Smishing Triad targets mobile and financial sectors
The Smishing Triad, a threat actor group previously observed operating against the E.U., Saudi Arabia, the U.A.E., and the U.S., has extended its operations to Pakistan.
The group targets mobile carrier customers in Pakistan with malicious iMessage and SMS messages that pose as Pakistan Post and lure recipients with fake package-delivery notifications in order to harvest personal and financial information. Recipient lists are drawn from stolen databases traded on the dark web. Delivery over iMessage is worth noting: those messages never traverse the carrier SMS path, so carrier-side spam filtering does not see them.
Google has also reported on several threat actors operating in Latin America. PINEAPPLE, a group targeting Brazilian users, uses tax- and finance-themed spam to spread the Astaroth information-stealing malware. The group abuses legitimate cloud services such as Google Cloud, AWS, and Microsoft Azure to host and distribute its payloads, which helps its lures pass reputation-based URL filtering.
Another Brazilian cluster, UNC5176, targets the financial services, healthcare, retail, and hospitality sectors. Its lures, delivered by email and malvertising, lead to a ZIP archive containing an HTML Application (HTA). The HTA drops a Visual Basic Script that performs anti-sandbox and anti-VM checks before contacting a C2 server and executing a backdoor named URSA, which steals login credentials for banks and cryptocurrency websites.
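The UNC5176 chain above (ZIP carrying an HTA, mshta.exe launching a script host, the script host talking to a C2) leaves two cheap detection points: the archive can be inspected for .hta members at the mail gateway, and endpoint telemetry can be checked for a script host whose ancestry includes mshta.exe. The following is an added example written for this page, not code from Google or from the article; the archive member name, process IDs, and network events are constructed sample data, and the event schema is a simplified stand-in for Sysmon-style process-creation and network-connection records.

```python
"""Detect the ZIP -> HTA -> VBScript -> C2 pattern described above.

Two checks: a static one over a ZIP archive, and a behavioural one over
process/network events. All sample data is constructed for this example.
"""
import io
import zipfile
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MSHTA = "mshta.exe"
MAX_ANCESTRY_DEPTH = 8  # bound the parent walk so malformed data cannot loop


def archive_has_hta(zip_bytes: bytes) -> list[str]:
    """Return the names of .hta members inside a ZIP (gateway-side static check)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(".hta")]


def flag_mshta_script_chains(events: list[dict]) -> list[dict]:
    """Return one alert per script host (wscript/cscript) that has mshta.exe
    somewhere in its ancestry, together with any outbound connections it made.

    Event schema (constructed, simplified Sysmon-like records):
      {"type": "process", "pid": int, "ppid": int, "image": str, "cmdline": str}
      {"type": "network", "pid": int, "dest": "ip:port"}
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net_by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            net_by_pid[e["pid"]].append(e["dest"])

    alerts = []
    for pid, proc in procs.items():
        if proc["image"].lower() not in SCRIPT_HOSTS:
            continue
        # Walk up the parent chain from the script host, most recent first.
        chain, cur = [], proc
        for _ in range(MAX_ANCESTRY_DEPTH):
            chain.append(cur["image"].lower())
            cur = procs.get(cur.get("ppid"))
            if cur is None:
                break
        # chain[0] is the script host itself; look for mshta among its ancestors.
        if MSHTA in chain[1:]:
            alerts.append({
                "pid": pid,
                "cmdline": proc.get("cmdline", ""),
                "chain": list(reversed(chain)),  # root -> script host
                "network": net_by_pid.get(pid, []),
            })
    return alerts


def build_sample_zip() -> bytes:
    """Constructed lure archive: a ZIP with a single .hta member (name is made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fatura_0425.hta", "<script language=VBScript>'stub'</script>")
    return buf.getvalue()


# Constructed endpoint events: one malicious chain and one benign wscript launch.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\Fatura_0425.hta"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\upd.vbs"},
    {"type": "network", "pid": 300, "dest": "203.0.113.10:443"},
    # Benign: a logon script launched directly by explorer, no mshta in ancestry.
    {"type": "process", "pid": 400, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\logon.vbs"},
    {"type": "network", "pid": 400, "dest": "10.0.0.5:445"},
]

if __name__ == "__main__":
    print("HTA members in sample ZIP:", archive_has_hta(build_sample_zip()))
    for alert in flag_mshta_script_chains(SAMPLE_EVENTS):
        print("ALERT:", " -> ".join(alert["chain"]), "| C2 candidates:", alert["network"])
```

The ancestry walk is what keeps the false-positive rate tolerable: wscript.exe on its own is common in enterprise logon scripts, but wscript.exe descending from mshta.exe is rare outside HTA-based droppers. In a real pipeline the same logic runs against Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) records keyed by ProcessGuid rather than PID.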

FLUXROOT, also active in Latin America, is linked to distribution of the Grandoreiro banking trojan. In 2023 Google took down FLUXROOT-hosted phishing pages that impersonated Mercado Pago to steal credentials. More recently, FLUXROOT has continued to abuse cloud services such as Azure and Dropbox for malware distribution.
Additionally, a new actor, Red Akodon, has been spreading remote access trojans through phishing emails since April 2024. Their campaign targets multiple sectors in Colombia, including government, health, and education, using emails that appear to come from Colombian legal institutions.