Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cryptomining Scam. Show all posts

Hackers are Now Utilizing Office Documents to Launch the Regsvr32 Utility

 

Regsvr32, a Windows living-off-the-land binary (LOLBin) used to propagate trojans like Lokibot and Qbot, is seeing a surge in abuse recently, according to researchers. 

LOLBins are genuine, native utilities which are used on a regular basis in a variety of computing settings, yet are utilized by cybercriminals to avoid detection by merging in with typical traffic patterns. Regsvr32 is a Windows command-line program signed by Microsoft which lets users register and unregister DLLs (Dynamic Link Library). Information about a DLL file is uploaded to the centralized registry so the Windows may use it. 

This makes things simpler for other programs to take advantage of the DLLs' features. This broad reach is appealing to cybercriminals, who may exploit the utility through Squiblydoo, which has been a utilized malware by known APT groups, such as in spear-fishing efforts against Russian firms, and more recently in certain crypto mining events. 

Unlawful utilization of Regsvr32 has been on the rise recently in the Uptycs data, with cybercrooks attempting to register specifically. As a group, we. ActiveX controls are code blocks designed by Microsoft that allow applications to perform specified functions, such as showing a calendar, using OCX files. 

Uptycs EDR employs a multi-layered detection strategy that not only analyzes threats using the Squiblydoo technique but also prioritizes them according to a specific composite score and severity. This helps analysts focus on key situations first, reducing alert fatigue. 

The majority of such Microsoft Excel files found in the attacks have the.XLSM or.XLSB prefixes, which indicate files contain embedded macros. Using the formulas in the macros, hackers normally download or operate a malicious payload from the URL during the campaign. 

Conventional security systems and security personnel tracking this operation for malicious actions face a problem because regsvr32 is frequently utilized for regular daily tasks. The following aspects can be monitored by security teams: 

  • The parent/child program relations where regsvr32 is run alongside a Microsoft Word or Excel parent process. 
  • Locating  regsvr32.exe operations that load the scrobj.dll, which performs the COM scriptlet, to identify it.

Cloud Cryptomining Scam in Google Play Rakes in Cash

 

Researchers stated that fraudulent crypto mining applications available for download on Google Play have scammed more than 93,400 people so far, taking at least $350,000. 

The applications, which are divided into “BitScam” and “CloudScam” variants, market themselves as delivering bitcoin mining services for a charge, according to Lookout. 

“These apps were able to fly under the radar because they don’t actually do anything malicious,” said Ioannis Gasparis, a mobile application security researcher at Lookout, in an analysis released on Wednesday. 

“They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.” 

In addition to charging for the “apps,” the fraudsters push extra services and upgrades that users may buy within the apps, either directly by transferring Bitcoin to the creators' wallets (the BitScam version) or through the Google Play in-app billing system (the CloudScam version). On the official Google Play store, there were 25 similar apps, with a total of 170 when third-party app shops are included. Although the crypto mining applications have been deleted from Google Play, there are still hundreds more accessible for side-loading, according to Gasparis. 

He said in the report, “Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto-mining service that is really a scam. Cybercriminals have set up similar schemes to steal from desktop users, [but this is] the first scam that packages this scheme into mobile apps.” 

Working of mobile, socially engineered cryptomining scams: 

After downloading the app and creating an account, users are presented with an activity dashboard that claims to show the “available hash mining rate.” It also has a counter for the number of coins the victims are supposed to have earned. 

“The hash rate displayed is typically very low to lure the user into buying upgrades that promise faster mining rates,” Gasparis noted. Such “virtual hardware” upgrades can range from $12.99 to $259.99, Lookout found. Other “upgrades” include spendier subscription plans with lower minimum withdrawal balances and higher supposed mining rates. Users also are told they’ll earn “20 percent” of their friend’s earnings if they refer someone to the app, and are offered “daily rewards.” 

In terms of the coin counter, the applications just show a fake balance. The counter progressed only when the app was running in the foreground in some of the applications examined, and it was reset to zero when the mobile device was rebooted or the app was resumed. Some of the totals were limited: After counting to 10 on the CloudScam software "BTC Cash," for example, the counter resets to zero. 

“If cloud mining was actually taking place in either BitScam or CloudScam, we would expect the coin amount displayed to be stored in a secure cloud database and queried via an API,” Gasparis stated. 

Users are also prevented from withdrawing any coins unless they achieve a certain minimum balance in the applications (not that any coins actually exist). Even if such balance is purportedly attained, the applications merely display a notification informing the user that the withdrawal transaction is pending while simultaneously resetting the user's coin balance to zero. The user may receive an error message stating that the balance is inadequate for withdrawal in some situations. 

According to Gasparis, the first samples of these crypto-scam apps were disseminated through third-party app stores in the second half of 2019. He went on to say that it's possible that since then, rival entities have emerged to market their products in this area. 

He added, “My conclusion that CloudScam and BitScam are run by competing groups is based on the fact that each family has completely different codebases. There are a lot of mentions of Android bitcoin miners in general on the Dark Web, though nothing specific to the apps we found.” Gasparis informed Threatpost that he had no idea how to fix the applications, including how to halt subscriptions and reclaim any costs. 

“Purchasing goods or services online always requires a certain degree of trust in the vendor or at least the app store processing the transaction,” Gasparis noted in the report.

“While this is true for any online transaction, it is even more important with respect to financial services such as cryptocurrency investments. The scammers running this scheme were able to tap into the existing frenzy created by the hot cryptocurrency market. But no matter how high cryptocurrency valuations climb, there is no substitute for appropriate due diligence before purchasing a cryptocurrency mining app.” 

Lookout has five suggestions for identifying bitcoin scammers: 

1.Get to know the app's creators. What certifications or credentials do they have, what other applications have they created, do they have a website, and can you contact them? 

2.Install it from a reputable app store. While it's difficult to identify fraud, downloading from an official shop decreases your chances of getting malware. 

3.Take the time to read the terms and conditions. The majority of scam applications contain fictitious information or lack any terms. 

4.Use the app's reviews from other users to your advantage. When it comes to spotting frauds, reading other users' experiences with the app may be eye-opening. 

5. Understand the app's permissions and functions. Examine the app's actions for any red flags. Is the program requesting rights that it doesn't require to function? Is there a sudden crash or reset of the app, a sudden reset of the bitcoin balance, and a sudden reset of the displayed numbers? 

Cryptoming Scam Apps:

The scam apps that were available on Google Play and may still be installed on victims’ phones are:

1. BitScam (18): Top Coins, Mr Bitcoin, Star BTC, Bitcoin Burn, Moon BAT, Bito Holic, Bito Hash,  BitHash, Multi Coins, BitcoinCash Miner, Airdrop, Bright Miner, Pink BTC, XMR Miner, COIN Master, ETHMINER PRO, crypto cloud mining pro and Btc Miner pro.

2. CloudScam (7): Bito Miner, Mining Machine, BTC CLOUD, BTC Cash, Black Crypto, Cloud Mining, and Crypto Pro-Miner.