Skip to content

CTI Roundup: Business Email Compromise Groups Go Global

BEC groups target companies worldwide, RedEyes hackers use new malware to steal data, and Devs targeted by W4SP Stealer malware in malicious PyPI packages

Emerging Issue

This week, CTI looks at two business email compromise (BEC) threat groups currently engaged in global, multilingual campaigns. Next up is a breakdown of North Korea’s APT37’s (aka ScarCruft aka RedEyes) latest campaign, in which the threat actor delivers a new evasive M2RAT malware using an interesting combo of steganography and vulnerability exploitation in its cyberespionage operation. And finally, we wrap things up with a breakdown of the latest attack to target an open-source software repository — a campaign involving the publishing of five malicious packages, all containing the W4SP Stealer info-stealing malware, between January 27 and January 29, 2023.

1. BEC groups wage multilingual executive impersonation attacks targeting companies worldwide

Two business email compromise (BEC) groups are now leveraging automated translation tools to facilitate payment fraud and payroll diversion attacks in various languages, simultaneously.

BEC remains one of the fastest-growing and most financially destructive cyber threats. The FBI estimates that BEC scams have resulted in more than $43 billion in losses since 2016 — the same year that BEC attacks first ranked at the top of the FBI’s list of the costliest cybercrimes in the US. It has occupied that spot ever since.

Researchers observe targeted, multilingual attacks

Researchers at Abnormal Intelligence have reportedly identified two groups leveraging executive impersonation while engaging in BEC attacks on global companies. These groups are tracked by the firm as Midnight Hedgehog – which engages in payment fraud – and Mandarin Capybara – a group specializing in payroll diversion attacks.

Altogether, these two groups are responsible for launching BEC campaigns in no less than 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish.

Observed TTPs

Large-scale, multilingual cyberattacks targeting victims across the globe used to be the domain of top-tier threat actors. These were highly skilled, sophisticated cybercrime syndicates with large budgets and access to a significant degree of resources. In fact, creating multiple convincing versions of emails in foreign languages often required these groups to hire linguists or keep native language speakers on staff.

However, recent technological advances make the process much easier and more affordable to deploy. As a result, the obstacles preventing less-sophisticated cybercriminals from engaging in such ambitious operations have steadily eroded.

The availability of effective, low-cost marketing technology and the proliferation of highly accurate translation apps have combined to effectively act as force multipliers, enabling cyber-threat actors to rapidly scale their efforts and engage in financially destructive campaigns at a global scale. In addition, the advent of machine learning and the incorporation of such technology in translation tools for the purposes of improving context and realism has made it easier for attackers to manipulate AI-based platforms like ChatGPT for malicious purposes.

The players

Abnormal Intelligence’s report focuses on the activities of two multilingual BEC groups, each with its own specialty.

Midnight Hedgehog (specialty: global payment fraud)

Midnight Hedgehog primarily makes use of what has become a common tactic in financially motivated social engineering scams, using executive impersonation to trick recipients into making payments for bogus services — usually by posing as a company’s CEO.

Midnight Hedgehog’s actors appear to thoroughly research the duties and responsibilities associated with the roles their targets fill. They gain a full picture of the target’s relationship with the CEO to create highly convincing spoofed email accounts that mimic real accounts.

These attacks typically target finance managers or other high-ranking employees responsible for initiating company transactions, or lower-ranking or inexperienced employees who are also authorized to make financial decisions and initiate payments on behalf of the organization.

Midnight Hedgehog’s activity reportedly dates to at least January 2021. Attacks have originated from accounts hosted by a multitude of free webmail providers such as Gmail, Yandex, Earthlink, and Web.de. Domains created by the group have been registered with NameCheap or GoDaddy. Abnormal Intelligence’s data indicates that the locations of the group’s members span a range of countries, such as the U.K., the U.S., Canada, and Nigeria.

Mandarin Capybara (specialty: global payroll diversion attacks)

Mandarin Capybara also uses a wide range of languages in its attacks to impersonate company executives. However, the main difference is that Mandarin Capybara engages in payroll diversion as opposed to payment fraud. This entails targeting HR employees and convincing them to change direct deposit details associated with accounts under the executive’s control and switching the deposit details to reflect those pertaining to an account under the attackers’ control.

Another difference between the two groups can be found in Mandarin Capybara’s targeting patterns. Unlike the Midnight Hedgehog, which has only been observed targeting companies in Europe with non-English messages, Mandarin Capybara’s victims are scattered across a wide geographic range, impacting companies across the globe.

With regards to Mandarin Capybara’s initial emails, the messages differ little from many of the payroll diversion templates used by BEC syndicates daily. The attacker typically inquires if they may update their payroll account, with the changes to go into effect prior to the next payday.

Interestingly, Abnormal Intelligence reports having observed several instances in which the group launched a BEC campaign in one language, only to initiate a second campaign shortly after, from the same email account (albeit in a second language), targeting a different organization.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“BEC attacks have occupied the top spot as the single most financially damaging form of cybercrime for the last seven years straight. As such, CTI believes that any light we can shed on the methodology of this particular breed of cybercriminal is valuable information — particularly when it pertains to groups like these, which display an affinity for innovation and exhibit a proven desire to employ novel tactics, techniques, and procedures (TTPs).”

