Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label TrendMicro. Show all posts

Researchers: 'Black Basta' Group Rakes in Over $100 Million

 

A cyber extortion group believed to be an offshoot of the infamous Russian Conti hacker organization has reportedly amassed over $100 million since its emergence last year, according to a report published on Wednesday by digital currency tracking service Elliptic and Corvus Insurance.

The group, known as "Black Basta," has allegedly extorted at least $107 million in bitcoin, with a significant portion of the laundered ransom payments flowing to the sanctioned Russian cryptocurrency exchange Garantex, as revealed in the joint report. Attempts to contact Black Basta through its dark web site were unsuccessful. Garantex, which faced U.S. Treasury sanctions in April of the previous year, expressed support for global initiatives combatting cybercrime and urged information-sharing regarding the hackers' finances, pledging to block suspicious funds.

Elliptic co-founder Tom Robinson characterized Black Basta's substantial earnings as making it "one of the most profitable ransomware strains of all time." The researchers arrived at this figure by identifying known ransom payments linked to the group, tracing the laundering of digital currency, and discovering additional payments.

Robert McArdle, a cybercrime expert from security firm TrendMicro not involved in the report, deemed the reported Black Basta figure "certainly in a believable range for their operations."

The Elliptic-Corvus report also presented evidence linking Black Basta to the now-defunct Russian group "Canti." Conti, formerly a prominent ransomware gang, gained notoriety for coercing victims through data encryption, ransom demands, and threats to publish stolen information. 

The report suggests that individuals from Conti, following the dismantling of its leak site after Russia's invasion of Ukraine and the subsequent posting of U.S. bounties on its leadership, may have reorganized and rebranded, with Black Basta potentially being a manifestation of this restructuring.

"Conti was perhaps the most successful ransomware gang we've seen," remarked Robinson. The recent findings indicate that some individuals responsible for Conti's success might be replicating it with the Black Basta ransomware, he added.

 Sophos: Hackers Avoid Deep Fakes as Phishing Attacks are Effective

According to a prominent security counsel for the UK-based infosec business Sophos, the fear of deepfake scams is entirely exaggerated.

According to John Shier, senior security adviser for cybersecurity company Sophos, hackers may never need to utilize deepfakes on a large scale because there are other, more effective ways to deceive individuals into giving up personal information and financial data.

As per Shier, phishing and other types of social engineering are much more effective than deepfakes, which are artificial intelligence-generated videos that imitate human speech.

What are deepfakes?

Scammers frequently use technology to carry out 'Identity Theft'. In order to demonstrate the risks of deepfakes, researchers in 2018 employed the technology to assume the identity of former US President Barack Obama and disseminate a hoax online.

Shier believes that while deepfakes may be overkill for some kinds of fraud, romance scams—in which a scammer develops a close relationship with their victim online in order to persuade them to send them money—could make good use of the technology because videos will give an online identity inherent legitimacy.

Since deepfake technology has gotten simpler to access and apply, Eric Horvitz, chief science officer at Microsoft, outlines his opinion that in the near future, "we won't be able to tell if the person we're chatting to on a video conversation is real or an impostor."

The expert also anticipates that deepfakes will become more common in several sectors, including romance scams. Making convincing false personas requires a significant commitment of time, effort, and devotion, and adding a deepfake does not require much more work. Shier is concerned that deepfaked romance frauds might become an issue if AI makes it possible for the con artist to operate on a large scale.

Shier was hesitant to assign a date for industrialized deepfake bots, but he claimed that the required technology is becoming better and better every year.

The researcher noted that "AI experts make it sound like it is still a few years away from the huge effect." In the interim, we will observe well-funded criminal organizations carrying out the subsequent degree of compromise to deceive victims into writing checks into accounts.

Deepfakes have historically been employed primarily to produce sexualized images and movies, almost always featuring women.

Nevertheless, a Binance PR executive recently disclosed that fraudsters had developed a deepfaked clone that took part in Zoom calls and attempted to conduct bitcoin scams.

Deepfakes may not necessarily be a scammer's primary tactic, but security researchers at Trend Micro said last month that they are frequently used to augment other techniques. The lifelike computerized images have recently appeared in online advertisements, phony business meetings, and job seeker frauds. The distress is that anybody could become a victim because the internet is so pervasive.






