High-profile individuals targeted by a new Star Blizzard campaign

February 13, 2025

The Russian state-backed threat group Star Blizzard is reportedly running a new spear-phishing campaign aimed at compromising the WhatsApp accounts of high-profile individuals.

According to the reports, the campaign targets government personnel, diplomats, defence policy officials, international relations professionals, and organisations providing humanitarian aid to Ukraine.

The campaign was first observed in mid-November last year and marks a tactical shift for the Russian state-sponsored group, following the recent public disclosure of its TTPs.


Star Blizzard distributes malicious WhatsApp invitations.


Star Blizzard opens the campaign with an email that impersonates a US government official. The lure is an invitation to join a WhatsApp group supposedly dedicated to non-governmental projects supporting Ukraine.

The invitation contains a deliberately broken QR code, which prompts the recipient to reply and ask for another way to join, such as an alternative link.

If the victim replies, the group sends a follow-up email with a shortened link that redirects to a fake page mimicking a legitimate WhatsApp invitation page, this time with a working QR code.

That second QR code is not a group invitation at all: scanning it links a new attacker-controlled device to the victim's WhatsApp account. If the target follows the on-page instructions, the threat actor gains access to the messages in the account.

From there, the attackers can exfiltrate message history using existing browser plugins designed to export WhatsApp conversations from an account opened through WhatsApp Web.

Because the campaign relies almost entirely on social engineering, with no malware for AV software to detect, users should treat unsolicited invitations with suspicion and verify any such request through a separate, known-good channel before acting on it.
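Since nothing in this chain is malware, detection has to key on the lure itself. The following triage heuristic is an added example (not from the original report or any vendor tool) that scores an incoming email on the traits described above: a sender domain that does not match the organisation it claims to represent, WhatsApp-invite wording, and links (in the body or decoded from a QR code) that either hide their destination behind a URL shortener or point somewhere other than WhatsApp's real invitation host. The sample email, domains and scoring weights are constructed for illustration.

```python
"""Triage heuristic for the WhatsApp group-invite lure (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Genuine WhatsApp group invitations resolve to this host.
WHATSAPP_INVITE_HOST = "chat.whatsapp.com"
# A few well-known public URL shorteners (illustrative list, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
# Wording seen in the lure described in the report.
LURE_TERMS = ("whatsapp group", "join the group", "qr code", "ukraine", "invitation")


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def check_url(url: str) -> Tuple[int, Optional[str]]:
    """Score one URL taken from the mail body or decoded from a QR image."""
    host = (urlparse(url).hostname or "").lower()
    if host == WHATSAPP_INVITE_HOST:
        return 0, None                      # real invite host, nothing to flag
    if host in SHORTENER_HOSTS:
        return 2, f"shortened link {url} hides the final destination"
    if "whatsapp" in host:
        return 3, f"lookalike host {host} is not {WHATSAPP_INVITE_HOST}"
    return 0, None


def triage(sender_domain: str, claimed_org_domain: str, body: str, urls: List[str]) -> Verdict:
    """Combine sender mismatch, lure wording and link checks into one score."""
    v = Verdict()
    if sender_domain.lower() != claimed_org_domain.lower():
        v.score += 3
        v.reasons.append(f"sender {sender_domain} does not match claimed org {claimed_org_domain}")
    hits = [t for t in LURE_TERMS if t in body.lower()]
    if len(hits) >= 2:                      # one term alone is too common to score
        v.score += 2
        v.reasons.append("lure wording: " + ", ".join(hits))
    for u in urls:
        s, why = check_url(u)
        if why:
            v.score += s
            v.reasons.append(why)
    return v


# Constructed sample: mail claims to come from a government domain but was sent elsewhere.
SAMPLE_BODY = "Please join our WhatsApp group for NGO projects supporting Ukraine. Scan the QR code below."
SAMPLE_URLS = ["https://bit.ly/constructed-example"]

if __name__ == "__main__":
    print(triage("mail.example.net", "gov.example", SAMPLE_BODY, SAMPLE_URLS))
```

Anything scoring above a site-specific threshold (here, 5) would go to an analyst; a message from the matching domain that links straight to chat.whatsapp.com scores 0.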

This new spear-phishing activity shows Russian threat actors seeking fresh ways to compromise their targets after the major disruptions they suffered at the hands of various authorities last year.

The public, and the groups named above in particular, should be wary of unexpected communications, as threat actors are now using WhatsApp as a vehicle for their operations.
