Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Crypto Platform. Show all posts

AllaKore RAT: Malware Target Mexican Banks and Crypto Platforms


Mexican financial institutions are suffering attacks by a new spear-phishing campaign, spreading a modified version of an open-source remote access trojan named ‘AllaKore RAT’.

The activity was attributed by the BlackBerry Research and Intelligence Team to an unidentified financially motivated threat actor operating in Latin America. The campaign has been active since 2021, at least.

"Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week. "The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud."

The attacks are specifically intended to target big businesses with annual sales of more than $100 million. Retail, agriculture, the public sector, manufacturing, transportation, commercial services, capital goods, and banking are among the industries targeted.

The attack begins with a ZIP file that is either distributed through phishing emails or a drive-by compromise. This file contains an MSI installer file that launches a.NET downloader, which verifies the victim's geolocation in Mexico and retrieves the modified AllaKore RAT, a Delphi-based RAT that was first discovered in 2015.

"AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.

An additional feature added to the malware comprises support for commands from the threat actors regarding banking frauds, targeting banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The campaign's use of Mexico Starlink IPs and the insertion of Spanish-language instructions to the modified RAT payload provide the threat actor with ties to Latin America. Moreover, the lures used are only effective for businesses big enough to submit reports directly to the Department of the Mexican Social Security Institute (IMSS).

"This threat actor has been persistently targeting Mexican entities for the purposes of financial gain[…]This activity has continued for over two years, and shows no signs of stopping," the company stated.

This research comes with a report by IOActive, revealing it has discovered three vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) in the Lamassu Douro bitcoin ATMs that might provide physical access to an attacker the ability to take complete control of the machines and steal user data.  

Hackers Steal Around $320M+ from Crypto Firm Wormhole

 

A threat actor abused a vulnerability in the Wormhole cryptocurrency platform to steal $322 million worth of Ether currency. 

Wormhole Portal, a web-based application—also known as a blockchain "bridge"—that enables users to change one type of bitcoin into another, was the target of the attack earlier. Bridge portals transform an input cryptocurrency into a temporary internal token, which they then turn into the user's preferred output cryptocurrency using "smart contracts" on the Ethereum blockchain. 

The attacker is suspected to have taken advantage of this method to deceive the Wormhole project into releasing significantly more Ether (ETH) and Solana (SOL) tokens than they originally provided. The attacker allegedly stole crypto-assets worth $322.8 million at the time of the attack, according to reports. As per reports, the attacker acquired crypto-assets worth $322.8 million at the time of the incident, which have since depreciated to $294 million due to price swings since the breach became public. 

While a Wormhole official is yet to respond to a request for comment on today's incident. The firm verified the incident on Twitter and put its site on maintenance while it investigates. The Wormhole attack is part of a recent pattern of abusing [blockchain] bridges, according to Tal Be'ery, CTO of bitcoin wallet app ZenGo who informed The Record about the Wormhole Attack. 

A hacker stole $80 million from Qubit Finance just a week ago, in a similar attack against another blockchain bridge. As per data compiled by the DeFiYield project, if Wormhole officially acknowledges the number of stolen funds, the incident will likely become the biggest hack of a cryptocurrency platform so far this year, and the second-largest hack of a decentralised finance (DeFi) platform of all time. 

Wormhole offered a $10 million "bug bounty" to a hacker. Be'ery pointed out that, similar to the Qubit hack, Wormhole is now appealing to the attacker to return the stolen funds in return for a $10 million reward and a "whitehat contract," which indicates that the platform will most likely not file any criminal complaints against the attacker. 

As per Wormhole's most recent Twitter update, posted on Thursday, February 3, the vulnerability has been fixed. However, as one former Uber executive discovered, such contracts exonerating hackers are illegal in some areas, and authorities may still investigate the hacker.


NFT Minting Platform Lympo Got Compromised for $18.7M

 

Lympo, a sports NFT minting platform and an Animoca Brands firm, was hacked and lost 165.2 million LMT tokens worth $18.7 million, the platform said in a blog post on 10 January.

According to the short Medium report, the hack exploited ten separate project wallets. Most of the stolen tokens were sent to a single address where the funds were swapped for Ether on SushiSwap or Uniswap before being sent to other addresses. Lympo claims that during the attack the threat actors connected to its internet-facing crypto wallet and used it to send/receive cryptocurrency.

“In response to this attack, Lympo enacted safeguards to ensure that no additional LMT could be stolen by the hackers. We are temporarily removing LMT from various liquidity pools in order to minimize disruption to token prices following the hack,” the company’s blog post read. 

Following the security breach, the price of LMT has dropped to $0.01882, which is the current all-time low of the token, Coinmarketcap reported. 

In response to this, the LMT team tweeted on 11 January that they were trying to stabilize the platform and are temporarily removing LMT from various liquidity pools in order to prevent further disruption of the token’s price. This is a remedial measure since after suspending the liquidity pool of the token, larger order volumes by traders are not fulfilled instantly, and traders also do not face any losses.

Lympo’s parent firm Animoca, a Hong Kong-based game venture capital company, stated that it is ready to support its subsidiary to deal with the challenges caused by the hacking. Animoca’s CEO, Yat Siu, released a statement that read: “We are working with Lympo to assist them on a recovery plan, but we don’t have any specific mechanisms.” 

This is the second hot wallet hack in the last week, with Liechtenstein-based crypto exchange LCX losing $7 million worth of tokens last Saturday. The hacker converted most of the stolen tokens to ETH and then sent them to the privacy mixer Tornado Cash. The team behind LCX has already stated that they will use their own funds to compensate the affected users.