
At The Identity Organisation, we're here to help!


    Criminal Threat Actor Uses Stolen Invoices to Distribute Malware

    Researchers at IBM X-Force are tracking a phishing campaign by the criminal threat actor “Hive0145” that’s using stolen invoice notifications to trick users into installing malware.

    Hive0145 acts as an initial access broker, selling access to compromised organizations to other threat actors who then carry out additional cyberattacks.

    “Over the past year, Hive0145 has demonstrated proficiency in evolving tactics, techniques, and procedures (TTPs) to target victims across Europe,” the researchers explain. “Italian, Spanish, German, and Ukrainian victims continue to receive weaponized attachments that entice the victim to open the file.

    The actor’s campaigns present the victim with fake invoices or receipts and often a short, generic message of urgency for victims to address. Upon loading the attached file, the victim unwittingly executes the infection chain leading to Strela Stealer malware.”

    Notably, the threat actor has begun using real, stolen invoice notifications to add legitimacy to its phishing operations.

    “In July 2024, X-Force observed a mid-campaign change in the emails being distributed by Hive0145, with the short and generic messages being replaced with what appeared to be legitimate stolen emails,” the researchers write.

    “The phishing emails exactly matched official invoice communication emails and, in some cases, still directly addressed the original recipients by name. X-Force was able to verify that the emails were in fact authentic invoice notifications from a variety of entities across financial, technology, manufacturing, media, e-commerce and other industries. It is likely that the group sourced the emails through previously exfiltrated credentials from their prior campaigns.”

    Strela Stealer is a strain of malware designed to exfiltrate email credentials. X-Force notes that these credentials can be used to launch business email compromise (BEC) attacks within the targeted organizations.

    “Hive0145’s use of stolen emails for attachment hijacking is an indicator that a portion of stolen email credentials may be used to harvest legitimate emails for further distribution,” the researchers write. “Both stolen and actor-created emails used by Hive0145 predominantly feature invoices as themes, which points towards potential financial motivation. It is possible that Hive0145 may sell stolen emails to affiliate partners for the purposes of further business email compromise.”

    KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

    SecurityIntelligence has the story.

    Free BreachSim Tool

    How easy is it for bad actors to penetrate your system and exfiltrate your data? Pinpoint vulnerabilities, take action and build stronger cyber defenses with KnowBe4’s Breach Simulator “BreachSim.” Based on techniques outlined in the MITRE ATT&CK framework, BreachSim launches 12+ simulated scenarios to uncover the stark reality of what happens when employees unknowingly fall for an attack.

    How BreachSim works:

    • 100% harmless simulation of real breach and data exfiltration attacks
    • Provides secure .txt, .doc, and .bmp test files for the simulation
    • Tests 12+ realistic data exfiltration scenarios following the MITRE ATT&CK framework
    • Just download the installer, upload the secure test files, and run

    Results in a few minutes!

    Try It Now: https://info.knowbe4.com/breached-password-test-partner?partnerid=001a000001lWEoJAAW

    PS: Don’t like to click on redirected buttons? Cut & paste this link into your browser: https://info.knowbe4.com/breached-password-test-partner?partnerid=001a000001lWEoJAAW
