Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat Group. Show all posts
US infrastructure
AsyncRAT command-and-control infrastructure Cybersecurity domain generation algorithm malware open-source trojan Phishing emails Threat Group US infrastructure

This Malware is Assaulting Critical US Infrastructure for Almost a Year

 

Over the course of the last 11 months, a threat group has actively engaged in a phishing campaign targeting employees across various companies, distributing an open-source trojan program named AsyncRAT. The victims of this campaign notably include companies responsible for managing critical infrastructure in the United States.

The cybersecurity division of AT&T, known as Alien Labs, has reported that the attackers employ a domain generation algorithm (DGA) within their command-and-control (C&C) infrastructure. This technique helps them rotate through a large number of domains, making it challenging to block traffic. In an effort to evade detection, the threat actors continually generate new samples of the malicious tool. Researchers have identified over 300 samples and 100 domains associated with this particular campaign.

AsyncRAT, an open-source remote access tool released in 2019 and still available on GitHub, serves as the attackers' weapon of choice. As a remote access trojan (RAT), AsyncRAT offers features such as keylogging, exfiltration techniques, and initial access staging for delivering the final payload.

It's not uncommon for even sophisticated threat actors to utilize open-source malware frameworks, providing advantages such as low development costs and plausible deniability. Interestingly, AsyncRAT had been previously employed in 2022 by an APT group known as Earth Berberoka or GamblingPuppet, as tracked by security firm Trend Micro.

The phishing emails, scrutinized by Alien Labs and other researchers, employ a thread hijacking technique to direct users to a phishing page, eventually dropping a JavaScript (.js) file on users' computers. This script, when opened in Notepad, contains numerous randomly commented-out English words, while variants using Sanskrit characters have also been reported in previous campaigns. The highly obfuscated script aims to download the second-stage payload from a URL encoded using a custom cipher and decimal values.

The second-stage payload is another encoded script in PowerShell, executed directly in memory without being saved to disk. The PowerShell script communicates with a rotating C&C server domain, sending information such as computer hostname and a variable indicating the likelihood of the computer being a virtual machine or sandbox.

If deemed a valid target, the C&C server deploys AsyncRAT. In the case of a potential virtual machine or sandbox, the server redirects the request to Google or launches a different PowerShell script that downloads and initiates a decoy RAT, designed to distract researchers investigating the campaign.

To further complicate detection, the attackers regularly randomize the script code and malware samples, and they rotate C&C domains weekly. Despite these efforts, Alien Lab researchers managed to reverse-engineer the domain generation algorithm, providing insights into historical samples and enabling the development of detection signatures for future infrastructure identification. The AT&T Alien Labs report includes detection signatures for the Suricata intrusion detection system and a list of indicators of compromise (IOC) for building detections on other systems.
Read more »
Threat Group
Cybersecurity Dark Web Internet Security. malware PureCoder TG Soft Threat Group

Multiple Malware Being Sold on Darkweb Forums


Researchers have recently discovered a new threat group, PureCoder, apparently selling numerous malware on the dark web. They listed malware such as miners, information stealers, and crypters, used by threat actors for their campaigns. 

Spread of PureLogs/PureCrypt 

Two of the most efficiently advertised malware, sold by Purecoder include PureLogs and PureCrypt.

The threat actors as well have posted details of the aforementioned malware in cybercrime forums in order to garner the interest of their customers. 

PureLogs and PureCrypt

  • PureLogs: A malicious DotNET program created for stealing browser data, crypto wallets, and other applications. Reportedly, these malwares are being sold at $99 for a year subscription. 
  • PureCrypter: This malware distributes multiple RATs and stealers. It is being sold for $59, for a one-month subscription and $245 for a lifetime subscription. 

Used by Other Threat Groups 

Most recently, an Italian cybersecurity company TG Soft discovered that PureLogs information stealer was being used by Alibaba2044 threat actors, that was being utilized for launching a spam campaign targeting Italian online users.

  • Fraudulent emails attached with a link were being used to download the password-protected zip file. 
  • The email contained a cabinet file that was disguised as a batch file and contained a malicious executable and the password to open the file. 
  • The batch file, once opened by the targeted victims, will further lead to the (PureLogs stealer) being executed on their systems. 

