Meet Balikbayan Foxes: a threat group impersonating the Philippine gov’t

Experts uncovered a new threat actor, tracked as Balikbayan Foxes, that is impersonating the Philippine government to spread malware. 

Researchers from Proofpoint have uncovered a new threat actor, dubbed Balikbayan Foxes (TA2722) that is impersonating the Philippine health, labor, and customs organizations as well as other entities based in the Philippines to spread Trojan malware such as Remcos and NanoCore.

Both Remcos and NanoCore are used for information gathering, data exfiltration, surveillance, and control of the victims’ computers.  

The group focuses on Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy entities, among others. Victims of the group are located in North America, Europe, and Southeast Asia. 

“Proofpoint assesses this actor is targeting organizations directly or indirectly engaged with the Philippine government based on a continuous pattern of spoofing email addresses and delivering lures designed to impersonate government entities.” reads the analysis published by the experts.

In other attacks documented by the researchers, Balikbayan Foxes posed as DHL Philippines and the Manila embassy for the Kingdom of Saudi Arabia (KSA).

The threat actors carried out spear-phishing attacks using spoofed email addresses. The researchers noticed that that the sender emails were reused for a long period of time. The attackers used multiple lures, including COVID-19 infection rates, billing, invoicing, and advisories.

The researchers separated campaigns into two distinct threat activity clusters, below are the threat distribution mechanisms observed by the experts: 

• OneDrive URLs linking to RAR files with embedded UUE files
• PDF email attachment with an embedded OneDrive link or other malicious URL leading to compressed executables (.iso files) that download and run malware
• Compressed MS Excel documents containing macros which, if enabled, download malware

The group has been active at least since August 2018, it conducted multiple campaigns per month through October 2020. The threat actors restarted their activity in September 2021, they used phishing messages masqueraded as the Philippines Bureau of Customs CPRS and contained links to a credential harvesting page. 

“Proofpoint assesses with high confidence TA2722 is a highly active threat actor leveraging Philippine government themes and targeting a variety of organizations in Southeast Asia, Europe, and North America. It is likely this threat actor is attempting to gain remote access to target computers, which could be used for information gathering or to install follow-on malware or engage in business email compromise (BEC) activity. ” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Balikbayan Foxes)

[adrotate banner=”5″]

[adrotate banner=”13″]