Ethical Hacking News
A Russian threat actor known as Star Blizzard has shifted its focus from traditional spear-phishing campaigns to exploiting WhatsApp QR codes for credential harvesting. This new approach marks a significant departure from the group's longstanding tradecraft, highlighting the ongoing cat-and-mouse game between security professionals and malicious actors.
In this article, we will explore the details of the campaign, including how it began, how it works, and what measures can be taken to protect against it. We will also examine the implications of this new approach by Star Blizzard and the need for cybersecurity professionals to stay vigilant and adapt to emerging threats.
The world of cybersecurity is constantly evolving, with threat actors continually adapting their tactics, techniques, and procedures (TTPs) to evade detection.
Star Blizzard, also known by other monikers such as Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057, has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts. According to the Microsoft Threat Intelligence team, this campaign appears to be an attempt by Star Blizzard to evade detection and exploit a vulnerability in WhatsApp's QR code scanning feature.
The campaign begins with a spear-phishing email that purports to be from a U.S. government official, lending it a veneer of legitimacy and increasing the likelihood that the victim would engage with the message. The email contains a quick response (QR) code that urges the recipient to join a supposed WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs." However, the QR code is deliberately broken so as to trigger a response from the victim.
When the email recipient replies, Star Blizzard sends a second message asking them to click on a shortened link to join the WhatsApp group, while apologizing for the inconvenience caused. The link directs the target to a web page asking them to scan a QR code to join the group. However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal.
In the event that the target follows the instructions on the site ("aerofluidthermo[.]org"), the approach allows the threat actor to gain unauthorized access to their WhatsApp messages and even exfiltrate the data via browser add-ons. This marks a significant departure from Star Blizzard's longstanding tradecraft, which has typically involved sending spear-phishing emails with malicious links that redirect to an Evilginx-powered page capable of harvesting credentials and two-factor authentication (2FA) codes via an adversary-in-the-middle (AiTM) attack.
Individuals who belong to sectors targeted by Star Blizzard are advised to exercise caution when it comes to handling emails containing links to external sources. The campaign "marks a break in long-standing Star Blizzard TTPs and highlights the threat actor's tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of its operations."
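The two-stage lure described above (a QR image in the first email, then a follow-up reply carrying a shortened link to a page that asks for a linked-device scan) leaves a few simple artifacts in the mail itself. The following Python triage script is an added example, not code from the article or from Microsoft, that parses a raw RFC 822 message with the standard library and flags those artifacts: embedded image parts, URLs on a shortener domain list, lure keywords in the body, and whether the message is a reply. The shortener domain list, the keyword list, the scoring weights and the two sample messages are all constructed for the example; the bit.ly path is a placeholder, not a real indicator from the campaign.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed for this example: domains treated as URL shorteners (assumption, not from the article).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "rb.gy"}

# Constructed keyword list reflecting the WhatsApp-group / QR-scan lure the article describes.
LURE_KEYWORDS = ("whatsapp", "qr code", "scan", "join the group", "linked device")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_indicators(raw_message: bytes) -> dict:
    """Parse a raw email and collect the structural signals of the two-stage lure."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    indicators = {
        "image_parts": 0,          # inline or attached images (a QR code is an image)
        "shortened_urls": [],      # links whose host is on the shortener list
        "lure_keywords": [],       # body phrases matching the lure vocabulary
        "is_reply": bool(msg.get("In-Reply-To") or msg.get("References")),
    }
    text_chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            indicators["image_parts"] += 1
        elif ctype in ("text/plain", "text/html"):
            text_chunks.append(part.get_content())
    body = "\n".join(text_chunks)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            indicators["shortened_urls"].append(url)
    lowered = body.lower()
    indicators["lure_keywords"] = [k for k in LURE_KEYWORDS if k in lowered]
    return indicators


def risk_score(ind: dict) -> int:
    """Constructed weighting: the follow-up reply with a shortened link scores highest."""
    score = 0
    if ind["image_parts"]:
        score += 1
    if ind["shortened_urls"]:
        score += 2
    if ind["lure_keywords"]:
        score += 1
    if ind["is_reply"] and ind["shortened_urls"]:
        score += 1  # "sorry, the code was broken, use this link instead" pattern
    return score


def build_sample_messages() -> tuple:
    """Construct the two lure stages as raw messages (sample data, not real campaign mail)."""
    stage_one = EmailMessage()
    stage_one["From"] = "official@example.invalid"
    stage_one["To"] = "target@example.invalid"
    stage_one["Subject"] = "Invitation"
    stage_one["Message-ID"] = "<stage-one@example.invalid>"
    stage_one.set_content(
        "Please scan the attached QR code to join the\n"
        "WhatsApp group on non-governmental initiatives.\n"
    )
    # Placeholder bytes standing in for a QR image attachment.
    stage_one.add_attachment(b"\x89PNG placeholder", maintype="image",
                             subtype="png", filename="qr.png")

    stage_two = EmailMessage()
    stage_two["From"] = "official@example.invalid"
    stage_two["To"] = "target@example.invalid"
    stage_two["Subject"] = "Re: Invitation"
    stage_two["In-Reply-To"] = "<stage-one@example.invalid>"
    stage_two.set_content(
        "Apologies for the broken code. Please open\n"
        "https://bit.ly/EXAMPLE-PLACEHOLDER and scan the\n"
        "QR code there to join the WhatsApp group.\n"
    )
    return stage_one.as_bytes(), stage_two.as_bytes()


STAGE_ONE, STAGE_TWO = build_sample_messages()

if __name__ == "__main__":
    for label, raw in (("stage one", STAGE_ONE), ("stage two", STAGE_TWO)):
        ind = extract_indicators(raw)
        print(label, ind, "score =", risk_score(ind))
```

The score is a triage hint for a mail gateway or SOC queue, not a verdict: the decisive defensive check remains outside the mailbox, in WhatsApp's linked-devices view, where a device the user did not add should be unlinked.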
In recent months, Microsoft and the U.S. Department of Justice (DoJ) have announced the seizure of more than 180 domains used by Star Blizzard to target journalists, think tanks, and non-governmental organizations (NGOs) between January 2023 and August 2024. Microsoft assessed that public disclosure of the group's activities likely prompted it to switch tactics and compromise WhatsApp accounts instead.
The targets primarily belong to the government and diplomacy sectors, including both current and former officials. Additionally, the targets encompass individuals involved in defense policy, researchers in international relations focusing on Russia, and those providing assistance to Ukraine in relation to the war with Russia.
This new approach by Star Blizzard highlights the ongoing threat posed by malicious actors and the need for cybersecurity professionals to stay vigilant and adapt to emerging threats. As the threat landscape continues to evolve, it is essential that security professionals remain aware of the latest TTPs and techniques used by threat actors like Star Blizzard.
Related Information:
https://thehackernews.com/2025/01/russian-star-blizzard-shifts-tactics-to.html
Published: Thu Jan 16 15:46:31 2025 by llama3.2 3B Q4_K_M