
Hackers Use Auto-reply to Deliver Crypto-miner Via Malicious Emails

Threat actors constantly develop new techniques to distribute malware. In a recent attack, they used malicious e-mail auto-replies to deliver crypto-mining malware. Russian cybersecurity firm F.A.C.C.T. said that threat actors breached e-mail accounts and set up automatic replies containing links to cryptocurrency-mining malware.

Auto-replies for Malware Distribution

In traditional malware distribution attacks, hackers relied on malicious downloads, compromised websites, and phishing e-mails. The new method uses auto-replies instead. Experts from F.A.C.C.T. explained that the technique was employed to deliver the Xmrig crypto-miner to employees of Russian tech companies, insurance firms, financial businesses, and retail marketplaces. Experts found 150 e-mails containing Xmrig earlier this year.

Cybercriminals Using New Methods

Dmitry Eremenko, senior analyst at F.A.C.C.T., said: “This method of malware delivery is dangerous because the potential victim initiates communication first. This is the main difference from traditional mass mailings, where the recipient often receives an irrelevant email and ignores it.”

Although the auto-reply e-mails did not look convincing, they did not raise suspicion either. To avoid detection, the hackers attached a scan of a real invoice for equipment payment, unrelated to the e-mail's subject. Any company or user who corresponds with a breached mailbox can therefore become a target.

Use of cryptocurrency mining software

Xmrig is an open-source cryptocurrency mining software mainly used for mining Monero (XMR). Cybercriminals have been using new techniques to deliver Xmrig to target devices. For instance, in one campaign, the hackers used a pirated version of Final Cut Pro (a video editing software) to deploy the crypto-miner on Apple computers.

F.A.C.C.T. has no information about who is behind the attack or how successful it was. Experts believe the breached e-mail accounts had previously had their credentials and data leaked on the darknet. The breached accounts belonged to construction companies, a furniture factory, a farm, and small trading firms.

To stay safe, the report suggests: “do not save passwords in browsers, install unlicensed software, because it may contain stealers, do not follow dubious links in the mail and do not enter your data on dubious sites (phishing).”

Crypto Mining and DDoS Threats: How Hadooken Malware Targets Oracle Web Logic Servers

Threat actors were found exploiting poorly secured Oracle WebLogic servers for mining cryptocurrency, building a DDoS botnet, and other malicious activities. 

The Discovery

Researchers from Aqua Cybersecurity found various attacks in the wild and decided to catch culprits by running a honeypot (a cybersecurity technique that creates a decoy system to trick and trap threat actors). Soon after, the experts found a threat actor breaking through weak passwords, and installing a malware called “Hadooken.”

The malware has been used in a few other recent attacks and has two primary functions: a DDoS botnet and cryptocurrency mining. Beyond this, the malware gives threat actors complete control over the compromised endpoint.

About Hadooken Malware

Oracle WebLogic is a Java-based application that allows the management, development, and deployment of enterprise-level apps. It is generally used in financial and banking services, telecommunications, public services, and government organizations. Because of its popularity, and because it has had “various vulnerabilities,” as The Register reports, WebLogic has become a major target for threat actors.

Impact on Organizations

Until now, the experts found threat actors use Hadooken for mining crypto, while other functions are yet to be used. Experts also believe that Hadooken has hints of ransomware functions. “It could be the threat actor will introduce this attack to a Linux ransomware as well, or it is already introduced if the malware runs on the system longer than a sandbox execution,” the experts said.

When researchers tracked the IP addresses used by the Hadooken malware, they found two. One belongs to a UK hosting company but is registered in Germany; the address was earlier associated with TeamTNT and the 8220 Gang, but according to the experts this link is not strong enough evidence to connect these attacks to those threat actors. The second IP address is in Russia, registered with the same hosting company, and is currently inactive.

How Hadooken Works

Hadooken abuses flaws in Oracle WebLogic servers that stem from misconfigurations or unpatched software. Once the malware gains access, it establishes a foothold in the system that lets threat actors run remote commands.

Hadooken's ability to steal passwords is a concern: it captures login credentials, which let threat actors move laterally inside a network and gain access to other systems and data. This can lead to further data breaches and ransomware attacks.

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Recently found malware uses advanced techniques to defeat antivirus safeguards, delete signs of infection, and permanently infect devices with cryptocurrency-mining software, experts said. 

"The first goal of the GhostEngine malware is to disable endpoint security solutions and specific Windows event logs, such as Security and System logs, which record process creation and service registration," said Elastic Security Labs researchers, who found the attacks.

The Anatomy of GhostEngine

  • Targeting Endpoint Security Solutions: GhostEngine specifically aims at endpoint security solutions, which include antivirus software, intrusion detection systems, and endpoint detection and response (EDR) tools. By disabling these defenses, the attackers gain a foothold within the victim’s system.
  • Driver Exploitation: The attack exploits vulnerable drivers from popular security software providers, such as Avast and IOBit. These drivers are essential for communication between the operating system and hardware components. GhostEngine manipulates them to gain access to the kernel, a privileged area of the system.
  • Silent Disabling of EDR: Once inside, GhostEngine silently disables the EDR system. This step is crucial because EDR tools monitor system behavior, detect anomalies, and respond to threats. By neutralizing EDR, GhostEngine ensures that its activities remain undetected.
  • Cryptocurrency Mining Payload: With the defenses down, GhostEngine deploys its payload: XMRig, a popular Monero (XMR) mining software. Monero is favored by cybercriminals due to its privacy features, making it difficult to trace transactions. The compromised system becomes a silent miner, contributing computational power to the attacker’s mining pool.

About GhostEngine

A function in the primary payload called GhostEngine disables Microsoft Defender or any other antivirus or endpoint security software that may be running on the targeted computer, which is critical to the extraordinarily complicated malware system's operation. It also masks any signs of compromise. 

When GhostEngine first starts, it checks the machine for any running EDR (endpoint detection and response) software. If it detects any, it loads drivers known to have vulnerabilities that let attackers gain access to the kernel, which is normally tightly restricted to prevent manipulation.

Modus operandi

One of the vulnerable drivers is Avast's anti-rootkit file aswArPots.sys, which GhostEngine uses to shut down the EDR security agent. A malicious file named smartscreen.exe then deletes the security agent's binary using the IObit driver iobitunlockers.sys.

Once the susceptible drivers are loaded, detection opportunities diminish drastically, and businesses must identify affected endpoints that stop submitting logs to their SIEM, according to the researchers. SIEM stands for security information and event management. Their research is consistent with recent findings from Antiy.

After the EDR has been terminated, smartscreen.exe downloads and installs XMRig, a genuine tool for mining the Monero cryptocurrency, which is frequently abused by threat actors. A configuration file is included, which causes all money generated to be put into an attacker-controlled wallet.

The infection chain begins with the execution of a malicious binary masquerading as the genuine Windows file TiWorker.exe. That file executes a PowerShell script that obtains an obfuscated script called get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server.

File execution to enable the virus

GhostEngine also executes various files that enable the virus to become persistent, which means it loads every time the infected machine restarts. 

To accomplish this, the get.png script creates the following scheduled tasks running as SYSTEM, the highest privilege level in Windows:

  • OneDriveCloudSync uses msdtc to start the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes.
  • DefaultBrowserUpdate will launch C:\Users\Public\run.bat, which downloads and executes the get.png script every 60 minutes.
  • OneDriveCloudBackup will run C:\Windows\Fonts\smartsscreen.exe every 40 minutes.
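One way a defender can hunt for this persistence on a Windows host, as an added example that is not part of the original post or of Elastic's report: the task names, file paths and the SYSTEM principal are taken from the list above; the function name, the "suspicious directory" heuristic and the output layout are this example's own assumptions.

```powershell
# Added example: look for the GhostEngine scheduled tasks described on this page.
# Indicators (task names, paths) are quoted from the post; everything else is assumed.
$KnownTaskNames = @('OneDriveCloudSync', 'DefaultBrowserUpdate', 'OneDriveCloudBackup')
$KnownArtifacts = @(
    'C:\Windows\System32\oci.dll',
    'C:\Users\Public\run.bat',
    'C:\Windows\Fonts\smartsscreen.exe'
)
# Heuristic (assumption): a SYSTEM task rarely has a legitimate reason to execute from here.
$SuspiciousDirs = @('C:\Users\Public\', 'C:\Windows\Fonts\')

function Find-GhostEngineTasks {
    [CmdletBinding()]
    param()

    foreach ($task in Get-ScheduledTask) {
        $reasons = @()
        if ($KnownTaskNames -contains $task.TaskName) {
            $reasons += "task name matches published GhostEngine task '$($task.TaskName)'"
        }
        # Task principals for SYSTEM appear as 'SYSTEM' or the well-known SID S-1-5-18.
        $runsAsSystem = $task.Principal.UserId -match '(^|\\)SYSTEM$|^S-1-5-18$'

        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            foreach ($artifact in $KnownArtifacts) {
                if ($cmdline -like "*$artifact*") {
                    $reasons += "action references published artifact $artifact"
                }
            }
            foreach ($dir in $SuspiciousDirs) {
                if ($runsAsSystem -and $cmdline -like "*$dir*") {
                    $reasons += "SYSTEM task executes from $dir"
                }
            }
        }

        if ($reasons.Count -gt 0) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                RunAs    = $task.Principal.UserId
                Actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
                Reasons  = ($reasons | Select-Object -Unique) -join '; '
            }
        }
    }
}

function Find-GhostEngineFiles {
    # The oci.dll service DLL is started through msdtc, so its path may never appear in a
    # task action; checking the disk directly covers that case.
    foreach ($artifact in $KnownArtifacts) {
        if (Test-Path -LiteralPath $artifact) {
            Get-Item -LiteralPath $artifact | Select-Object FullName, Length, LastWriteTime
        }
    }
}

Find-GhostEngineTasks | Format-List
Find-GhostEngineFiles | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since tasks under \Microsoft\ and files under C:\Windows\System32 are not fully visible to an unprivileged user; an empty result means none of the published indicators were found, not that the host is clean.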

Why GhostEngine Matters

  • Financial Gain: GhostEngine’s primary motive is financial. By harnessing the victim’s computing resources, the attackers mine Monero, potentially yielding substantial profits. The longer the attack remains undetected, the more cryptocurrency they accumulate.
  • Resource Drain: Cryptojacking strains system resources—CPU, memory, and electricity—leading to slower performance and increased energy bills. Users may notice sluggishness but remain unaware of the underlying cause.
  • Corporate Impact: In corporate environments, widespread cryptojacking can disrupt business operations. Overloaded systems affect productivity, and IT teams must allocate resources to investigate and remediate the issue.

BitBrowser Hackers Launder 70.6% of Stolen Funds

In a recent heist that startled the cryptocurrency world, hackers moved a remarkable 70.6% of the funds stolen from BitBrowser through the eXch crypto mixer. This bold move has raised concerns about the security of digital assets and the growing sophistication of thieves.

The attack, which targeted BitBrowser, a decentralized finance (DeFi) platform, first came to light when users reported unauthorized transactions and missing funds. The hackers managed to siphon off a substantial amount of cryptocurrency before the breach was discovered. According to reports, the stolen funds included 236 ETH (Ethereum), which were promptly moved through the eXch crypto mixer to obfuscate their origins.

The eXch crypto mixer, known for its privacy-centric features, allows users to mix their cryptocurrencies with those of other users, making it difficult to trace the source of the funds. This tool has become increasingly popular among hackers looking to launder stolen digital assets.

The BitBrowser hack and subsequent use of the eXch crypto mixer highlight the ongoing battle between cybersecurity experts and cybercriminals. As blockchain technology and cryptocurrencies gain mainstream adoption, they also attract malicious actors seeking to exploit vulnerabilities.

Cybersecurity experts and law enforcement agencies are working tirelessly to track the stolen funds and identify the hackers responsible. However, the use of crypto mixers and other privacy-enhancing tools complicates these efforts. These tools are not inherently illegal, as they also serve legitimate purposes, such as protecting user privacy and enhancing fungibility in cryptocurrencies.

This incident underscores the importance of robust security measures for cryptocurrency platforms and the need for continued innovation in the field of blockchain forensics. Blockchain analysis companies are developing advanced techniques to trace the flow of cryptocurrencies through mixers and dark web marketplaces, but it remains a challenging endeavor.

Cryptocurrency exchanges and DeFi platforms must prioritize security and invest in state-of-the-art cybersecurity measures to protect their users' assets. Additionally, regulatory bodies around the world are tightening their grip on cryptocurrency-related activities to prevent money laundering and illegal financial activities.


3 Vital Cybersecurity Threats for Employees

Cybersecurity is no longer just the IT department's job in today's digitally connected society. Protecting confidential firm information is the responsibility of every employee, from the CEO to the newest intern. Cybercriminals are growing more skilled, and their methods are changing. It's crucial that every employee is knowledgeable of potential hazards if your company is to be protected. The following three cyber threats are ones that every employee should be aware of:

1. Phishing Attacks

Phishing attacks are one of the most common and dangerous threats organizations face. Cybercriminals use deceptive emails or messages that appear legitimate to trick employees into revealing sensitive information, such as login credentials or financial data. These emails often contain urgent requests or appear to come from trusted sources. Employees should be cautious and verify the sender's identity before clicking on any links or providing personal information. Regular training on recognizing phishing attempts is crucial in the fight against this threat.

2. Ransomware

Ransomware attacks have been on the rise in recent years. In a ransomware attack, malicious software encrypts an organization's data, rendering it inaccessible. Cybercriminals then demand a hefty ransom to provide the decryption key. Employees should be cautious about downloading attachments or clicking links from unknown sources. Regularly backing up data and keeping software up to date can help mitigate the impact of a ransomware attack.

3. Social Engineering

Social engineering attacks involve manipulating employees into divulging confidential information or performing actions that compromise security. This can involve impersonating colleagues, superiors, or even IT support. Employees should always confirm the identity of individuals making unusual requests, especially those involving sensitive data or financial transactions. Training programs should include simulations of social engineering attacks to prepare employees for real-world scenarios.

Educating employees about these cybersecurity threats is not a one-time effort; it should be an ongoing process. Regular training sessions, email reminders, and updates on emerging threats are essential components of a robust cybersecurity awareness program. Additionally, employees should be encouraged to report any suspicious activity promptly.

Keep in mind that a cybersecurity breach doesn't just result in financial losses. It may damage a company's reputation and undermine client and partner trust. By prioritizing cybersecurity knowledge for all employees, organizations can greatly reduce their risk and better safeguard their sensitive data.

Cybersecurity is a shared responsibility, so each employee must be aware of potential dangers. The risks that businesses today must deal with include phishing attempts, ransomware, and social engineering. By remaining alert and knowledgeable, employees can become a key line of defense in the ongoing fight against cybercrime.

Ransomware Actors are Using Crypto Mining Pools to Launder Money

 

According to a recent analysis by the blockchain forensics company Chainalysis, the use of cryptocurrency mining as a money-laundering technique extends beyond nation-state actors and has particular appeal to ordinary criminals.

As per reports, sanctioned nation-states like Iran have turned to cryptocurrency mining as a way to amass money away from the traditional banking system. In a recent development, cybersecurity firm Mandiant also disclosed how the Lazarus Group, a notorious North Korean hacker group, has been utilising stolen cryptocurrencies like Bitcoin to buy freshly-mined cryptocurrency through hashing rental and cloud mining services.

Simply explained, online criminals mine "clean" coins using stolen crypto and then utilise different businesses to launder them. One of these sites, according to Chainalysis, is an unnamed "mainstream exchange" that has been acknowledged as having received "substantial funds" from wallets and mining pools connected to ransomware activity. 

In total, $94.2 million was sent to one of these deposit addresses, of which $19.1 million came from ransomware addresses and $14.1 million from mining pools. Chainalysis also found that the ransomware wallet in question was occasionally sending money to a mining pool "both directly and via intermediaries."

“This may represent a sophisticated attempt at money laundering, in which the ransomware actor funnels funds to its preferred exchange via the mining pool in order to avoid triggering compliance alarms at the exchange,” the report reads. 

Chainalysis further asserts that "ransomware actors may be increasingly abusing mining pools"; citing its data, the company stated that "since the start of 2018, we've seen a large, steady increase in value sent from ransomware wallets to mining pools." 

A total of 372 exchange deposit addresses have received cryptocurrency transfers totaling at least $1 million from mining pools and ransomware addresses. Instances like these, in the opinion of the company, point to ransomware criminals trying to pass off their stolen money as earnings from cryptocurrency mining. 

Chainalysis said that "this sum is certainly an underestimate," adding that "these exchange deposit addresses have received a total of $158.3 million from ransomware addresses since the beginning of 2018."

Illegal money transfers 

Chainalysis cites BitClub as an additional noteworthy instance of cybercriminals using mining pools. BitClub was a notorious cryptocurrency Ponzi scheme that deceived thousands of investors between 2014 and 2019 by making claims that its Bitcoin mining operations would generate significant returns. 

The company claims that BitClub Network transmitted Bitcoin valued at millions of dollars to wallets connected to "underground money laundering services" allegedly based in Russia. These money laundering wallets then transferred Bitcoin to deposit addresses at two well-known exchanges over the course of three years. 

The same period, between October 2021 and August 2022, saw the transfer of millions of dollars' worth of Bitcoin to the identical deposit addresses at both exchanges by an unidentified Russian Bitcoin mining company. 

The cryptocurrency exchange BTC-e, which U.S. authorities accuse of facilitating money laundering and running an illegal money service business, sent money to one of the wallets linked to the alleged money launderers. BTC-e is also alleged to have handled money stolen from Mt. Gox, the biggest Bitcoin exchange of the early 2010s.

These accusations led to the seizure of BTC-e by American authorities in July 2017, the removal of its website, and the arrest of its founder, Alexander Vinnik, in Greece the same month. 

Prevention Tips

According to Chainalysis, mining pools and hashing providers should put strict wallet screening procedures in place, including Know Your Customer (KYC) protocols, in order to "ensure that mining, which is a core functionality of Bitcoin and many other blockchains, isn't compromised."

The company also believes that these verification processes can successfully stop criminals from using mining as a means of money laundering by using blockchain analysis and other tools to confirm the source of funds and rejecting cryptocurrency coming from shady addresses.

Malware Authors Unknowingly Take Down Their Own Botnet

 

It is not often that malware authors go to the trouble of building a tool for assembling a botnet, only to find a way to sabotage it themselves. But that seems to be the case with "KmsdBot," a distributed denial-of-service (DDoS) and crypto-mining botnet that Akamai researchers discovered last month infecting systems across multiple industries.

It has since gone mostly silent because of a single incorrectly formatted command from its author. The malware, written in the Go programming language, infects systems over SSH connections with weak credentials and, for its DDoS attacks, uses UDP, TCP, and HTTP POST and GET commands. According to Kaspersky, the malware is designed to target multiple architectures, including Windows, Arm64, and mips64 systems.

Luxury car manufacturers, gaming companies, and IT firms are among those affected by the malware. The threat actors used KmsdBot to execute DDoS attacks in all of the attacks witnessed by Akamai, despite the malware's cryptomining functionality.

Following Akamai's initial disclosure in November, the company's researchers continued to monitor and analyse the threat. They modified a recent sample of KmsdBot as part of the exercise and decided to test various scenarios related to the malware's command and control (C2) functionality.

Akamai researchers located the place in the malware's code that contained the IP address and port of KmsdBot's C2 server and changed it so that the address pointed into Akamai's own IP space.

During the testing, Akamai researchers found that the bot abruptly stopped working after receiving a command to send a large volume of junk traffic to bitcoin.com, an obvious attempt to DDoS the website. According to Cashdollar, the bot has no error checking to ensure that the commands it receives are properly formatted. As a result, the Go binary crashes with the error message "index out of range."

He also claims that Akamai was able to reproduce the problem by sending the bot an incorrectly formatted command of its own.

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Notably, the bot does not support any kind of persistence mechanism. As a result, the malware authors' only option for rebuilding the KmsdBot botnet is to infect systems from scratch. Cashdollar asserts that almost all of the KmsdBot-related activity tracked by Akamai in recent weeks has ceased. However, there are indications that threat actors are attempting to infect systems again, he says.

Cryptominer Malware Posing as Desktop Version of Google Translate

 

A crypto-mining campaign from Turkey has been found infecting thousands of PCs by advertising desktop versions of well-known apps. The actor behind this campaign is known as "Nitrokod."

Nitrokod is a Turkish-speaking software company that has been operating since 2019 and promotes its free and secure software. The majority of the programs Nitrokod provides are well-known apps without a formal desktop version. For instance, the desktop version of Google Translate is the most used Nitrokod application. Since Google hasn't made a desktop version available, the hackers' version is quite tempting.

Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.

Malware operation 

The campaign spreads malware through free software hosted on websites such as Uptodown and Softpedia. Each of the four droppers in the executable's attack chain pulls down the next one; the chain ultimately ends, at the seventh stage, with the download of the actual malware, XMRig.

The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

The creators of Nitrokod segregate destructive activities from the Nitrokod program that was initially downloaded in order to escape detection:
  • Nearly a month after the Nitrokod software was set up, the malware is first executed.
  • After six earlier phases of infected programs, the malware is deployed.
  • A scheduled-task technique was used to keep the infection chain going after a lengthy wait, giving the hackers time to destroy any evidence.

CPR discovered this new crypto-miner campaign using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution. With this technology, SOC teams can swiftly identify, investigate, and respond to attacks across their whole IT infrastructure. By using data collected from all products, including Endpoint, Network, Web security, and others, it detects risks inside the company and stops them from spreading.

Nearly a month after the first infection, the malware is removed. The third stage dropper runs five days after the last run, and the fourth stage dropper adds four more scheduled activities with intervals ranging from one to fifteen days. The phases are removed following the creation of these assignments.

Detection & prevention

As a result, investigators have a very hard time identifying the attack and linking it back to the bogus installer. The malware also connects to a remote C2 server to obtain a configuration file with which to launch the XMRig mining operation.

Thanks to the extended infection chains and staged infection, the hackers were able to avoid detection for months. This gave them plenty of time to change the final payload into crypto-miners or ransomware. To keep their trojanized versions in demand and unique, the attackers deliver the malware through popular apps such as Google Translate that have no official desktop version.