
CTI Roundup: Callback Phishing, Time-to-Exploit Trends, and PureLogs Infostealer

Threat actors spread malware via callback phishing, Mandiant analyzes time-to-exploit trends, and PureLogs targets the Chrome browser

Emerging Issue

In this week’s roundup, CTI looks at Intel471’s recent analysis of attacks that combine voice and email phishing. Next, CTI reviews Mandiant’s analysis of 138 exploited vulnerabilities originally disclosed in 2023. Also included is a breakdown of Flashpoint’s analysis of the PureLogs infostealer targeting the Chrome browser.

Threat actors spread malware via callback phishing

Intel471 released its analysis of attacks that combine voice and email phishing — a strategy known as callback phishing, hybrid vishing, or telephone-oriented attack delivery (TOAD).

According to Intel471, these types of attacks have increased, along with a higher demand among threat actors for TOAD services.

What is callback phishing?

A typical attack starts with a phishing email encouraging the recipient to call a specific phone number. The actual social engineering lure used in these campaigns will vary, but all seek to get the victim on the phone with a malicious actor to complete the attack.

The latest data suggests that callback phishing attacks are increasing in frequency. Proofpoint recently revealed that 10 million TOAD attacks occur every month and impact about 67% of organizations globally.

Increasing demand

Along with the increase in these attacks, many threat actors want to expand to TOAD attacks.

Intel471 observed more than 50 actors looking for callers to use in their attack chain. Some of these actors were looking for callers who spoke specific languages.

Ransomware and TOAD attacks

A growing number of ransomware actors are seeking out TOAD-related services for their attacks. These services can be useful in the initial access portion of their attacks.

Intel471 stated that “most ransomware operators seek long-term cooperation with ransom callers and offer monthly fees as well as shares of ransom payments, which indicates such services are valued among threat actors engaged in ransomware.”

Financial gain

These types of attacks are usually carried out by actors seeking financial gain. Successful callback phishing attacks have the potential to generate a large sum of money for the actor and for the caller.

One such caller service, CrimeTalk, charges $10 per call. Intel471 also observed a threat actor seeking out callers who spoke Italian, offering $5,000 per day.

Services

Some actors create more business-like models of their services. An example is the M00N email spamming/phishing service, which offers several ways to deliver phishing emails.

Another service, Quattr0, offers various fraudulent calls, including calls to banks, delivery services, online stores, and more. This group claims to be able to make calls to any country except for Russia.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Actors are increasingly including callback phishing TTPs in their attacks, as evidenced by the high number of related service offerings in the underground market.

Many organizations include basic tips and tricks in their security awareness training for how to identify phishing emails, but it’s likely that not all of them include helpful information on the more hybrid phishing types, like those that include callbacks.

Intel471’s report is a good reminder for organizations to revisit their security awareness training to ensure it includes information on how to identify the latest phishing scams.

Mandiant analyzes time-to-exploit trends

Mandiant analyzed 138 exploited vulnerabilities that were originally disclosed in 2023.

Key takeaways included:

  • 70% of the vulnerabilities were exploited as zero-days
  • The average time-to-exploit was only five days
  • Microsoft, Apple, and Google were the most exploited vendors

Time-to-exploit (TTE)

Mandiant uses Time-to-Exploit, or TTE, to define the average time it takes to exploit a vulnerability before or after a patch is released.

TTE has been declining in recent years, and the largest drop occurred this past year. From 2021-2022, the TTE was 32 days, but in 2023, Mandiant observed an average of only five days.

Zero-day vs. n-day

This year, Mandiant noticed a ratio of 30:70 when comparing n-days (vulnerabilities exploited after patches are available) to zero-days (vulnerabilities exploited before patches are available), which reveals a steady increase in zero-day exploitation compared to the last few years.


Mandiant found that exploitation was most likely to happen during the first month of a patch being released for a previously disclosed vulnerability. Mandiant further found that 12% of n-days were exploited within a single day, while over half of them were exploited within a month.

Exploitation timelines

Mandiant also reported that 30% of vulnerabilities were first exploited after the vulnerability was disclosed to the public.

For vulnerabilities whose public exploit appeared before exploitation was observed, Mandiant identified a median of seven days between the exploit's public release and the first observed exploitation.

For vulnerabilities whose public exploit appeared only after exploitation was observed, the median was 15 days from disclosure.
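To make the TTE and zero-day/n-day figures above concrete, here is an added example (not from the Mandiant report or the original post) that computes the same kinds of statistics over a constructed set of records. It assumes TTE is the signed number of days from patch release to first observed exploitation, that "zero-day" means exploited strictly before a patch existed, and that records with no patch date are left out of the TTE average.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                    # constructed label, not a real CVE id
    patch_released: Optional[date]  # None: no patch existed when exploitation was first seen
    first_exploited: date

def time_to_exploit(rec: VulnRecord) -> Optional[int]:
    """Signed days from patch release to first observed exploitation.
    Negative means exploited before the patch; None when no patch date is known."""
    if rec.patch_released is None:
        return None
    return (rec.first_exploited - rec.patch_released).days

def is_zero_day(rec: VulnRecord) -> bool:
    # Assumption: strictly before the patch is a zero-day; same-day is an n-day with TTE 0.
    return rec.patch_released is None or rec.first_exploited < rec.patch_released

def pct(part: int, whole: int) -> Optional[int]:
    return round(100 * part / whole) if whole else None

def summarize(records: list) -> dict:
    """Roll records up into the same kinds of figures the report quotes."""
    zero = [r for r in records if is_zero_day(r)]
    nday = [r for r in records if not is_zero_day(r)]
    all_ttes = [t for t in map(time_to_exploit, records) if t is not None]
    nday_ttes = [time_to_exploit(r) for r in nday]
    return {
        "total": len(records),
        "zero_day_pct": pct(len(zero), len(records)),
        "n_day_pct": pct(len(nday), len(records)),
        "avg_tte_days": round(mean(all_ttes), 1) if all_ttes else None,  # patchless zero-days excluded (assumption)
        "n_day_median_tte_days": median(nday_ttes) if nday_ttes else None,
        "n_day_within_1_day_pct": pct(sum(t <= 1 for t in nday_ttes), len(nday)),
        "n_day_within_30_days_pct": pct(sum(t <= 30 for t in nday_ttes), len(nday)),
    }

# Constructed sample: ten made-up vulnerabilities with patch and first-exploitation dates.
SAMPLE = [
    VulnRecord("V-01", date(2023, 3, 1), date(2023, 2, 20)),   # 9 days before patch (zero-day)
    VulnRecord("V-02", date(2023, 4, 10), date(2023, 4, 10)),  # same day as patch (n-day, TTE 0)
    VulnRecord("V-03", date(2023, 5, 1), date(2023, 5, 2)),    # one day after patch
    VulnRecord("V-04", date(2023, 6, 15), date(2023, 7, 10)),  # 25 days after patch
    VulnRecord("V-05", date(2023, 7, 1), date(2023, 9, 15)),   # 76 days after patch
    VulnRecord("V-06", None, date(2023, 8, 1)),                # no patch at all (zero-day)
    VulnRecord("V-07", date(2023, 9, 5), date(2023, 8, 30)),   # 6 days before patch (zero-day)
    VulnRecord("V-08", date(2023, 10, 1), date(2023, 10, 31)), # 30 days after patch
    VulnRecord("V-09", date(2023, 11, 1), date(2023, 10, 1)),  # 31 days before patch (zero-day)
    VulnRecord("V-10", date(2023, 12, 1), date(2024, 1, 20)),  # 50 days after patch
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding your own vulnerability-management records into `summarize` gives a per-organization view of how much of the patch window is actually available before exploitation is seen.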

Exploitations by vendor

Mandiant broke down every vulnerability by vendor. They found a 17% increase compared to the previous highest exploited vendor count, noting that Microsoft, Apple, and Google have been the top exploited vendors for a few years now.

Attackers appear to be diversifying targets now, with Mandiant citing an increase in the overall number of exploited vendors.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Patching prioritization is becoming incredibly challenging as vulnerabilities are being exploited quicker and quicker every year.

As such, vulnerability patch management needs to be paired with efficient detection and response to adapt in real time.

Mandiant's analysis also indicates that zero-days are becoming increasingly popular, which aligns with recent trends in the threat landscape.

PureLogs targets the Chrome browser

Flashpoint recently investigated the PureLogs infostealer that is actively targeting the Chrome browser to steal sensitive information. Only a few other malware families are currently capable of harvesting data from the Chrome browser, making this threat one to watch.

Flashpoint observed more than 53 million compromised credentials along with 13 million infected devices due to infostealer activity in 2024. This malware first emerged in 2022 and has been in circulation ever since. Its low price point relative to other infostealers likely supports its continued use.

What is PureLogs?

The PureLogs infostealer malware is written in C#. Like many other malware families, it uses several stages of assemblies.

The stealer attempts to harvest sensitive data from the Chrome browser, which Flashpoint notes is a feature “shared by only a few malware, such as Lumma, Vidar, and Meduza.”

The malware maintains a presence on underground marketplaces and on the clearnet with a dedicated marketplace. PureLogs is currently one of the cheaper infostealers on the market, making it even more attractive to threat actors.

In addition to info-stealing malware, the creator also offers access to a cryptocurrency miner, clipboard replacement tools, a botnet, and a hidden virtual network computing (HVNC) client.

How does PureLogs work?

Stage one

Stage one consists of loading and execution. This stage holds a byte array that will be decrypted via the AES algorithm.

Both the AES key and initialization vector (IV) are hardcoded as Base64-encoded strings. The decrypted payload is then decompressed, yielding a C# DLL that is loaded and executed in memory.

Stage two

Stage two performs anti-sandbox checks before actually loading the final infostealer assembly. It begins by checking which DLLs are currently loaded into the process. It also checks the process's parent process ID (PPID), which should not be present because the assembly is designed to be loaded dynamically into the original process's memory rather than started as a separate process.

Several WMI queries are performed to obtain information about the hardware and check for the existence of “VMware” or “Virtual” strings. The malware will check the monitor size, architecture bitness, and username to determine if it is running in a virtual machine. If not, it will establish a connection with its C2. After making this connection, it will decrypt, decompress, and execute the final stage.

Stage three

During the third and final stage, PureLogs aims to acquire data by stealing:

  • Browsing data
  • Chrome, Edge, and Opera extensions
  • Crypto wallet applications
  • Desktop applications
  • Machine information

The malware can be further configured to grab folders, files by extension, or files by name and location. Actors also have the option to download and execute additional payloads.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As Flashpoint notes, the cyber threat landscape is flooded with numerous infostealers. Threat actors seek out infostealers as a quick and easy way to obtain sensitive information they can sell or use for further nefarious activity.

Since there are so many infostealers to choose from, the barrier to entry is remarkably low. Actors now have a multitude of capabilities and features to choose from.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
