A threat actor that is relatively new to the scene relies on open-source tools for spear-phishing attacks designed to steal credentials from government and educational institutions in the Middle East. The group is being tracked as DarkHydrus by researchers at Palo Alto Networks Unit 42, who observed it using Phishery in a recent credential harvesting attack. Previous campaigns utilized Meterpreter, Cobalt Strike, Invoke-Obfuscation, Mimikatz, PowerShellEmpire, and Veil. The typical method employed is to weaponize Office documents that retrieves malicious code from a remote site when executed.
Commenting on this, Tim Helming, director of product management at DomainTools said:
“Threat actors using open source components for phishing attacks show that available tools on the Internet have enormous potential to be used for both helpful and nefarious purposes. We have seen open source tools used to carry out ransomware attacks such as WannaCry and NotPetya in the past, and this attack shows the same information can be leveraged for a credential stealing phishing campaign. The prospective targets involved – those holding governmental or educational office in the Middle East – should be exceptionally cautious about unsolicited links, and should make sure to double-check the legitimacy of a domain before entering any kind of information into it. Spear phishing attacks can be incredibly hard to spot, but even the most skilled threat actors are likely to leave some trace of their true intentions, and those traces can help potential victims or incident responders.”