“Unfortunately, there is no vendor or technical solution that can singlehandedly defend yourself and your company against BEC attacks. However, stories like the one above highlight the ever-increasing importance of robust, role-based, targeted, and regularly administered social engineering education and awareness training.”

 2. RedEyes hackers use new malware to steal data from Windows, phones

A recent report by AhnLab Security Emergency Response Center (ASEC) dives into APT37’s latest campaign. APT37, also known as RedEyes, uses a new evasive M2RAT malware and steganography in its cyberespionage campaign.

APT37 is a North Korean state-sponsored group that has been conducting cyberespionage campaigns since at least 2012. The group has previously targeted victims in South Korea, Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other areas in the Middle East. The group is known to steal personal PC information along with mobile phone data from specific individuals.

Campaign overview

In this attack, APT37 leverages an old EPS vulnerability (CVE-2017-8291), along with steganography to distribute malicious code.

The vulnerability used in the attack is notably older and has since been patched. The threat actor appears to have attempted the attack knowing the individual was using an outdated version and was therefore vulnerable. The new malware identified in the campaign has been named M2RAT (Map2RAT) based on the name of the shared memory section leveraged in the attack.

The main functions of the M2RAT are keylogging, data leakage, process execution and termination, and screen capture. The backdoor does not store keylogging data and screen capture records on the victim’s system, but rather sends them to the attacker’s C2 server to not leave a trace on the system.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The M2RAT leveraged in this campaign has some interesting features. Most notably is its use of a memory section to minimize exchanges with the C2. This feature makes analysis even more difficult for security researchers, forcing them to additionally analyze that memory section to get the full picture of commands used by the malware. APT37’s use of this malware clearly indicates its ability to continually refresh its toolset with malware to keep its campaigns from being easily detectable.”

3. Devs targeted by W4SP Stealer malware in malicious PyPI packages

In yet another example of the multitude of threats facing the open-source software supply chain, security researchers at Fortinet have discovered “several new 0-day attacks in the PyPI packages (Python Package Index) by malware author ‘Core1337’, who published the following packages: ‘3m-promo-gen-api’, ‘Ai-Solver-gen’, ‘hypixel-coins’, ‘httpxrequesterv2’, and ‘httpxrequester’.”

The attacks were published during a short time window between January 27-29. The malicious packages each contained W4SP Stealer, which is an information-stealing malware.

Attack details

Five malicious packages were discovered on the PyPI repository — a software repository designed to house packages created in the Python programming language. It is intended to enable developers to find existing packages that satisfy various project requirements, saving time and effort.

The packages have been removed since their discovery, but not before hundreds of developers downloaded the weaponized software. According to researchers at Fortinet, each package had one version and an empty description, and all contained similar malicious code.

Fortinet’s analysis was able to determine that when the packages are installed, they attempt to steal passwords saved in browsers, cookies, and cryptocurrency wallets. BleepingComputer confirmed that the type of information-stealing malware contained in the malicious packages is the W4SP Stealer — a strain of info-stealing malware that has enjoyed heavy rotation in campaigns involving the injection of malicious software packages into open-source software repositories (PyPI in particular).

W4SP Stealer

According to BleepingComputer, the malware takes data from browsers like Chrome, Opera, and Edge. Then, it attempts to lift authentication cookies from Discord, Discord Canary, Discord PTB, and the LightCord client. Then, the malware will attempt to steal the Atomic Wallet and Exodus cryptocurrency wallets and cookies for The Nations Glory game.

The malware also targets a list of websites to retrieve any other sensitive user information that could potentially aid attackers in stealing accounts.

Targeted sites include, but are not limited to, the following:

  • Coinbase.com
  • Gmail.com
  • YouTube.com
  • Instagram.com
  • PayPal.com
  • Telegram.com
  • Hotmail.com
  • Outlook.com
  • Aliexpress.com
  • ExpressVPN.com
  • eBay.com
  • Playstation.com
  • Xbox.com
  • Netflix.com
  • Uber.com

When enough data has been gathered from the compromised host, the malware uploads the pilfered info via a Discord webhook, which it posts to the attacker’s server.

According to BleepingComputer, “Discord webhooks allow users to send messages containing files to a Discord server and are commonly abused to steal files, Discord tokens, and other information.”

As if this weren’t bad enough, Fortinet’s researchers also noticed the existence of functions within W4SP which check files for certain keywords; if found, the malware attempts to steal them via the “transfer.sh” file transfer service. Such keywords relate primarily to financial services: banking passwords, PayPal info, cryptocurrency-related data, and multi-factor authentication (MFA) files.

Some of these keywords are also in French — indicating a possible region of origin for the threat actor or actors behind the attack.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This attack exhibits a certain degree of efficiency. One malware author was able to successfully publish multiple packages, all with different names but containing similar code designed to launch attacks, in most cases using a single Python script and Discord webhooks. This should serve as yet another reminder that open-source software repositories like PyPI are by no means immune to abuse and are still a long way off from being sufficiently secured.”


For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.

SUBSCRIBE NOW