Malware - Fake Screenshot Lures Target Web3 Support Staff
Basically, hackers trick support staff into clicking fake images that install dangerous software on their computers.
APT-Q-27 is targeting Web3 support teams with fake screenshot links that install multi-stage malware. This poses a serious risk to customer service operations and sensitive data. Organizations must stay vigilant and implement protective measures.
What Happened
A threat group known as APT-Q-27 has launched a sophisticated campaign targeting Web3 customer support teams. This group, also referred to as GoldenEyeDog, utilizes fake screenshot links in live chat windows to infect support agents' machines with a persistent backdoor. Instead of exploiting software vulnerabilities, they focus on the human element, making their attacks more deceptive and effective.
The campaign was identified by ZeroShadow analysts after unusual activity was flagged by their partners at 1inch. Support requests from multiple accounts with rotating IP addresses followed a similar pattern, all leading to a shortlink disguised as a screenshot. This innovative approach marks a shift from previous tactics that relied on trojanized software and watering hole attacks.
Who's Being Targeted
The primary targets of this attack are customer support agents in the Web3 sector. These individuals are often the first line of defense against customer inquiries and issues, making them ideal targets for social engineering attacks. By posing as confused customers needing assistance, attackers can bypass traditional security measures and exploit the trust inherent in customer support interactions.
The impact on organizations can be severe. If successful, the malware can compromise sensitive customer data and disrupt service operations. Given the growing reliance on digital platforms in the cryptocurrency and gambling sectors, the potential ramifications are significant.
Signs of Infection
Once the lure file is executed, it downloads a sophisticated multi-stage malware package. The initial file appears innocuous, resembling a standard image, but it actually carries a .pif executable format. This stealthy approach allows the malware to run silently in the background, while the victim sees nothing unusual.
The malware communicates with multiple command-and-control servers, disguising itself as a legitimate Windows service. It also disables critical security features like User Account Control (UAC), further embedding itself into the system. Victims may notice unusual behavior, such as unexpected service listings or changes in system settings, but often remain unaware of the underlying threat.
How to Protect Yourself
Organizations should take proactive measures to defend against these types of attacks. Here are some recommended actions:
- Enable visible file extensions on all workstations to help identify malicious files.
- Block outbound connections on TCP port 15628, which is used by the malware for communication.
- Monitor registry values for suspicious entries like “SystemUpdats,” which indicate active infections.
- Educate support staff about the risks of clicking on unfamiliar links, even in seemingly legitimate contexts.
By implementing these measures, organizations can better protect themselves against the evolving tactics of threat actors like APT-Q-27. Vigilance and awareness are key in the fight against malware attacks targeting the human element of cybersecurity.