New Malware NetDooka Deployes Payload: Trend Micro Report

Experts found an advanced malware framework and it has named it as NetDooka because of a few components. The framework is deployed via a pay-per-install (PPI) service and includes various parts, which include a loader, a dropper, a full-featured remote access Trojan (RAT), and a protection driver that deploys its own network communication protocol. "Upon execution, the loader will deobfuscate strings, such as the command-and-control (C&C) server address, and check for the command-line arguments that were passed. The malware accepts multiple arguments that indicate what action should be taken," says TrendMicro report. 

NetDooka is distributed via the PrivateLoader malware which after installing, starts the exploitation chain. The report emphasizes the components and infection chain of the NetDooka framework. The scope varies from the issue of the first payload, which drops a loader that makes a new virtual desktop to deploy an antivirus software uninstaller and communicate with it by emulating the mouse and pointer position- an essential step to complete the uninstallation process and make an environment for executing other components- until the launch of the final RAT that is guarded by a kernel driver. 

The infection starts after a user unknowingly downloads PrivateLoader, generally via pirated software sites, after that, NetDooka malware gets installed, a dropper component that results in decrypting and implementing the loader component. The loader starts various checks to make sure that the malware isn't working in a virtual environment, following that it installs another malware through a remote server. It can also download a kernel driver that can be used later. 

The downloaded malware is another dropper component that a loader executes, it is responsible for decryption and execution of the final payload, a RAT has multiple features like executing a remote shell, getting browser data, capturing screenshots, and accessing system information. TrendMicro says "If no parameter is passed to the loader, it executes a function called “DetectAV()” that queries the registry to automatically identify the antivirus products available in order to uninstall them."

Firefox update fixes critical security vulnerability

Firefox 66.0.1 Released with Fix for Critical Security Vulnerabilities that discovered via Trend Micro’s Zero Day Initiative. The vulnerability affects all the versions of Firefox below 66.0.1.

An attacker could exploit these vulnerabilities to take complete control over the target system of the process.

CVE-2019-9810: Incorrect alias information

Incorrect alias information with IonMonkey JIT compiler for Array.prototype.slice leads to missing bounds check and a buffer overflow.

The bounds checking is a method used for detecting the variable is present within the bounds, a failed bound check would through the exception and results in security vulnerabilities.

CVE-2019-9813: Ionmonkey type confusion with proto mutations

Mishandling of proto mutations leads to the type of confusion vulnerability in IonMonkey JIT code.

The type confusion vulnerability occurs, when the code doesn’t verify what objects it is passed to, and blindly uses it without type-checking.

By exploiting this vulnerability an attacker can execute arbitrary commands or code on a target machine or in a target process without user interaction.

This vulnerability discovered by an independent researcher Niklas Baumstark targeting Mozilla Firefox with a sandbox escape in Trend Micro Zero-day initiative contest and he successfully demonstrates the JIT bug in Firefox, for that he earned $40,000.

In Pwn2Own 2019 contents researchers exploit multiple bugs with leading providers such as Edge, Mozilla Firefox, Windows, VMware and earned $270,000 USD in a single day by submitting 9 unique zero-day exploits.

The Firefox bug was introduced in the second day of the contest by Fluoroacetate team and an individual security researcher Niklas Baumstark.

SpyEye Trojan stole $3.2 million from U.S. victims ~ Discovered by TrendMicro

A Russian cybergang headed by a mysterious ringleader called 'Soldier' were able to steal $3.2 million from U.S. citizens earlier this year using the SpyEye-Zeus data-stealing Trojan, security company Trend Micro has reported.

Trend Micro researchers recently uncovered a cybercriminal operation involving SpyEye that began as early as January 2011. The said operation was orchestrated by “Soldier” (the cybercriminal’s handle), who is currently based in Russia. Trend Micro researchers had been monitoring Soldier and his activities since March 2011.

Based on investigation, this attack mainly targeted US users and some of those affected were large enterprises and institutions such as the US government and military. In fact, 97% of the affected corporations are based in the US. However, we have also observed affected organizations located in other countries such as the United Kingdom, Mexico, Canada, and India.

The SpyEye variant used in this attack is detected by Trend Micro as TSPY_SPYEYE.EXEI.

How much money was stolen?

