AhnLab cybersecurity researchers: The malware is downloaded and executed from a WSF file inside a compressed archive, which is delivered via a URL in phishing emails.
Yoroi: WayBack campaign targets EU and Italian organizations; the threat actors, possibly linked to Gorgon/Subaat, spread over 900 malware samples via the Internet Archive
“WayBack” is a new large-scale cyber espionage campaign designed to deliver over 900 pieces of malware with highly dangerous capabilities. It has been detected by Yoroi cybersecurity experts. Attribution of this operation is far from certain, but the activity could be related to the threat group named Gorgon/Subaat. Based on the modus operandi, there is no doubt that this actor has been heavily active since at least 2019, and it is equally certain that it persists in the European and Italian landscape. The new cybercrime offensive leverages serverless techniques to bypass traditional security defenses and target many European and Italian organizations. Traditionally, the threat actor heavily abused Pastebin services to host and drop malicious code, but in the latest campaign it abused the Internet Archive, hosting a huge volume of malware inside the “Community Texts” repositories through multiple accounts on the platform, masking the samples as open books and texts.