Posted on Mastodon yesterday. Curious if anyone can confirm this?

Via https://infosec.exchange/@threatinsight/113641860084873613

Between December 11 and 12, 2024, a spearphishing campaign targeted at least 20 
Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), 
and purported to come from the Network Operations Center (NOC) of a prominent 
European ISP.

All of the observed targeted entities peer with the spoofed ISP and phishing 
emails were sent to contact addresses present in the AS's WHOIS records, 
indicative of a highly deliberate targeting effort.

Each spearphishing email was personalized to the target based on their 
Autonomous System Number (ASN) and purported to relate to a detected BGP 
(Border Gateway Protocol) flapping session within the target’s network.

The email contained a password protected RAR archive named “Detailed 
Explanation of AS Relationships and the Impact of BGP Flapping on Upstream 
Networks.rar”. The RAR contains a Microsoft Shortcut (LNK) file which executes 
a Portable Executable (PE) file contained in a hidden folder named “_MACOSX”.

Following execution, the target is shown a decoy document related to BGP 
Flapping, and the executable file uses indirect syscalls to load shellcode into 
memory before it deletes itself from disk.

We are raising early awareness of this campaign given the coordinated effort to 
target network infrastructure administration personnel across a broad range of 
AS owners.


More at 

https://infosec.exchange/@threatinsight/113641860084873613

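As a defender-side illustration of the archive layout the post describes (LNK next to a hidden "_MACOSX" folder holding a PE), here is an added triage script. It is my own example, not code from the original post or from the account quoted, and it assumes the archive has already been extracted to a directory; it identifies LNK and PE files by their header bytes rather than by extension, and it goes slightly beyond the post by also treating the real macOS metadata folder name "__MACOSX" as a place a PE should never appear. The file names and contents in the sample are constructed stand-ins.

```python
import os
import stat
import tempfile
from pathlib import Path

# Windows shell link (LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, both little-endian (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
PE_MAGIC = b"MZ"  # DOS stub signature that starts every PE file
# Folder names that should never contain a PE: the single-underscore name
# reported in this campaign and the double-underscore name genuine macOS
# archives use for resource-fork metadata (assumption: both are worth flagging).
SUSPECT_FOLDERS = {"_macosx", "__macosx"}


def classify(path):
    """Return 'lnk', 'pe' or None based on file content, not extension."""
    with open(path, "rb") as fh:
        head = fh.read(len(LNK_MAGIC))
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(PE_MAGIC):
        return "pe"
    return None


def is_hidden(path):
    """Hidden by dot prefix (POSIX) or by the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def triage_extracted_archive(root):
    """Walk an extracted archive; return sorted (finding, relative_path) tuples."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        rel = here.relative_to(root)
        in_suspect = any(p.lower() in SUSPECT_FOLDERS for p in rel.parts)
        in_hidden = any(is_hidden(root.joinpath(*rel.parts[:i + 1]))
                        for i in range(len(rel.parts)))
        for name in filenames:
            kind = classify(here / name)
            relname = (rel / name).as_posix()
            if kind == "lnk":
                findings.append(("lnk_in_archive", relname))
            elif kind == "pe":
                if in_suspect:
                    findings.append(("pe_in_macosx_folder", relname))
                elif in_hidden:
                    findings.append(("pe_in_hidden_folder", relname))
                else:
                    findings.append(("pe_in_archive", relname))
    return sorted(findings)


def matches_lure_layout(findings):
    """True when the archive has the LNK-plus-PE-in-_MACOSX shape described."""
    kinds = {tag for tag, _ in findings}
    return "lnk_in_archive" in kinds and "pe_in_macosx_folder" in kinds


def build_sample_lure(root):
    """Constructed stand-in for the extracted archive: a stub LNK, a stub PE
    inside _MACOSX and a harmless text file. Names and bytes are made up."""
    root = Path(root)
    (root / "_MACOSX").mkdir()
    (root / "BGP Flapping Report.lnk").write_bytes(LNK_MAGIC + b"\x00" * 32)
    (root / "_MACOSX" / "payload.exe").write_bytes(PE_MAGIC + b"\x00" * 62)
    (root / "readme.txt").write_text("benign decoy text\n")


def demo():
    """Build the constructed sample in a temp dir, triage it, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_lure(tmp)
        findings = triage_extracted_archive(tmp)
        return findings, matches_lure_layout(findings)


if __name__ == "__main__":
    found, verdict = demo()
    for tag, rel in found:
        print(f"{tag:22} {rel}")
    print("lure layout:", verdict)
```

Run it against a directory produced by extracting a quarantined archive in an isolated analysis environment; the `_MACOSX` check deliberately runs before the hidden-attribute check so the layout is still flagged on a POSIX host, where the folder carries no hidden attribute after extraction.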