According to Trend Micro research, the cybercriminal behind this attack was able to get more than $3.2 million dollars, or $17,000 per day, in the last 6 months with the help of accomplices and money mules. Money mules were recruited to transfer the money to the cybercriminals. To launder the money, the stolen money is passed by the cybercriminal to the accomplices situated in various locations then to the money mules and finally back to the cybercriminal. This is done so the cybercriminal won’t be easily track down by security researchers and law enforcement.



Once a system is infected, what does TSPY_SPYEYE.EXEI do?

Once installed, TSPY_SPYEYE.EXEI downloads a configuration file, which contains the websites that it monitors. Once users visit any of these monitored sites, it performs web injection and logs keystrokes to steal information from users. It also connects to specific URLs to send and receive information from a remote user. Once connected to these sites, it sends specific information such as operating system information, Internet Explorer (IE) version, account type, language ID, time zone etc.

What is SpyEye and how can I encounter this?

SpyEye is a commercially-sold toolkit which first emerged in 2009. Users may encounter SpyEye variants via various infection vectors such as blackhat search engine optimization (SEO), spam, and other malware to infect users’s systems. Its main routine is information, identity, and financial theft.

Trend Micro detects the binary files generated by SpyEye as TSPY_SPYEYE variants. When SpyEye first came out in the wild, it is thought of as the rival of another prevalent crimeware toolkit, ZeuS.


How do SpyEye malware steal information?

SpyEye downloads a configuration file on the infected systems. This configuration file contains the list of monitored websites. When users accessed any of the monitored websites, SpyEye performs Web injection to steal the data inputted by the users. It is also capable of capturing screenshots from the infected systems.


What is a web injection and how does it work?

In Web injection, SpyEye injects HTML code into the webpage to add form fields of other data that the cybercriminals want to steal. In the instance that users visit one of the monitored web sites, they would see an additional field(s) in the said site, asking for specific information other than logon credentials such as ATM or credit card number, email address, etc.




What kind of information do SpyEye variants steal?

Although SpyEye steals banking credentials, it is capable of stealing credentials related to different websites, such as Facebook, Twitter, Yahoo!, Google, eBay, and Amazon. It also gathers system information such as installed operating system, Internet Explorer version, timezone, and others. Furthermore, it is capable of capturing screenshots. This routine enables SpyEye to bypass authentication means and to gather data apart from online banking information. The stolen data are either used for other fraudulent activities or sold in the underground.

Why should I be concerned about SpyEye?

As an information stealer, SpyEye variants steal logon credentials and used this to initiate unauthorized transactions, such as an online fund transfer. Because of the web injection routine, users are also at risk of unwittingly giving out sensitive information, which are sold to the underground market and used for malicious purposes. In addition, SpyEye remains to be one of the prevalent malware to date. It can be sold commercially making it available to anyone who intends to steal information and hard-earned money of users.

SpyEye is known for targeting consumers, as well as small and medium businesses. However, large organizations are affected in this particular attack. It is possible that employees of large enterprises accessed their online bank accounts, and may have engaged in other online activities while using the work/business network, thus compromising its security. Furthermore, the stolen information from these large enterprises may be used to stage targeted attacks.
Are Trend Micro users protected from this attack?

Yes. Trend Micro provides a multi-layered protection via Trend Micro™ Smart Protection Network™. With Web reputation technology blocks all the malicious URLs where SpyEye variants may be downloaded. It also prevents access to all the URLs where the malware may download its configuration files. File reputation service detects and deletes all known SpyEye variants found on the affected system. For SpyEye variants that arrive via spam messages, the Email reputation service promptly blocks such messages even before it arrives on users' inboxes.
Trend Micro’s Threat Discovery Appliance (TDA) also protects users' networks by blocking malicious packets, such as C&C communication and upload of stolen information.
Home users can use Trend Micro’s HouseCall to scan and clean systems infected with malware components related to this attack. Similarly, Trend Micro’s Genericlean detects and cleans the malware components.

Users are advised to be wary of divulging any personal information online. It is also best not to access online bank accounts using a work network. For businesses, we recommend the use of various security layers such as firewall, gateway, messaging, network, server, endpoint, and mobile security for optimal protection against attacks like this.

As of this writing, Trend Micro researchers and analysts are collaborating with law enforcement agencies regarding the blocking of identified command and control servers related to SpyEye.

Source:TrendMicro

Android users will be next target !