Full Report
Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.
Analysis Summary
# Threat Actor: Unknown Campaign Targeting Taiwan (Copyright Infringement Lure)
## Attribution & Identity
The threat actor is currently **unknown**.
No specific attribution is confirmed. Metadata from a discovered EPS file led to an identical image on a Vietnamese-language website, but this is not considered strong evidence of regional origin.
## Activity Summary
Cisco Talos has observed an **unknown threat actor** conducting a phishing campaign targeting users of **Facebook business and advertising accounts in Taiwan** since at least **July 2024**.
The campaign uses a **copyright infringement lure**, masquerading as legal notices that demand removal of allegedly infringing content within 24 hours under threat of legal action. The decoy emails and fake PDF filenames are written in **Traditional Chinese**. The actor used templates impersonating well-known technology and media companies in Taiwan and Hong Kong, an industrial motor manufacturer, and a Taiwanese online shopping store, indicating thorough pre-campaign research.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Phishing emails containing malicious download links.
- **Obfuscation/Evasion:** Code obfuscation, shellcode encryption, padding the binary's resource data to inflate the file size to over 700 MB (a size that exceeds the upload limits of many network security products and sandboxes), and embedding the malware in legitimate binaries.
- **Execution Chain:** Victims download a password-protected RAR archive. Extracting it reveals a malware executable disguised as a PDF and an image print file.
- **Lure Technique:** Impersonation of a legal department using copyright infringement claims; the Trojans are disguised as PDF documents.
- **C2/Distribution Infrastructure Abuse:** Abusing Google Appspot[.]com for initial redirection, coupled with a short URL service and Dropbox for final malware delivery.
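The resource-padding trick in the evasion bullet above leaves a simple fingerprint in the PE section table: one `.rsrc` section accounts for almost all of the bytes on disk. The following triage script is an added example, not code from Cisco Talos or from the report; it parses only the COFF header and section table with the standard library, and the size and ratio thresholds, the `build_synthetic_pe` helper and the sample headers it constructs are assumptions for illustration.

```python
"""Flag PE files whose .rsrc section carries most of the on-disk bytes.

Added example (not from the Talos report). Parses the COFF header and
section table only; thresholds below are assumptions, not report values.
"""
import struct

SIZE_THRESHOLD = 100 * 1024 * 1024   # assumed: only care about files over 100 MB
RSRC_RATIO_THRESHOLD = 0.80          # assumed: .rsrc holds more than 80% of the file


def parse_sections(data: bytes):
    """Return [(name, SizeOfRawData, PointerToRawData), ...] from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # first section header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_size, raw_ptr))
    return sections


def assess(data: bytes, file_size: int = 0):
    """Score a PE by how much of its on-disk size is resource data.

    file_size lets a caller pass the real size when only headers were read;
    0 means use len(data).
    """
    file_size = file_size or len(data)
    sections = parse_sections(data)
    rsrc_bytes = sum(size for name, size, _ in sections if name == ".rsrc")
    ratio = rsrc_bytes / file_size if file_size else 0.0
    return {
        "file_size": file_size,
        "rsrc_bytes": rsrc_bytes,
        "rsrc_ratio": round(ratio, 3),
        "suspicious": file_size > SIZE_THRESHOLD and ratio > RSRC_RATIO_THRESHOLD,
    }


def build_synthetic_pe(rsrc_raw_size: int) -> bytes:
    """Constructed test input: DOS stub, PE signature, COFF header, an empty
    PE32 optional header and two section headers (.text and .rsrc). No
    section bodies are included; assess() is told the intended file size."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> 64
    opt = bytes(224)                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def section(name, raw_size, raw_ptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x40000040)

    text = section(b".text", 0x1000, 0x400)
    rsrc = section(b".rsrc", rsrc_raw_size, 0x400 + 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + opt + text + rsrc


if __name__ == "__main__":
    padded = build_synthetic_pe(750 * 1024 * 1024)
    print(assess(padded, file_size=0x1400 + 750 * 1024 * 1024))
    print(assess(build_synthetic_pe(0x2000), file_size=0x1400 + 0x2000))
```

On a real sample, read the file and call `assess(data)`; the ratio alone is a heuristic (installers legitimately ship large resources), so treat a hit as a reason to pull the binary into deeper analysis rather than as a verdict.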
## Targeting
- **Sectors:** Businesses and users utilizing Facebook for advertising or business purposes.
- **Geography:** Primarily **Taiwan** (language suggests targeting Traditional Chinese speakers).
- **Victims:** Administrators of Facebook pages involved in business/advertising activities.
## Tools & Infrastructure
- **Malware Families Used:** **LummaC2** or **Rhadamanthys** information stealers (embedded into legitimate binaries).
- **Infrastructure (C2, domains, IPs):**
- Delivery mechanism includes the abuse of:
- Google **Appspot[.]com** domains.
- Third-party **short URL** services.
- **Dropbox**.
- The actor uses multiple, undisclosed **Command and Control (C2) domains**.
## Implications
This actor employs sophisticated evasion techniques (large file size obfuscation, encryption, embedding in legitimate files) to bypass network security products and sandbox analysis. The focus on Facebook business/advertising accounts suggests a goal of credential theft, account takeover, or financial fraud related to advertising platforms. The use of localized, researched lures indicates a high level of preparation targeting specific regional commercial endeavors.
## Mitigations
- Monitor web-proxy and DNS logs for redirect chains that pass through Appspot domains, URL shorteners, and Dropbox in quick succession, especially when the chain ends in an archive download.
- Enable multi-factor authentication (MFA) on critical services such as Facebook Business/Ad accounts (the report mentions Cisco Duo as a general mitigation).
- Use Secure Web Gateways (SWG) to block connections to known malicious domains used for C2.
- Utilize Endpoint Detection and Response (EDR) tools capable of analyzing embedded or obfuscated code execution.
- Detection via Snort SIDs: **64167-64169**.
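The delivery chain in the TTP section (Appspot redirect, then a URL shortener, then Dropbox) and the monitoring recommendation above map to a simple sequence detection over proxy logs. The script below is an added example, not code from Cisco Talos or the report; the log line format, the list of shortener domains, the five-minute window and the sample log lines are all constructed assumptions, and a real deployment would feed it the proxy's own export format.

```python
"""Find appspot -> URL shortener -> Dropbox redirect chains in proxy logs.

Added example (not from the Talos report). Log format, shortener list and
time window are assumptions; adapt the parser to your proxy's schema.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts that make up each stage of the chain described in the report.
STAGE_PATTERNS = {
    "appspot": re.compile(r"(^|\.)appspot\.com$"),
    # assumed list of popular shorteners; extend with the ones seen in your logs
    "shortener": re.compile(r"^(bit\.ly|tinyurl\.com|t\.co|is\.gd|rebrand\.ly|cutt\.ly)$"),
    "dropbox": re.compile(r"(^|\.)(dropbox\.com|dropboxusercontent\.com)$"),
}
STAGE_ORDER = ["appspot", "shortener", "dropbox"]
WINDOW = timedelta(minutes=5)   # assumed: a browser follows the redirects within seconds
ARCHIVE_EXTS = (".rar", ".zip", ".7z")

# Assumed log format: "<ISO timestamp> <client IP> <method> <URL> <status>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Constructed sample log: one full chain (10.0.0.5), one lone Dropbox fetch
# (10.0.0.7) and an appspot/shortener pair too far apart in time (10.0.0.9).
SAMPLE_LOG = """\
2024-07-15T09:12:01 10.0.0.5 GET https://example-notice.appspot.com/legal 302
2024-07-15T09:12:02 10.0.0.5 GET https://bit.ly/abc123 301
2024-07-15T09:12:03 10.0.0.5 GET https://www.dropbox.com/scl/fi/xyz/notice.rar?dl=1 200
2024-07-15T09:30:00 10.0.0.7 GET https://www.dropbox.com/scl/fi/qqq/report.pdf?dl=1 200
2024-07-15T10:00:00 10.0.0.9 GET https://some-app.appspot.com/ 200
2024-07-15T11:00:00 10.0.0.9 GET https://bit.ly/zzz 301
"""


def stage_of(host: str):
    """Map a hostname to a chain stage, or None if it is not part of the chain."""
    for name, pattern in STAGE_PATTERNS.items():
        if pattern.search(host):
            return name
    return None


def parse_log(text: str):
    """Return chain-relevant events as (timestamp, client, stage, url), time-ordered."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = (urlparse(url).hostname or "").lower()
        stage = stage_of(host)
        if stage:
            events.append((datetime.fromisoformat(ts), client, stage, url))
    events.sort()
    return events


def find_chains(events, window: timedelta = WINDOW):
    """Emit one alert per client whose requests hit all stages in order within the window."""
    per_client = defaultdict(list)
    for event in events:
        per_client[event[1]].append(event)

    alerts = []
    for client, evs in per_client.items():
        for i, (t0, _, s0, u0) in enumerate(evs):
            if s0 != "appspot":
                continue
            chain, last_t, want = [u0], t0, 1
            for t, _, s, u in evs[i + 1:]:
                if t - last_t > window:          # chain went cold
                    break
                if s == STAGE_ORDER[want]:       # next expected stage seen
                    chain.append(u)
                    last_t, want = t, want + 1
                    if want == len(STAGE_ORDER):
                        break
            if want == len(STAGE_ORDER):
                final_path = urlparse(chain[-1]).path.lower()
                alerts.append({
                    "client": client,
                    "start": t0.isoformat(),
                    "chain": chain,
                    "archive_download": final_path.endswith(ARCHIVE_EXTS),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The archive flag is there because the report's final payload is a password-protected RAR; a chain that ends in a `.rar` from Dropbox is a stronger signal than the redirect pattern alone, and the lone Dropbox PDF fetch in the sample is deliberately not alerted on.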