March 31, 2023

Security researchers have identified a new threat actor, dubbed TA2722, that is impersonating organizations related to health, customs, and labor organizations in the Philippines to lure victims.

TA2722 attackers also called Balikbayan Foxes launched a campaign intended to target a variety of industries across North America, Europe, and Southeast Asia.


Top sectors targeted by these campaigns include manufacturing,shipping,logistics, pharmaceutical, business services, energy, and finance.Hackers impersonated several government organizations in the Philippines to send messages containing malicious links distributing Remcos and NanoCore RAT. Attackers lured victims by pretending to be DHL Philippines or the Manila embassy for the Kingdom of Saudi Arabia (KSA).

Attackers were observed using multiple methods to distribute the threat, including

RAR files with embedded UUE files, which were hosted on OneDrive.PDF files were sent as an email attachment, which consisted of a malicious URL that would run executable (.iso files) to eventually download malware.Microsoft Excel documents with embedded macros, which would download malware upon execution.

The first cluster Shahzad73 which has been supposedly active since August 2020. It leverages themes and spoofed messages related to the Saudi Arabian Consulate in Manila.

The second cluster, named CPRS, has been active since October 2020. It leverages spoofed messages pretending to be from the Philippines Bureau of Customs and has impacted around 150 customers across shipping and logistics, manufacturing, and energy sectors.

TA2722 is leveraging Remcos or NanoCore RATs to gain access to target devices across a variety of organizations. This could be an attempt to gather information, which could be used for later attacks such as BEC attacks. Attackers may be attempting to install secondary malware. In either case, security professionals and organizations are recommended to track this threat to avoid any surprises.


Indicators of Compromise

  • de5992f7c92351d1011fbece2d4bf74ecfc3b09f84aedb12997a2c3bf869de2c
  • 098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525
  • de5992f7c92351d1011fbece2d4bf74ecfc3b09f84aedb12997a2c3bf869de2c
  • shahzad73[.]casacam[.]net
  • shahzad73[.]ddns[.]net
  • remcos[.]got-game[.]org
  • cato[.]fingusti[.]club
  • info1@poea[.]gov[.]ph
  • cprs@customs[.]gov[.]ph
  • consulate_ksa_emb@gmail[.]com
  • 66.248.240[.]80

Leave a Reply

%d bloggers like this: