An unknown threat actor is targeting Facebook business and advertising account users in Taiwan in a phishing campaign that uses decoy emails and fake PDF filenames.

The lures impersonate a company's legal team and use fabricated details to persuade the victim to download and execute malware.

The attackers also sent phishing emails purporting to come from a well-known industrial motor manufacturer and a prominent online store in Taiwan, accusing the targeted business of copyright infringement.

“The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance,” said Cisco Talos researchers, who observed the campaign in action.

They said the threat actors also use a variety of techniques and tools to evade antivirus detection and sandbox analysis, such as shellcode encryption, code obfuscation, and embedding the LummaC2 and Rhadamanthys information stealers in legitimate binaries.
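One practitioner check that follows from the last two techniques: a payload grafted onto a legitimate signed executable is frequently appended after the last PE section (an "overlay"), where the Windows loader never maps it, and if it is encrypted it will have near-random byte statistics. The script below is an added example, not code from Cisco Talos or the Dark Reading article, and it does not reproduce the samples from this campaign. It parses the PE section table with the standard library only, reports any overlay, and measures its Shannon entropy; the 7.0 bits/byte threshold, the `triage` and `build_minimal_pe` helper names, and the one-section PE skeleton used as sample input are all assumptions constructed for the demonstration.

```python
"""PE overlay and entropy triage (added example, stdlib only).

Parses the section table by hand, returns the bytes appended past the
last section, and flags high-entropy overlays that often hold an
encrypted second stage. The sample PE is constructed below; it is a
parseable skeleton, not a loadable program.
"""
import math
import struct


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty/uniform input, 8.0 for a flat byte distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_overlay(data: bytes) -> bytes:
    """Return data appended after the last section's raw bytes (b'' if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    sec_table = coff + 20 + opt_size  # section headers follow the optional header
    end_of_sections = sec_table + 40 * num_sections
    for i in range(num_sections):
        off = sec_table + 40 * i
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return data[end_of_sections:]


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise overlay size/entropy; threshold is an assumed heuristic, not a standard."""
    overlay = pe_overlay(data)
    ent = shannon_entropy(overlay)
    return {
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 2),
        "suspicious": len(overlay) > 0 and ent >= entropy_threshold,
    }


def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: one-section i386 PE skeleton with an optional appended overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: no optional header), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 0x200
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 bytes unused
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), raw_ptr)
               + b"\0" * 16)
    headers = (dos + b"PE\0\0" + coff + section).ljust(raw_ptr, b"\0")
    return headers + section_data + overlay


if __name__ == "__main__":
    code = b"\x90" * 512                      # constructed section contents
    clean = build_minimal_pe(code)
    padded = build_minimal_pe(code, b"A" * 1024)         # low-entropy overlay (e.g. installer junk)
    stuffed = build_minimal_pe(code, bytes(range(256)) * 4)  # flat distribution stands in for ciphertext
    for name, sample in (("clean", clean), ("padded", padded), ("stuffed", stuffed)):
        print(name, triage(sample))
```

An overlay by itself is not malicious (installers and self-extracting archives use one legitimately), so the entropy reading is what turns the finding into a lead; pair it with an Authenticode check, since appending data after the signed region invalidates the signature on a genuinely signed binary.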

Lumma Stealer (LummaC2) is malware designed to exfiltrate information from compromised systems, including system details and data from web browsers and browser extensions.

Rhadamanthys, which first emerged two years ago, is a sophisticated infostealer sold on underground forums. It gathers system information, credentials, cryptocurrency wallets, passwords, cookies, and data from other applications.

The campaign has been ongoing since at least July. Its initial vector is a malware download link in a phishing email that uses typical decoys written in traditional Chinese, indicating that the intended victims are Chinese speakers.

Source: www.darkreading.com