Researchers uncovered a new malware operation, dubbed Red Deer, that uses phishing emails to target users in Israel. The campaign is attributed to the Aggah APT and has been active since last year, with minor shifts in tactics and techniques.

Modus operandi

The phishing email impersonates the Israeli postal company, Israel Post, whose logo is a red deer.
  • Attackers use social engineering tactics to pressurize recipients into opening an attachment by claiming that a package is waiting for them and that they need to choose their preferred delivery method.
  • The attachment is an HTML file that opens automatically in the user’s browser when clicked. Once opened, an ISO file is downloaded automatically; because the payload is assembled and dropped by the browser rather than fetched from a URL, this process is known as HTML smuggling.
  • In the final stage of the campaign, 3losh RAT, a modified version of AsyncRAT, is deployed on victims’ systems.

Security experts claimed to have witnessed similar incidents earlier with each occurrence showing slight variations in the execution flow.

Change in tactics

  • In an attack observed in October 2022, the .iso file was replaced by a .zip archive. The archive contains a .wsf script file, instead of the obfuscated VBS file, to download the malware.
  • Furthermore, the actor's SSL certificates appear on several IPs/domains, so the threat actor can maintain and work with only one operating server while creating multiple hosts.
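The two delivery chains described above (an HTML attachment that smuggles an ISO, and a .zip archive carrying a .wsf script) can be triaged with the same attachment scanner. The following is an added example written for this summary, not code from Cyware or from the researchers who analyzed the campaign; the indicator patterns, the scoring threshold, the list of risky archive member extensions and the sample attachments are all constructed assumptions for illustration, not observed campaign artifacts.

```python
import base64
import io
import re
import zipfile

# Member extensions that should rarely arrive inside an emailed archive (assumed list).
RISKY_MEMBER_EXTS = {".iso", ".wsf", ".vbs", ".js", ".hta", ".lnk", ".exe", ".scr"}

# Script constructs typical of HTML smuggling: the payload is decoded client-side
# and handed to the browser as a download instead of being fetched from a URL.
SMUGGLING_PATTERNS = [
    r"\batob\s*\(",
    r"new\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob",
    r"\.download\s*=",
    r"\.click\s*\(\s*\)",
]
# A very long base64 run inside an HTML file usually is the embedded payload.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")


def scan_html(text: str) -> dict:
    """Score an HTML attachment for smuggling indicators (threshold is an assumption)."""
    hits = [p for p in SMUGGLING_PATTERNS if re.search(p, text, re.IGNORECASE)]
    blob = LONG_BASE64.search(text) is not None
    score = len(hits) + (2 if blob else 0)
    return {"type": "html", "indicators": hits, "embedded_blob": blob, "suspicious": score >= 3}


def scan_zip(data: bytes) -> dict:
    """List archive members with script or disk-image extensions without extracting them."""
    risky = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if any(name.lower().endswith(ext) for ext in RISKY_MEMBER_EXTS):
                risky.append(name)
    return {"type": "zip", "risky_members": risky, "suspicious": bool(risky)}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Dispatch on attachment type; ISO attachments are flagged outright."""
    lower = filename.lower()
    if lower.endswith((".html", ".htm")):
        return scan_html(data.decode("utf-8", errors="replace"))
    if lower.endswith(".zip") or data[:4] == b"PK\x03\x04":
        return scan_zip(data)
    if lower.endswith(".iso"):
        return {"type": "iso", "suspicious": True, "reason": "disk image attachment"}
    return {"type": "other", "suspicious": False}


# --- constructed samples (dummy bytes, not real campaign content) ---
FAKE_BLOB = base64.b64encode(b"X" * 1600).decode()  # > 2000 base64 chars
SMUGGLING_HTML = f"""<html><body><p>Your parcel is waiting.</p>
<script>
var b64 = "{FAKE_BLOB}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'delivery.iso';
a.click();
</script></body></html>"""
BENIGN_HTML = '<html><body><a href="https://example.invalid/track">Track parcel</a></body></html>'


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the later variant: a .wsf script next to a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, not real content")
        zf.writestr("invoice.wsf", "<job><script language='VBScript'></script></job>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [
        ("delivery.html", SMUGGLING_HTML.encode()),
        ("notice.html", BENIGN_HTML.encode()),
        ("parcel.zip", build_sample_zip()),
        ("parcel.iso", b"\x00" * 16),
    ]:
        print(name, triage_attachment(name, data))
```

The scanner never executes the attachment: HTML is matched on text, and the archive is listed via the central directory only. Tune the score threshold and extension list to your mail gateway's false-positive tolerance; a single `atob(` or `.click()` is common in legitimate pages, which is why several indicators or a large embedded blob are required before a file is flagged.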

Recent phishing attacks against Israelis

  • CERT-UA discovered a phishing operation attributed to the UAC-0063 threat actor, which displayed potential interest in targeting Israel, Mongolia, Kazakhstan, Kyrgyzstan, and India. 
  • In another instance, the Iranian state-sponsored Educated Manticore group was observed deploying an updated version of the PowerLess backdoor via phishing emails to target Israeli entities.

Conclusion

Numerous Israeli organizations across sectors have been falling victim to the Red Deer campaign. As the threat becomes more sophisticated, it’s crucial that organizations continually educate their employees about phishing campaigns and how to spot them. Additionally, security teams can review the IOCs to analyze the attack for effective mitigation.
Cyware Publisher