
Fake Resumes Become Weapon of Choice for FIN6 Threat Group

 


The FIN6 cybercrime group, long associated with high-profile financial breaches, is now running a sophisticated new campaign that targets corporate recruitment channels. The threat actors impersonate qualified job applicants, sending convincing resumes that carry malicious payloads.

In most cases, these fraudulent applications point to phishing websites that look legitimate but exist only to trick human resources professionals into downloading malware or unknowingly disclosing sensitive login information. FIN6 abuses the trust inherent in the hiring process to penetrate enterprise networks through human resources departments, a channel that security programmes tend to regard as a relatively low-risk vector.

Once the attackers gain access, they establish persistent backdoors that allow them to harvest credentials, reach systems they are not authorised to use, and deploy ransomware or data exfiltration tools. Beyond highlighting the growing scope of social engineering threats, the campaign exposes a critical blind spot: threat actors exploit the urgency and volume of modern hiring practices to bypass the traditional technical defences of corporate security.

As organisations digitise their recruitment workflows through e-mail, job portals, and resume sharing platforms, their attack surface keeps broadening. FIN6's latest tactic makes it evident that cybersecurity must extend beyond IT departments into every aspect of corporate operations, including human resources. The group has begun using sophisticated social engineering against corporate recruiters, posing as job applicants in a refined variation of traditional social engineering tactics.

Using persuasive resumes and embedded links to phishing websites, the attackers aim to trick human resources personnel into installing malware under the guise of routine candidate screening.

This strategic pivot shows the group's growing reliance on psychological manipulation rather than brute-force technical intrusion, capitalising on the trust embedded in recruitment communications. FIN6, also referred to in threat intelligence circles as "Skeleton Spider", first gained attention for financially motivated attacks, notably the compromise of point-of-sale (PoS) systems to obtain credit card information.

The group, whose methods continue to evolve, is believed to have expanded its operations to include ransomware attacks, working alongside operators of prominent ransomware strains such as Ryuk and Locky. In its recent campaign, FIN6 has been observed distributing More_eggs, a stealthy JavaScript-based backdoor offered as malware-as-a-service (MaaS).

Once installed, the malware enables unauthorised credential harvesting and remote system access and serves as a launchpad for ransomware. Because More_eggs blends into legitimate Windows processes, it can evade many traditional endpoint detection systems, which makes it especially dangerous.

The group's reliance on this payload highlights a wider trend in the threat landscape: the integration of social engineering with advanced malware delivery to circumvent layered security controls. FIN6 is widely known to have originated as a group that orchestrated large-scale breaches of retail point-of-sale (PoS) systems.

It has continuously adjusted its tactics since becoming known in 2014 as one of the most dangerous cyber threat groups. The group has reimagined the classic job scam: rather than targeting job seekers, it builds trust with recruiters. In this calculated approach, the phishing messages mention resume links in plain text rather than as clickable hyperlinks.

Recipients must therefore type the URLs into their browsers manually, which bypasses automated security filters designed to detect malicious links in emails. The domains used in these campaigns are usually registered anonymously and constructed to mimic plausible job applicant names. Hosted on Amazon Web Services infrastructure, the sites resemble legitimate portfolios or resumes once accessed.

Behind this facade lies a complex set of evasion methods, including traffic filtering that distinguishes human users from automated security crawlers such as sandboxes. These filters assess criteria such as the use of residential IP addresses and browser behaviour consistent with a Windows environment, and they check whether the user has completed a CAPTCHA challenge. Only visitors who satisfy all of the requirements are presented with a ZIP archive disguised as the applicant's portfolio.

In the archive is a malicious .lnk file that is crafted to look like a standard resume. When executed, the shortcut triggers the installation of More_eggs, a JavaScript backdoor associated with the cybercriminal Venom Spider. The stealthy malware allows attackers to access remote computer systems, enabling them to steal credentials, collect surveillance footage, and potentially deploy ransomware. 

FIN6's execution of this attack demonstrates both technical proficiency and a deep understanding of cyber defence mechanisms and human psychology, underscoring that organisations must build cybersecurity awareness into all aspects of business operations, including human resources.

In constructing its attack infrastructure, FIN6 has shown a high level of operational security and technical sophistication. The group registered a series of domains anonymously through GoDaddy and hosted them on Amazon Web Services (AWS), a trusted cloud provider whose traffic is rarely flagged by standard security solutions.

By leaning on Amazon Web Services' reputation and global infrastructure, FIN6 makes its malicious portfolio sites look legitimate while evading traditional detection mechanisms. The campaign's domain names are chosen to match the fake personas created by the attackers, lending credibility to the phishing activity.

Examples include: bobbyweisman[.]com, emersonkelly[.]com, davidlesnick[.]com, kimberlykamara[.]com, annalanyi[.]com, bobbybradley[.]net, malenebutler[.]com, lorinash[.]com, alanpower[.]net, and edwarddhall[.]com. Each domain is designed to resemble the website or portfolio of a legitimate job candidate, matching what recruiters expect to see when they look up an applicant.

FIN6's robust environmental fingerprinting and behavioural validation checks shield the campaign from discovery and analysis. Typically, only recruiters who access the site from a residential IP address on a Windows system are served the actual malicious content.

When access is attempted through virtual private networks (VPNs), cloud-hosted environments, or non-Windows platforms such as Linux and macOS, decoy content is served instead, which sharply reduces the chance that security researchers and automated tools ever see the malicious payload. Visitors who meet the attacker's criteria are also asked to complete a fake CAPTCHA challenge on the landing page, an extra layer of social engineering.

Once the CAPTCHA is completed, the visitor is prompted to download a ZIP archive presented as a resume. In reality, the archive holds a .lnk file, a disguised Windows shortcut that launches the More_eggs malware when executed. With this JavaScript-based backdoor, the threat actors can gain persistence, exfiltrate credentials, and possibly launch ransomware. The campaign's precise targeting and environmental filtering reflect FIN6's strong understanding of digital trust signals, and it stands as one of the most technically sophisticated phishing operations seen over the past couple of years.

To mitigate the risk posed by targeted social engineering campaigns such as those orchestrated by FIN6, organisations must adopt a multilayered security strategy that combines technical defences with human vigilance. Because human resources professionals and recruiting teams are increasingly targeted by cybercriminals, it is imperative that they stay informed about cybersecurity.

Employees who have regular contact with external emails and file attachments should receive comprehensive, role-specific security training. That training should teach participants to recognise phishing indicators, understand social engineering tactics, and follow the proper protocol for reporting suspicious activity.

On the technical side, organisations should deploy sandboxing solutions that allow potentially malicious attachments to be safely detonated and analysed before they can be opened on production systems. This proactive step can prevent malware disguised as legitimate files from ever executing.

System administrators should also consider disabling or restricting the execution of .LNK shortcut files unless they serve a clearly defined and necessary business function. Phishing attacks frequently exploit these file types because they offer a direct path to executing embedded scripts without the user being aware of it.

A strong policy should be enforced across departments that all downloaded files must be verified before they are opened, backed by automated scanning tools wherever possible. It is also important to invest in robust endpoint detection and response (EDR) systems. These tools continuously monitor system behaviour, detect anomalies, and take real-time action against threats such as unauthorised downloads, lateral movement, or attempts to set up persistent backdoors.
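The "verify downloaded files before opening" and ".LNK restriction" advice above can be turned into an automated pre-screen for recruiter downloads. The following is an added example, not code from the original post or from any vendor: it inspects every entry of a ZIP archive and flags Windows shortcuts both by extension and by the fixed Shell Link file header, so a shortcut renamed to look like a PDF is still caught. The sample archive it builds is constructed for the example.

```python
"""Flag ZIP archives that carry Windows shortcut (.lnk) payloads.

Added example (not from the original post or from any vendor tooling).
The sample archive built below is constructed; the .lnk bodies are just the
Shell Link header followed by padding, not real shortcuts.
"""
import io
import zipfile

# Shell Link binary format: HeaderSize (0x0000004C, little-endian) followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")


def is_lnk_content(data: bytes) -> bool:
    """True if the bytes begin with the Shell Link header, whatever the file name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (name, reason) pairs for each entry that looks like a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            reasons = []
            if name.lower().endswith(".lnk"):
                reasons.append("lnk extension")
                # Double extensions such as Resume.pdf.lnk are a classic disguise.
                if name.count(".") > 1:
                    reasons.append("double extension")
            # Only the header is needed, so read a bounded prefix of each entry.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if is_lnk_content(head):
                reasons.append("lnk header")
            if reasons:
                findings.append((name, ", ".join(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign text file, a real PDF stub, a disguised
    shortcut with a double extension, and a shortcut renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("portfolio/README.txt", "Sample portfolio, constructed for this example.\n")
        zf.writestr("portfolio/real_note.pdf", b"%PDF-1.4\n%constructed stub\n")
        zf.writestr("portfolio/Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("portfolio/Cover_Letter.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_archive()):
        print(f"FLAG {entry}: {why}")
```

Run it against a downloaded archive by passing the file's bytes to suspicious_entries; anything flagged should go to the sandbox step rather than to a recruiter's desktop.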

Combining technical safeguards with targeted user education has been shown to significantly reduce an organisation's exposure to advanced, socially engineered attacks and to help safeguard its critical business functions from compromise.

The sophistication of cyber threats, such as those deployed by FIN6, makes it imperative for organisations to take a strategic and forward-looking approach to protecting all business units, not just their IT infrastructure. Increasingly, cybercriminals are weaponising everyday workflows such as recruitment, requiring security to be embedded in the culture of all departments, particularly those seen as non-technical. 

Developing a culture of cyber resilience requires more than reactive defences; it demands that proactive risk assessments, threat modelling, and interdepartmental collaboration become routine. To future-proof their defences, enterprises need to invest in adaptive security architectures that incorporate behavioural analytics, threat intelligence, and zero-trust access controls.

Recruitment and human resources technologies need to be evaluated from a security-first perspective, ensuring that third-party job boards, resume processing platforms, and applicant tracking systems are also rigorously vetted. Internal processes and vendor partnerships should be updated continually to keep pace with the evolving threat landscape.

As the business world embraces digital transformation, threat actors are embracing it too. The FIN6 campaign is a stark demonstration of how trust can be manipulated even in the most unexpected situations.

Organisations that recognise this shift and respond by building resilience at both the technological and human level will stand a much better chance of defending their data, reputation, operations, and long-term stability in an era where every click carries consequences.

This Malware is Assaulting Critical US Infrastructure for Almost a Year

 

Over the course of the last 11 months, a threat group has actively engaged in a phishing campaign targeting employees across various companies, distributing an open-source trojan program named AsyncRAT. The victims of this campaign notably include companies responsible for managing critical infrastructure in the United States.

The cybersecurity division of AT&T, known as Alien Labs, has reported that the attackers employ a domain generation algorithm (DGA) within their command-and-control (C&C) infrastructure. This technique helps them rotate through a large number of domains, making it challenging to block traffic. In an effort to evade detection, the threat actors continually generate new samples of the malicious tool. Researchers have identified over 300 samples and 100 domains associated with this particular campaign.

AsyncRAT, an open-source remote access tool released in 2019 and still available on GitHub, serves as the attackers' weapon of choice. As a remote access trojan (RAT), AsyncRAT offers features such as keylogging, exfiltration techniques, and initial access staging for delivering the final payload.

It's not uncommon for even sophisticated threat actors to utilize open-source malware frameworks, providing advantages such as low development costs and plausible deniability. Interestingly, AsyncRAT had been previously employed in 2022 by an APT group known as Earth Berberoka or GamblingPuppet, as tracked by security firm Trend Micro.

The phishing emails, scrutinized by Alien Labs and other researchers, employ a thread hijacking technique to direct users to a phishing page, eventually dropping a JavaScript (.js) file on users' computers. This script, when opened in Notepad, contains numerous randomly commented-out English words, while variants using Sanskrit characters have also been reported in previous campaigns. The highly obfuscated script aims to download the second-stage payload from a URL encoded using a custom cipher and decimal values.

The second-stage payload is another encoded script in PowerShell, executed directly in memory without being saved to disk. The PowerShell script communicates with a rotating C&C server domain, sending information such as computer hostname and a variable indicating the likelihood of the computer being a virtual machine or sandbox.

If deemed a valid target, the C&C server deploys AsyncRAT. In the case of a potential virtual machine or sandbox, the server redirects the request to Google or launches a different PowerShell script that downloads and initiates a decoy RAT, designed to distract researchers investigating the campaign.

To further complicate detection, the attackers regularly randomize the script code and malware samples, and they rotate C&C domains weekly. Despite these efforts, Alien Labs researchers managed to reverse-engineer the domain generation algorithm, providing insight into historical samples and enabling the development of detection signatures for identifying future infrastructure. The AT&T Alien Labs report includes detection signatures for the Suricata intrusion detection system and a list of indicators of compromise (IOCs) for building detections on other systems.

Multiple Malware Being Sold on Darkweb Forums


Researchers have recently discovered a new threat group, PureCoder, that is apparently selling numerous malware tools on the dark web. Its listings include miners, information stealers, and crypters, which threat actors use in their campaigns.

Spread of PureLogs/PureCrypt 

Two of the most heavily advertised tools sold by PureCoder are PureLogs and PureCrypt.

The threat actors have also posted details of these tools on cybercrime forums to attract customers.

PureLogs and PureCrypt

  • PureLogs: A malicious .NET program created for stealing browser data, crypto wallets, and data from other applications. It is reportedly sold at $99 for a one-year subscription. 
  • PureCrypter: This malware distributes multiple RATs and stealers. It is sold for $59 for a one-month subscription and $245 for a lifetime subscription. 

Used by Other Threat Groups 

Most recently, the Italian cybersecurity company TG Soft discovered that the PureLogs information stealer was being used by the Alibaba2044 threat actors in a spam campaign targeting Italian online users.

  • Fraudulent emails carrying a link were used to download a password-protected zip file. 
  • The email contained a cabinet file disguised as a batch file, which held a malicious executable and the password to open the file. 
  • Once the targeted victims open the batch file, it leads to the PureLogs stealer being executed on their systems. 

Various Tools on Offer 

Moreover, the PureCoder group offers additional malicious software besides PureLogs and PureCrypter, such as: 

  • PureMiner: Sold at $99 for a year of access and $199 for lifetime access, it functions as a covert, stealthy, silent miner. 
  • BlueLoader: A botnet loader that manages a large number of bots, purchasable for $99 for a year or $199 for a lifetime. 
  • PureHVNC: A hidden stealth VNC used to control systems, sold at $99 for one year of use. 

Easy and affordable access to such malicious tools is a serious concern for online users. As a precaution, users are advised to avoid opening suspicious links and email attachments and to use reliable anti-malware and Internet security software.

Cybercrime Gangs Are Expanding Across Africa: Investigators Warn


Police and investigative experts in sub-Saharan Africa have warned of cybercriminal gangs that have recently grown in size and power by exploiting the vulnerabilities created by the global economic crisis and the Covid-19 pandemic. 

According to the authorities, both situations have created new opportunities for online criminals to rake in large sums without much risk of being caught. 

This growth has a direct impact on the rest of the world, where many victims of “hugely lucrative” fraud live, a senior police official says. 

According to Prof. Landry Signé, a senior scholar and study author at the Brookings Institution, the Covid-19 crisis has driven the growth of digitalisation globally. As online activity increased, criminals targeted critical digital infrastructure. 

“The Covid-19 pandemic has accelerated digitalization around the world, but as life has shifted increasingly online, cybercriminals have exploited the opportunity to attack vital digital infrastructure […] States across Africa have emerged as a favorite target of cybercriminals, with costly consequences,” says Professor Signé. 

Nigerian Black Axe Gang

Interpol describes online fraud, such as banking and credit card fraud, as the most pervasive and severe cyber threat across Africa. According to analysts, the Covid-19 pandemic has brought a sustained rise in the number and sophistication of cyber-attacks, more than half of them targeting online banking platforms.

A major operation organized by Interpol this month, across 14 countries, emphasises the scale of cybercrimes across the continent and beyond. 

Police later detained more than 70 alleged fraudsters in connection with the Nigerian cyber threat group known as ‘Black Axe’ in South Africa, Nigeria, and Ivory Coast, as well as in the Middle East, Europe, south-east Asia, and the US. 

Moreover, about 50 residents were under investigation, with $1 million confiscated from bank accounts. Additionally, an apartment building, three vehicles, tens of thousands of dollars, and about 12,000 SIM cards were seized. 

Reportedly, the Black Axe gang started out as a student organisation in Benin City in the 1970s and later evolved into a worldwide criminal network specialising in fraud. According to US court filings, the group claimed a regional headquarters in South Africa in 2013. 

Authorities reportedly discovered, in Ireland, phones and other equipment known to have been used by Black Axe scammers. By tracing the group's vocabulary, investigators linked it to West Africa. 

A former South African criminal intelligence official says that although the fraudulent activity has comparatively declined, one cannot assume the organisation has ceased operations. These criminals, the official added, manage their operations very well and have found solutions to every obstacle. 

A Major Base for Organized Crimes

As reported by The Guardian, South Africa has emerged as a headquarters for organised crime. 

South Africa apparently hosts the Black Axe organization, while also helping them proliferate worldwide. In this regard, Interpol further said, “as well as hosting Black Axe groups, South Africa also helps enable their spread to other parts of the world … Black Axe members come to South Africa to obtain South African citizenship, which facilitates their travel to the US, Europe or Dubai.” 

Along with other forms of cyber fraud, threat actors in Africa commonly target victims through online dating services and apps, deceiving them into false relationships to extract money or sensitive information. 

Besides South Africa, Kenya has also evolved into a significant base for digital extortion schemes, according to the FBI and Interpol, making the continent a major base for cybercrime activity.  

ShadowPad Malware Attacks have been Linked to Chinese Ministry and PLA

 

Cybersecurity researchers have detailed ShadowPad, a sophisticated modular backdoor adopted by a growing number of Chinese threat groups in recent years, and have linked it to the country's civilian and military intelligence services. The Chinese government-sponsored BRONZE ATLAS threat group has used the ShadowPad modular remote access trojan (RAT) since at least 2017. 

Since 2019, a rising number of other Chinese threat groups have used it in attacks against firms across a variety of industry verticals worldwide. Analysis of ShadowPad samples by the Secureworks Counter Threat Unit (CTU) found clusters of activity associated with threat groups affiliated with the Chinese Ministry of State Security (MSS), the civilian intelligence agency, and the People's Liberation Army (PLA). 

ShadowPad rose to prominence in 2017 because it was used in software supply chain attacks involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments released in 2020 provide more details on ShadowPad's relationship to BRONZE ATLAS. 

According to the Microsoft complaint, BRONZE ATLAS (also known as Barium) used ShadowPad to steal intellectual property and personally identifiable information in 2017. The malware was only utilised by BRONZE ATLAS at the time. According to the DOJ indictments, Chinese nationals working for the Chengdu 404 network security firm used ShadowPad in a global campaign ascribed to BRONZE ATLAS. 

Traditionally, ShadowPad payloads are delivered to a host either encrypted within a DLL loader or embedded in a separate file alongside a DLL loader; the loader then decrypts and executes the embedded ShadowPad payload in memory using a decryption routine specific to the malware version. These DLL loaders are sideloaded by a genuine executable vulnerable to DLL search order hijacking, a technique that lets malware run by hijacking the mechanism a programme uses to locate the DLLs it needs to load. 

Secureworks found that certain infection chains include a third file containing the encrypted ShadowPad payload: the genuine binary (e.g., BDReinit.exe or Oleview.exe) sideloads the DLL, which then loads and decrypts the third file. 

In one ShadowPad incident, the intrusions opened the door to hands-on-keyboard attacks, in which human operators manually log into an infected system to execute commands rather than relying on automated scripts.

Beware of Lorenz Ransomware Gang Targeting Organizations with Customized Attacks

 

Security researchers have unearthed a new ransomware operation known as Lorenz targeting organizations worldwide with customized attacks and demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since compiled a growing list of victims whose stolen data has been published on a data leak site.

According to Bleeping Computer, Michael Gillespie of ID Ransomware has found that the Lorenz ransomware encryptor is identical to that of a previous operation known as ThunderCrypt. It remains unclear, however, whether Lorenz is run by the same group or has purchased the ransomware source code to build its own variant. 

Like other ransomware operations, Lorenz breaches a network and moves laterally to other devices until it obtains Windows domain administrator credentials. While spreading through the environment, the operators harvest unencrypted files from victims' servers and upload them to remote servers under their control. The stolen data is then published on a dedicated data leak site to pressure victims into paying a ransom, or sold to other threat actors.

According to security experts, the Lorenz gang operates differently from other ransomware gangs. To pressure victims into paying, Lorenz first makes the data available for sale to other threat actors or possible competitors. After a while, it starts releasing password-protected RAR archives containing the victim's data. Unlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows services before encrypting. 

Each folder on the computer will contain a ransom note named HELP_SECURITY_EVENT.html with information about what happened to the victim's files. It also includes a link to the Lorenz data leak site and a link to a unique Tor payment site where the victim can see their ransom demand.

Finally, if the victim does not give in, Lorenz publishes the password for the leaked archives so the files become publicly available to anyone who downloads them. From ransom notes seen by BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000. 

The ransomware is currently being analysed for weaknesses, and paying the ransom never guarantees you actually get your data back, as it might still end up for sale on the Dark Web.