Google’s Threat Analysis Group (TAG) disclosed on Thursday that it has moved to block as many as 36 malicious domains operated by hack-for-hire groups in India, Russia and the United Arab Emirates.
Much like the commercial surveillanceware ecosystem, hack-for-hire firms give their clients the ability to target corporations as well as activists, journalists, politicians and other high-risk users.
Where the two differ is in who runs the operation: customers of commercial spyware vendors buy the tooling and deploy it themselves, whereas hack-for-hire operators carry out the intrusions on their clients’ behalf, which also obscures who commissioned the attack.
“The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the broad range of targets they pursue in a single campaign under the direction of different clients,” Shane Huntley, director of Google TAG, said in a report.
“Some hack-for-hire attackers publicly advertise their products and services to anyone willing to pay, while others sell more discreetly to a limited audience.”
A recent campaign mounted by an Indian hack-for-hire operator reportedly targeted an IT company in Cyprus, an educational institution in Nigeria, a fintech company in the Balkans and a shopping company in Israel, indicating the breadth of its targeting.
The Indian outfit, which Google TAG says it has been tracking since 2012, has been linked to a string of credential phishing attacks aimed at harvesting login information for government agencies, Amazon Web Services (AWS) and Gmail accounts.
The campaign involves sending spear-phishing emails containing a rogue link that, when clicked, opens an attacker-controlled phishing page designed to siphon the credentials entered by unsuspecting users. Targets include the government, healthcare and telecom sectors in Saudi Arabia, the United Arab Emirates and Bahrain.
Google TAG attributes the Indian hack-for-hire activity to a firm called Rebsec, which, according to its dormant Twitter account, is short for “Rebellion Securities” and is located in the city of Amritsar. Its website also claims to offer corporate espionage services, a page it lists as being “under maintenance” as of writing.
A similar set of credential theft attacks targeting journalists, European politicians and nonprofits has been linked to a Russian actor named Void Balaur, a cyber mercenary group that was documented by Trend Micro in November 2021.
Over the past five years, the group has targeted accounts at major webmail providers such as Gmail, Hotmail and Yahoo!, as well as regional webmail providers such as abv.bg, mail.ru, inbox.lv and UKR.net.
Lastly, TAG detailed the activities of a group based in the U.A.E. that has links to the original developers of the remote access trojan njRAT (aka H-Worm or Houdini).
The group’s phishing attacks, as previously revealed by Amnesty International in 2018, have been aimed at government, education and political organizations in the Middle East and North Africa, using password reset lures to steal credentials from targets.
After compromising an account, the threat actor maintains persistence by granting an OAuth token to a legitimate email client such as Thunderbird, generating an App Password to access the account via IMAP, or linking the victim’s Gmail account to an attacker-controlled account at a third-party mail provider.
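Each of those three persistence channels leaves a trace in account audit data rather than in the inbox itself, so a practitioner defending Workspace users would want to triage audit records for them. The following is an added example, not code from the page or from Google TAG. It runs over constructed records that mimic the general shape of the Workspace Reports API activity resource (applicationName, actor.email, events[].name, events[].parameters[]); the token-audit "authorize" event with "app_name" and "scope" parameters is the real shape, while the "app_password_create" and "forwarding_address_add" event names, the ALLOWED_MAIL_APPS list and the TRUSTED_DOMAINS set are assumptions standing in for whatever your log source and policy actually define.

```python
"""Triage audit records for Gmail account persistence: OAuth grants to mail
clients, App Password creation, and forwarding to an external mailbox.

Added example. Record shape loosely follows the Workspace Reports API
activity resource; non-OAuth event names are ASSUMED placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# OAuth scopes that give a third-party client read or full access to the mailbox.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Assumed policy data: sanctioned mail clients and domains the org owns.
ALLOWED_MAIL_APPS = {"Corporate Outlook connector"}
TRUSTED_DOMAINS = {"example.com"}


@dataclass(frozen=True)
class Finding:
    actor: str
    time: str
    technique: str
    detail: str


def _params(event: dict) -> dict:
    """Flatten the Reports-API style parameter list into {name: value-or-list}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def triage(records: list[dict]) -> list[Finding]:
    """Return one Finding per record that matches a persistence channel."""
    findings: list[Finding] = []
    for rec in records:
        actor = rec["actor"]["email"]
        time = rec["id"]["time"]
        app = rec["id"]["applicationName"]
        for ev in rec["events"]:
            p = _params(ev)
            name = ev["name"]
            if app == "token" and name == "authorize":
                # Real token-audit shape: an OAuth grant listing the scopes approved.
                granted = set(p.get("scope") or []) & MAIL_SCOPES
                if granted and p.get("app_name") not in ALLOWED_MAIL_APPS:
                    findings.append(Finding(actor, time, "oauth_mail_grant",
                                            f"{p.get('app_name')} granted {sorted(granted)}"))
            elif name == "app_password_create":  # assumed event name
                # Any new App Password bypasses 2-Step Verification for IMAP/SMTP.
                findings.append(Finding(actor, time, "app_password", str(p.get("app_password_name", ""))))
            elif name == "forwarding_address_add":  # assumed event name
                dest = str(p.get("destination", ""))
                domain = dest.rsplit("@", 1)[-1].lower()
                if domain not in TRUSTED_DOMAINS:
                    findings.append(Finding(actor, time, "external_forwarding", dest))
    return findings


def _rec(app: str, actor: str, time: str, name: str, params: dict) -> dict:
    """Build one constructed audit record in the shape triage() expects."""
    plist = [{"name": k, "multiValue": v} if isinstance(v, list) else {"name": k, "value": v}
             for k, v in params.items()]
    return {"id": {"time": time, "applicationName": app}, "actor": {"email": actor},
            "events": [{"name": name, "parameters": plist}]}


# Constructed sample data: one victim, three persistence actions plus benign noise.
SAMPLE_RECORDS = [
    _rec("token", "victim@example.com", "2022-06-20T08:01:00Z", "authorize",
         {"app_name": "Mozilla Thunderbird", "client_id": "1234.apps.googleusercontent.com",
          "scope": ["https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email"]}),
    _rec("token", "victim@example.com", "2022-06-20T08:02:00Z", "authorize",
         {"app_name": "Corporate Outlook connector", "client_id": "5678.apps.googleusercontent.com",
          "scope": ["https://mail.google.com/"]}),                      # sanctioned client
    _rec("token", "victim@example.com", "2022-06-20T08:03:00Z", "authorize",
         {"app_name": "Team Calendar", "client_id": "9012.apps.googleusercontent.com",
          "scope": ["https://www.googleapis.com/auth/calendar.readonly"]}),  # no mail scope
    _rec("user_accounts", "victim@example.com", "2022-06-20T08:05:00Z", "app_password_create",
         {"app_password_name": "IMAP"}),
    _rec("gmail", "victim@example.com", "2022-06-20T08:06:00Z", "forwarding_address_add",
         {"destination": "collector@mail.ru"}),
    _rec("gmail", "victim@example.com", "2022-06-20T08:07:00Z", "forwarding_address_add",
         {"destination": "assistant@example.com"}),                      # internal, ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.time} {f.actor} {f.technique}: {f.detail}")
```

The script flags three of the six constructed records: the Thunderbird OAuth grant with a full-mailbox scope, the App Password creation, and the forward to a mail.ru address, while ignoring the sanctioned client, the calendar-only grant and the internal forward. In a real deployment the sanctioned-app allow-list and the trusted-domain set are the two policy inputs that decide how noisy this is, and the App Password and forwarding checks need to be mapped onto whichever event names your audit source actually emits.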
The findings come a week after Google TAG shared details of RCS Lab, an Italian spyware vendor whose “Hermit” hacking tool was used to target Android and iOS users in Italy and Kazakhstan.