Meet Balikbayan Foxes: a threat group impersonating the Philippine gov't

Proofpoint has uncovered a new, “highly active” threat group that is impersonating the Philippine government and businesses to spread Trojan malware. 

On Wednesday, researchers Selena Larson and Joe Wise said the threat actors, dubbed “Balikbayan Foxes” and tracked as TA2722, are concentrated in the Philippines but are targeting the shipping, logistics, manufacturing, pharmaceutical, business, and energy sectors across the US, Europe, and Asia. 

Balikbayan Foxes has conducted campaigns over 2021 in which the group sent phishing emails claiming to be from Philippine government entities including the country’s department of health, employment agency, and customs. 

In addition, the threat actors have impersonated DHL Philippines — DHL being a common victim of impersonation worldwide as a delivery service — and the Manila embassy for the Kingdom of Saudi Arabia (KSA).

According to the researchers, the group uses phishing, spoofed email addresses, and emailed lures to snag its victims. The lures included messages surrounding COVID-19 infection rates, billing, invoicing, and industry advisories.

Some of the targets are involved in large supply chains, so a compromise of these organizations could have a far-reaching impact.

Every campaign tracked by Proofpoint was designed to deploy the Remcos and NanoCore Remote Access Trojans (RATs) for the purposes of surveillance and
