A sophisticated spear-phishing campaign, likely linked to APT MuddyWater, is targeting CFOs and finance executives across multiple continents. The attackers use Firebase-hosted phishing pages with custom CAPTCHA challenges, malicious VBS scripts, and multi-stage payload delivery to deploy NetBird, a legitimate remote-access tool, for persistent system control. The campaign employs social engineering tactics, impersonating a Rothschild & Co recruiter to lure victims. Analysis revealed evolving infrastructure, updated payload paths, and overlaps with known MuddyWater activities. The attackers abuse legitimate tools like NetBird and AteraAgent for remote access and monitoring, while using techniques such as AES encryption of payloads and math-based CAPTCHA lures to evade detection.

Author: AlienVault
Related Tags:
cfo
AteraAgent
NetBird
T1102.003
T1078.003
T1136.001
remote-access
T1059.005
T1585.002
Associated Indicators:
64225F7730CE9169273133038501F32EA02E11DE
F359F20DBD4B1CB578D521052A1B0E9F
7DDC947CE8999C8A4A36AC170DCD7505
2CDDC7A31EA289E8C1E5469F094E975A
23DDA825F91BE93F5DE415886F17AD4A
5325DE5231458543349152F0EA1CC3DF
0AA883CD659EF9957FDED2516B70C341
my2cloudlive.com
my1cloudlive.com