In April, ThreatLabz released a tome covering a full year’s worth of phishing data from the Zscaler cloud; correlated a campaign with Lazarus Group, a sophisticated North Korean APT operation; uncovered a remote access trojan, AsyncRat, targeting travelers visiting Thailand; and, examined the PrivateLoader downloader malware family.
2022 Zscaler ThreatLabz State of Phishing Report
If you have not downloaded the industry report, now is a great time to do it. ThreatLabz examined a year’s worth of global phishing data from the Zscaler cloud to identify key trends, industries and geographies at risk, and emerging tactics. The result is 40 pages of findings, best practices, and guidance on how to better identify and protect yourself against phishing attacks.
Phishing is increasingly used by adversaries who are getting craftier along with the new attackers joining their ranks due to pre-built phishing kits available on the darknet. Among the report findings, cybersecurity professionals in Singapore and Russia contended with a disproportionate onslaught of such attacks followed by France and the UK.
Key findings
- Phishing attacks rose 29% in 2021 compared to 2020.
- Microsoft, Telegram, Amazon, OneDrive, and Paypal topped the growing list of targeted brands.
- The United States, Singapore, Germany, Netherlands, and the United Kingdom were the top five most targeted countries.
- Retail and wholesale were the most targeted industries, experiencing the highest increase in phishing attacks at +436%.
- “Phishing-as-a-service” has contributed greatly to the growth of phishing, offering a marketplace of pre-built tools that reduce technical barriers to entry for criminals.
- Emerging phishing vectors such as SMS phishing are increasing faster than phishing overall as end users become more wary of suspicious emails.
- Attackers continue to capitalize on the news cycle. COVID-19 and crypto-themed phishing attacks were prevalent throughout 2021.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
Read more about the 2022 ThreatLabz Phishing Report
Lazarus Group APT targets South Koreans
ThreatLabz recently attributed with a high-confidence level a sophisticated campaign with evolving TTPs that reused critical parts of infrastructure known to be connected with the Lazarus Group, a cybercrime group run by the North Korean state. The team shared the technical details of the attack chains and how they correlated the threat actor to Lazarus.
ThreatLabz discovered that at least one of the IP addresses (222.112.127[.]9) used by the threat actor to log in to the attacker-controlled Dropbox accounts was also used to send spear phishing emails to the victims in South Korea. Spear phishing emails leveraged social engineering tricks such as clicking on password-protected files themed around cryptocurrency investments. By correlating C2 IP addresses, attacker-controlled Dropbox accounts’ registrant email addresses, C2 domains’ registrant email addresses, and other data points, the team concluded that the attack chains were connected to the Lazarus threat actor.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
Learn more about Lazarus APT, including a threat attribution analysis
AsyncRAT Trojan ruins travel plans for Thailand Pass
Travel doesn’t always go as planned, especially for victims duped by a spoofed version of the Thailand Pass website. In April, ThreatLabz discovered a malware campaign targeting users applying for Thailand travel passes. Many of the attacks concluded with the payload AsyncRAT, a remote access trojan that can remotely monitor and control other computers through a secure, encrypted connection. The flowchart below depicts the complete execution of the malware campaign:
The ThreatLabz team provides a deep analysis of the malware campaign related to the attacks including malicious URLs, ISO files, the content of the vbs file, compromised AV service, payload execution, and more.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
Read more about Thailand Pass and AsyncRAT
PrivateLoader an active distributor for crimeware and malware families
PrivateLoader is a downloader malware family whose primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service. Last month, ThreatLabz team shared technical analysis of the PrivateLoader and how it’s being leveraged by multiple threat actors to “distribute ransomware, information stealers, banking trojans, downloaders, and other commodity malware.”
Expect PrivateLoader to be updated with new features and functionality to evade detection and effectively deliver second-stage malware payloads.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
Learn more about PrivateLoader
About ThreatLabz
ThreatLabZ is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.
The Zscaler Zero Trust Exchange
Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
What to read next