Curious if anyone can confirm this phish?


From: Chris Boyd <cboyd () gizmopartners com>
Date: Fri, 13 Dec 2024 14:35:56 -0600

Posted on Mastodon yesterday. Curious if anyone can confirm this?

Via https://infosec.exchange/@threatinsight/113641860084873613

Between December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, 
predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a 
prominent European ISP.

All of the observed targeted entities peer with the spoofed ISP and phishing emails were sent to contact addresses 
present in the AS's WHOIS records, indicative of a highly deliberate targeting effort.

Each spearphishing email was personalized to the target based on their Autonomous System Number (ASN) and purported to 
relate to a detected BGP (Border Gateway Protocol) flapping session within the target’s network.

The email contained a password-protected RAR archive named “Detailed Explanation of AS Relationships and the Impact of 
BGP Flapping on Upstream Networks.rar”. The RAR contains a Microsoft Shortcut (LNK) file which executes a Portable 
Executable (PE) file contained in a hidden folder named “_MACOSX”.

Following execution, the target is shown a decoy document related to BGP Flapping, and the executable file uses 
indirect syscalls to load shellcode into memory before it deletes itself from disk.

We are raising early awareness of this campaign given the coordinated effort to target network infrastructure 
administration personnel across a broad range of AS owners.


More at 

https://infosec.exchange/@threatinsight/113641860084873613
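As an added example (not part of this post or of the report it quotes), a small Python triage heuristic that flags an archive member listing with the structure described above: an LNK launcher alongside a PE hidden in a "_MACOSX"-style folder. The listing, file names and scoring rules are constructed for illustration.

```python
"""Triage an archive's member listing for the LNK + hidden-folder-PE pattern.

Added example, not from the original post or the Threat Insight report. The
SAMPLE_LISTING below is constructed, not a real sample, and the heuristic is
the editor's own; feed it the output of your archive tool's list command.
"""
from dataclasses import dataclass, field

LNK_EXT = ".lnk"
PE_EXTS = (".exe", ".dll", ".scr", ".com")


@dataclass
class ArchiveVerdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def _is_hidden_dir(part: str) -> bool:
    # Folders mimicking the macOS resource-fork directory ("__MACOSX", or the
    # single-underscore "_MACOSX" seen in the post) or dot-prefixed folders are
    # a cheap way to keep a payload out of a casual directory view.
    return part.startswith(".") or part.strip("_").upper() == "MACOSX"


def triage_listing(members, password_protected: bool = False) -> ArchiveVerdict:
    """members: iterable of (path, is_dir) tuples as an archive tool lists them."""
    lnk_files, hidden_pe = [], []
    for path, is_dir in members:
        if is_dir:
            continue
        norm = path.replace("\\", "/")          # RAR/ZIP tools differ in separators
        parts = norm.split("/")
        name = parts[-1].lower()
        if name.endswith(LNK_EXT):
            lnk_files.append(norm)
        elif name.endswith(PE_EXTS) and any(_is_hidden_dir(p) for p in parts[:-1]):
            hidden_pe.append(norm)
    reasons = []
    if lnk_files and hidden_pe:
        reasons.append(f"LNK launcher {lnk_files} with PE in hidden folder {hidden_pe}")
    if password_protected and (lnk_files or hidden_pe):
        # Password protection defeats mail-gateway scanning of the members.
        reasons.append("password-protected archive carrying executable content")
    return ArchiveVerdict(suspicious=bool(reasons), reasons=reasons)


# Constructed listing modelled on the archive layout described in the post.
SAMPLE_LISTING = [
    ("Detailed Explanation of AS Relationships.lnk", False),
    ("_MACOSX/", True),
    ("_MACOSX/update.exe", False),
]
```

A listing from a normal macOS-created zip (only `__MACOSX/._*` metadata files, no LNK) scores as not suspicious, so the rule keys on the combination rather than the folder name alone.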