Various Tools on Offer 

Moreover, the PureCoder group is offering various additional malicious software besides PureLogs and PureCrypter, such as: 

  • PureMiner: The cost of the tool is $99 for a year of access and $199 for lifetime access. It functions as a covert, stealthy, and silent miner. 
  • BlueLoader: A significant number of bots are managed by the BlueLoader botnet, which may be purchased for $99 for a year or $199 for a lifetime. 
  • PureHVNC: A hidden stealth VNC to control systems, sold for one-year use at $99. 

Easy and affordable access to such malicious tools is a serious matter of concern to online users. As a precautionary measure, users are advised to avoid opening suspicious links and email attachments. Moreover, use reliable anti-malware and Internet security software.  

Read more »
Threat Group
Black Axe Gang Cyber Crime Interpol Interpol Operation South Africa Threat Group

Cybercrime Gangs Are Expanding Across Africa: Investigators Warns


Police and investigative experts of the sub-Saharan region of Africa have cautioned of cyber criminal gangs, that are recently advancing in size and power by exploiting the vulnerabilities caused during the global economic crises and the Covid-19 pandemic. 

As claimed by the authorities, both of the mentioned situations have given rise to newer opportunities for online criminals to rake in large assets without risking being caught. 

This growth has a direct impact on the rest of the world, where many victims of “hugely lucrative” fraud live, a senior police official says. 

According to Prof. Landry Signé, a senior scholar and study author at Brookings Institution, the Covid-19 crisis has apparently resulted in the growth of digitalization globally. As online activities boosted, criminals, targeted critical digital infrastructure. 

“The Covid-19 pandemic has accelerated digitalization around the world, but as life has shifted increasingly online, cybercriminals have exploited the opportunity to attack vital digital infrastructure […] States across Africa have emerged as a favorite target of cybercriminals, with costly consequences,” says Professor Signé. 

Nigerian Black Axe Gang

Interpol describes online frauds like banking and credit card frauds as the most pervasive and severe cyber threat across Africa. The Covid-19 pandemic has resulted in a sustained rise in the number and advancement of cyber-attacks, with more than half being targeted at online banking platforms, as per the analysts.

A major operation organized by Interpol this month, across 14 countries, emphasises the scale of cybercrimes across the continent and beyond. 

Police later detained more than 70 alleged fraudsters in connection with the Nigerian cyber threat group known as ‘Black Axe’ in South Africa, Nigeria, and Ivory Coast, as well as in the Middle East, Europe, south-east Asia, and the US. 

Moreover, about 50 residents were being investigated, with $1 million confiscated from bank accounts. Additionally, an apartment building, three vehicles, tens of thousands of dollars, and about 12,000 sim cards were seized. 

Reportedly the Black Axe gang started out as a student organization, originating in Benin City, in the 1970s and later evolved into a worldwide criminal network, specializing in frauds. As per the US court filings, the group later claimed a regional headquarters in South Africa in the year 2013. 

Authorities reportedly discovered phones and other equipment that were known to be used by Black Axe scammers, in Ireland. While tracing the group’s vocabulary, the investigators linked the group to West Africa. 

A former South African criminal intelligence official says that although the fraudulent activities have comparatively reduced, one cannot assume that the organization has ceased operations. The official continued that these criminals manage their operations very well, and they have found solutions to all the issues. 

A Major Base for Organized Crimes

As reported by The Guardian, South Africa has emerged as a headquarter for organized crimes. 

South Africa apparently hosts the Black Axe organization, while also helping them proliferate worldwide. In this regard, Interpol further said, “as well as hosting Black Axe groups, South Africa also helps enable their spread to other parts of the world … Black Axe members come to South Africa to obtain South African citizenship, which facilitates their travel to the US, Europe or Dubai.” 

Along with other acts of cyber fraud, threat actors in Africa generally targets victims via online dating services and apps, deceiving them into false relationships in order to acquire money or sensitive information about the victims. 

Not only South Africa, Kenya as well has evolved into a significant base for digital extortion schemes, believes the FBI and Interpol. Thus, making the continent a major base for cybercrime activities.  

