Showing posts with label Credential stealing.

Data-Stealing Malware Infections Surge by 600% in Three Years, Kaspersky Reports

 

The digital landscape has become increasingly treacherous, with a startling surge in data-stealing malware compromising millions of devices worldwide. According to cybersecurity firm Kaspersky, the number of devices infected with data-stealing malware has skyrocketed by over 600% in the past three years alone. This alarming trend underscores the urgent need for heightened vigilance and robust cybersecurity measures to safeguard personal and corporate data in an era plagued by relentless cyber threats. 

Kaspersky's Digital Footprint Intelligence data paints a grim picture: the number of compromised devices reached 10 million in 2023, a 643% increase since 2020. The threat from data-stealers has escalated sharply and poses a significant risk to consumers and businesses alike. Particularly concerning is the sheer volume of login credentials pilfered from infected devices. 

On average, each compromised device surrenders a staggering 50.9 log-in credentials, encompassing a wide array of sensitive accounts ranging from social media and online banking services to cryptocurrency wallets and email accounts. This abundance of stolen credentials fuels the illicit underground economy, where cybercriminals peddle stolen data for profit. The actual scope of the problem may be even more extensive than reported, as Kaspersky's data draws insights from infostealer malware log files traded on underground markets. 

The clandestine nature of these transactions makes it challenging to quantify the full extent of the threat landscape accurately. According to Sergey Shcherbel, a cybersecurity expert at Kaspersky Digital Footprint Intelligence, the dark-web value of log files containing login credentials varies depending on their appeal and the method of sale. These credentials may be sold through subscription services, aggregators catering to specific requests, or exclusive shops offering freshly acquired login credentials to select buyers. 

Prices typically start at $10 per log file, highlighting the lucrative nature of stolen data in the cyber underground. The impact of data-stealing malware extends beyond individual devices, with a staggering 443,000 websites worldwide falling victim to compromised credentials in the past five years alone. In the .in domain associated with India, compromised accounts surged to over 8 million in 2023, underscoring the global reach and pervasive nature of the threat. 

As the threat landscape continues to evolve, organizations and individuals must prioritize cybersecurity as a fundamental aspect of their digital hygiene practices. Proactive measures such as robust antivirus software, regular software updates, and user education can help mitigate the risk of data breaches and protect sensitive information from falling into the wrong hands. 

The exponential rise in data-stealing malware serves as a stark wake-up call for individuals and organizations worldwide. By staying vigilant, informed, and proactive in combating cyber threats, we can collectively fortify our defenses and safeguard against the perils of the digital age.

Facebook :"Is that you?" 500,000 People Were Victims of this Phishing Scam

 

Facebook has long been a favorite hunting ground for cybercriminals preying on unwary users. Cybernews has researched a widespread fraud known as the "Is that you?" scam, a video-phishing lure in which the attacker sends a link to a supposed video in which the victim appears. Clicking the link leads to a fake login page, and the trouble begins once the victim enters personal information and logs in. 

The researchers' diligence was rewarded when fellow investigator Aidan Raney, who had contacted them after the original findings were published, warned that malicious links were still being sent to users. Further investigation found that thousands of these phishing links had been circulated through a network of channels on the platform. The "Is that you?" scam was said to have ensnared half a million victims before researchers discovered it, and left unchecked it could have caught hundreds of thousands more. 

"I worked out what servers did what, where code was hosted, and how I might identify additional servers," Raney explained. "I then used this information, as well as urlscan.io, to search for more phishing sites with similar features to this one." 

A closer examination of the servers behind the phishing links revealed a page that was transmitting captured credentials to devsbrp[.]app. A banner believed to belong to a control panel read "panelfps by braunnypr". A second search on those keywords led the team to the panel and banner designer, whose email address and password variations were also identified, neatly turning the tables on fraudsters who prey on unwary web users' credentials. 

Using the threat actor's personal details, Cybernews accessed a website that proved to be the command and control hub for most of the phishing campaigns linked to the gang, which is known to include at least five threat actors but could have many more. This gave the investigators a wealth of information about the culprits of the Facebook phishing scam, including their likely country of residence: the Dominican Republic.

"We were able to distribute the user list for everyone who has signed up for this panel," the Cybernews researcher explained. "We started unearthing the identities of as many people on the list as we could using the usernames on the list, but there is still more work to be done." The researchers passed the relevant information to the Dominican Republic's Computer Emergency Response Team (CERT), as evidence suggested the campaign had originated there.

3 Hacking Teams Working Under the Umbrella of TA410 Group

 

A recently discovered campaign shows threat actors targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the United States. The group, identified as TA410, has been using an improved version of a remote access trojan built with information-stealing capabilities. 

TA410 is an umbrella group comprising three teams named FlowingFrog, LookingFrog, and JollyFrog. 

The Slovak cybersecurity firm ESET, which documented the activity, reported that "these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure." 

TA410 shows behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429), which has a history of targeting U.S.-based organizations in the utility sector as well as diplomatic entities in the Middle East and Africa. 

The group has also targeted firms across the world, including a manufacturing company in Japan, a mining business in India, a charity foundation in Israel, and unnamed victims in the education and military verticals. 

TA410 was first documented by Proofpoint in 2019, when the group ran phishing campaigns with macro-laden documents to compromise U.S. utility providers with a modular malware called LookBack. 

The group made a comeback with a new backdoor codenamed FlowCloud, also delivered to U.S. utility providers that Proofpoint described as malware that gives attackers full remote control over targeted systems. 

"Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command-and-control," the company reported in June 2020. 

Cybersecurity firm Dragos, which is investigating the activities of the group under the moniker TALONITE, said that the adversary has a penchant for blending techniques and tactics in order to ensure a successful intrusion. 

"TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure," Dragos said in April 2021.

A Phishing Attack Impersonates the US DoL in Order to Steal Account Credentials

 

Many phishing attacks seek to defraud individuals by mimicking and imitating legitimate companies and organizations. A phishing email that looks to be from an official government agency is particularly deceiving since it exudes authority. Inky discovered a harmful campaign in the latter half of 2021 that spoofs the US Department of Labor in order to steal the account credentials of unwary victims. 

In a blog post published on Wednesday, Inky describes a series of phishing attacks in which the sender address on most of the emails appeared to be no-reply@dol[.]gov, on the Department of Labor's legitimate domain. A few emails were spoofed to appear to come from no-reply@dol[.]com, which is not the department's domain. The remainder came from a set of newly registered look-alike domains, including dol-gov[.]com, dol-gov[.]us, and bids-dolgov[.]us. The emails claimed to be from a senior DoL employee in charge of procurement and invited recipients to submit bids for "ongoing government projects." 

A PDF attachment accompanying the email appeared to be an official DoL document, complete with all the necessary images and branding. On the second page of the PDF, a BID button led to what looked to be the Department of Labor's procurement platform but was actually a rogue website impersonating the department. 

When the victim clicked through, they saw an exact replica of the official DoL website: the phishers had simply copied the HTML and CSS of the original site onto the phishing site. 

The site then presents a "Click here to bid" button as the next step. Anyone who clicks it is taken to a credential harvesting form with instructions to submit a bid using a Microsoft account or another business account. After the victim enters credentials, the page reports that they are incorrect, but the attacker has already captured them. A second attempt redirects the user to the real DoL site, further masking the theft. 

In most of these attacks (those where the spoofed sender was no-reply@dol[.]gov or no-reply@dol[.]com), the phishers sent their emails through abused mail servers apparently operated by a non-profit professional membership organization. 

Inky offered a few tips for recognizing this type of phishing: US government domains end in .gov or .mil, not .com or another suffix; the US government does not normally send cold emails soliciting bids for projects; and mail administrators should check their SMTP server settings. An SMTP server should not accept and relay mail from non-local IP addresses to non-local mailboxes for unauthenticated, unauthorized users, since such an open relay is exactly what lets a phisher send mail "from" someone else's infrastructure.

Redline Malware Stealing Web Browser Stored Credentials

 

The RedLine malware steals information from popular internet browsers such as Chrome, Edge, and Opera, highlighting why saving passwords in browsers is a terrible idea. 

This malware is a commodity information-stealer that can be obtained on cyber-crime websites for around $200 and deployed with very little understanding or effort. 

A new analysis by AhnLab ASEC cautions that the convenience of the auto-login feature in web browsers has become a significant security problem, affecting both enterprises and individuals. 

In one case described by the analysts, a remote employee's VPN account credentials were captured by RedLine Stealer, and the actors used them three months later to breach the company's network. 

Although an anti-malware product was installed on the affected computer, it failed to detect and remove RedLine Stealer. The malware targets the 'Login Data' file present in all Chromium-based browsers, an SQLite database that holds the saved usernames and passwords. 

Although the password store used by Chromium-based browsers is encrypted, information-stealing malware can decrypt it programmatically as long as it runs as the same Windows user. Because RedLine runs in the infected user's context, it can collect the passwords from that user's browser profile. (Since Chrome 80 the individual entries are encrypted with AES-256-GCM under a key that is itself DPAPI-protected in the profile's Local State file; the same user-context decryption still applies, it just takes one extra step.) 

"Google Chrome encrypts the password with the help of CryptProtectData function, built into Windows. Now while this can be a very secure function using a triple-DES algorithm and creating user-specific keys to encrypt the data, it can still be decrypted as long as you are logged into the same account as the user who encrypted it," explains the author of the 'chrome_password_grabber' project. 

"The CryptProtectData function has a twin, who does the opposite to it; CryptUnprotectData, which... well you guessed it, decrypts the data. And obviously, this is going to be very useful in trying to decrypt the stored passwords." 

Even when a user declines to save credentials for a site, the password store still records an entry marking that site as "blacklisted" (never save). 

While the malicious actors may not have had the credentials for this "blacklisted" account, it does inform them of its existence, allowing them to undertake credential stuffing or social engineering/phishing attacks. 
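To make the "blacklisted entry" point concrete, here is an added triage example (not RedLine code and not from AhnLab) that walks a Chromium 'Login Data' database the way a stealer or a forensic examiner would, without decrypting anything. The database is constructed in memory with the subset of the real 'logins' columns that matter here; the password blobs are dummy bytes carrying the real format markers (the "v10" prefix of Chrome 80+ AES-GCM entries and the fixed DPAPI blob header), so the output shows what an attacker learns from each row even before decryption.

```python
import sqlite3

# Chrome 80+ on Windows: b"v10" + 12-byte AES-GCM nonce + ciphertext + 16-byte tag,
# under a key that is DPAPI-wrapped in the profile's "Local State" file.
V10_PREFIX = b"v10"
# Pre-Chrome 80: the password is a raw DPAPI blob. Every DPAPI blob begins with
# version 1 and the fixed provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def blob_kind(password_value):
    """Classify a password_value blob by its format marker."""
    if not password_value:
        return "none"
    if password_value.startswith(V10_PREFIX) and len(password_value) >= 3 + 12 + 16:
        return "aes-gcm-v10"   # needs the Local State key (DPAPI, same user)
    if password_value.startswith(DPAPI_HEADER):
        return "dpapi"         # needs only CryptUnprotectData as the same user
    return "unknown"


def triage_login_data(conn):
    """Enumerate every row and state what it exposes without decryption."""
    rows = conn.execute(
        "SELECT origin_url, username_value, password_value, blacklisted_by_user "
        "FROM logins ORDER BY origin_url"
    ).fetchall()
    entries = []
    for origin, username, pw, blacklisted in rows:
        kind = blob_kind(pw)
        entries.append({
            "origin": origin,
            "username": username,
            "encryption": kind,
            "never_save": bool(blacklisted),
            # A "never save" row leaks that an account exists at this origin,
            # which is enough for credential stuffing or targeted phishing.
            "exposure": "site+credential" if kind in ("aes-gcm-v10", "dpapi")
                        else "site-only",
        })
    return entries


def build_sample_db():
    """Constructed stand-in for a real 'Login Data' file (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE logins (
        origin_url VARCHAR NOT NULL,
        username_value VARCHAR,
        password_value BLOB,
        blacklisted_by_user INTEGER NOT NULL DEFAULT 0)""")
    v10_blob = V10_PREFIX + bytes(12) + b"\xaa" * 20 + bytes(16)  # nonce|ct|tag (dummy)
    dpapi_blob = DPAPI_HEADER + bytes(40)                          # dummy DPAPI body
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
        ("https://vpn.example.com/", "jdoe", v10_blob, 0),
        ("https://mail.example.com/", "jdoe@example.com", dpapi_blob, 0),
        ("https://bank.example.com/", "", b"", 1),   # user clicked "Never" for this site
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for e in triage_login_data(build_sample_db()):
        print(f'{e["exposure"]:16} {e["encryption"]:12} {e["origin"]} {e["username"]}')
```

On a live system the same query against a copied 'Login Data' file (the browser locks the original) gives an incident responder the list of accounts to rotate, including the "never save" origins that a stealer log would otherwise reveal only to the attacker.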

Threat actors either utilize the obtained credentials in subsequent assaults or attempt to monetize them by selling them on darknet marketplaces. 

The emergence of the '2easy' dark web marketplace, where 50% of all traded data was taken via this software, is an illustration of how popular RedLine has become among hackers.

This Decade-old Malware has Picked Some Nasty New Tactics

 

Qakbot, a popular trojan for stealing bank credentials, has recently started delivering ransomware, making it more difficult for network defenders to identify what is and isn't a Qakbot attack. 

Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived despite Microsoft and other security firms' multi-year attempts to eliminate it. In 2017, Qakbot adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts, and creating copies of itself using the SMB file-sharing protocol. 

According to Kaspersky's new investigation of Qakbot, it is unlikely to go away soon. Kaspersky's detection statistics show Qakbot infected 65 percent more PCs between January and July 2021 than in the same period the previous year, so it is becoming increasingly dangerous. 

Qakbot is modular, as per Microsoft, allowing it to masquerade as unique attacks on each device on a network, making it tough to identify, prevent, and remove by defenders and security tools. 

The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely." 

Given the difficulty in identifying a common Qakbot campaign, the Microsoft team has profiled the malware's approaches and behaviours to aid security analysts in detecting it. Emailed attachments, links, or embedded images are the most common distribution methods. It is also known to attack machines using Visual Basic for Applications (VBA) macros and legacy Excel 4.0 macros. In July, TrendMicro examined a significant Qakbot campaign that employed this tactic. 

Qakbot hides harmful processes using process injection, creates scheduled activities that stay on the machine, and manipulates the Windows registry. Once installed on an infected system, it uses a variety of lateral movement techniques, as well as the Cobalt Strike penetration-testing framework and ransomware. 

Last year, the FBI warned that Qakbot was distributing ProLock, a type of "human-operated ransomware." This matters for containment: machines infected with Qakbot must be isolated from the network because they serve as the bridge for the ransomware attack. Microsoft noted that Qakbot injects into MSRA.exe and Mobsync.exe and uses those processes to run network discovery commands and to steal Windows credentials and browser data. 
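The injection targets and the discovery commands that follow are a good correlation opportunity. The following is an added detection example written for this page (not Microsoft's or Kaspersky's code): it runs three rules over constructed Sysmon-style events (EID 8 CreateRemoteThread, EID 1 ProcessCreate) and ties discovery commands back to a preceding injection into msra.exe or mobsync.exe. The discovery-binary list and the regsvr32/rundll32 loader parents are assumptions for the example, not facts from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Processes Microsoft observed Qakbot injecting into (from the report above).
INJECTION_HOSTS = {"msra.exe", "mobsync.exe"}
# Typical host/network discovery binaries; this list is an assumption.
DISCOVERY = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
             "arp.exe", "netstat.exe", "nslookup.exe", "route.exe", "ping.exe"}
# Loader hosts assumed to parent persistence tasks in this example.
LOADER_HOSTS = {"regsvr32.exe", "rundll32.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=10)):
    """Return (rule, host, detail) alerts, in time order, for Sysmon-style dicts."""
    alerts = []
    injected = defaultdict(list)  # host -> [(timestamp, injected pid)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["eid"] == 8:
            target = basename(ev["TargetImage"])
            if target in INJECTION_HOSTS:
                injected[host].append((ev["ts"], ev["TargetProcessId"]))
                alerts.append(("remote_thread_into_injection_host", host,
                               f"{basename(ev['SourceImage'])} -> {target}"))
        elif ev["eid"] == 1:
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            if parent in INJECTION_HOSTS and img in DISCOVERY:
                # Link the discovery command to an injection seen shortly before
                # into the very process that is now its parent.
                linked = any(t <= ev["ts"] <= t + window and pid == ev["ParentProcessId"]
                             for t, pid in injected[host])
                rule = ("discovery_from_injected_process" if linked
                        else "discovery_from_unusual_parent")
                alerts.append((rule, host, f"{parent} -> {cmd}"))
            if (img == "schtasks.exe" and "/create" in cmd.lower()
                    and parent in INJECTION_HOSTS | LOADER_HOSTS):
                alerts.append(("scheduled_task_persistence", host, cmd))
    return alerts


def score_hosts(alerts):
    """Weight linked discovery highest; a host with injection + discovery + task stands out."""
    scores = defaultdict(int)
    for rule, host, _ in alerts:
        scores[host] += 3 if rule == "discovery_from_injected_process" else 1
    return dict(scores)


# Constructed sample telemetry: one infected workstation and one benign control.
T0 = datetime(2021, 9, 1, 10, 0, 0)
S = "C:\\Windows\\System32\\"
EVENTS = [
    {"ts": T0, "host": "WS01", "eid": 1, "Image": S + "msra.exe",
     "ParentImage": S + "regsvr32.exe", "ProcessId": 4120, "ParentProcessId": 3980,
     "CommandLine": "msra.exe"},
    {"ts": T0 + timedelta(seconds=2), "host": "WS01", "eid": 8,
     "SourceImage": S + "regsvr32.exe", "TargetImage": S + "msra.exe",
     "SourceProcessId": 3980, "TargetProcessId": 4120},
    {"ts": T0 + timedelta(seconds=30), "host": "WS01", "eid": 1, "Image": S + "whoami.exe",
     "ParentImage": S + "msra.exe", "ProcessId": 4200, "ParentProcessId": 4120,
     "CommandLine": "whoami /all"},
    {"ts": T0 + timedelta(seconds=35), "host": "WS01", "eid": 1, "Image": S + "net.exe",
     "ParentImage": S + "msra.exe", "ProcessId": 4212, "ParentProcessId": 4120,
     "CommandLine": "net view /all /domain"},
    {"ts": T0 + timedelta(minutes=1), "host": "WS01", "eid": 1, "Image": S + "schtasks.exe",
     "ParentImage": S + "msra.exe", "ProcessId": 4230, "ParentProcessId": 4120,
     "CommandLine": 'schtasks.exe /Create /RU "NT AUTHORITY\\SYSTEM" /tn upd /tr '
                    '"regsvr32.exe -s C:\\Users\\Public\\x.dll" /SC ONCE /ST 10:30'},
    # Benign control: a helpdesk "whoami" from an ordinary shell on another host.
    {"ts": T0 + timedelta(hours=1), "host": "WS02", "eid": 1, "Image": S + "whoami.exe",
     "ParentImage": S + "cmd.exe", "ProcessId": 900, "ParentProcessId": 880,
     "CommandLine": "whoami"},
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, host, detail in found:
        print(f"{host} {rule}: {detail}")
    print(score_hosts(found))
```

The rule that fires on "discovery_from_unusual_parent" without a linked injection is intentionally kept separate: msra.exe and mobsync.exe have no legitimate reason to spawn whoami or net, so it is still worth a ticket, but the linked variant is the one that justifies immediate isolation.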

Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. As per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).

"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted. 

"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor." 

Microsoft's recommended mitigations for reducing Qakbot's impact include turning on Office 365 phishing protection, enabling SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by enabling the Windows Antimalware Scan Interface (AMSI). Microsoft Defender Antivirus and other third-party antivirus products support AMSI. AMSI support for Excel 4.0 macros was only added in March, so it is still a new capability that should be confirmed as enabled.

A Phishing Campaign in Germany is Attempting to Steal Banking Credentials

 

Credential phishing attacks aimed at obtaining German banking credentials have become more widespread, according to Proofpoint researchers. Proofpoint analysts have identified multiple high-volume operations imitating large German institutions, such as Volksbank and Sparkasse, employing customized, actor-owned landing sites, since August 2021. Hundreds of organizations are affected by the activity, which is still ongoing.

The campaigns targeted a range of industries, with a focus on German companies and foreign workers in Germany. Each campaign comprised tens of thousands of messages and affected hundreds of organizations. The phishing emails use account-administration themes and contain links or QR codes leading to a geo-fenced credential harvesting site that collects bank branch details, login identity, and PIN. The threat actor used several URL redirection tactics to spread the malicious URLs, including compromised WordPress sites that redirect users to the phishing landing pages. 

Threat actors regularly abuse WordPress plugins and WordPress-built sites to distribute malicious URLs for phishing and malware campaigns. Feedproxy URLs and QR codes were also seen redirecting to the phishing pages. Only visitors from Germany reach the phishing site: according to Proofpoint, the actor performs IP geolocation checks, and a visitor outside Germany is sent to a cloned tourist-information page for Dusseldorf's Rhine Tower instead of the bank look-alike. The same geofencing frustrates analysis from outside the target region, so URL scanners and sandboxes should be run from a German egress address when vetting these links. 

The actor hosts these pages on its own infrastructure using consistent domain naming conventions. Sparkasse credential phishing URLs, for example, frequently begin with "spk-", whereas Volksbank clones begin with "vr-". Some examples of the domains used by this threat actor are vr-mailormular[.]com/Q20EBD6QLJ, vr-umstellungssystem-de[.]com/FLBSEKZ9S3, spk-security-spk[.]com/P84OZ3OIS2, and spk-systemerneuerung-spk[.]com/CJ4F6UFR0T. 
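Both this campaign and the Department of Labor one above rely on domains that carry a brand token under the wrong TLD or behind a hyphen (dol-gov[.]com, bids-dolgov[.]us, spk-..., vr-...). The following is an added example for this page (not Proofpoint's or Inky's code) of a small triage heuristic that sorts sender and landing-page domains into trusted, wrong-TLD, lookalike and unrelated. The Sparkasse and Volksbank entries in the trusted table are assumptions made for the example; only the "spk-" and "vr-" prefixes are documented above, and the sample list is constructed from the indicators quoted in the two posts.

```python
import re

# Brand tokens for each trusted registered domain. Which tokens belong to
# which bank domain is an assumption for this example.
TRUSTED = {
    "dol.gov": ("dol",),
    "sparkasse.de": ("spk", "sparkasse"),
    "volksbank.de": ("vr", "volksbank"),
}

DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def normalize_host(value):
    """Lower-case, re-fang, and strip scheme, path/query and mailbox from a value."""
    v = DEFANG.sub(".", value.strip().lower())
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v)   # drop URL scheme
    v = v.split("/")[0].split("?")[0]              # drop path and query
    v = v.rsplit("@", 1)[-1]                       # drop mailbox / userinfo
    return v.rstrip(".")


def classify_domain(value, trusted=TRUSTED):
    host = normalize_host(value)
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return "unrelated"
    tld, registrable = labels[-1], labels[-2]

    # 1. Exact match or a subdomain of a trusted domain.
    for tdom in trusted:
        if host == tdom or host.endswith("." + tdom):
            return "trusted"

    # 2. Same registrable label under a different TLD (dol.com for dol.gov).
    for tdom in trusted:
        t_label, t_tld = tdom.rsplit(".", 1)
        if registrable == t_label and tld != t_tld:
            return "wrong-tld"

    # 3. Brand token as a hyphenated component (dol-gov.com, spk-..., vr-...),
    #    or brand+TLD squashed into one label (bids-dolgov.us).
    parts = {p for label in labels[:-1] for p in label.split("-")}
    squashed = "".join(labels[:-1]).replace("-", "")
    for tdom, tokens in trusted.items():
        if parts & set(tokens):
            return "lookalike"
        if tdom.replace(".", "") in squashed:
            return "lookalike"
    return "unrelated"


def triage(values, trusted=TRUSTED):
    """Return the non-trusted values with their verdict."""
    out = {}
    for v in values:
        verdict = classify_domain(v, trusted)
        if verdict != "trusted":
            out[v] = verdict
    return out


# Constructed sample built from the indicators quoted in the two posts.
SAMPLE = [
    "no-reply@dol.gov",
    "no-reply@dol.com",
    "dol-gov[.]com",
    "dol-gov[.]us",
    "bids-dolgov[.]us",
    "https://vr-mailormular[.]com/Q20EBD6QLJ",
    "spk-security-spk[.]com/P84OZ3OIS2",
    "example.com",
]

if __name__ == "__main__":
    for value, verdict in triage(SAMPLE).items():
        print(f"{verdict:10} {value}")
```

Short tokens such as "vr" will produce false positives on unrelated domains, so in practice the lookalike verdict is a reason to look at the page or the mail headers, not a blocking decision on its own; the wrong-TLD verdict for a .gov brand is much stronger.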

Proofpoint could not attribute this campaign to a known threat group. However, registrant information tied to several of the domains has been linked to over 800 phony websites, most of them imitating banks or financial institutions, and domain registration data suggests the same actor may have targeted users of Spanish banks earlier this year. Cybercriminals focused on banking credential theft and financial fraud are opportunistic and target large numbers of victims.

TA406 APT Group, Which is Tied to North Korea, has Increased its Attacks

 

In 2021, a North Korean-linked threat actor known as TA406 ramped up its attacks, including credential harvesting campaigns, according to Proofpoint. The adversary, also known as Kimsuky, Thallium, and Konni to other security researchers, has been attacking organizations in sectors including education, government, media, and research. According to Proofpoint, TA406 is the actor most closely associated with Kimsuky activity, which the firm tracks as three distinct threat actors: TA406, TA408, and TA427.

Kaspersky researchers first documented the group in 2013. Toward the end of October 2020, US-CERT published an alert on Kimsuky's recent operations detailing its TTPs and infrastructure. The APT group has primarily targeted South Korean think tanks and organizations, with further victims in the United States, Europe, and Russia. 

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said. 

During the first half of the year, Proofpoint noticed weekly attacks against journalists, foreign policy experts, and non-governmental organizations (NGOs), particularly those related to actions that affect the Korean Peninsula. Journalists and academics were also targeted. TA406 targeted high-ranking political figures at numerous governmental institutions, and consultancy firms, defense institutions, law enforcement agencies, and economic and financial organizations, as part of their March 2021 campaign. 

Amadey, Android Moez, BabyShark, CARROTBAT/CARROTBALL, FatBoy, KONNI, SANNY, and YoreKey are among the malware families used. It also appears that NavRAT and QuasarRAT were used. 

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.” reads the report. 

According to the security experts, TA406 has been involved in financially motivated assaults, such as sextortion and the targeting of cryptocurrency, just like other North Korean state-sponsored actors. “Proofpoint assesses with high confidence that TA406 operates on behalf of the North Korean government. Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the security firm notes.

Android Malware BrazKing Makes a Comeback as a Stealthier Banking Trojan

 

The Android banking trojan BrazKing has returned, this time with dynamic banking overlays and a new implementation trick that allows it to operate without seeking potentially dangerous permissions. IBM Trusteer researchers analyzed a new malware sample they discovered outside of the Play Store, on sites where individuals end up after getting smishing (SMS) messages. These HTTPS sites notify potential victims that their Android version is outdated and offer an APK that would supposedly update them to the most recent version. 

The previous version of BrazKing abused the accessibility service to determine which app the user had opened; when it recognized the launch of a targeted banking app, it displayed an overlay screen pulled from a hardcoded URL on top of the real app. The new version instead sends on-screen content to the C2 server at regular intervals and asks the server for a match, so the decision about which app is in use is made server-side, and credential grabbing is initiated by the C2 server rather than by a command baked into the malware. 

The added agility is that the attacker can choose whether to proceed based on the victim's IP address (Brazilian or not) or on whether the sample is running in an emulator, and can change what is returned. The target list can be changed at any time without updating the malware.  

When it displays its overlay, BrazKing loads the fake screen's URL received from the C2 into a WebView inside a window. Android's System WebView lets apps open web content without leaving the app. Because it adds the WebView from within the accessibility service, BrazKing uses TYPE_ACCESSIBILITY_OVERLAY as the window type, which does not require the SYSTEM_ALERT_WINDOW ("draw over other apps") permission. 

The new version of BrazKing protects its internal resources by XORing them with a hardcoded key and then Base64-encoding the result. Analysts can reverse these steps quickly, but they still help the malware stay undetected while nested on the victim's device. If the user tries to uninstall the malware, it rapidly taps the 'Back' or 'Home' buttons to abort the action. 
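The XOR-then-Base64 scheme is worth showing because it is also trivially breakable without the key. The following is an added example written for this page (not BrazKing's code and not from IBM Trusteer): it reproduces the described protection, decodes it with the key, and recovers the key by known plaintext, since a resource such as a C2 endpoint is expected to begin with "https://". The key, the resource names and their values are all constructed for the example.

```python
import base64
from itertools import cycle

KEY = b"k3y!"   # constructed stand-in for the sample's hardcoded key


def xor_bytes(data, key):
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def protect(text, key=KEY):
    """XOR then Base64, the order the analysis describes for the resources."""
    return base64.b64encode(xor_bytes(text.encode("utf-8"), key)).decode("ascii")


def unprotect(blob, key=KEY):
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8")


def recover_key(blob, known_prefix, key_len):
    """Known-plaintext: ciphertext XOR expected plaintext yields the key bytes."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than the key")
    ct = base64.b64decode(blob)
    return xor_bytes(ct[:key_len], known_prefix.encode("utf-8"))


def guess_key(resources, url_name, known_prefix="https://", max_len=8):
    """Try key lengths in turn; accept the first whose key decodes the URL
    resource to the full known prefix and every other resource to printable text."""
    for n in range(1, min(max_len, len(known_prefix)) + 1):
        key = recover_key(resources[url_name], known_prefix, n)
        try:
            decoded = {name: unprotect(blob, key) for name, blob in resources.items()}
        except UnicodeDecodeError:
            continue
        if (decoded[url_name].startswith(known_prefix)
                and all(s.isprintable() for s in decoded.values())):
            return key, decoded
    return None, {}


# Constructed resource table as it might sit in the APK after protection.
RESOURCES = {
    "c2": protect("https://c2.example.invalid/api"),
    "overlay": protect("https://c2.example.invalid/overlay/bank.html"),
    "pkg": protect("com.example.bank"),
}

if __name__ == "__main__":
    key, decoded = guess_key(RESOURCES, "c2")
    print("recovered key:", key)
    for name, value in decoded.items():
        print(f"{name:8} {value}")
```

The prefix check beyond the trial key length is what rejects shorter wrong keys: a one-byte key recovered from the first ciphertext byte is correct for that byte only, so the decoded URL stops matching "https://" at the second character.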

When a user tries to start an antivirus app in the hopes of scanning and removing malware, the same method is performed. As Android's security tightens, malware developers quickly adapt to deliver stealthier versions of their tools, as shown by BrazKing's progression.

Sydney Man Detained by AFP, Obliged to Pay AUS $1.66 Million

 

A Sydney man who sold hijacked subscription-service credentials must now forfeit almost AUS $1.66 million, mostly in cryptocurrency along with some cash. The 23-year-old had already been sentenced in April to two years and two months in prison for running the large illicit operation that sold Netflix, Hulu, and Spotify usernames and passwords. 

According to the AFP, the forfeited funds will be allocated by the Department of Home Affairs to crime prevention, law enforcement, and community safety activities. The man is also serving the two-year-and-two-month sentence handed down in April. 

The AFP launched an investigation in May 2018 after receiving information from the FBI concerning a now-defunct account-generating website named WickedGen.com. 

WickedGen was a portal that offered stolen login information for internet subscription services such as Netflix, Spotify, and Hulu. The account information belonged to unwitting individuals in Australia and across the world, including the United States. 

The Sydney resident was identified as the founder, operator, developer, and main financial beneficiary of WickedGen and three additional sites offering similar services. Across the four websites he had over 150,000 registered members and sold about 86,000 subscriptions for unlawful access to legitimate streaming services. 

In October of last year, the Sydney-based man pled guilty to acquiring these log-ins and passwords. Following the guilty plea, the AFP's Criminal Assets Confiscation Taskforce (CACT) secured restraining orders on the individual's cryptocurrencies, as well as bank and PayPal accounts kept under fictitious identities. 

Use of online subscription services has grown in Australia to the point that nearly as many Australians now consume content through subscription streaming platforms such as Netflix as watch free-to-air television. 

According to the observations published by the Australian Bureau of Communications, Arts, and Regional Research, the prominence of over-the-top services has been on the surge.

Vidar Stealer Abuses Mastodon to get C2 Configuration Without Raising Alarms

 

The Vidar stealer has reappeared in a new campaign that takes advantage of the Mastodon social network to obtain its C2 configuration without raising alerts. Recent Vidar versions show a new venue from which the stealer receives dynamic configuration and drop-zone information for downloading and uploading files; earlier, Vidar used the Tumblr and Faceit gaming platforms to fetch dynamic configuration from its operators.

Vidar, first spotted in October 2018, is a descendant of the former Arkei Stealer, which, due to its simplicity, dynamic configuration methods, and continued development, appears to be one of the most popular stealers at the present. Vidar developers refined and centralized the execution vector, making each stealer independent and eliminating the need for extra executables.

All popular browser information such as passwords, cookies, history, and credit card details, cryptocurrency wallets, files according to regex strings provided by the TA, Telegram credentials for Windows versions, file transfer application information (WINSCP, FTP, FileZilla), and mailing application information are among the data that Vidar attempts to steal from infected machines. 

Vidar's victimology is made up of private individuals, streamers, and social influencers from all over the world. Manufacturing enterprises and financial institutions are targeted in some situations, usually in spam campaigns.

Vidar's usage of Mastodon, a popular open-source social media network, to gain dynamic configuration and C2 connectivity is what makes this campaign unique. The threat actors create Mastodon accounts and then put the IP of the stealer's C2 to their profile's description section. 

The goal is to secure communications from the compromised machine to the configuration source, and because Mastodon is a trusted platform, security tools shouldn't red flag it. At the same time, Mastodon is a relatively unmoderated space, making it unlikely that these malicious profiles will be discovered, reported, and removed. According to Cyberint researchers that uncovered this campaign, each C2 they saw included between 500 and 1,500 separate campaign IDs, indicating Vidar's widespread deployment. 

In preparation for data exfiltration, Vidar Stealer stores all acquired data in a working directory with a random 25-character name, including credentials from a variety of chat, email, FTP, and web-browsing applications, as well as cryptocurrency wallets, a desktop screenshot, and details of the system configuration.

Phishing Attackers Spotted Using Morse Code to Avoid Detection

 

Microsoft has revealed details of a deceptive year-long social engineering campaign in which the operators changed their obfuscation and encryption mechanisms every 37 days on average, including using Morse code, in an attempt to hide their tracks and steal user credentials. 

One of numerous tactics employed by the hackers, who Microsoft did not name, to disguise harmful software was Morse Code, a means of encoding characters with dots and dashes popularised by telegraph technology. It serves as a reminder that, despite their complexity, modern offensive and defensive cyber measures are generally based on the simple principle of hiding and cracking code. 

The phishing attempts take the shape of invoice-themed lures that imitate financial-related business transactions, with an HTML file ("XLS.HTML") attached to the emails. The ultimate goal is to collect usernames and passwords, which are then utilized as an initial point of access for subsequent infiltration attempts. 

The attachment was compared to a "jigsaw puzzle" by Microsoft, who explained that individual pieces of the HTML file are designed to appear innocuous and slip by the endpoint security software, only to expose their true colors when decoded and joined together. The hackers that carried out the attack were not identified by the company.

"This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," the Microsoft 365 Defender Threat Intelligence Team said in an analysis. “On their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions." 

When the attachment is opened, a counterfeit Microsoft Office 365 credentials dialogue box appears on top of a blurred Excel document in a browser window. The dialogue box displays a message asking recipients to sign in again because their access to the Excel document has allegedly expired. When a user types in a password, they are told that the password is incorrect, while the malware stealthily collects the credentials in the background. Since its discovery in July 2020, the campaign is reported to have gone through ten iterations, with the adversary periodically changing its encoding methods to hide the harmful nature of the HTML attachment and the many attack segments contained within the file. 

According to Christian Seifert, lead research manager at Microsoft's M365 Security unit, the hackers have yet to be linked to a known group. “We believe it is one of the many cybercrime groups that defraud victims for profit,” Seifert said.
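An added example, not from Microsoft's analysis, of the decoding a mail gateway or analyst script would do to see through this obfuscation: it finds runs of Morse tokens in an HTML attachment, decodes them, peels a second hex layer when the decoded text is one, and flags the attachment if what comes out is HTML or script. The sample attachment is constructed and only encodes a bare `<form>` tag.

```python
import re

MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Seven or more dot/dash tokens separated by spaces or "/" word separators;
# an ellipsis or a lone "--" in prose never reaches that length.
MORSE_RUN_RE = re.compile(r"(?:[.\-]{1,5}[ /]+){6,}[.\-]{1,5}")
HEX_RE = re.compile(r"^[0-9A-F]+$")
# Markers that a recovered segment is markup or script rather than harmless text.
SUSPICIOUS_MARKERS = ("<script", "<form", "<input", "password", "eval(", "http", "document.")


def decode_morse(run):
    """Decode a run of Morse tokens; words are separated by '/', letters by whitespace."""
    words = []
    for word in run.split("/"):
        words.append("".join(MORSE_TO_CHAR.get(tok, "?") for tok in word.split()))
    return " ".join(w for w in words if w)


def unwrap_layers(decoded):
    """Peel the second layer: Morse text that is itself a hex string of the real content."""
    compact = decoded.replace(" ", "")
    if len(compact) % 2 == 0 and HEX_RE.match(compact):
        try:
            return bytes.fromhex(compact).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return decoded
    return decoded


def find_morse_segments(html_text):
    """Return (morse_run, recovered_text) pairs for every Morse run in an attachment."""
    return [(m.group(0), unwrap_layers(decode_morse(m.group(0))))
            for m in MORSE_RUN_RE.finditer(html_text)]


def is_suspicious_attachment(html_text):
    """True when any Morse-encoded segment decodes to HTML or script content."""
    for _, recovered in find_morse_segments(html_text):
        lower = recovered.lower()
        if any(marker in lower for marker in SUSPICIOUS_MARKERS):
            return True
    return False


# Constructed sample resembling the described attachment: the script holds a Morse
# string whose decoded value is the hex of "<form>". Not taken from the real campaign.
SAMPLE_ATTACHMENT = (
    '<html><body><script>\n'
    'var a = "...-- -.-. -.... -.... -.... ..-. --... ..--- -.... -.. ...-- .";\n'
    '</script></body></html>'
)

if __name__ == "__main__":
    for run, recovered in find_morse_segments(SAMPLE_ATTACHMENT):
        print(f"{run!r} -> {recovered!r}")
    print("suspicious:", is_suspicious_attachment(SAMPLE_ATTACHMENT))
```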

UBEL is the Android Malware Successor to Oscorp

 

As part of a fresh campaign that began in May 2021, an Android malware that was previously found abusing the device's accessibility features to steal user credentials from European banking applications has morphed into an altogether new botnet. Oscorp, a mobile malware built to attack several financial targets with the purpose of stealing funds from unsuspecting users, was revealed by Italy's CERT-AGID in late January. 

The Oscorp malware, like other Android malware, convinces users to grant it access to the Android Accessibility Service, which allows it to read text on the phone screen, detect an app installation prompt, traverse the permission list, and install apps on the user's behalf. “Not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages, to blocking the device and possibly to the capture of audio and video,” read the advisory published by Italy’s CERT-AGID. 

Malicious SMS messages were used to spread the malware, with attackers posing as bank operators to deceive targets over the phone and secretly gain access to the infected device using the WebRTC protocol, allowing them to execute unlawful bank transfers. While no fresh activity had been detected since then, it appears that Oscorp has returned after a brief hiatus in the shape of the UBEL Android botnet. 

"By analysing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors]," Italian cybersecurity company Cleafy said on Tuesday, charting the malware's evolution. 

UBEL, like its predecessor, is marketed on underground forums for $980 and asks for invasive permissions that allow it to read and send SMS messages, record audio, install and delete apps, launch itself automatically after system boot, and exploit Android accessibility services to collect confidential data such as login credentials and two-factor authentication codes, which are exfiltrated to a remote server. 

Once installed on the device, the malware tries to disguise itself as a service and hide its presence from the target, allowing for long-term persistence. Notably, using WebRTC to communicate with the hijacked Android phone in real time eliminates the need to enroll a new device and take over an account in order to commit fraud. 

"The main goal for this [threat actor] by using this feature, is to avoid a 'new device enrolment', thus drastically reducing the possibility of being flagged 'as suspicious' since device's fingerprinting indicators are well-known from the bank's perspective," the researchers said.

Fake Chrome App is Being Used as Part of a Cyberattack Campaign

 

According to researchers at cybersecurity company Pradeo, a new Android malware has been discovered that imitates the Google Chrome app and has already infected hundreds of thousands of smartphones. The threat has been labeled a "Smishing Trojan" by the researchers. 
 
According to the researchers, the fake Google Chrome app is part of a smartphone attack campaign that uses phishing to steal credit card information. Once the fake app is downloaded, the device itself becomes part of the attack campaign. 

“The malware uses victims’ devices as a vector to send thousands of phishing SMS. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks,” said the researchers in their ‘Security Alert’ post on their website. 

The attack begins with a simple "smishing" gambit, according to Pradeo researchers: targets receive an SMS text telling them to pay "custom fees" to receive a package delivery. If they fall for it and tap the link, a message appears informing them that the Chrome app needs to be updated. If they accept the prompt, they are directed to a malicious website that hosts the phony app. It is, in reality, ransomware that is downloaded onto their phones. 

After the ostensible "update," victims are directed to a phishing page, which completes the social engineering: according to the study, they are asked to pay a small sum (usually $1 or $2) in a less-is-more strategy, which is of course just a front to collect credit card information.

“Attackers know that we’re accustomed to receiving alerts of all types on our smartphones and tablets,” Hank Schless, senior manager of security solutions at Lookout said. “They take advantage of that familiarity to get mobile users to download malicious apps that are masked as legitimate ones.” 

The campaign is especially risky, according to Pradeo researchers, because it combines an effective phishing tactic, self-propagating malware, and multiple security-solution bypasses. “The attack could be the work of a regular level but very ingenuous cybercriminal,” Pradeo’s Roxane Suau said. “All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users.”

Fake Microsoft DirectX 12 Distributes Malware

 

Cybercriminals have built a bogus Microsoft DirectX 12 download page in order to spread ransomware that steals cryptocurrency wallets and passwords. Despite the fact that the website has a contact form, a privacy policy, a disclaimer, and a DMCA infringement page, neither the website nor the software it distributes is legitimate.

When users press the Download buttons, they are routed to an external website that prompts them to download a file. Depending on whether the 32-bit or 64-bit edition is chosen, the file is called '6080b4 DirectX-12-Down.zip' [VirusTotal] or '6083040a Disclaimer.zip' [VirusTotal]. Both files deliver malware that attempts to steal files, passwords, and cryptocurrency wallets from their victims.

When the bogus DirectX 12 installers are launched, they silently download and execute malware from a remote site, as discovered by security researcher Oliver Hough. This malware is a data-stealing Trojan that tries to snatch a victim's cookies, directories, device records, installed programs, and even a snapshot of the current desktop. The malware authors are attempting to steal a number of cryptocurrency wallets from Windows applications, including Ledger Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Atomic, and Monero. 

All of the information is gathered in a %Temp% folder, which the malware zips up and sends back to the attacker. The data is then analysed and used for other nefarious purposes by the attacker. To spread malware, threat actors are rapidly building fake websites, some of which are far more persuasive than others.

Ficker ransomware is already spreading across websites impersonating Microsoft Store and Spotify, according to ESET. Details and user accounts stored in web browsers, email applications, and FTP clients are stolen by the malware. It can even rob from your bitcoin wallet, exfiltrate documents, and take screenshots of your running applications. 

As part of a larger ransomware campaign targeting cybersecurity experts, the Lazarus Group has set up a bogus security firm and social media accounts. For a fictitious Turkish business called SecuriElite, the attackers built a website, as well as a Twitter and a LinkedIn account. The firm claimed to provide offensive security services, according to the Google security team that was tracking the state-backed hackers.

Logins for 1.3 million Windows Remote Desktop Servers Leaked by UAS

 

UAS, the largest hacker marketplace for hacked RDP credentials, has leaked the login names and passwords for 1.3 million current and previously compromised Windows Remote Desktop servers. Thanks to this huge leak of stolen remote access credentials, researchers get an insight into a bustling cybercrime economy for the first time, and they can use the evidence to tie up loose ends from past cyberattacks. 

The Remote Desktop Protocol (RDP) is a stable, interoperable protocol that allows network terminals to build and maintain secure connections between clients and servers or virtual machines. RDP is the most sought-after listing among cybercriminals because it works across many Windows operating systems and applications. Criminals can gain access to an entire business network by launching their attack with completely valid login credentials. This allows the offenders to remotely control a device without the system recognising the activity as malicious: because the login itself is legitimate, no further authentication measures stand in the way, giving the criminals complete and unrestricted access. 

UAS, or ‘Ultimate Anonymity Services,' is a website that offers Windows Remote Desktop login credentials, leaked Social Security numbers, and SOCKS proxy server access. UAS stands out as a broad marketplace that also provides manual verification of the RDP account credentials it sells, customer service, and advice on how to keep remote access to a compromised device. 

"The market functions partially like eBay - a number of Suppliers work with the market. They have a separate place to log in and upload the RDPs they hacked. The system will then verify them, collect information about each one (os, admin access? internet speed, CPU, memory etc etc), which is added to the listing. The supplier interface provides real time stats for the suppliers (what sold, what didn't, what was sold but a refund was asked for, etc). They also provide support if for some reason what you bought doesn't work. They do take customer support seriously," said a security researcher who wishes to remain anonymous. 

Threat actors can scan for compromised computers in a specific country, state, area, zip code, ISP, or operating system while buying stolen RDP accounts, helping them to locate the specific server they need.

Fake Microsoft Store, Spotify Distribute Malware to Steal User Data

 

Attackers are promoting sites that imitate the Microsoft Store, Spotify, and an online document converter to spread malware that steals credit cards and passwords stored in web browsers. ESET, a cybersecurity company, detected the attack and posted an alert on Twitter to be on the lookout for the malicious campaign. 

On both desktops and mobile devices, Windows remains vulnerable to a significant number of malware threats, at least more so than its peers and competitors. Despite having an official app store, it is almost too easy to infect a Windows PC merely by installing an app. Microsoft advises users to only download applications from the company's official channels; however, some hackers are taking advantage of this by posing as legitimate companies. The Microsoft Store is an online store that sells Microsoft products. 

According to Jiri Kropac, ESET's Head of Threat Detection Labs, the attack is carried out via deceptive ads that promote what appear to be legitimate applications. One of the ads used in this attack, for example, promotes an online chess game. When users click on the ad, they are taken to a fake Microsoft Store page for a fake 'xChess 3' online chess application, which is automatically downloaded from an Amazon AWS server. 

According to an Any.Run report created by BleepingComputer, the downloaded zip file is called 'xChess v.709.zip' [VirusTotal], which is actually the 'Ficker', or 'FickerStealer,' information-stealing malware in disguise. Other ads from this malware campaign imitate Spotify or an online document converter. Their landing pages also download a zip file containing the Ficker malware when visited. Instead of being greeted by a new online chess program or the Spotify software when they unzip the file and run the executable, the user gets the Ficker malware, which runs and begins stealing the data stored on their device. 

Ficker is a data-stealing Trojan that was first posted on Russian-language hacker forums in January before the developer started renting it out to other threat actors. Threat actors will use this malware to steal passwords from web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients. The malware can also steal over fifteen cryptocurrency wallets, steal documents, and take screenshots of active applications running on victims' computers, according to the developer.

U.S. Department of Justice Warns of Fake Unemployment Benefits Websites Stealing Data

 

Recently the United States Department of Justice warned citizens against threat actors who are imitating state workforce agencies (SWAs) in order to steal Americans’ sensitive credentials and other important data. 

In a press release issued on 5th March, the department reported that it has received reports of these cyber attacks. It added that certain threat actors were mimicking real websites, building sites that look like those genuinely belonging to the state workforce agencies (SWAs). 

The entire purpose of this attack is to persuade users that they are actually applying for unemployment benefits and submitting their information and other sensitive credentials on the right platform. However, after collecting consumers’ identifiable data, the hackers use this information for their private advantage, such as to commit identity theft. To lure victims to these fake websites, the criminals usually send spam messages and emails with a link to a spoofed SWA website. 

“Unless from a known and verified source, consumers should never click on links in text messages or emails claiming to be from an SWA offering the opportunity to apply for unemployment insurance benefits,” said the department. 

The department further added that anyone who wants to submit an application for unemployment benefits should go directly to an official SWA website. The roughly 10 million people in the USA who are seeking unemployment benefits are also advised to watch out for phishing attacks and not to take any communication they receive at face value. 

“Carefully examine any message purporting to be from a company and do not click on a link in an unsolicited email or text message. Remember that companies generally do not contact you to ask for your username or password,” said the department. 

Officials said that anyone who is unsure whether the entity sending a message is authentic should contact the National Center for Disaster Fraud (NCDF) and report the communication, but must not rely on any contact information given in the suspicious messages.

Masslogger Campaigns Exfiltrates Clients Credentials

 

Attackers are continually reinventing approaches to monetize their tools. Cisco Talos recently found an intriguing campaign affecting Windows systems and targeting users in Turkey, Latvia, and Italy, although similar campaigns by the same actor have likewise targeted users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October and November 2020. The threat actor utilizes a multi-modular approach that begins with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. However, it can likewise be a weakness, as it gives defenders many chances to break the kill chain. 

Delivered through phishing emails, the Masslogger trojan's most recent variant is contained inside a multi-volume RAR archive using the .chm file format and .r00 extensions, said Cisco's security research arm. Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.” 

CHM is a compiled HTML Help file that here contains an embedded HTML file with JavaScript code to start the active infection process. Each phase of the infection is obfuscated to avoid detection by simple signatures. The subsequent stage is a PowerShell script that eventually deobfuscates into a downloader, which downloads and loads the main PowerShell loader. The Masslogger loaders appear to be hosted on compromised legitimate hosts with a filename consisting of one letter and one number followed by the filename extension .jpg, for instance "D9.jpg". 

Masslogger is not an entirely new creation of the malware industry: Talos highlighted research by infosec researcher Fred HK, who attributed it to a malware underground persona who goes by the handle NYANxCAT. Prices for Masslogger were apparently $30 for three months or $50 for a lifetime license. Cisco's analysis showed that Masslogger “is almost entirely executed and present only in memory”, with just the email attachment and the HTML help file written to disk.
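Talos' point about breaking the kill chain, worked as an added detection example (not Talos code): it correlates a mail-log entry for a .chm or RAR-volume attachment with a later proxy request from the same client for a loader named like `D9.jpg`, inside a one-hour window. The log formats, addresses and the www.example.com hostname are constructed placeholders.

```python
import re
from datetime import datetime

# Loader naming from the report: one letter, one digit, ".jpg", as the last path element.
LOADER_NAME_RE = re.compile(r"/[A-Za-z][0-9]\.jpg(?:\?|$)")
# Attachment extensions from the report: CHM help files and RAR volumes (.r00, .r01, ...).
ATTACH_RE = re.compile(r"\.(chm|r\d{2})$", re.IGNORECASE)

# Constructed sample logs. Format: "<iso-time> <client-ip> <rest>".
MAIL_LOG = [
    "2020-10-12T09:10:00Z 10.0.0.21 attachment=Invoice_1043.r00",
    "2020-10-12T09:12:00Z 10.0.0.33 attachment=Q3_report.pdf",
    "2020-10-12T09:15:00Z 10.0.0.40 attachment=manual.chm",
]
PROXY_LOG = [
    "2020-10-12T09:14:10Z 10.0.0.21 GET http://www.example.com/images/D9.jpg",
    "2020-10-12T09:14:30Z 10.0.0.33 GET http://www.example.com/images/banner.jpg",
    "2020-10-12T13:05:00Z 10.0.0.40 GET http://www.example.com/u/a1.jpg",  # hours later
]


def parse(line):
    """Split a log line into (timestamp, client, remainder)."""
    ts, client, rest = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, rest


def suspicious_attachments(mail_log):
    """Map client -> delivery times of .chm / .rNN attachments."""
    out = {}
    for line in mail_log:
        ts, client, rest = parse(line)
        name = rest.partition("=")[2]
        if ATTACH_RE.search(name):
            out.setdefault(client, []).append(ts)
    return out


def loader_fetches(proxy_log):
    """Map client -> (time, url) of requests whose path ends in an X#.jpg loader name."""
    out = {}
    for line in proxy_log:
        ts, client, rest = parse(line)
        url = rest.split(" ", 1)[1] if " " in rest else rest
        if LOADER_NAME_RE.search(url):
            out.setdefault(client, []).append((ts, url))
    return out


def correlate(mail_log, proxy_log, window_seconds=3600):
    """Clients that fetched a loader within `window_seconds` after a suspicious attachment.

    Either stage alone is noisy (.jpg names, stray archives); the sequence is the signal.
    """
    hits = []
    deliveries = suspicious_attachments(mail_log)
    for client, fetches in loader_fetches(proxy_log).items():
        for fetch_ts, url in fetches:
            if any(0 <= (fetch_ts - d).total_seconds() <= window_seconds
                   for d in deliveries.get(client, [])):
                hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in correlate(MAIL_LOG, PROXY_LOG):
        print(f"ALERT {client}: attachment followed by loader fetch {url}")
```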

Meet Oski Stealer: In-depth Analysis Of the Popular Credential Stealer


In the current threat landscape, credential theft malware is one of the most frequently employed kinds of malware in cyber attacks. Many government and non-government organizations are becoming victims of such attacks as employees are targeted for their credentials. 

The main objective of this malware is to actively acquire confidential and sensitive data, consisting of users' official names, passwords of their systems, and financial information. 

Credential theft malware can cause destruction to a computer system and its network. Threat actors don’t just use this malware to steal passwords, but also to delete files and render computers inoperable. Potentially, malware can lead to infections which in turn cause many problems that affect the daily operations and long-term security of affected organizations. 

The Oski stealer is a credential stealer that was first reported in November 2019. As the name suggests, it works as a broad information stealer, harvesting personal and sensitive information from its victims. The name 'Oski' is derived from an old Nordic word meaning ‘Viking warrior’, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its targets.  

As per the sources, “the ‘Oski’ stealer is a classic information stealer platform that is being sold on Russian underground hacking forums at a low price of $70-$100. The stealer is written in C++ and it has all the typical features of credential theft malware”. 

According to the research, ‘Oski’ targets sensitive information including: 

• Login credentials from different applications 
• System information 
• Browser information (cookies, autofill data, and credit cards) 
• Screenshots 
• Crypto wallets 
• Different user files 

Besides, the stealer can also work as a Downloader to download a second-stage malware with modification of tools. 

Every infection involves three parties: 
1. Malware authors 
2. Malware customers 
3. Malware victims 

The customers contact ‘Oski actors’ on underground forums to buy the malware and, once purchased, they customize it and distribute it to their targets. Oski has become popular and has built a strong reputation within the underground community, with many of its buyers regularly providing positive feedback and reviews about the functions of the malware. 

While giving further insights, intelligence sources said, “Even we have to admit that Oski’s functionality works pretty well. From setting up and checking the environment to stealing information by application type, Oski’s code is written with purpose and care. The code is neat and clean, without any presence of useless code lines, however, it does lack sophisticated anti-analysis tricks like anti-debugging and dynamic anti-analysis tricks”.