Researchers have uncovered a sophisticated phishing scheme targeting the World Agricultural Cycling Competition (WACC), an annual event in France that combines the agriculture and sports sectors. The campaign involves a fake website, hosted at “wacc[.]photo,” which mimics the official WACC site to trick visitors into downloading malicious software. The attacker meticulously replicated the WACC site’s look and feel, making minor adjustments that make it challenging for users to recognize the fraud. This deceptive tactic aims to capitalize on the recent conclusion of the event, taking advantage of participants and stakeholders who are likely still engaged with WACC-related content.
Launched in July 2024, shortly after the WACC ended in June, the phishing site incorporates a “PHOTO” section, promising users exclusive event photos. This ploy is specifically designed to entice visitors eager to relive moments from the competition, thereby increasing the chance that they will download malicious files. According to Cyble Research and Intelligence Labs (CRIL), the phishing site prompts users to download a ZIP file that supposedly contains photos. However, instead of images, the ZIP file holds three shortcut files (.lnk) masked as image files. When these shortcuts are executed, they trigger a sophisticated infection process, ultimately leading to the deployment of the Havoc Command and Control (C2) framework.
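The lure above relies on Windows shortcut files hiding behind image names inside a ZIP. As an added example (not from the CRIL report or the original article), the following Python check flags archive members that are shortcuts posing as photos, either by a double extension such as `IMG_001.jpg.lnk` or by the fixed shell-link header regardless of name; the sample archive is constructed inline and the file names are assumptions.

```python
import io
import zipfile

# A Windows shell link (.lnk) begins with HeaderSize 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in mixed-endian form.
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".heic", ".bmp"}


def find_disguised_shortcuts(zip_bytes):
    """Return archive member names that are .lnk files posing as images.

    A member is flagged when its name ends in .lnk directly behind an image
    extension (e.g. IMG_001.jpg.lnk), or when its content starts with the
    shell-link header even though the name looks like an image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            double_ext = (len(parts) >= 3 and parts[-1] == "lnk"
                          and "." + parts[-2] in IMAGE_EXTS)
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if double_ext or head == LNK_MAGIC:
                findings.append(info.filename)
    return findings


def build_sample_zip():
    """Constructed sample mimicking the lure: three 'photos' that are really
    shortcuts, one genuine-looking JPEG, and one shortcut renamed to .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, 4):  # assumed names, not from the campaign
            zf.writestr(f"WACC_photos/IMG_{i:03d}.jpg.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("WACC_photos/IMG_004.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 40)
        zf.writestr("WACC_photos/IMG_005.jpg", LNK_MAGIC + b"\x00" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_disguised_shortcuts(build_sample_zip()):
        print("suspicious shortcut:", name)
```

Checking the header as well as the name catches the case where the attacker drops the `.lnk` suffix, which Windows Explorer hides by default anyway.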
The Havoc C2 framework, an advanced tool used in post-exploitation activities, attempts to connect to a Command and Control (C&C) server via an Azure Front Door domain, which acts as a redirector. This connection would allow attackers to remotely manage infected systems and deploy additional malware. Although CRIL found the C&C server offline during their investigation, which prevented a complete analysis of later attack stages, the presence of Havoc C2 indicates that the attacker likely had plans for further malicious operations within the compromised network. In addition, the phishing site contains an open directory with various malware payloads, suggesting the attacker may be swapping out these payloads to better tailor the attack to specific victims.
To counter such phishing threats, experts recommend that organizations and individuals verify website legitimacy, scrutinize URLs, and avoid interacting with suspicious links. Advanced endpoint protection solutions are essential for detecting malicious DLLs and scripts, while restricting PowerShell execution and using administrator privileges only when necessary can further reduce risk. Regular training sessions can help users identify phishing attempts and avoid downloading files from untrusted sources, empowering them to make safer online choices. Implementing network monitoring tools to detect unusual traffic patterns and keeping antivirus software updated are also key to defending against sophisticated phishing campaigns like the WACC scam.