
BEC Attacks: Google Translate Utilized to Scam Organizations in Any Language


Business Email Compromise (BEC) gangs are making their payment-fraud scams more effective by using machine-translation tools, which let them send convincing fraudulent emails in multiple languages.

What are Business Email Compromise Groups? 

BEC attacks entail posing as a senior executive or business partner and convincing a corporate target to wire large quantities of cash to a bank account under the attacker's control. 

Successfully running the international variant of this attack has generally taken a lot of time and effort: the target must be researched well enough to make the phishing lure plausible, and native speakers must be hired to translate the scam into other languages. That is changing as threat actors adopt free online tools that remove much of the manual work.

Midnight Hedgehog and Mandarin Capybara are the two BEC groups that best represent the trend, according to research from Abnormal Security published this week. Both use Google Translate, which lets them quickly produce convincing phishing lures in practically any language.

The researchers also cautioned that commercial sales and marketing services are helping less-resourced and less-sophisticated BEC attacks succeed. These services are normally used by sales and marketing teams to find "leads", which makes it simple for attackers to locate the best targets regardless of region.

BEC attacks are already lucrative, causing $2.4 billion in losses in 2021 alone according to the FBI's Internet Crime Report, and their number keeps rising, which is bad news for defenders. Volumes are now likely to increase further, since some of the cost of carrying them out has been eliminated.

BEC Groups Scale Fast with Translation, Marketing Tools 

Crane Hassold, director of threat intelligence at Abnormal Security, noted in the report that Midnight Hedgehog has been active since January 2021 and specialises in impersonating CEOs.

The company has so far identified two significant phishing emails from the group in 11 languages: Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish and Swedish. Thanks to Google Translate's effectiveness, the emails lack the simple mistakes that users have been conditioned to look out for and regard as suspicious.

"We've taught our users to look for spelling mistakes and grammatical errors to better identify when they may have received an attack[…]When these are not present, there are fewer alarm bells to alert native speakers that something isn't right," the report said. 

Apparently, Midnight Hedgehog has requested payments ranging from $17,000 to $45,000. 

Mandarin Capybara, the second BEC group named in the report, also sends emails posing as communications from business executives, but with a twist: it contacts payroll to have the executive's paycheck redirected by direct deposit to an account the attackers control.

Abnormal Security has noted that Mandarin Capybara targets businesses all over the world with phishing lures in Dutch, English, French, German, Italian, Polish, Portuguese, Spanish, and Swedish. However, unlike Midnight Hedgehog, which the report claimed sticks to non-English-speaking victims in Europe, Mandarin Capybara also targets businesses outside of Europe with phishing emails aimed at English speakers in the US and Australia. 

In some instances, the group used the same fraudulent email accounts to send lures in several languages.

BEC campaigns remain popular with threat actors because of how they work: the victim receives a message, deems it legitimate, and acts on instructions they believe come from their 'boss', especially when the email is written with correct grammar and spelling and in the sender's usual signature style.

"As email marketing and translation tools become more accurate, effective, and accessible, we'll likely continue to see hackers exploiting them to scam companies with increasing success," said Hassold. 

The report recommends that organizations put procedures in place to ensure that large financial transactions are never approved by a single person, and that staff are trained to look out for payment-fraud attacks, in addition to deploying appropriate security tools to help catch BEC attacks.

"It's important that organizations use email defenses that look for threats in a more holistic manner to be able to prevent more sophisticated BEC attacks. Defenses that simply rely on static or 'known bad' indicators will have a hard time detecting these attacks, which is why tools that leverage behavioral analytics are better equipped to spot more advanced BEC threats," concludes Hassold.
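The behavioural checks Hassold describes can be illustrated in a few lines. The script below is an added example and is not code from Abnormal Security or from the report: it parses a raw message, compares the From display name against a constructed executive directory, checks whether replies are being diverted, and matches payment-request cues in several of the languages the report lists. The domain `example.com`, the executive directory, the cue lists and the two sample messages are all constructed for the example.

```python
"""Heuristic triage for executive-impersonation (BEC) mail.

Added example, not the report's own detection logic. Everything below the
imports (domain, executive directory, cue lists, sample messages) is
constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the defended organisation's domain and a
# tiny directory of executives whose display names attackers impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Payment-request cues per language (constructed; a real list is far longer
# and the languages overlap, so these only identify which list matched).
PAYMENT_CUES = {
    "en": ("wire transfer", "urgent payment", "direct deposit", "bank details"),
    "de": ("überweisung", "dringend", "bankverbindung"),
    "fr": ("virement", "urgent", "coordonnées bancaires"),
    "es": ("transferencia", "urgente", "datos bancarios"),
    "nl": ("overboeking", "dringend", "bankgegevens"),
    "sv": ("överföring", "brådskande", "bankuppgifter"),
}


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return the individual findings and an overall verdict for one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    known = EXECUTIVES.get(_norm(display))
    findings = {
        # an executive's display name on an address that is not the real one
        "executive_impersonation": known is not None and known != addr.lower(),
        "external_sender": _domain(addr) != INTERNAL_DOMAIN,
        # replies diverted to a mailbox other than the From address
        "reply_to_mismatch": bool(reply_addr) and reply_addr.lower() != addr.lower(),
        "payment_languages": sorted(
            lang for lang, cues in PAYMENT_CUES.items() if any(c in text for c in cues)
        ),
    }
    score = sum([
        findings["executive_impersonation"],
        findings["external_sender"],
        findings["reply_to_mismatch"],
        bool(findings["payment_languages"]),
    ])
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 2 else "ok"
    return findings


# Constructed messages: a German-language CEO-impersonation lure sent from a
# lookalike domain with replies diverted elsewhere, and a benign internal note.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.janedoe@mail-example.net
To: finance@example.com
Subject: Dringend: Überweisung heute

Hallo, bitte veranlassen Sie heute eine dringende Überweisung an den neuen
Lieferanten. Ich bin in Besprechungen und telefonisch nicht erreichbar.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Agenda for Monday

Can you send me the agenda for Monday's planning meeting? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(raw))
```

The cue lists deliberately do not try to detect bad grammar, since the report's point is that translated lures no longer contain it; the signal comes from who is sending, where replies go, and what is being asked for.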

Cryptominer Malware Posing as Desktop Version of Google Translate

 

A crypto-mining campaign from Turkey has been found infecting thousands of PCs by advertising desktop versions of well-known apps. The actor behind the campaign is known as "Nitrokod".

Nitrokod is a Turkish-speaking software publisher that has been operating since 2019 and advertises its software as free and safe. Most of the programs Nitrokod offers are well-known apps that have no official desktop version; its most popular application is a desktop version of Google Translate. Since Google does not offer one, the attackers' version is quite tempting.

Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.

Malware operation 

The campaign spreads its malware as free software hosted on sites such as Uptodown and Softpedia. Each dropper in the multi-stage attack chain pulls down the next one; the actual payload, the XMRig miner, is not dropped until the seventh stage.

The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

The Nitrokod operators separate the malicious activity from the Nitrokod program that was initially downloaded in order to evade detection:
  • The malware is first executed nearly a month after the Nitrokod software was installed.
  • The malware is deployed only after six earlier stages of infected programs have run.
  • Scheduled tasks keep the infection chain alive across the long waits, which gives the attackers time to remove any evidence of the earlier stages.
Check Point Research (CPR) discovered the campaign using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution. The technology lets SOC teams quickly identify, investigate and respond to attacks across their whole IT infrastructure: it uses data collected from all products (endpoint, network, web security and others) to detect threats inside the organization and stop them spreading.

The miner is dropped nearly a month after the initial infection. The third-stage dropper runs five days after the previous stage, and the fourth-stage dropper adds four more scheduled tasks with intervals ranging from one to fifteen days. Once these tasks have been created, the earlier stages delete themselves.

Detection & prevention

This makes it extremely difficult for investigators to identify the attack and link it back to the bogus installer. To start the XMRig mining operation, the malware also connects to a remote C2 server to fetch a configuration file.

Thanks to the long, staged infection chain, the attackers evaded detection for months, which gave them plenty of time to change the final payload from a crypto miner to something else, such as ransomware. The malware is dropped from popular apps such as Google Translate that have no actual desktop version, which keeps the malicious versions in demand and unique.

That 'Clean' Google Translate App is Actually Windows Crypto-mining Malware

 

 
The Turkish-speaking group behind Nitrokod, which has been active since 2019, is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto-mining Trojan, is typically disguised as a clean Windows app and behaves normally for days or weeks before its hidden Monero-mining code runs. What is interesting is that the apps offer a desktop version of services that are normally only available online.

"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

Besides Google Translate, Nitrokod also abuses other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programs. On some websites the malicious applications advertise themselves as "100% clean", despite being infected with mining malware. Nitrokod has been productive in spreading its malicious code through download sites such as Softpedia; according to Softpedia, the Nitrokod Google Translate app has been downloaded over 112,000 times since December 2019.

According to Check Point, the Nitrokod developers are patient, taking a long time and multiple steps to hide the malware's presence on an infected PC before installing the aggressive crypto-mining code. Because of the lengthy, multi-stage infection process, the campaign went unnoticed for years before security researchers discovered it.

"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."

When the user launches the downloaded program, an actual Google Translate app, built with Chromium as described above, is installed and runs normally. At the same time, the software quietly fetches and saves a series of executables, eventually scheduling one specific .exe to run every day once it has been unpacked. That executable extracts another one, which connects to a remote command-and-control server, retrieves the Monero miner's configuration settings and starts mining, with the generated coins sent to the attackers' wallets. To cover its tracks, some of the early-stage code deletes itself.

One stage also looks for known virtual-machine processes and security products, which could indicate that the software is being analysed. If one is found, the program terminates. If it is allowed to run, it creates a firewall rule that permits incoming network connections.

Throughout the stages, the attackers deliver the next stage in password-protected RAR archives to make it harder to inspect. According to Marelus, Check Point researchers investigated the crypto-mining campaign using the vendor's Infinity extended detection and response (XDR) platform.
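The staged behaviour described in the "Malware operation" section and again just above (multi-day scheduled tasks, a firewall rule allowing inbound connections, password-protected archives for the next stage) is exactly what behavioural hunting can key on, since no single file hash survives the self-deleting stages. The script below is an added example and is not Check Point's detection logic: it runs three rules over constructed process-creation telemetry in a `timestamp|host|user|image|commandline` format and correlates hits per host. The hosts, users, paths, task names and archive password are all constructed for the example.

```python
"""Behavioural hunting for a delayed, staged miner installation.

Added example, not Check Point's detection logic. The telemetry below is
constructed (not real logs) and uses a simple pipe-delimited format.
"""
import re
from collections import defaultdict

# Directories an unprivileged user can write to; a scheduled task whose
# target lives here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
ARCHIVERS = {"unrar.exe", "rar.exe", "7z.exe", "winrar.exe"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed telemetry: ts|host|user|image|command line. WS01 shows the
# staged chain; WS02 shows benign activity that the rules must not flag.
SAMPLE_LOG = r"""
2022-07-01T09:12:03Z|WS01|alice|C:\Users\alice\AppData\Local\Temp\GTDesktop\update.exe|schtasks.exe /Create /TN "GTDesktop\chk" /SC DAILY /MO 5 /TR "C:\Users\alice\AppData\Local\Temp\GTDesktop\chk.exe" /F
2022-07-06T09:12:10Z|WS01|alice|C:\Users\alice\AppData\Local\Temp\GTDesktop\chk.exe|C:\Users\alice\AppData\Local\Temp\GTDesktop\unrar.exe x -pS3cretPass stage4.rar
2022-07-06T09:12:15Z|WS01|alice|C:\Users\alice\AppData\Local\Temp\GTDesktop\stage4.exe|netsh advfirewall firewall add rule name="GTDesktop" dir=in action=allow program="C:\Users\alice\AppData\Local\Temp\GTDesktop\svc.exe"
2022-07-01T10:00:00Z|WS02|bob|C:\Windows\System32\cmd.exe|schtasks.exe /Create /TN "NightlyBackup" /SC DAILY /TR "C:\Program Files\Backup\backup.exe"
2022-07-01T10:05:00Z|WS02|bob|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default
"""


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def _flag(tokens: list, flag: str):
    """Value following a case-insensitive schtasks flag such as /TR, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag:
            return tokens[i + 1]
    return None


def schtasks_interval_days(tokens: list) -> float:
    """Repeat interval of a `schtasks /Create` command line in days (0 if unknown)."""
    unit = (_flag(tokens, "/sc") or "").lower()
    mo = _flag(tokens, "/mo")
    count = int(mo) if mo and mo.isdigit() else 1
    per_unit = {"minute": 1 / 1440, "hourly": 1 / 24, "daily": 1, "weekly": 7, "monthly": 30}
    return count * per_unit.get(unit, 0)


def detect(event: dict) -> list:
    """Names of the rules that fire for one process-creation event."""
    tokens = tokenize(event["cmdline"])
    if not tokens:
        return []
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    low = [t.lower() for t in tokens]
    hits = []
    # Rule 1: task repeating every day or slower, pointing into a user-writable dir.
    if exe in ("schtasks.exe", "schtasks") and "/create" in low:
        target = _flag(tokens, "/tr") or ""
        if schtasks_interval_days(tokens) >= 1 and USER_WRITABLE.search(target):
            hits.append("long_interval_task_from_user_dir")
    # Rule 2: a new firewall rule that allows inbound connections.
    if exe in ("netsh", "netsh.exe") and "advfirewall" in low:
        if "dir=in" in low and "action=allow" in low:
            hits.append("inbound_firewall_allow")
    # Rule 3: an archiver invoked with an inline password (-p<password>).
    if exe in ARCHIVERS and any(t.startswith("-p") and len(t) > 2 for t in low[1:]):
        hits.append("password_protected_archive_extract")
    return hits


def parse_line(line: str) -> dict:
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def triage(log_text: str) -> dict:
    """Correlate hits per host; two or more distinct behaviours on one host is high."""
    per_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        for rule in detect(event):
            per_host[event["host"]].add(rule)
    return {
        host: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "medium"}
        for host, rules in per_host.items()
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, verdict)
```

Correlating across days matters here: the three events on WS01 are spread over the five-day gap the page describes, so a rule that only looks at a short window, or only at the first stage, would see a single low-confidence hit at most. The WS02 backup task shows the caveat the first rule needs: a daily task is ordinary, and it is the user-writable target path that makes it worth a look.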