Powered by MOMENTUM MEDIA

Proofpoint ID's 'Balikbayan Foxes', a new cyber criminal threat actor

By Nastasha Tupas
29 October 2021

Proofpoint threat researchers have identified a new, highly active cyber criminal threat actor, TA2722, and have colloquially named the group the 'Balikbayan Foxes'.

The cyber criminal group impersonates Philippine health, labour and customs organisations as well as other entities based in the Philippines. A series of campaigns impersonated multiple Philippine government entities including the Department of Health, the Philippine Overseas Employment Administration (POEA) and the Bureau of Customs.

Other related campaigns masqueraded as the Manila embassy for the Kingdom of Saudi Arabia (KSA) and DHL Philippines. The messages were intended for a variety of industries in North America, Europe and Southeast Asia, with the top sectors including shipping, logistics, manufacturing, business services, pharmaceutical, energy and finance.

Proofpoint has assessed that this actor is targeting organisations directly or indirectly engaged with the Philippine government, based on a continuous pattern of spoofing email addresses and delivering lures designed to impersonate government entities.

For example, shipping, transportation and logistics companies would frequently engage with customs officials at ports of call. Additionally, manufacturing and energy companies support and maintain large supply chain operations, likely requiring correspondence with both labour and customs organisations.

All the campaigns distributed either Remcos or NanoCore remote access trojans. Remcos and NanoCore are typically used for information gathering, data theft operations, and monitoring and control of compromised computers. While the malware's associated infrastructure changed over time, the sender emails were reused for a long period.

In 2020, Philippine government entities issued multiple alerts warning users of activity related to lures using themes such as COVID-19 infection information in the Philippines and POEA labour information.

Nastasha Tupas

Nastasha is a journalist at Momentum Media, where she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. She started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.
