www.infosecurity-magazine.com 4/9/2026, 9:17:47 AM · via preferred

UNC6783 Uses Live Chat Phishing to Extort BPOs and Enterprises

A new threat group is targeting business process outsourcers (BPOs) and large enterprises for extortion using live chat channels, Google has warned. According to Google Threat Intelligence Group (GTIG) principal threat analyst, Austin Larsen, UNC6783 is a financially motivated threat cluster that may be tied to the “Raccoon” persona.

The group has targeted several dozen “high-value corporate entities” across multiple sectors, focusing mainly on their BPOs, but sometimes also hitting their in-house helpdesk and support teams directly. The end goal is to steal sensitive data for extortion, Larsen explained.

The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages. The domains masquerade as the targeted organisation, using a pattern such as [.]zendesk-support[.]com. The group's phishing kit is used to bypass MFA by stealing clipboard contents, enabling the attackers to enrol their own devices for persistent access.
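As an added example (not from the article or from GTIG), the following sketch hunts for the domain pattern quoted above in DNS query logs and reports which clients looked up a matching host. The log format, the sample lines and the organisation label "acme" are constructed, and the assumption that the label in front of the suffix names the impersonated organisation is ours.

```python
import re
from collections import defaultdict

# Suffix taken from the article's pattern "[.]zendesk-support[.]com".
SUSPECT_SUFFIX = "zendesk-support.com"

# Constructed sample DNS query log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2026-04-08T10:01:02Z 10.0.4.17 query: acme.zendesk.com
2026-04-08T10:01:09Z 10.0.4.17 query: ACME.Zendesk-Support.com.
2026-04-08T10:02:30Z 10.0.7.88 query: sso.acme.zendesk-support[.]com
2026-04-08T10:03:11Z 10.0.7.88 query: zendesk-support.com.cdn.example.net
2026-04-08T10:04:45Z 10.0.9.3 query: notzendesk-support.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)$")


def normalise(host):
    """Refang, lowercase and drop the trailing root dot."""
    return host.replace("[.]", ".").lower().rstrip(".")


def matches_pattern(host):
    """True only for strict subdomains of the suspect suffix.

    Anchoring on '.' + suffix avoids matching look-alike registrations
    (notzendesk-support.com) or the suffix used as a left-hand label.
    """
    return normalise(host).endswith("." + SUSPECT_SUFFIX)


def find_hits(log_text):
    """Return {client_ip: [(timestamp, hostname, leading_labels), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, host = m.groups()
        if matches_pattern(host):
            host = normalise(host)
            prefix = host[: -len(SUSPECT_SUFFIX) - 1]  # labels before the suffix
            hits[client].append((ts, host, prefix))
    return dict(hits)


if __name__ == "__main__":
    for client, rows in find_hits(SAMPLE_LOG).items():
        for ts, host, prefix in rows:
            print(f"{ts} {client} {host} (leading labels: {prefix})")
```

A hit means only that a client resolved a matching name; follow up against Okta sign-in and device enrolment events for the same user and time window.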

Alternatively, GTIG has observed UNC6783 using fake security software updates to trick users into downloading remote access malware, and it sometimes uses Proton Mail accounts to deliver ransom notes following data exfiltration. Last year, reports emerged of a campaign using Zendesk phishing domains to harvest employee credentials, with hackers also submitting fraudulent tickets to helpdesk staff to infect them with RATs and other malware.

Article by CyberSIXT