and widely used technique supporting Russia-aligned attempts to compromise Signal accounts is the misuse of the app’s legitimate ‘linked devices’ feature, which makes it possible to use Signal on multiple devices simultaneously,” Google said in a report.

In the attacks discovered by the tech giant’s threat intelligence team, the threat actors, including one tracked as UNC5792, relied on malicious QR codes that, when scanned, link the victim’s account to an actor-controlled Signal instance.

As a result, future messages are delivered in real time to both the victim and the threat actor, giving the threat actor a persistent way to eavesdrop on the victim’s conversations. Google said UNC5792 partially overlaps with the hacking group known as UAC-0195.


These QR codes are known to masquerade as group invitations, security alerts, or legitimate device pairing instructions from the Signal website. Alternatively, malicious device-linking QR codes have been found embedded in phishing pages that purport to be specialized applications used by the Ukrainian military.

“UNC5792 hosts modified Signal group invitations on actor-controlled infrastructure, designed to look identical to a legitimate Signal group invitation,” Google said.
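A defender-side check for the lure described above, as an added example that is not from the article or from Google's report: it classifies decoded QR payloads found in inbound messages or web pages and flags any that would link a device, or that pose as a group invitation without being one. The URI forms (`sgnl://linkdevice`, `tsdevice:`, `signal.group`) are assumptions about Signal's client URI handling, and the sample records are constructed.

```python
from urllib.parse import urlsplit

# Assumed URI forms (not taken from the article):
#   device linking : sgnl://linkdevice?uuid=...&pub_key=...  (older: tsdevice:/?...)
#   group invite   : https://signal.group/#<token>  or  sgnl://signal.group/#<token>

def classify_qr_payload(payload: str) -> str:
    """Return 'device_link', 'group_invite' or 'other' for a decoded QR string."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:          # malformed URL text is simply not a Signal URI
        return "other"
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "tsdevice" or (scheme == "sgnl" and host == "linkdevice"):
        return "device_link"
    # Exact host match: a lookalike such as signal.group.example.net is not an invite.
    if scheme in ("https", "sgnl") and host == "signal.group" and parts.fragment:
        return "group_invite"
    return "other"

def triage(findings):
    """Flag QR codes from inbound content that do not match what the lure claims."""
    alerts = []
    for f in findings:
        kind = classify_qr_payload(f["payload"])
        if kind == "device_link":
            # A genuine link QR is shown by the user's own new device, not sent to them.
            alerts.append((f["id"], "device-link QR in inbound content"))
        elif f["presented_as"] == "group_invite" and kind != "group_invite":
            alerts.append((f["id"], "group-invite lure with non-invite payload"))
    return alerts

SAMPLE_FINDINGS = [  # constructed sample data, not real indicators
    {"id": "msg-1", "presented_as": "group_invite",
     "payload": "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEKEY"},
    {"id": "msg-2", "presented_as": "group_invite",
     "payload": "https://signal.group/#EXAMPLEGROUPTOKEN"},
    {"id": "page-3", "presented_as": "security_alert",
     "payload": "tsdevice:/?uuid=EXAMPLE-UUID&pub_key=EXAMPLEKEY"},
    {"id": "page-4", "presented_as": "device_pairing",
     "payload": "SGNL://LinkDevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEKEY"},
    {"id": "msg-5", "presented_as": "group_invite",
     "payload": "https://signal.group.example.net/#EXAMPLEGROUPTOKEN"},
]

if __name__ == "__main__":
    for finding_id, reason in triage(SAMPLE_FINDINGS):
        print(finding_id, "->", reason)
```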

Another threat actor linked to the targeting of Signal is UNC4221 (aka UAC-0185). It targets Signal accounts used by Ukrainian military personnel, using custom phishing kits designed to mimic certain aspects of the Kropyva application used by the Ukrainian military for artillery guidance.

It also uses a lightweight JavaScript payload known as PINPOINT, which can collect basic user information and geolocation data through phishing pages.

Apart from UNC5792 and UNC4221, some of the other adversarial groups that have trained their sights on Signal are Sandworm (aka APT44), which utilizes a Windows batch script named WAVESIGN; Turla, which operates a lightweight PowerShell script; and UNC1151, which uses the Robocopy utility to exfiltrate Signal messages from infected desktops.

The disclosure from Google comes a month after the Microsoft Threat Intelligence team attributed to the Russian threat actor known as Star Blizzard a spear-phishing campaign that uses a similar device-linking feature against WhatsApp accounts.

Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are using a technique called device code phishing to log in to victims' accounts by targeting them through messaging apps such as WhatsApp, Signal, and Microsoft Teams.

“The operational emphasis on Signal from multiple threat actors over the past few months serves as a key warning about the growing threat to secure messaging applications, which is sure to intensify in the short term,” Google said.


“As reflected in the broader efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also includes close-access operations in which a threat actor can gain access to a target’s unlocked device.”

The disclosure also follows the discovery of a new search engine optimization (SEO) poisoning campaign that uses fake download pages impersonating popular applications such as Signal, LINE, Gmail, and Google Translate to deliver backdoored executables targeting Chinese-speaking users.

“Executables delivered via fake download pages follow a consistent execution pattern, including temporary file extraction, process injection, security changes, and network communication,” Hunt.io said, adding that the samples show infostealer-like functionality associated with a malware strain called MicroClip.
