Balikbayan Foxes group spoofs Philippine gov to spread RATs

Meet Balikbayan Foxes: a threat group impersonating the Philippine gov’t

Experts uncovered a new threat actor, tracked as Balikbayan Foxes, that is impersonating the Philippine government to spread malware.

Researchers from Proofpoint have uncovered a new threat actor, dubbed Balikbayan Foxes (TA2722) that is impersonating the Philippine health, labor, and customs organizations as well as other entities based in the Philippines to spread Trojan malware such as Remcos and NanoCore.

Both Remcos and NanoCore are used for information gathering, data exfiltration, surveillance, and control of the victims’ computers.

The group focuses on Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy entities, among others. Victims of the group are located in North America, Europe, and Southeast Asia.

“Proofpoint assesses this actor is targeting organizations directly or indirectly engaged with the Philippine government based on a continuous pattern of spoofing email addresses and delivering lures designed to impersonate government entities.” reads the analysis published by the experts.

In other attacks documented by the researchers, Balikbayan Foxes posed as DHL Philippines and the Manila embassy for the Kingdom of Saudi Arabia (KSA).

The threat actors carried out spear-phishing attacks using spoofed email addresses. The researchers noticed that that the sender emails were reused for a long period of time. The attackers used multiple lures, including COVID-19 infection rates, billing, invoicing, and advisories.

The researchers separated campaigns into two distinct threat activity clusters, below are the threat distribution mechanisms observed by the experts:

OneDrive URLs linking to RAR files with embedded UUE files
PDF email attachment with an embedded OneDrive link or other malicious URL leading to compressed executables (.iso files) that download and run malware
Compressed MS Excel documents containing macros which, if enabled, download malware

The group has been active at least since August 2018, it conducted multiple campaigns per month through October 2020. The threat actors restarted their activity in September 2021, they used phishing messages masqueraded as the Philippines Bureau of Customs CPRS and contained links to a credential harvesting page.

“Proofpoint assesses with high confidence TA2722 is a highly active threat actor leveraging Philippine government themes and targeting a variety of organizations in Southeast Asia, Europe, and North America. It is likely this threat actor is attempting to gain remote access to target computers, which could be used for information gathering or to install follow-on malware or engage in business email compromise (BEC) activity. ” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Balikbayan Foxes)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.