Read more »
Threat Group
China malware PLA RAT Threat Group

ShadowPad Malware Attacks have been Linked to Chinese Ministry and PLA

 

ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat organizations in recent years, has been revealed by cybersecurity researchers, who have also linked it to the country's civilian and military intelligence services. Since at least 2017, the Chinese government-sponsored BRONZE ATLAS threat organization has been using the ShadowPad sophisticated modular remote access trojan (RAT). 

Since 2019, a rising number of other Chinese threat groups have used it in attacks against firms in a variety of industrial verticals throughout the world. Analysis of ShadowPad samples by Secureworks Counter Threat Unit (CTU) found clusters of activity associated with threat groups affiliated with the Chinese Ministry of State Security (MSS), civilian intelligence agency, and the People's Liberation Army (PLA). 

ShadowPad rose to prominence in 2017 because it was used in software supply chain attacks involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments released in 2020 provide more details on ShadowPad's relationship to BRONZE ATLAS. 

According to the Microsoft complaint, BRONZE ATLAS (also known as Barium) used ShadowPad to steal intellectual property and personally identifiable information in 2017. The malware was only utilised by BRONZE ATLAS at the time. According to the DOJ indictments, Chinese nationals working for the Chengdu 404 network security firm used ShadowPad in a global campaign ascribed to BRONZE ATLAS. 

Traditionally, malware payloads are sent to a host either encrypted within a DLL loader or embedded within a separate file alongside a DLL loader, which subsequently decrypts and executes the embedded ShadowPad payload in memory using a specific decryption technique tailored to the malware version. These DLL loaders run malware after being sideloaded by a genuine executable vulnerable to DLL search order hijacking, a technique that allows malware to run by hijacking the mechanism used to look for required DLLs to load into a programme. 

Secureworks discovered that certain infection chains include a third file containing the encrypted ShadowPad payload, which works by executing the genuine binary (e.g., BDReinit.exe or Oleview.exe) to sideload the DLL, which then loads and decrypts the third file. 

The incursions in one ShadowPad incident paved the door for conducting hands-on-keyboard attacks, which are attacks in which human hackers manually log into an infected system to execute commands rather than using automated scripts.
Read more »
Thundercrypt
Cyber Attacks Lorenz Ransomware Group Threat Group Thundercrypt

Beware of Lorenz Ransomware Gang Targeting Organizations with Customized Attacks

 

Security researchers have unearthed a new ransomware operation known as Lorenz targeting organizations worldwide with customized attacks and demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since compiled a growing list of victims whose stolen data has been published on a data leak site.

According to Bleeping Computer, Michael Gillespie of ID Ransomware: the Lorenz ransomware encryptor is identical to a previous operation known as ThunderCrypt. However, it remains unclear if Lorenz is of the same group or has purchased the ransomware source code to design its own variant. 

Like other ransomware attacks, Lorenz breaches a network and expands laterally to other devices until it secures access to Windows domain administrator credentials. While expanding throughout the system, it will harvest unencrypted files from victims' servers, which they upload to remote servers under their control. This stolen data is then published on a dedicated data leak site to pressure victims into paying a ransom or to sell the data to other threat actors.

According to security experts, this Lorenz gang operates differently as compared to other ransomware gangs. To pressure victims into paying the ransom, Lorenz first makes the data available for sale to other threat actors or possible competitors. After a while, they start releasing password-protected RAR archives containing the victim's data. Unlike other enterprise-targeting ransomware, the Lorenz sample we looked at did not kill processes or shut down Windows services before encrypting. 

Each folder on the computer will be a ransom note named HELP_SECURITY_EVENT.html that contains information about what happened to a victim's files. It will also include a link to the Lorenz data leak site and a link to a unique Tor payment site where the victim can see their ransom demand.

Finally, if the victim doesn’t fall into the trap of the hackers, Lorenz publishes the password for the data leak archives so that they are publicly available to anyone who downloads the files. From ransom notes seen by BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000. 

Furthermore, the ransomware is currently being analyzed for weaknesses, and paying the ransom never guarantees you actually get your data back, as it might still end up for sale on the Dark Web.
Read more »
Subscribe to: Posts (Atom)