Sygnia, a prominent Israeli cybersecurity company, has recently released updated details on the activities of the Casbaneiro attack group, which has been wreaking havoc on organizations globally, with a specific focus on targeting the financial sector in Latin America since 2018.
Sygnia's investigations reveal that the threat actors behind the Casbaneiro campaign have continued their operations for the past five years, making significant changes to their attack techniques, infrastructure, and persistence methods. The continuous operation of the Casbaneiro attack group has gained the attention of the cybersecurity industry, with experts considering it a "substantial threat" to financial institutions worldwide.
Amir Sadon, Director of IR Research at Sygnia, explained that the hackers primarily employ email phishing tactics to target employees within organizations. Once the victims are lured into clicking on malicious links, a "Trojan horse" is deployed, enabling the attackers to harvest sensitive information from the organization's computers. The stolen data may include classified files, screenshots, user information, passwords, and keystrokes.
Sadon noted that Casbaneiro's methods of operation were first detailed in a previous study published by Sygnia in 2018. Despite the passing years, the attack group's modus operandi remains relatively similar.
However, Sygnia's latest findings reveal some crucial changes to their approach. “While in the previous wave of attacks, the hackers sent emails equipped with a malicious PDF file, now it is an apparently legitimate HTML file that leads to the installation of the Trojan horse,” Sadon explained.
Targeted devices
Additionally, the attackers have employed a known method to escalate privileges on targeted computers, further complicating the defense against their attacks. The researchers have also found forensic evidence linking the current wave of attacks to previous ones carried out by the group.
Sygnia recommended that organizations wishing to safeguard themselves against such attacks should implement malicious identifiers and detection rules into their security systems. The company has provided a list of Identifiers of Compromise (IOCs) used by the attack group, along with a set of detection rules to identify new versions of the attack tools. By integrating these measures into their security infrastructure, organizations can hope to achieve immediate detection of attack attempts, effectively preventing unauthorized access to their networks.