Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Intel 471. Show all posts

Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti,' which primarily exploits Conti code has come to the surface. 

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but Intel471 and BlackBerry independently announced their study into Monti on September 7th.

The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under "Wizard Spider" and could be linked with the global Trickbot cybercrime ring. 

Reportedly, the cybercrime group that has a base in Russia, supports the Russian government's goals, particularly the Ukraine conflict. 

In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. The group's ability to scale operations is a direct result of the aforementioned. The group resorts to the ransomware as a service (RaaS) approach to disseminate the infection.

According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," it was published on February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti." 

Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.

Apart from one, Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent, and the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks. 

Experts want to highlight a useful technique that was made feasible by our awareness of the code repetition before  Monti's reuse of Conti's encryptor code. 

The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because we were familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ. 

The BlackBerry IR team was able to recover completely, unencrypted strings from encrypted log files because of this information.

Conti's activities have slowed down recently, some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.

Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.





Joker's Stash, the Largest Carding Forum Shutting Down

 

Joker's Stash opened in 2014 and was perhaps the most well-known underground carding site which gave new stolen credit card data and a guarantee of card validity. The activity gas has undergone a decline since mid-2020. The normally active administrator, Joker's Stash, had several gaps in communication. Joker's Stash, announced on January 15, 2021, that it is expected to shut down in a month - the stipulated date being February 15, 2021. The news was announced by the site's administrator through messages posted on different underground cybercrime forums where the site normally publicized its services.

Threat intelligence firm Intel 471 posted a blog expressing that Joker's Stash's fall comes after an extremely tempestuous close to 2020, documenting the website's end. In October, the individual who purportedly runs the site declared that he had contracted COVID-19, going through seven days in the hospital. The condition has influenced the site's forums, inventory replenishments, and different tasks. Intel 471 likewise found that the customers of the site were complaining that the shop's payment card data quality was progressively poor. 

The FBI and Interpol held onto four domains operated by the marketplace. During that time, the site's administrators said the law enforcement crackdown left just restricted effect on the site, the domains were just utilized as proxies to reroute clients from landing pages to the genuine marketplace, and that authorities didn't hold onto any servers containing card or client information. Despite the fact that the seizure didn't have a lot of effects, it chiefly influenced the site's reputation and made clients feel that the once-untouchable Joker's Stash was presently an open book for law enforcement agencies. 

The Joker's Stash admin didn't give more insights about the choice to close down the site. They may have chosen to stop as opposed to being taken down by the law enforcement agencies. Nonetheless, that doesn't infer that the site's administrator is now immune to prosecution. Prior to its declaration of closing down, the Joker's Stash was viewed as perhaps the most profitable cybercrime operations today.

As indicated by Christopher Thomas, Intelligence Production Analyst at Gemini Advisory, the shop is assessed to have made countless dollars in illicit profits, despite the fact that this cash also goes to the vendors themselves. Joker's Stash has been working since October 7, 2014. Last year alone, the site had posted more than 35 million CP (card present) records and in excess of 8 million CNP (card not present) records.

The site's administrator intends to wipe all servers and backups when they shut their operations next month.