Advanced Persistent Threat Actors Continue “Pleasantly Surprised”-Themed Spear Phishing to Deliver R
Advanced persistent threat (APT) cyber actors on 21 and 27 February 2017 sent a variant of Gh0st remote access Trojan (RAT) malware in “Pleasantly Surprised”-themed spear-phishing emails to target e-mail accounts at the following entities, according to two defense technical advisories:
At least one US Department of Education e-mail account.
At least three US universities, one of which is also a cleared defense contractor and center of academic excellence.
Five US financial institutions.
Four US retailers.
One US entertainment company.
One US publishing company.
Three US insurance providers.
At least one US global semiconductor design and manufacturing company.
One US online social media and social networking provider.
One US online payments system provider.
One US health care provider.
One US legal services provider.
The same APT actors since August 2015 have sent the same Gh0st RAT variant in “Pleasantly Surprised”-themed spear-phishing emails to personnel in critical infrastructure and federal, state, and local government entities, according to separate defense technical advisories.
Variants of Gh0st RAT provide attackers with many ways to control a victim’s system, including the ability to create, manipulate, delete, launch, or transfer files; perform screen or audio captures; enable a webcam; list or kill processes; open a command shell; and wipe event logs, according to a private cybersecurity blog.
Here are the sending mail headers and information: