Blog entry by Les Bell

by Les Bell - Saturday, November 5, 2022, 10:02 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


RAT Threat Actor Impersonates Popular Software Download Sites

An increasingly common tactic by threat actors is creating fake download sites for popular software. Copying a web site can be done with just a few commands and a little editing, and a trojaned version of a popular program can easily be created by repackaging the original with the addition of an infostealer, backdoor or remote access trojan. From there, a small investment in Google advertising will ensure that the fake site appears at the top of a search for a software download.

The latest to adopt this tactic are the threat actors behind the RomCom remote access trojan, who have cloned the download sites for the KeePass password manager, PDF Reader Pro, and SolarWinds Network Performance Monitor. As with a previously seen campaign, which spoofed versions of the Advanced IP Scanner software, the primary target appears to be Ukraine, but this time it is possible that some English-speaking countries, including the UK, are also being targeted. As well as cloning the original download site, the threat actor also registers a similarly-named domain and obtains SSL certificates in order to appear legitimate, before running a spear-phishing campaign directed against the targets.

Blackberry Research & Intelligence Team, RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom, blog post, 2 November 2022. Available online at https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass.

Business Email Compromise Actor Targets Law Firm Clients

As reported yesterday, business email compromise attacks are growing rapidly, with the average value of fraudulent transactions also increasing quickly. Specialist email security service provider Abnormal has detailed the emergence of a new threat actor which they call Crimson Kingsnake, targeting companies in the US, Europe, the Middle East and Australia.

The group's tactic is to impersonate major law firms - the kind you really don't want to under-rate and ignore - or even debt recovery companies, sending fake invoices with a covering letter referring to an overdue payment for services performed a year or more ago. Typically, the email appears to be from a typo-squatted domain similar to that of a real law firm, with genuine logos or letterheads, address information and the name and phone number of a real attorney at the real firm. It seems possible that Crimson Kingsnake is using altered versions of legitimate invoices.

However, these emails are sent randomly, in the blind, rather than spear-phishing known clients of the law firms involved. The intention is to rely on social engineering techniques to trick an accounts payable person at the target company into approving payment of the invoice. One of these is to generate a fake email, apparently from an executive at the target company, clarifying the purpose of the invoice, referring to events that supposedly took place some months previously, and 'authorising' the AP person to proceed with payment.

Hassold, Crane, Crimson Kingsnake, BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks, blog post, 4 November 2022. Available online at https://abnormalsecurity.com/blog/crimson-kingsnake-bec-group-attacks.
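Both stories above turn on a similarly-named or typo-squatted domain: a cloned download site under a lookalike name in the RomCom case, and a sender domain that mimics a real law firm in the Crimson Kingsnake case. The following is an added example, not code from either report, of the kind of lookalike check a mail gateway or proxy allowlist filter can run against an organisation's list of trusted domains. The allowlist and the candidate domains are constructed (they use the reserved .example TLD), and the homoglyph table and the edit-distance threshold are assumptions a defender would tune to their own brand list.

```python
"""Flag lookalike (typo-squatted, homoglyph or brand-embedding) domains.

Added example: compares a candidate sender or download domain against a
constructed allowlist and explains why it was flagged.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist of domains the organisation treats as legitimate.
KNOWN_GOOD = ["keepass.example", "solarwinds.example", "bigcitylaw.example"]

# Assumed table of characters attackers swap for visually similar ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "@": "a", "$": "s", "|": "l"})


def normalise(label: str) -> str:
    """Collapse a DNS label to a canonical form for comparison."""
    s = label.lower().translate(HOMOGLYPHS)
    s = s.replace("rn", "m").replace("vv", "w")      # multi-char lookalikes
    return s.replace("-", "").replace("_", "")       # separator insertion


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    matched: Optional[str]   # allowlisted domain it resembles, if any
    reason: str


def classify(domain: str, allow: List[str] = KNOWN_GOOD, max_distance: int = 2) -> Verdict:
    """Return a Verdict describing how `domain` relates to the allowlist."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return Verdict(domain, None, "not a fully qualified domain")
    registrable = ".".join(labels[-2:])          # assumes two-label registrable part
    if registrable in allow:
        return Verdict(domain, registrable, "exact match")
    brand = normalise(labels[-2])
    for good in allow:
        gbrand = normalise(good.split(".")[0])
        if brand == gbrand:
            return Verdict(domain, good, "homoglyph, separator or TLD lookalike")
        if gbrand in brand:
            return Verdict(domain, good, "brand embedded in a longer name")
        if any(normalise(lbl) == gbrand for lbl in labels[:-2]):
            return Verdict(domain, good, "brand used as a subdomain of an unrelated domain")
        distance = levenshtein(brand, gbrand)
        # Short brands produce false positives at distance 2, so require length.
        if distance <= max_distance and len(gbrand) >= 6:
            return Verdict(domain, good, f"edit distance {distance} from {good}")
    return Verdict(domain, None, "no match")


def flagged(domains: List[str]) -> List[Verdict]:
    """Return only the verdicts that resemble an allowlisted domain without matching it."""
    return [v for v in map(classify, domains)
            if v.matched is not None and v.reason != "exact match"]


if __name__ == "__main__":
    # Constructed sample of sender / link domains seen in a day's mail.
    sample = ["downloads.keepass.example", "keepas.example", "so1arwinds.example",
              "bigcity-law.example", "bigcitylaw-legal.example",
              "keepass.evil.example", "unrelated-vendor.example"]
    for v in flagged(sample):
        print(f"{v.domain:30} -> {v.matched:20} ({v.reason})")
```

The reasons are deliberately coarse so that an analyst can triage them: an exact allowlist hit passes, a homoglyph or separator lookalike is the cloned-site pattern, and a brand embedded in a longer name or used as a subdomain is the pattern that lets a fake invoice carry a real firm's name in its sender address.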


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
