Showing posts with label Evil Corp.

Evil Corp Faces New Sanctions and BitPaymer Ransomware Charges

 

The Evil Corp cybercrime group has been hit with fresh sanctions by the United States, United Kingdom, and Australia. Additionally, the U.S. has indicted a member for their involvement in BitPaymer ransomware attacks.

Back in 2019, the U.S. had sanctioned 17 individuals and 7 entities linked to Evil Corp, including its leader, Maksim Yakubets. Today, the U.S. Treasury's Office of Foreign Assets Control (OFAC) has placed sanctions on seven more individuals and two additional entities connected to the syndicate. The UK and Australia have joined the U.S. in sanctioning some of these individuals as well, either today or as part of the 2019 sanctions.

The individuals facing sanctions include Eduard Benderskiy (Yakubets’ father-in-law), Viktor Grigoryevich Yakubets (his father), Aleksandr Viktorovich Ryzhenkov, Sergey Viktorovich Ryzhenkov, Aleksey Yevgenevich Shchetinin, Beyat Enverovich Ramazanov, and Vadim Gennadievich Pogodin. The two entities, Vympel-Assistance LLC and Solar-Invest LLC, are owned by Benderskiy.

According to the U.S. Department of the Treasury, Benderskiy, a former Spetsnaz officer with ties to Russian intelligence, has played a key role in facilitating Evil Corp's relationship with the Russian state. This partnership allegedly enabled the group to conduct cyberattacks and espionage operations against NATO allies prior to 2019.

Under these sanctions, assets linked to the designated individuals and entities are frozen, and persons in the U.S., UK, and Australia are prohibited from transacting with them. For ransomware victims this matters directly: a payment to Evil Corp or one of its front companies is a transaction with a sanctioned party, so paying without a licence from OFAC risks a sanctions violation regardless of the victim's intent.

In another significant development, the U.S. has unsealed an indictment against Aleksandr Ryzhenkov, an alleged Evil Corp member, for his role in ransomware attacks in the U.S. Ryzhenkov is accused of using BitPaymer ransomware in numerous attacks starting in 2017. The indictment states that Ryzhenkov and his co-conspirators gained unauthorized access to victims’ computer networks, deployed the BitPaymer ransomware to encrypt files, and left ransom notes demanding payment to decrypt the data and prevent the release of sensitive information.

The UK's National Crime Agency (NCA), drawing on data obtained in Operation Cronos (the ongoing law-enforcement operation against LockBit), has identified Ryzhenkov as a LockBit affiliate who carried out several attacks using that ransomware.

Evil Corp is notorious for creating the Dridex banking trojan and various ransomware strains. Initially, the gang used Dridex to steal banking credentials and commit financial fraud. As ransomware attacks grew, the group shifted focus, creating BitPaymer in 2017 to target businesses globally. Following U.S. charges against its members in 2019, Evil Corp split, with some members forming a new operation known as DoppelPaymer, which later rebranded as Grief and Entropy.

Despite sanctions, Evil Corp continued its operations by deploying new ransomware variants under different names, such as WastedLocker, Hades, and Phoenix CryptoLocker, among others. However, as these variants shared similar code, they were traced back to Evil Corp. To further evade sanctions, some affiliates began using LockBit ransomware.

Evil Corp-Affiliated Truebot Malware Changes its Strategy to Target RCEs and USBs

 

A growing number of devices are being infected with the Truebot malware by the threat group Silence. The activity was documented by Cisco Talos analysts, who also hypothesized a link between Silence and the notorious cybercrime outfit Evil Corp (tracked by Cisco as TA505).

In an advisory released last week, the security firm said the campaign it tracked produced two botnets: one with infections spread across the globe (especially Mexico and Brazil), and a second, more recent one focused on the US.

"We detected a number of compromised education sector organizations, albeit we do not have enough information to determine that there is a specific concentration on a sector,” the advisory reads. 

Tiago Pereira, a security researcher with Cisco Talos, describes Truebot as a precursor to other threats that are known to have been behind attacks with significant losses.

Because the attackers have shown agility in adopting new delivery methods, readers should treat a Truebot infection as the first phase of what might become a severe attack, Pereira advised.

Cisco Talos also noted that Silence is moving away from malicious email as its main delivery method and toward new approaches, in addition to broadening its targeting.

"A greater percentage of attacks used Raspberry Robin, contemporary malware disseminated via USB devices, as a delivery mechanism in October. We have a mediocre degree of confidence that the attackers began using yet another method to spread the virus in November," the researchers added.

Additionally, according to the technical write-up, post-compromise activities involved data theft and the deployment of the Clop ransomware. 

"We discovered what appears to be a completely functional proprietary data exfiltration tool, which we are calling 'Teleport,' that was heavily used to steal information during one of these attacks while we were studying it," the researchers wrote.

Teleport, written in C++, has several capabilities that make exfiltration harder to spot: it can limit upload speed and file size, it encrypts its connections with a custom protocol, and it can delete itself after use.
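The throttling and size caps described above matter to defenders because a per-connection "large upload" alert never fires on a tool that deliberately stays under the threshold. The following Python, added here as an illustration and not code from the Talos write-up or from the Teleport tool, runs a naive per-interval rate check alongside a cumulative-volume check over constructed flow records; the record format, the threshold values, and the internal address ranges are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Illustrative thresholds (assumptions, not values from the Talos write-up).
INTERVAL_SECONDS = 60          # bucket size for the per-interval rate check
RATE_LIMIT_BYTES = 100_000     # naive "large upload" alert: bytes per interval
TOTAL_LIMIT_BYTES = 500_000    # cumulative bytes to one host that should alert
MIN_ACTIVE_INTERVALS = 5       # sustained activity required for the slow check

# Internal ranges are assumed to be RFC 1918; anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed flow records: '<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>'."""
    lines = []
    # Throttled uploader: 90 KB per minute for ten minutes to one external host,
    # never exceeding RATE_LIMIT_BYTES in any single interval.
    for i in range(10):
        lines.append(f"{1_700_000_000 + 60 * i} 10.0.0.5 203.0.113.10 443 90000")
    # Bulk uploader: one 2 MB burst, which the naive check catches on its own.
    lines.append("1700000030 10.0.0.7 203.0.113.20 443 2000000")
    # Internal file-server copy: large, but not leaving the network.
    lines.append("1700000090 10.0.0.9 10.0.0.2 445 5000000")
    return lines


def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return int(ts), src, dst, int(dport), int(nbytes)


def detect_exfiltration(lines):
    """Return {(src, dst): reason} for source/destination pairs worth investigating."""
    per_interval = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst, _dport, nbytes = parse_flow(line)
        if is_internal(dst):
            continue  # only uploads that leave the network are of interest here
        per_interval[(src, dst)][ts // INTERVAL_SECONDS] += nbytes

    findings = {}
    for pair, buckets in per_interval.items():
        peak = max(buckets.values())
        total = sum(buckets.values())
        if peak > RATE_LIMIT_BYTES:
            findings[pair] = "bulk upload: single interval above rate limit"
        elif total >= TOTAL_LIMIT_BYTES and len(buckets) >= MIN_ACTIVE_INTERVALS:
            findings[pair] = "throttled upload: stays under rate limit but sustained"
    return findings


if __name__ == "__main__":
    for (src, dst), reason in sorted(detect_exfiltration(build_sample_flows()).items()):
        print(f"{src} -> {dst}: {reason}")
```

The bulk uploader trips the rate check immediately; the throttled host never does, and is only caught because the cumulative check tracks total volume per destination across many intervals. Tuning the interval and the minimum number of active intervals is what trades false positives (backup agents, cloud sync) against the slow exfiltration the text describes.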

While Cisco Talos was conducting its study, Silence also exploited a recently disclosed vulnerability in Netwrix Auditor (tracked as CVE-2022-31199).

“This vulnerability had just recently been published, only a few weeks before the attacks, and the number of systems exposed via the internet is believed to be fairly modest," the researchers concluded.

This implies that the attackers not only watch for new infection vectors but are quick to test them and fold them into their workflow. The tooling mentioned above is not exclusive to Silence: Raspberry Robin was tied to the Clop and LockBit ransomware operations in a Microsoft advisory from October.

Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, other threat actors continue to follow up on Raspberry Robin infections, indicating that the worm's operators are selling access to infected devices to ransomware gangs.

Raspberry Robin is a worm that infects Windows systems via infected USB devices. It is also known as QNAP Worm because of its use of compromised QNAP storage devices for command and control.

Raspberry Robin has been used to distribute the Bumblebee malware loader, the Truebot trojan, and the IcedID (also known as BokBot) banking trojan. Microsoft analysts also report that attackers used it to deploy the LockBit and Clop ransomware on compromised computers.

In July 2022, Microsoft reported that the FakeUpdates malware was installed on Raspberry Robin-infected devices and that this was followed by DEV-0243 activity. DEV-0243 is a ransomware-focused threat actor with ties to Evil Corp that is also believed to have used LockBit ransomware in some campaigns.

According to data from Microsoft's Defender for Endpoint product over the preceding 30 days, at least one alert for a payload associated with Raspberry Robin fired on almost 3,000 devices across roughly 1,000 organizations.

When Raspberry Robin-infected devices received the FakeUpdates backdoor in July, Microsoft analysts observed Evil Corp's pre-ransomware behavior on those networks. The FakeUpdates delivery itself was attributed to the access broker tracked as DEV-0206.

In September, IBM Security X-Force found additional links between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further assesses that the operators of the malware campaigns linked to Raspberry Robin are paying the worm's operators for payload distribution, which lets them acquire victims without relying on phishing. Microsoft expects the malware to develop into a severe threat.

HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers

 

The US Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently warned of rising Karakurt activity against the healthcare sector. The department has now issued a new warning about Evil Corp attacks.

According to the alert, Evil Corp is allegedly obtaining intellectual property from the United States healthcare sector on behalf of the Russian government. Evil Corp's Dridex trojan is capable of compromising the confidentiality and availability of operational systems and data, including financial and health data.

The threat actor has repeatedly changed its tactics to evade the sanctions imposed by the US government while causing millions of dollars in damage.

Evil Corp has a plethora of tools and techniques at its disposal, frequently combining commodity malware with living-off-the-land tactics. HC3 is also concerned because nation-state-aligned threat actors such as Evil Corp see data exfiltration as a cost-effective way to steal intellectual property.

Evil Corp makes no distinction between large and small organisations, targeting wherever there is an opportunity. Karakurt, for its part, has compromised at least an assisted living facility, a healthcare provider, a hospital, and a dental clinic, according to HC3. The group has even turned its leak site into a searchable database, making it easier to locate victim data.

The healthcare sector has long been a favourite target of cybercriminals, and this has only intensified since the onset of the pandemic. Various threat groups target the sector on a regular basis, so putting the necessary security measures in place is advised.

NRA Reacts to Allegations of a Ransomware Campaign

 

Last year, the National Rifle Association admitted it was hacked by cybercriminals. The organization's political action committee (PAC) confirmed the attack in a filing to the Federal Election Commission on Friday.

Last October, a ransomware group known as "Grief" boasted to the digital underworld about hacking into the gun lobby's network and stealing critical internal documents. It released screenshots of documents it claimed to have stolen in the incident. At the time, the NRA neither confirmed nor denied that it had been hacked.

"The National Rifle Association does not talk about its physical or electronic security. The NRA, on the other hand, takes exceptional precautions to safeguard information about its members, funders, and operations, and is extremely cautious in doing so," said Andrew Arulanandam, managing director of NRA Public Affairs.

When the NRA was added as a new victim on the ransomware gang's leak site, the post included pictures of Excel spreadsheets showing US tax information and transaction amounts. The threat actors also published a 2.7 MB archive called 'National Grants.zip', which contained what they claimed were NRA grant applications. After Grief claimed it had obtained 13 files from the NRA's systems, security researchers began posting about the breach on Wednesday. According to an analysis of the documents, they included records from a recent NRA board meeting as well as grant documents. Grief threatened to release more files if the NRA did not pay an undisclosed ransom.

The Grief ransomware group is believed to be linked to Evil Corp, a Russian hacking group. Evil Corp has been active since 2009 and has been involved in a variety of destructive cyber activities, including the spread of the Dridex trojan, which was used to steal online banking credentials and money. 

In 2017, the gang released the BitPaymer ransomware; in 2019 a splinter group forked it into DoppelPaymer. After years of attacks on US interests, the US Department of Justice charged Evil Corp members with stealing more than $100 million, and the Treasury added the group to the Office of Foreign Assets Control (OFAC) sanctions list.

Soon after, the US Treasury cautioned that ransomware negotiators could face civil penalties if they helped sanctioned gangs obtain ransom payments. To avoid US sanctions, Evil Corp has since been spreading new ransomware strains under different identities on a regular basis, including WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, most recently, Macaw Locker.

NRA members should take precautions to protect themselves from any fallout from this breach, according to Paul Bischoff, a privacy advocate at Comparitech. Security researchers believe Grief is another version of DoppelPaymer, based on code similarities. Because Grief is tied to Evil Corp, ransomware negotiators are unlikely to facilitate a ransom payment unless the victim first obtains an OFAC licence.

Entropy Ransomware Connected to Dridex Malware, as per Sophos

 

The recently discovered Entropy ransomware shares code with the Dridex malware, which started out as a banking trojan. Researchers were able to establish the connection after investigating two Entropy attacks on different organisations.

Sophos principal researcher Andrew Brandt explained in a new study that a detection signature written for Dridex prompted the closer look at Entropy: the signature for recognising Dridex's packer code fired on Entropy's packer. In both cases the target organisations had unprotected devices on which the ransomware ran, while endpoint protection blocked the attack on the devices it covered.

In both incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite these similarities, the two attacks differed greatly in the initial access vector used to gain a foothold, the time spent in each environment, and the malware used to launch the final stage of the intrusion.

In the attack on a media company, the attackers exploited the ProxyShell vulnerability to plant a web shell on a vulnerable Exchange Server, which was then used to deploy Cobalt Strike Beacons across the network. The attacker is believed to have spent four months on reconnaissance and data theft before launching the ransomware in December 2021. The second attack, on a provincial government agency, began with a malicious email attachment carrying Dridex.

Notably, before the files on compromised machines were encrypted, confidential documents were exfiltrated redundantly, as packed RAR archives, to more than one cloud storage service, all within 75 hours of the first suspicious login session observed on a single machine. Beyond the use of legitimate tools such as AdFind, PsExec, and PsKill, the resemblance between the Dridex and Entropy samples and earlier DoppelPaymer extortion infections raises the likelihood of a "similar origin".

The web of links between the malware families is worth noting: Dridex, an information-stealing botnet, is believed to be the work of Indrik Spider, CrowdStrike's name for the well-known Russian cybercrime outfit Evil Corp.

The Evil Corp cluster continues to refine its tradecraft, continually altering payload signatures, exploitation tools, and initial access methods to frustrate attribution. SentinelOne researchers identified these "evolutionary" ties in a standalone analysis, noting nearly identical design, implementation, and functionality across iterations of the malware, with the file-encrypting payload hidden by a packer named CryptOne.

"The attackers took advantage of a lack of attention in both situations; both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, principal researcher at Sophos. Had the Exchange Server been patched properly, the attackers would have had to work much harder to gain initial access.

BlackCat, a New Rust-Based Ransomware Malware

 

The new ALPHV ransomware operation, dubbed BlackCat, debuted last month and may be the most sophisticated ransomware of the year, with a highly customisable feature set that allows attacks on a wide range of corporate environments. The ransomware executable is written in Rust, a language not commonly used by malware developers but gaining popularity because of its performance and memory safety.

BlackCat, like many variants before it, operates as ransomware-as-a-service (RaaS): the core developers recruit affiliates to breach corporate environments and encrypt files, but not before stealing documents in a double-extortion scheme that pressures targets into paying or risk having the stolen data exposed.

Affiliates receive a revenue share that scales with the ransom: 80% of payments up to $1.5 million, 85% of payments up to $3 million, and 90% of payments above $3 million. To illustrate what an affiliate can earn from such RaaS programmes: CNA reportedly paid a $40 million ransom to the Russian outfit Evil Corp, a payment that would translate to $36 million for the affiliate under ALPHV's revenue sharing.

In a separate analysis of BlackCat, South Korean cybersecurity firm S2W noted that, like other RaaS programmes, the ransomware drives its malicious actions from an embedded configuration, drawing comparisons to BlackMatter, the ransomware that emerged from the ashes of DarkSide in July only to cease operations in early November.

ALPHV BlackCat has a number of features that distinguish it from other ransomware operations. It is entirely command-line driven, human-operated, and highly configurable, able to use several encryption modes, propagate across systems, terminate virtual machines and ESXi VMs, and automatically wipe ESXi snapshots to prevent recovery.

Each ALPHV ransomware executable includes a JSON configuration that controls the file extension, the ransom note, how data is encrypted, which folders, files, and extensions are excluded, and which services and processes are terminated automatically. The threat actor claims the ransomware can be set to use four different encryption modes. ALPHV BlackCat can also be configured with domain credentials so that it spreads itself and encrypts other devices on the network: the executable extracts PsExec to the %Temp% folder and uses it to copy the ransomware to other network devices, then executes it to encrypt the remote Windows machine.
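The Entropy intrusions above (AdFind reconnaissance, PsExec and PsKill, RAR archives staged before exfiltration) and BlackCat's self-propagation through PsExec share the same observable tooling, so the same handful of detections covers both. As an added example, not code from Sophos, S2W, or any ransomware operator, the following Python applies a small set of rules to constructed Windows event records (4688 process creation and 7045 service installation) and rolls the hits up into the attack stages they represent. The record format, the rule names, and the escalation threshold are assumptions for the example.

```python
import re

# Constructed sample events, not real telemetry. One record per line:
# "<timestamp>\t<host>\t<event_id>\t<detail>". 4688 is Security-log process
# creation and 7045 is System-log service installation; both are normalised
# into the same shape here as a log pipeline would.
SAMPLE_EVENTS = (
    "2021-12-01T01:02:03Z\tWS01\t4688\tNewProcessName=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs\n"
    "2021-12-01T01:05:00Z\tWS01\t4688\tNewProcessName=C:\\Temp\\adfind.exe CommandLine=adfind.exe -f objectcategory=computer -csv name operatingsystem\n"
    "2021-12-01T02:10:00Z\tWS01\t4688\tNewProcessName=C:\\Temp\\rar.exe CommandLine=rar.exe a -r -hp C:\\Temp\\fin.rar \\\\FS01\\Finance\n"
    "2021-12-02T03:00:00Z\tDC01\t7045\tServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe\n"
    "2021-12-02T03:00:05Z\tDC01\t4688\tNewProcessName=C:\\Windows\\PSEXESVC.exe CommandLine=PSEXESVC.exe\n"
    "2021-12-02T03:01:00Z\tDC01\t4688\tNewProcessName=C:\\Temp\\pskill.exe CommandLine=pskill.exe -t sqlservr\n"
    "2021-12-02T03:02:00Z\tFS01\t4688\tNewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe readme.txt\n"
)

# (stage, rule name, event id, pattern applied to the detail field).
# Stage and rule names are illustrative labels, not a vendor taxonomy.
RULES = [
    ("recon",   "adfind_enumeration",     4688, re.compile(r"\badfind\.exe\b", re.I)),
    ("staging", "rar_archive_creation",   4688, re.compile(r"\brar\.exe\s+a\b", re.I)),
    ("lateral", "psexec_service_install", 7045, re.compile(r"ServiceName=PSEXESVC\b", re.I)),
    ("evasion", "pskill_process_kill",    4688, re.compile(r"\bpskill\.exe\b", re.I)),
]

# Number of distinct stages seen before activity is treated as pre-ransomware
# rather than an isolated admin action (an assumed tuning value).
ESCALATE_AT = 3


def parse_event(line):
    ts, host, event_id, detail = line.split("\t", 3)
    return ts, host, int(event_id), detail


def detect(events_text):
    """Return one finding per (event, rule) match, in log order."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, detail = parse_event(line)
        for stage, rule, wanted_id, pattern in RULES:
            if event_id == wanted_id and pattern.search(detail):
                findings.append({"time": ts, "host": host, "stage": stage, "rule": rule})
    return findings


def triage(findings):
    """Roll findings up to (verdict, stages seen, affected hosts)."""
    stages = {f["stage"] for f in findings}
    hosts = sorted({f["host"] for f in findings})
    verdict = "escalate" if len(stages) >= ESCALATE_AT else "monitor"
    return verdict, stages, hosts


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['time']} {f['host']} {f['stage']}: {f['rule']}")
    print(triage(hits))
```

Any single rule here fires on legitimate administration (AdFind and PsExec are ordinary sysadmin tools), which is why the roll-up matters: reconnaissance, archive staging, a PsExec service install on a domain controller, and process killing within a day of each other is the sequence the Sophos and BlackCat descriptions above share, and the combination is what should page an analyst.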

New Evil Corp Ransomware Disguised as PayloadBin to Avoid Sanctions

 

The new PayloadBIN ransomware has been linked to the Evil Corp cybercrime gang, which rebranded to evade US Treasury Department sanctions issued by the Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as Indrik Spider and the Dridex gang, began as a ZeuS botnet affiliate. It eventually organised a group dedicated to distributing the Dridex banking trojan and downloader via phishing emails.

According to the FBI, Dridex was used to steal more than $100 million from banks in more than 40 countries. Later, the malware was used as a loader to install the BitPaymer ransomware on victims' computers. Two Russian nationals, Maksim Yakubets and Igor Turashev, were indicted by a US grand jury in December 2019 for allegedly running Evil Corp.

Yakubets was functioning "as Evil Corp's head and is answerable for overseeing the group's illicit cyber activities," the Treasury Department said at the time, having earlier assisted with money laundering and the GameOver Zeus botnet and malware operation. It said Yakubets had been working for Russia's Federal Security Service (FSB) since at least 2017, and noted that it had previously sanctioned the FSB for attacks against US targets. It also announced a $5 million reward for information leading to his arrest.

The Babuk gang had said it would stop using ransomware encryption and instead focus on data theft and extortion after breaching the Metropolitan Police Department in Washington, DC, and stealing unencrypted data. At the end of May the Babuk data leak site received a graphic makeover, and the gang rebranded as 'payload bin'.

On Thursday, BleepingComputer found PayloadBIN, a new ransomware strain that appeared to be tied to the Babuk Locker rebranding. When run, the ransomware appends the .PAYLOADBIN extension to encrypted files. The ransom note, named 'PAYLOADBIN-README.txt', states that the victim's "networks are LOCKED with PAYLOADBIN ransomware".

After discovering the sample, BleepingComputer initially suspected Babuk of lying about its plans to move away from ransomware and relaunching under a new name. On examining the new ransomware, however, both Emsisoft's Fabian Wosar and ID Ransomware's Michael Gillespie confirmed that it is a rebrand of Evil Corp's earlier ransomware operations.

CNA Hit by a Phoenix CryptoLocker Ransomware Attack

 

Insurance giant CNA had to shut down its systems and temporarily take its website offline after a ransomware attack. A new version of the Phoenix CryptoLocker malware was used in the attack, which happened earlier this week and is believed to be linked to the Evil Corp hacking group.

CNA, a Chicago-based company, is the seventh-largest commercial insurance provider in the world. In a statement published on the home page of its website on Sunday, March 21, the company confirmed that it had "sustained a sophisticated cybersecurity attack". "The attack caused a network disruption and impacted certain CNA systems, including corporate email," it added.

Although a report identified the ransomware used against CNA as Phoenix CryptoLocker, the company did not comment on the nature of the incident. CryptoLocker-style ransomware encrypts files on the computers it infects and demands a ransom from the victim in return for the key to decrypt them.

According to the report, the cybercriminals behind Phoenix CryptoLocker are probably a well-known group such as Evil Corp, which recently reappeared after a short break. The impact of the group's most recent attack was severe enough that CNA disconnected its systems from its network "out of an abundance of caution" and is offering workarounds to employees where possible so that it can continue to serve its customers, the company said. The ransomware reportedly encrypted data on more than 15,000 machines on CNA's corporate network, as well as the computers of remote employees who were connected to the company's VPN at the time of the attack.

While encrypting computers, the ransomware appended the '.phoenix' extension to encrypted files and dropped a ransom note named 'PHOENIX-HELP.txt'. Although sources said CNA would restore from backups, the company has not confirmed this.

According to the report, sources attribute Phoenix CryptoLocker to the same group based on code similarities with ransomware previously used by Evil Corp. Evil Corp used the WastedLocker ransomware in earlier attacks, including the one against GPS technology provider Garmin last year. The group has made millions of dollars through several criminal operations, including stealing banking credentials with the Dridex banking trojan and then making fraudulent transfers from victims' bank accounts.

The attack on CNA could also have a significant impact on certain businesses, particularly those holding cyber insurance policies with the company. Breaching an insurer's network and stealing policy details about its customers would be an effective way to build a target list of insured companies. It is not yet known whether the attackers stole unencrypted files before encrypting CNA's devices; however, since data theft before encryption has become standard practice in ransomware operations, it is possible that some data was taken.