The email's RAR attachment contains an EXE file: the first-stage malware, which downloads the second stage. The stolen data is exfiltrated via SMTP.
Insikt Group: Hacktivism as fashion has ended; it is returning to its origins. Large-scale, international hacking operations most commonly associated with hacktivism have risen astronomically, only to fall off just as dramatically after 2015 and 2016
Hacktivism as fashion has ended. That is the finding of Insikt Group cyber security experts in a report for Recorded Future. According to their document, over the last 10 years the number of large-scale, international hacking operations most commonly associated with hacktivism rose astronomically, only to fall off just as dramatically after 2015 and 2016. This constitutes a return to normalcy, in which hacktivist groups are usually small sets of regional actors targeting specific organizations to protest regional events, or nation-state groups operating under the guise of hacktivism. Attack vectors used by hacktivist groups have remained largely consistent from 2010 to 2019, and tooling has helped actors conduct larger-scale attacks. However, company defenses have also become significantly better in the last decade, which has likely contributed to the decline in successful hacktivist operations. Network defenders should therefore monitor this changing landscape.
The cyber security experts: Hacktivist landscape shifts away from broad public participation and back toward its origins as a practice of smaller groups of dedicated individuals
According to the cyber security experts, overall hacktivist activity is declining, as the hacktivist landscape shifts away from broad public participation and back toward its origins as a practice of smaller groups of dedicated individuals. Furthermore, improvements over the past decade in the defensive posture of large financial institutions, government agencies, and other popular hacktivist targets have likely rendered the use of unskilled volunteers less effective. Insikt Group also assesses with high confidence that nation-state entities have increasingly used hacktivism in association with strategic campaigns, by coordinating with legitimate hacktivists of like mind, and have conducted false-flag operations made to appear as unassociated, independent hacktivist activity. When targeting a country to protest the actions of its government, hacktivists are also likely to target any organization operating from that country to spread chaos.
Insikt Group traced hacktivism-related cyber attacks across all Recorded Future sources over the last nine years
Using the Recorded Future Platform, Insikt Group pulled all mentions of hacktivism-related cyberattacks across all Recorded Future sources over the last nine years, excluding social media as a source. These sources include underground forums, technical blogs, and mainstream news, among other forms of communication. The mentions encompassed underground forum announcements of leaked data, news reporting of publicly disclosed attacks, and reports of individuals or hacktivist groups taking credit for individual attacks. Duplicates exist in the data, as operations can span multiple days and multiple sources may report on the same issue; however, duplicates accounted for a small portion of the data set and were left in. The data and analysis indicate that, consistent with research conducted by others over the past year, chatter surrounding hacktivist attacks has been in steep decline since a peak between 2015 and 2016.