21 April 21, 13:03
Quote: A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg’s industry-based services.
Cisco Talos Intelligence researchers discovered the campaign, dubbing it and its perpetrator “Fajan” and asserting it is likely the work of one actor from an Arabic-speaking country.
Researchers have been tracking the e-mail-based campaign since Fajan first commenced activity in March, recovering a “relatively low volume” of samples that make it tricky to determine “whether the campaigns are carefully targeted or mass-spammed,” according to a report posted online Wednesday.
Attacks start in the form of what look like targeted emails to clients of Bloomberg BNA, which has since been rebranded Bloomberg Industry Group. The wholly owned subsidiary of Bloomberg LLC aggregates news content in platforms for various industries such as law, tax and accounting, and government and sells them to clients.
“We believe this is the first time anyone’s documented Fajan’s operations in one place,” Cisco Talos researcher Vanja Svajcer wrote in the report.
The emails claim to contain an invoice for clients but instead include an attached Excel spreadsheet that contains macro code to either download the next infection stage or drop and run the final payload, which is always a Javascript- or VB-based RAT “that allows the attacker to take control over the infected system using HTTP over a non-standard TCP port,” he wrote.
Read more: Novel Email-Based Campaign Targets Bloomberg Clients with RATs | Threatpost