
Venom RAT Phishing Offensive Unleashed by TA558 Across Diverse Sectors in Latin America

Charles M. Walls | April 2, 2024 | Views: 114

A digital world map highlighting Latin America and parts of Europe and North America, with symbolic phishing hooks dangling over these regions.

In a striking revelation, the cybercriminal group known as TA558 has been implicated in a sprawling phishing operation aimed at a host of sectors throughout Latin America, with the deployment of Venom RAT as their primary objective.

This sophisticated campaign has notably targeted industries including hotels, travel, finance, manufacturing, and even government sectors across a broad swath of countries such as Spain, Mexico, the US, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.

TA558 is no stranger to the cybersecurity scene, having actively pursued targets in the LATAM region since 2018 to disseminate various forms of malware including Loda RAT, Vjw0rm, and Revenge RAT.

Perception Point's researcher Idan Tarab highlights that this latest wave of attacks begins with phishing emails. These emails serve as a conduit for introducing Venom RAT—a derivative of Quasar RAT equipped with advanced functionalities for data theft and remote system control—into the victims' systems.

In the broader context of cybersecurity trends, the spotlight also falls on the DarkGate malware loader. Since the law enforcement clampdown on QakBot last year, DarkGate has pivoted towards targeting financial institutions in Europe and the U.S.

According to EclecticIQ's Arda Büyükkaya, "Ransomware syndicates are leveraging DarkGate to establish a beachhead for the injection of an array of malevolent software into corporate frameworks." This encompasses info-stealers, ransomware, and tools for remote management, all with the aim of expanding the infection's reach and the amount of data pilfered.

Additionally, the cybercrime arena has witnessed the rise of malvertising campaigns orchestrating the dissemination of malware variants such as FakeUpdates (also known as SocGholish), Nitrogen, and Rhadamanthys.

GeoEdge, an ad security firm based in Israel, recently shed light on the activities of the infamous malvertising collective ScamClub. According to their findings, ScamClub has turned its attention towards video malvertising attacks, triggering a spike in deceptive VAST-forced redirect incidents starting February 11, 2024.

These attacks employ Video Ad Serving Template (VAST) tags, the XML documents that drive video advertising, to reroute unsuspecting users to fraudulent or scam-laden pages, but only after the ad has passed specific client-side and server-side verification mechanisms.
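A VAST tag is an XML document whose elements (wrapper redirects, impression pixels, click-through targets, media files) all carry URLs that the video player will fetch or navigate to, which is why a forced-redirect campaign can ride on it. The script below is an added defender-side example, not code from the article or from GeoEdge: it parses a constructed VAST 3.0 sample with the standard library, enumerates every URL-bearing element, and flags any URL whose host is outside an allowlist of expected ad-serving domains. The sample document, the domain names, and the allowlist are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed VAST 3.0 sample (not taken from the article). Ad "demo-1" is an
# InLine creative whose ClickThrough points at a host unrelated to the media
# host; "demo-2" is a Wrapper that chains to a further VAST document.
SAMPLE_VAST = """<?xml version="1.0" encoding="UTF-8"?>
<VAST version="3.0">
  <Ad id="demo-1">
    <InLine>
      <AdSystem>ExampleAdServer</AdSystem>
      <AdTitle>Demo creative</AdTitle>
      <Impression><![CDATA[https://ads.example-cdn.test/imp]]></Impression>
      <Creatives>
        <Creative>
          <Linear>
            <Duration>00:00:15</Duration>
            <VideoClicks>
              <ClickThrough><![CDATA[https://landing.example-scam.test/offer]]></ClickThrough>
            </VideoClicks>
            <MediaFiles>
              <MediaFile delivery="progressive" type="video/mp4">
                <![CDATA[https://ads.example-cdn.test/creative.mp4]]>
              </MediaFile>
            </MediaFiles>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
  <Ad id="demo-2">
    <Wrapper>
      <VASTAdTagURI><![CDATA[https://ads.example-cdn.test/next.xml]]></VASTAdTagURI>
    </Wrapper>
  </Ad>
</VAST>
"""

# VAST element names whose text content is a URL the player will request
# (VASTAdTagURI) or open in the browser (ClickThrough).
URL_TAGS = ("VASTAdTagURI", "Impression", "ClickThrough", "ClickTracking",
            "MediaFile", "Tracking")


def extract_urls(vast_xml: str):
    """Return (element_name, url) pairs for every URL-bearing element."""
    root = ET.fromstring(vast_xml)
    found = []
    for tag in URL_TAGS:
        for el in root.iter(tag):
            if el.text and el.text.strip():
                found.append((tag, el.text.strip()))
    return found


def host_allowed(host: str, allowed: set) -> bool:
    """True if host equals an allowlisted domain or is a subdomain of one."""
    return host in allowed or any(host.endswith("." + d) for d in allowed)


def flag_offlist_urls(vast_xml: str, allowed_domains):
    """Return the (element_name, url) pairs whose host is not allowlisted.

    A ClickThrough or VASTAdTagURI pointing outside the ad server's domains is
    the kind of entry a reviewer would want to inspect before the tag is served.
    """
    allowed = {d.lower() for d in allowed_domains}
    flagged = []
    for tag, url in extract_urls(vast_xml):
        host = (urlparse(url).hostname or "").lower()
        if not host or not host_allowed(host, allowed):
            flagged.append((tag, url))
    return flagged


if __name__ == "__main__":
    # Constructed allowlist: only the ad CDN is expected to appear.
    for tag, url in flag_offlist_urls(SAMPLE_VAST, ["example-cdn.test"]):
        print(f"off-allowlist {tag}: {url}")
```

The allowlist check is deliberately strict: any host that is neither an allowlisted domain nor a subdomain of one is reported, including an empty host from a malformed URL. In practice a reviewer would also follow each `VASTAdTagURI` wrapper and run the same check on the chained document, since a redirect can be buried several wrappers deep.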

The U.S. bears the brunt of these assaults, accounting for over 60% of the victims, followed by Canada, the U.K., Germany, and Malaysia among others, highlighting the global reach and sophistication of today's cyber threats.
