Trellix Advanced Research Center: Digest #18
BLOG: A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment
On May 15th, Trellix's email security products alerted on a highly targeted spear-phishing operation aimed at CFOs and finance executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate WireGuard-based remote-access tool, on the victim's computer. In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and move deeper into the victim's network. The initial call-to-action URL in the email is blocked by Trellix's URL defense engine because of suspicious CAPTCHA behaviour rules.
While portions of the infrastructure overlap with at least one other nation-state spear-phishing campaign that delivers and installs remote access tools and backdoors, Trellix Advanced Research Center has not, at this time, attributed the current activity to any known threat group.
Authored by the Trellix Advanced Research Center, this report highlights insights, intelligence, and guidance gleaned from multiple sources of critical data on cybersecurity threats and develops expert, rational, and reasonable interpretations of this data to inform and enable best practices in cyber defense. This edition focuses on data and insights captured primarily between October 1, 2024 and March 31, 2025.
BLOG: Demystifying Myth Stealer: A Rust Based InfoStealer
During regular proactive threat hunting, the Trellix Advanced Research Center identified a fully undetected infostealer malware sample written in Rust. Upon further investigation, we discovered that it was Myth Stealer, which had been marketed on Telegram since late December 2024. Initially it was offered as a free trial, and it later evolved into a subscription-based model.
Our investigation revealed that this infostealer is distributed through various fraudulent gaming websites. Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background. The infostealer targets both Gecko-based and Chromium-based browsers, extracting sensitive data including passwords, cookies, and autofill information. It also contains anti-analysis techniques such as string obfuscation and system checks based on filenames and the username.
The malware authors regularly update the stealer's code to evade AV detection and introduce additional functionality such as screen capture and clipboard hijacking.
🎧 Tune in to hear Head of Threat Intel John Fokker talk to David Monnier about why ransomware groups are fragmenting on the Team Cymru podcast.
In the news...
Authorities Carry Out Elaborate Global Takedown of Infostealer Heavily Used by Cybercriminals - Wired
Check Call: Cybersecurity threats come from everywhere - Freight Waves
CFOs, financial execs in crosshairs of ‘highly targeted’ spearphishing campaign - CFO Dive
Demystifying Myth Stealer: An ‘InfoStealer’ that targeted video games - GamesBeat
Don't miss out – register for your region today!
Test your skills in a series of real-world scenarios and see how Trellix Wise outperforms chatbots by investigating 100% of your alerts, leaving no alert behind.
Eby Prasad