Today — 25 October 2021, Security Affairs

Emsisoft created a free decryptor for past victims of the BlackMatter ransomware

25 October 2021 at 05:49

Experts from cybersecurity firm Emsisoft announced the availability of a free decryptor for past victims of the BlackMatter ransomware.

Cybersecurity firm Emsisoft has released a free decryption tool for past victims of the BlackMatter ransomware. The researchers found a vulnerability in the encryption process implemented in the BlackMatter ransomware that allowed them to recover encrypted files for free. Emsisoft did not disclose the flaw earlier so as not to alert the ransomware group, which could have patched the code of its malware.

The decryptor only works on files encrypted with the BlackMatter versions the gang used between mid-July and late September 2021; the most recent version of the ransomware has fixed the issue.

“Earlier this year, Emsisoft researchers discovered a critical flaw in the BlackMatter ransomware that allowed them to help victims recover their files without paying a ransom, preventing millions of dollars falling into the hands of cybercriminals. The work has been conducted quietly and privately so as not to alert the BlackMatter operators to the flaw.” reads the announcement published by Emsisoft.

The company is now urging victims of the BlackMatter ransomware to contact it for help recovering their data without paying the ransom.

PSA: If you or someone you know got hit by BlackMatter in the past couple of months, please reach out. More details can be found here: https://t.co/2AK76UbPFE

— Fabian Wosar (@fwosar) October 24, 2021

The company, with the help of law enforcement agencies, CERTs and private sector partners in multiple countries, is reaching out to numerous victims to help them recover their data.

“Beyond BlackMatter, our team has identified vulnerabilities in about a dozen active ransomware families. In these cases, we can recover the vast majority of victims’ encrypted data without a ransom payment. As with BlackMatter, we aren’t making the list of families public until the vulnerability has been found and fixed by their respective operators. This is why we encourage victims to report incidents to law enforcement, as they may be able to direct them to us or other companies that can help.” concludes Emsisoft.

The BlackMatter group launched its operations at the end of July; the gang claims to be the successor of the DarkSide and REvil groups. Like other ransomware operations, BlackMatter also set up a leak site where it publishes data exfiltrated from victims before encrypting their systems.

The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future, who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, Exploit and XSS.

The group is recruiting crooks with access to the networks of large enterprises with annual revenues of $100 million or more, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.

BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies. In August, the gang added a Linux encryptor that targets the VMware ESXi virtualization platform.

BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.

The alert also includes Snort signatures that can be used by network defenders to detect the network activity associated with BlackMatter.

CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:

  • Implement Detection Signatures;
  • Use Strong Passwords;
  • Implement Multi-Factor Authentication;
  • Patch and Update Systems;
  • Limit Access to Resources over the Network;
  • Implement Network Segmentation and Traversal Monitoring;
  • Use Admin Disabling Tools to Support Identity and Privileged Access Management;
  • Implement and Enforce Backup and Restoration Policies and Procedures.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Emsisoft created a free decryptor for past victims of the BlackMatter ransomware appeared first on Security Affairs.

Yesterday — 24 October 2021, Security Affairs

TodayZoo phishing kit borrows the code from other kits

24 October 2021 at 20:48

Microsoft uncovered an extensive series of credential phishing campaigns that employed a custom phishing kit tracked as TodayZoo.

Microsoft researchers uncovered a custom phishing kit, dubbed TodayZoo, that was used in an extensive series of credential phishing campaigns.

A “phishing kit” is a set of software or services aimed at facilitating phishing campaigns. In most cases a phishing kit is an archive file containing images, scripts, and HTML pages that allow threat actors to create a phishing page used to trick recipients into providing their credentials.

TodayZoo borrows large pieces of code from other phishing kits investigated by Microsoft in the past; these portions of code still include the comment markers, dead links, and other holdovers from the previous kits.

The IT giant first spotted the kit in December 2020. Because of the consistency in the redirection patterns, domains, and other tactics, techniques, and procedures (TTPs) of the related campaigns, experts attribute the kit to a threat actor behind an old phishing kit template. Microsoft experts speculate that the threat actor has implemented its own credential harvesting logic.

Since March 2021, Microsoft observed a series of phishing campaigns abusing the AwsApps[.]com domain to send the phishing messages. The email messages impersonated Microsoft and leveraged a zero-point font obfuscation technique to evade detection. 

Attackers used different lures in the message body over the months, including password reset, and fake fax and scanner notifications.


The analysis of the kit revealed that a large part of the code borrows from the DanceVida phishing kit.

“Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or purchase. We then compared TodayZoo with other phishing kits we have analyzed previously and found that even these kits also contained references to sites like Dancevida[.]com but would have different code blocks for their obfuscation or credential harvest components.” reads the analysis from Microsoft. “‘DanceVida’ is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location because they are directly for sale on various forums under kit-naming schemas, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts using free email services, such as GMail, Yahoo!, and Yandex.”

The imitation and obfuscation-related components of the TodayZoo phishing kit overlap with the code of at least five other kits, namely Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo.

TodayZoo demonstrates that threat actors could create their own variants of phishing kits from publicly available frameworks to meet their needs.

“Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves.” concludes Microsoft.


Security Affairs newsletter Round 337

24 October 2021 at 13:40

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are delivered free to your inbox.

If you also want to receive the international press for free, subscribe here.

NATO releases its first strategy for Artificial Intelligence
Threat actors offer for sale data of 50 million Moscow drivers
Cisco SD-WAN flaw could lead to arbitrary code execution, patch it now!
Supply-chain attack on NPM Package UAParser, which has millions of daily downloads
Facebook SSRF Dashboard allows hunting SSRF vulnerabilities
Groove ransomware group calls on other ransomware gangs to hit US public sector
DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown
FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks
FiveSys, a new digitally-signed rootkit spotted by Bitdefender experts
Evil Corp rebrands their ransomware, this time is the Macaw Locker
A flaw in WinRAR could lead to remote code execution
Administrators of bulletproof hosting sentenced to prison in the US
US Bureau of Industry and Security bans export of hacking tools to authoritarian regimes
Top 5 Attack Vectors to Look Out For in 2022
YouTube creators’ accounts hijacked with cookie-stealing malware
PurpleFox botnet variant uses WebSockets for more secure C2 communication
Acer suffers a second data breach in a week
China-linked LightBasin group accessed calling records from telcos worldwide
Zerodium is looking for zero-day exploits in ExpressVPN, NordVPN, and Surfshark Windows VPN clients
Experts found many similarities between the new Karma Ransomware and Nemty variants
Symantec uncovered a previously unknown nation-state actor, named Harvester, that targeted telcos
FBI, CISA, NSA published a joint advisory on BlackMatter ransomware operations
Trustwave released a free decryptor for the BlackByte ransomware
TeamTNT Deploys Malicious Docker Image On Docker Hub
Prometheus endpoint unprotected installs could expose sensitive data
Sinclair TV stations downtime allegedly caused by a ransomware attack
REvil ransomware operation shuts down once again
Experts spotted an Ad-Blocking Chrome extension injecting malicious ads
Experts hacked a fully patched iOS 15 running on iPhone 13 at China’s Tianfu Cup hacking contest
Twitch security breach had minimal impact, the company states


NATO releases its first strategy for Artificial Intelligence

24 October 2021 at 12:19

This week, NATO Defence Ministers released the first-ever strategy for Artificial Intelligence (AI) that encourages the use of AI in a responsible manner.

Artificial Intelligence (AI) is changing the global defence and security environment, for this reason, NATO Defence Ministers released the first-ever strategy for this technology that promotes its development and use in a responsible manner.

Below are NATO’s principles of responsible use of Artificial Intelligence in defence:

A. Lawfulness: AI applications will be developed and used in accordance with national and international law, including international humanitarian law and human rights law, as applicable.
B. Responsibility and Accountability: AI applications will be developed and used with appropriate levels of judgment and care; clear human responsibility shall apply in order to ensure accountability.
C. Explainability and Traceability: AI applications will be appropriately understandable and transparent, including through the use of review methodologies, sources, and procedures. This includes verification, assessment and validation mechanisms at either a NATO and/or national level.
D. Reliability: AI applications will have explicit, well-defined use cases. The safety, security, and robustness of such capabilities will be subject to testing and assurance within those use cases across their entire life cycle, including through established NATO and/or national certification procedures.
E. Governability: AI applications will be developed and used according to their intended functions and will allow for: appropriate human-machine interaction; the ability to detect and avoid unintended consequences; and the ability to take steps, such as disengagement or deactivation of systems, when such systems demonstrate unintended behaviour.
F. Bias Mitigation: Proactive steps will be taken to minimise any unintended bias in the development and use of AI applications and in data sets.

The new strategy also aims to accelerate and mainstream AI adoption in capability development and delivery, enhancing interoperability within the Alliance. NATO encourages its members to protect and monitor the AI technologies they use.

The Alliance warns of malicious use of AI by threat actors and urges the adoption of measures and technologies to identify and safeguard against these threats.

NATO Allies have recognized seven high-priority technological areas for defence and security, including Artificial Intelligence. These technologies include quantum-enabled technologies, data and computing, autonomy, biotechnology and human enhancements, hypersonic technologies, and space.

NATO stresses the importance of addressing these technologies in an ethical way; all of them are dual-use and very pervasive.

“Some state and non-state actors will likely seek to exploit defects or limitations within our AI technologies. Allies and NATO must strive to protect the use of AI from such interference, manipulation, or sabotage, in line with the Reliability Principle of Responsible Use, also leveraging AI-enabled Cyber Defence applications.” concludes the announcement. “Allies and NATO should develop adequate security certification requirements for AI, such as specific threat analysis frameworks and tailored security audits for purposes of ‘stress-testing’. AI can impact critical infrastructure, capabilities and civil preparedness—including those covered by NATO’s seven resilience Baseline Requirements—creating potential vulnerabilities, such as cyberspace, that could be exploited by certain state and non-state actors.”


Threat actors offer for sale data of 50 million Moscow drivers

24 October 2021 at 09:47

Threat actors are offering for sale a database containing 50 million records belonging to Moscow drivers on a hacking forum for $800.

Bad news for Russian drivers: threat actors are selling a database containing 50 million records belonging to Moscow drivers on a hacking forum for only $800. The threat actors claim to have obtained the data from an insider in the local police; they published a sample of database records containing the car model, its registration and VIN number, date of registration, engine power, name of the owner, date of birth, and phone number.

The stolen data spans from 2006 to 2019, and local media outlets have confirmed its authenticity. The threat actors are also offering a file containing information from 2020 to those who buy the database.

“The cybercriminals put up for sale for $ 800 a database of 50 million lines with the data of drivers that were registered in Moscow and the Moscow region from 2006 to 2019. As a bonus to the purchase, a file with information from 2020 is offered. The database contains names, dates of birth, phone numbers, VIN-codes and numbers of cars, their brands and models, as well as the year of registration. The seller himself claims that he received information from an insider in the traffic police.” reads the post published by the Kommersant website.

Alexei Parfentiev, head of the analytics department at SearchInform, confirmed this scenario:

“It looks more likely also because the requirements of regulators to such structures as the traffic police, in terms of protection against external attacks, are extremely strict,” he says.

However, Kommersant speculates that the data was obtained by hacking into regional information systems.

Andrey Arsentiev, head of analytics and special projects at InfoWatch Group, believes that the data could have been obtained by external attackers, for example, by exploiting a vulnerability in the system software.

“Judging by the composition of the data, the new database of car owners is not an unloading from the traffic police system, but rather an unloading from the databases of insurers, the founder of the DLBI data leak intelligence and darknet monitoring service Ashot Hovhannisyan believes.” continues the post.

“This data could be stolen both directly from the insurance companies and from their contractors to whom the bases are transferred for ‘ringing’.” says Ashot Hovhannisyan.

The availability of this data in the cybercrime underground poses serious risks to the exposed individuals; attackers can use the information to carry out several malicious activities.


Before yesterday, Security Affairs

Cisco SD-WAN flaw could lead to arbitrary code execution, patch it now!

23 October 2021 at 20:24

Cisco fixes an OS command-injection flaw, tracked as CVE-2021-1529, in Cisco SD-WAN that could allow privilege escalation and lead to arbitrary code execution.

Cisco addressed a high-severity OS command-injection vulnerability, tracked as CVE-2021-1529, in Cisco SD-WAN that could allow privilege escalation and lead to arbitrary code execution.

Cisco SD-WAN is a cloud-delivered overlay WAN architecture that enables digital and cloud transformation at enterprises; it allows organizations to connect disparate office locations via the cloud.

An authenticated, local attacker can exploit the CVE-2021-1529 vulnerability to execute arbitrary commands with root privileges. The flaw received a CVSS score of 7.8.

“The vulnerability is due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” reads the advisory published by the IT giant.

Cisco has released software updates to address this flaw; the company pointed out that there are no workarounds that fix this issue.

The Cisco PSIRT is not aware of attacks in the wild exploiting this vulnerability.

The US Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory for this flaw, urging organizations to address this vulnerability.

“CISA encourages users and administrators to review Cisco Advisory cisco-sa-sd-wan-rhpbE34A and apply the necessary updates.” states CISA’s advisory.


Supply-chain attack on NPM Package UAParser, which has millions of daily downloads

23 October 2021 at 13:03

The U.S. CISA warned of crypto-mining malware hidden in a popular JavaScript NPM library, named UAParser.js, which has millions of weekly downloads.

The U.S. Cybersecurity and Infrastructure Security Agency published an advisory to warn of the discovery of crypto-mining malware in the popular NPM package UAParser.js. The popular library has millions of weekly downloads.

“Versions of a popular NPM package named ua-parser-js were found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system.” reads the advisory. “CISA urges users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1.”

The analysis of the experts revealed that at least three tainted versions of the package were uploaded to the repository, versions 0.7.29, 0.8.0, and 1.0.0.

According to the maintainer of the library, Faisal Salman, a threat actor hijacked his NPM account to publish the infected packages.

“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary).” wrote the maintainer of the UAParser.js.

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0. I have sent a message to NPM support since I can’t seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish) so I can only deprecate them with a warning message.”

The tainted versions were replaced with clean versions 0.7.30, 0.8.1, and 1.0.1.

“The npm package ua-parser-js had three versions published with malicious code. Users of affected versions (0.7.29, 0.8.0, 1.0.0) should upgrade as soon as possible and check their systems for suspicious activity. See this issue for details as they unfold.” reads another alert published by GitHub. “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
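As an added example (not code from the article, CISA, GitHub or the ua-parser-js project), the following Python script scans a package-lock.json for the compromised ua-parser-js releases named in the advisories above, including copies nested under other dependencies, and reports the patched version to upgrade to; the lockfile contents are constructed.

```python
import json

# Compromised -> patched versions, as listed in the CISA and GitHub alerts above.
COMPROMISED = {"0.7.29": "0.7.30", "0.8.0": "0.8.1", "1.0.0": "1.0.1"}
PACKAGE = "ua-parser-js"


def find_package_versions(lock: dict, package: str = PACKAGE) -> list[tuple[str, str]]:
    """Return (install path, version) for every copy of `package` in a lockfile.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by node_modules path)
    and lockfileVersion 1 (nested "dependencies" tree). Nested copies matter:
    a transitive dependency can pin a bad version even when the top-level one is clean.
    """
    found: list[tuple[str, str]] = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name == package and "version" in meta:
                found.append((path, meta["version"]))
        return found

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == package and "version" in meta:
                found.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def assess_lockfile(lock_json: str) -> list[dict]:
    """Classify each ua-parser-js copy as compromised or clean, with the upgrade target."""
    lock = json.loads(lock_json)
    report = []
    for path, version in find_package_versions(lock):
        fixed = COMPROMISED.get(version)
        report.append({
            "path": path,
            "version": version,
            "compromised": fixed is not None,
            "upgrade_to": fixed,
        })
    return report


# Constructed sample lockfiles (not real project data); "some-widget" is a placeholder name.
SAMPLE_LOCK_V2 = json.dumps({
    "name": "example-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/ua-parser-js": {"version": "1.0.0"},
        "node_modules/some-widget": {"version": "2.3.1"},
        "node_modules/some-widget/node_modules/ua-parser-js": {"version": "0.7.28"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "some-widget": {
            "version": "2.3.1",
            "requires": {"ua-parser-js": "^0.7.29"},
            "dependencies": {"ua-parser-js": {"version": "0.7.29"}},
        },
    },
})


if __name__ == "__main__":
    for label, sample in (("v2 lockfile", SAMPLE_LOCK_V2), ("v1 lockfile", SAMPLE_LOCK_V1)):
        for entry in assess_lockfile(sample):
            state = (f"COMPROMISED -> upgrade to {entry['upgrade_to']}"
                     if entry["compromised"] else "clean")
            print(f"{label}: {entry['path']} @ {entry['version']}: {state}")
```

A hit means more than an upgrade: as the GitHub alert above states, any host that installed one of these versions should be treated as fully compromised and its secrets rotated from a different machine.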

CISA’s alert comes a few days after researchers from the security firm Sonatype uncovered crypto-mining malware hidden inside three JavaScript libraries uploaded to the official npm package repository. The three npm packages, named klow, klown, and okhsa, installed cryptocurrency miners on both Windows and Linux platforms.

The good news is that the above packages remained on the repository only for a day before they were discovered.


Facebook SSRF Dashboard allows hunting SSRF vulnerabilities

22 October 2021 at 22:05

Facebook developed a new tool that allows security experts to look for Server-Side Request Forgery (SSRF) vulnerabilities in their software.

Facebook announced that it has designed a new tool, named SSRF Dashboard, that allows security researchers to search for Server-Side Request Forgery (SSRF) vulnerabilities.

Server-side request forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain chosen by the attacker.

“In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.”

“This tool is a simple UI where researchers can generate unique internal endpoint URLs for targeting. The UI will then show the number of times these unique URLs have been hit as a result of an SSRF attempt. Researchers can leverage this tool as part of their SSRF proof of concept to reliably determine if they have been successful.” states Facebook.

SSRF Dashboard allows researchers to create unique internal endpoint URLs that could be targeted by SSRF attacks and determine if they have been hit. The tool allows researchers to test their SSRF proof-of-concept (PoC) code.

Pentesters can report any SSRF flaw to the company by including the ID of the SSRF attempt URL they used along with their PoC.

Additional information on the utility can be found here.


Groove ransomware group calls on other ransomware gangs to hit US public sector

22 October 2021 at 20:32

Groove ransomware operators call on other ransomware groups to stop competing and join forces to fight against the US.

The Groove ransomware gang is calling on other ransomware groups to attack the US public sector after a law enforcement operation shut down the infrastructure of the REvil gang.

“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.

The ransomware gang published a message in Russian language on its leak site:


The message also asks other ransomware gangs to avoid targeting Chinese companies, because China could represent a safe haven for ransomware gangs in case Russia stops tolerating ransomware operations.

“In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start fucking up the US public sector” states the message. “I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors – the Chinese!”


After the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies, the gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million).

Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cash out its profits. Moyal shared his findings with law enforcement.

Update: The Groove gang published another post

👀 more #ransomware revelations from the #Groove pic.twitter.com/EFHCfTa8ry

— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) October 22, 2021


DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown

22 October 2021 at 14:21

Darkside and BlackMatter ransomware operators have moved a large amount of their Bitcoin reserves after the recent shutdown of REvil’s infrastructure.

The gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million) after the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies.

“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.

Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cash out its profits. Moyal shared his findings with law enforcement.

“Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks,” Moyal told The Record. “At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38BTC) is stored in the following wallet: bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6.”

The expert shared the list of the wallets involved, asking exchanges to block incoming transactions from them.


Dear #bitcoin exchange platform, please block the following wallets from the incoming transactions: https://t.co/NwNiIno5mX

Attackers have split the BTC into 7 wallets with what looks like preparation to convert to other exchange or cashout somehow.

— Omri Segev Moyal (@GelosSnake) October 22, 2021

In May, the Colonial Pipeline facility in Pelham, Alabama, was hit by a cyber attack and its operators were forced to shut down its systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, covering 45 percent of the East Coast’s fuel supplies.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.

In the aftermath of the attack, the DarkSide gang shut down its operations, fearing the response of law enforcement. The group also claimed that the feds had seized part of its infrastructure and some of the wallets it was using for its operations.

Nevertheless, the gang re-launched in July with new infrastructure under the new name BlackMatter.


FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks

22 October 2021 at 11:02

The FIN7 hacking group created fake cybersecurity companies to hire experts and involve them in ransomware attacks, tricking them into believing they are conducting a pentest.

The FIN7 hacking group is attempting to enter the ransomware business, and is doing so with an interesting technique: the gang creates fake cybersecurity companies that hire experts and ask them to carry out attacks under the guise of pentesting activities.

FIN7 is a Russian criminal group that has been active since mid-2015; it focuses on the restaurant, gambling, and hospitality industries in the US to harvest financial information that is then used in attacks or sold in cybercrime marketplaces.

One of the companies created by the cyber criminal organizations with this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Security.

The Bastion Secure website is hosted on the Russian domain registrar Beget, which is popular in the Russian cybercrime communities. Most of the submenus of the site return a Russian-language HTTP 404 error, a circumstance that suggests the site creators were Russian speakers. At the time of the report, some of the HTTP 404 errors remain unfixed.

The website is a clone of the site of Convergent Network Solutions Ltd; Bastion Secure's 'About' page claims it is a spinoff of that legitimate cybersecurity firm, which has no link to the criminal gang.


FIN7, operating under the guise of Bastion Secure, published job offers for programmers (PHP, C++, Python), system administrators, and reverse engineers. The job offers for IT specialist positions ranged between $800 and $1,200 USD a month, which is a good salary for this type of position in post-Soviet states.

The gang was looking for system administrators to map out compromised companies' networks and locate sensitive data, including backups. Initial access to the target organizations was obtained through phishing attacks or by purchasing access on dark web forums.

Once inside the target network, the threat actors could then drop malware and ransomware.

“Bastion Secure offered a job offer to a Gemini source and, in the process, provided the source with files that analysts later determined were for the post-exploitation tools Carbanak and Lizar/Tirion. These two tools have been previously attributed to FIN7 and establish the link between Bastion Secure and FIN7.” reads the analysis of Gemini Advisory. “The tasks that were assigned to the Gemini source by FIN7—operating under the guise of Bastion Secure—matched the steps taken to prepare a ransomware attack, providing further evidence that FIN7 has continued to expand into the ransomware sphere.”

A Gemini source applied for one of the positions and was hired; the gang then gave the source a set of post-exploitation tools known to be part of FIN7's arsenal, namely Carbanak and Lizar/Tirion, and, under the guise of a pentesting engagement assigned by Bastion Secure, provided access to the network of a target company.

“The files provided to the source by Bastion Secure included files for a software component titled “Command Manager” that was, in fact, a disguised version of the client component of Carbanak (see image 12). Gemini determined this by analyzing the software’s functionality and concluded that it is an updated version of previously identified versions of Carbanak.” continues the expert. “The main functions of the Carbanak command manager are collecting information about an infected computer and obtaining remote access to the infected computer. The files contained an obfuscated PowerShell script that ultimately launches the Lizar/Tirion injector and payload. “

The hired "pentesters" were asked to conduct reconnaissance and gather the information needed to stage the attack, such as user and administrator account credentials and the location of backups.

“Although cybercriminals looking for unwitting accomplices on legitimate job sites is nothing new, the sheer scale and blatancy with which FIN7 operates continue to surpass the behavior shown by other cybercriminal groups. Not only is FIN7 looking for unwitting victims on legitimate job sites, but also attempting to obfuscate its true identity as a prolific cybercriminal and ransomware group by creating a fabricated web presence through a largely legitimate-appearing website, professional job postings, and company info pages on Russian-language business development sites.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks appeared first on Security Affairs.

FiveSys, a new digitally-signed rootkit spotted by Bitdefender experts

22 October 2021 at 07:50

Bitdefender researchers discovered a new rootkit named FiveSys that abuses a Microsoft-issued digital signature to evade detection.

FiveSys is a new rootkit discovered by researchers from Bitdefender, it is able to evade detection by abusing a Microsoft-issued digital signature.

Driver packages that pass Windows Hardware Lab Kit (HLK) testing can be digitally-signed by Microsoft WHQL (Windows Hardware Quality Labs). If your driver package is digitally-signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution mechanisms.

Obtaining a WHQL release signature is part of the Windows Hardware Lab Kit (HLK). A WHQL release signature consists of a digitally-signed catalog file.

Microsoft is aware that malware authors have devised a method to get their rootkits digitally signed through this process. After Bitdefender reported the discovery, Microsoft revoked the signature used by FiveSys.


In June, the company announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers that were built by a third party for certification through the Windows Hardware Compatibility Program (WHCP). One of the drivers signed by Microsoft, called Netfilter, was a malicious Windows rootkit that was spotted while connecting to a C2 in China.

The IT giant pointed out that its WHCP signing certificate was not exposed and that its infrastructure was not compromised by hackers.

The FiveSys rootkit uses the same technique to remain under the radar. It is very similar to the Undead malware and likely originates from China, where it is used to target domestic games.

The rootkit was used by threat actors to redirect internet traffic to a custom proxy server.

“The main purpose of the rootkit is to redirect internet traffic and route it to a custom proxy server. To achieve this, the driver serves locally a Proxy Autoconfiguration Script to the browser. The driver will periodically update this autoconfiguration script. The script has a list of domains/URLs for which it redirects traffic to an endpoint under the attacker’s control.” reads the report published by Bitdefender.

The rootkit is able to redirect both HTTP and HTTPS traffic; in the latter case, it installs a custom root certificate to avoid browser warnings about the unknown identity of the proxy server.

The malware maintains a list of digital signatures used to identify drivers belonging to the Netfilter and fk_undead malware families and prevents them from loading, removing competing malware from the victim's machine.

Bitdefender identified several user-mode binaries that are used to fetch and execute the malicious drivers on the target machines. According to the experts, FiveSys uses four drivers, but so far they have only detected two of them.
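A responder who recovers the PAC script served by the driver needs the proxy endpoints and the list of targeted domains without executing attacker-supplied JavaScript. The helper below is an added example (not code from Bitdefender or from the FiveSys sample): it scans the `if (...) return "...";` clauses of a PAC file for quoted host patterns and non-DIRECT proxy returns. The PAC text and hostnames are constructed for illustration and do not come from the report.

```python
"""Triage helper for a captured proxy auto-configuration (PAC) script.

Added example, not part of the Bitdefender report or the FiveSys malware:
given the text of a PAC file, list every proxy endpoint the script returns
and the host patterns routed to it, without evaluating the JavaScript.
The PAC sample below is constructed for illustration.
"""
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample: attacker-style PAC that sends a few domains to a
# proxy and everything else DIRECT (addresses are documentation ranges).
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "shop.example") || shExpMatch(host, "*.pay.example"))
        return "PROXY 203.0.113.10:8080";
    if (shExpMatch(host, "login.example.org"))
        return "PROXY 198.51.100.7:3128; DIRECT";
    return "DIRECT";
}
'''

# One `if (...) return "...";` clause at a time; DOTALL lets the condition
# span lines. The condition is never evaluated, only scanned for strings.
_CLAUSE = re.compile(r'if\s*\((.*?)\)\s*return\s*"([^"]*)"\s*;', re.DOTALL)
_QUOTED = re.compile(r'"([^"]*)"')


def extract_proxy_rules(pac_text):
    """Return {proxy_endpoint: sorted host patterns} for every non-DIRECT return."""
    rules = defaultdict(set)
    for cond, ret in _CLAUSE.findall(pac_text):
        # A return value may be a fallback list: "PROXY a:1; PROXY b:2; DIRECT".
        for entry in ret.split(";"):
            entry = entry.strip()
            if not entry or entry.upper() == "DIRECT":
                continue
            for pattern in _QUOTED.findall(cond):
                rules[entry].add(pattern)
    return {proxy: sorted(pats) for proxy, pats in rules.items()}


def _matches(host, pattern):
    # shExpMatch semantics (shell glob) or dnsDomainIs semantics (domain suffix).
    return fnmatch(host, pattern) or host == pattern or host.endswith("." + pattern)


def hosts_redirected(pac_text, hosts):
    """Subset of `hosts` that the script would hand to a proxy, in input order."""
    patterns = [p for pats in extract_proxy_rules(pac_text).values() for p in pats]
    return [h for h in hosts if any(_matches(h, p) for p in patterns)]


if __name__ == "__main__":
    for proxy, patterns in extract_proxy_rules(SAMPLE_PAC).items():
        print(proxy, "<-", ", ".join(patterns))
    print(hosts_redirected(SAMPLE_PAC, ["www.shop.example", "news.example", "api.pay.example"]))
```

The extracted proxy endpoints are the indicators to block and hunt for in proxy and DNS logs; the host patterns tell you which of your users' sessions (banking, game logins) were being routed through the attacker. Because the driver updates the script periodically, re-run the extraction on each version you recover.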

“It also has an estimated four drivers, but in our research, we only managed to isolate two:

  • PacSys(PC.sys) is responsible for delivering the proxy autoconfiguration script (the *.PAC file, hence the name probably).
  • Up.sys downloads an executable and starts it using an embedded dll which it injects from kernel mode.
    Both drivers can protect the other module too, and reinstall it if it gets deleted.
  • Even though, technically speaking, the malware families are not among the sophisticated ones, the fact that they abuse digital signatures in this manner seriously undermines the credibility of this protection mechanism.”

To minimize the chance of a C2 takedown, the rootkit carries a built-in list of 300 randomly generated domains on the “.xyz” TLD, stored in encrypted form inside the binary.

Upon contacting the C2, the rootkit will select a random domain from the list, each such domain having several DNS A records.

The paper published by Bitdefender also includes indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post FiveSys, a new digitally-signed rootkit spotted by Bitdefender experts appeared first on Security Affairs.

Evil Corp rebrands their ransomware, this time is the Macaw Locker

21 October 2021 at 22:40

Evil Corp cybercrime gang is using a new ransomware called Macaw Locker to evade US sanctions that prevent victims from paying the ransom.

Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.

Bleeping Computer, citing Emsisoft CTO Fabian Wosar, reported that the Macaw Locker ransomware is the latest rebrand of Evil Corp. The Macaw Locker ransomware encrypts victims’ files and appends the .macaw extension to the names of the encrypted files. The malware drops ransom notes (macaw_recover.txt) in each folder; the note includes the link to a unique victim negotiation page.

The Evil Corp cybercrime group (aka Indrik Spider, the Dridex gang, and TA505) has been active since 2007. The group started its operations by developing and distributing the infamous Dridex banking Trojan, then switched to ransomware operations, infecting victims’ networks with the BitPaymer ransomware.

In 2019, the U.S. Department of Justice (DoJ) charged Russian citizens Maksim V. (32) and Igor Turashev (38) with distributing the infamous Dridex banking Trojan and with involvement in international bank fraud and computer hacking schemes.

The US Government sanctioned Evil Corp, which exposes victims, and the ransomware negotiation firms that facilitate payments on their behalf, to sanctions risk if they pay the group.

To evade these sanctions, Evil Corp has launched several ransomware operations under different names, using strains such as WastedLocker, Hades, Phoenix Locker, and PayloadBin.

The Macaw Locker was recently involved in attacks against Olympus and the Sinclair Broadcast Group.

An example of real-world consequences from the ransoming of Sinclair Broadcasting Group.

The group behind the attack is Evil Corp. and their new "Macaw Locker". https://t.co/iNJgnCvK5q

— vx-underground (@vxunderground) October 21, 2021

Bleeping Computer also reported that Macaw Locker operators demanded ransoms of $28 million and $40 million in Bitcoin in two separate attacks against unnamed companies.

Experts speculate that after the exposure of the Macaw Locker operation, Evil Corp will rebrand their ransomware again.


Pierluigi Paganini

(SecurityAffairs – hacking, Macaw Locker)

The post Evil Corp rebrands their ransomware, this time is the Macaw Locker appeared first on Security Affairs.

A flaw in WinRAR could lead to remote code execution

21 October 2021 at 20:10

A vulnerability in WinRAR, the popular trialware file archiver utility for Windows, could be exploited by a remote attacker to compromise a system.

Positive Technologies researcher Igor Sak-Sakovskiy discovered a remote code execution vulnerability, tracked as CVE-2021-35052, in the popular WinRAR trialware file archiver utility for Windows.

The vulnerability was found in the trial version of the utility, specifically version 5.70.

“This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. This can be used to achieve Remote Code Execution (RCE) on a victim’s computer. It has been assigned the CVE ID – CVE-2021-35052.” reads the post published by Sak-Sakovskiy. “We found this vulnerability by chance, in WinRAR version 5.70.”

The researcher installed the software and noticed that it was producing a JavaScript error; the specific error message indicates that the Internet Explorer engine is rendering the error window.

After a series of tests, the researcher noticed that once the trial period had expired, the software displayed the error message roughly one time in three executions. The window is rendered through the mshtml.dll implementation for Borland C++, the compiler WinRAR is built with.

The researcher then configured Burp Suite as the default Windows proxy to intercept the traffic generated when the message is displayed.

The analysis of the response sent when WinRAR alerts the user about the end of the free trial period via “notifier.rarlab[.]com” revealed that changing it to a “301 Moved Permanently” redirect causes the redirection to a malicious domain to be cached for every subsequent request. An attacker on the same network segment can use ARP spoofing to intercept and modify these responses, and the attacker-controlled content rendered by the embedded browser engine can then be abused to launch applications, retrieve local host information, and run arbitrary code.

“Next, we attempted to modify intercepted responses from WinRAR to the user. Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.” continues the expert.
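The persistence of the attack comes from the redirect cache, not from the single tampered response. The toy client below is an added example, not WinRAR's code or anything from the Positive Technologies write-up: it models a redirect-following client that, like the embedded browser engine, remembers 301 responses, and runs the sequence described above against a constructed dictionary of canned responses so it works offline. The hardened variant, which only follows redirects to HTTPS hosts on an allow-list, is one possible mitigation shown for contrast and is not WinRAR's actual fix.

```python
"""Why a cached 301 on an unauthenticated notifier request is dangerous.

Added example, not code from WinRAR or the Positive Technologies research.
The 'network' is a dict of canned responses (constructed), so it runs
offline. One tampered reply is enough to pin every later request to
attacker.com, even after the man-in-the-middle has stopped.
"""
from urllib.parse import urlsplit

NOTIFIER = "http://notifier.rarlab.com/notify"   # host named in the research; path assumed
ATTACKER = "http://attacker.com/notify"          # attacker domain from the write-up


class RedirectCachingClient:
    """Follows redirects and, like many browser engines, remembers 301s."""

    def __init__(self, network, allowed_hosts=None):
        self.network = network              # url -> (status, headers, body)
        self.redirects = {}                 # url -> cached 301 target
        self.allowed_hosts = allowed_hosts  # None = vulnerable behaviour

    def get(self, url, hops=0):
        url = self.redirects.get(url, url)  # a cached 301 wins without touching the network
        status, headers, body = self.network[url]
        if status in (301, 302, 307, 308) and hops < 5:
            target = headers["Location"]
            if not self._redirect_allowed(target):
                raise ValueError(f"refusing redirect {url} -> {target}")
            if status == 301:
                self.redirects[url] = target   # permanent: cached for the session
            return self.get(target, hops + 1)
        return body

    def _redirect_allowed(self, target):
        if self.allowed_hosts is None:      # vulnerable: trust any Location header
            return True
        t = urlsplit(target)                # hardened: HTTPS and an allow-listed host only
        return t.scheme == "https" and t.hostname in self.allowed_hosts


def scenario(harden):
    """Run the attack sequence; return the body the final, un-tampered request receives."""
    honest = {NOTIFIER: (200, {}, "<html>trial expired</html>")}
    tampered = {
        NOTIFIER: (301, {"Location": ATTACKER}, ""),
        ATTACKER: (200, {}, "<html><script>/* attacker content */</script></html>"),
    }
    client = RedirectCachingClient(dict(honest),
                                   allowed_hosts={"notifier.rarlab.com"} if harden else None)
    client.get(NOTIFIER)                    # 1. normal request, nothing cached
    client.network.update(tampered)         # 2. attacker on the LAN rewrites one reply
    try:
        client.get(NOTIFIER)
    except ValueError:
        pass                                # hardened client refuses the hop
    client.network.update(honest)           # 3. MITM stops; the real server answers again
    return client.get(NOTIFIER)             # 4. where does the client go now?


if __name__ == "__main__":
    print("vulnerable:", scenario(harden=False))
    print("hardened:  ", scenario(harden=True))
```

In the vulnerable run the fourth request never reaches notifier.rarlab.com: the cached 301 sends it to attacker.com, whose HTML is then rendered by the same engine. The allow-list check stops the redirect before it is cached, which is why the hardened run still sees the genuine response.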


Experts pointed out that vulnerabilities in third-party software pose serious risks to organizations, they can be exploited to access any resource of the system and potentially of the network hosting it.

“It’s impossible to audit every application that could be installed by a user and so policy is critical to managing the risk associated with external applications and balancing this risk against the business need for a variety of applications. Improper management can have wide reaching consequences.” concludes the post.


Pierluigi Paganini

(SecurityAffairs – hacking, WinRAR)

The post A flaw in WinRAR could lead to remote code execution appeared first on Security Affairs.

Administrators of bulletproof hosting sentenced to prison in the US

21 October 2021 at 15:17

The United States Department of Justice sentenced two individuals that were providing bulletproof hosting to various malware operations.

The United States Department of Justice sentenced to prison two individuals involved in providing bulletproof hosting to various malware operations, including Citadel, SpyEye, Zeus, and the Blackhole exploit kit.

The two individuals, Aleksandr Skorodumov (33) of Lithuania and Pavel Stassi (30) of Estonia, administered the bulletproof hosting service between 2009 and 2015.

The duo, along with Russian nationals Aleksandr Grichishkin and Andrei Skvortsov, ran an organization that offered bulletproof hosting: they rented attack infrastructure (IP addresses, servers, and domains) to crooks who used it to spread multiple malware families and conduct other malicious activities.

The defendants helped their clients evade detection by monitoring the sites used to blocklist infrastructure associated with crime. Every time content was flagged as malicious, the defendants moved it to new infrastructure and registered it using false or stolen identities.

Skvortsov was responsible for the marketing activity of the group, while Grichishkin was the organization’s day-to-day leader and oversaw its personnel.

Skorodumov was one of the organization’s lead systems administrators, he configured and managed the clients’ domains and IP addresses, provided technical assistance to help clients optimize their malware and botnets.

Stassi conducted several administrative tasks for the group, such as registering webhosting and financial accounts using stolen and/or false personal information.

Skorodumov was sentenced to 48 months in prison and Stassi to 24 months in prison.

Grichishkin and Skvortsov are pending sentencing and have already pleaded guilty, both face up to 20 years in prison.

“Every day, transnational organized cybercriminals deploy malware that ravages our economy and victimizes our citizens and businesses,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “The criminal organizations that purposefully aid these actors — the so-called bulletproof hosters, money launderers, purveyors of stolen identity information, and the like — are no less responsible for the harms these malware campaigns cause, and we are committed to holding them accountable. Prosecutions like this one increase the costs and risks to cybercriminals and ensure that they cannot evade responsibility for the enormous injuries they cause to victims.”


Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

The post Administrators of bulletproof hosting sentenced to prison in the US appeared first on Security Affairs.

US Bureau of Industry and Security bans export of hacking tools to authoritarian regimes

21 October 2021 at 07:17

The Commerce Department’s Bureau of Industry and Security (BIS) would ban U.S. firms from selling hacking tools to authoritarian regimes.

The Commerce Department’s Bureau of Industry and Security (BIS) would introduce a new export control rule aimed at banning the export or resale of hacking tools to authoritarian regimes. 

The rule announced by the BIS tightens export controls on technology that could be used by adversaries to conduct malicious cyber activities and surveillance of private citizens resulting in human rights abuse.

The rule will become effective in 90 days and controls the export of “cybersecurity items” for National Security (NS) and Anti-terrorism (AT) reasons.

“Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” reads the announcement published by the Bureau of Industry and Security, Commerce.

The new License Exception Authorized Cybersecurity Exports would allow the export, reexport and transfer (in-country) of ‘cybersecurity items’ to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern.  The license will be required for those countries subject to a U.S. arms embargo.

The countries that still require a license are those of weapons of mass destruction or national security concern, and those subject to a U.S. arms embargo.

The rule is consistent with the result of BIS’s negotiations in the Wassenaar Arrangement (W.A.) multilateral export control regime and results from a review of comments from Congress, the private sector, academia, civil society, and other stakeholders.

U.S. Secretary of Commerce Gina M. Raimondo explained that the new rule aims to prevent the use of this technology by threat actors who could target US computer networks and threaten U.S. national security.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights. The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.” said U.S. Secretary of Commerce Raimondo.


Pierluigi Paganini

(SecurityAffairs – hacking, Bureau of Industry and Security)

The post US Bureau of Industry and Security bans export of hacking tools to authoritarian regimes appeared first on Security Affairs.

Top 5 Attack Vectors to Look Out For in 2022

21 October 2021 at 06:11

Threat actors are continually looking for better ways to target organizations, here are the top five attack vectors to look out for in 2022.

Malicious actors are continually looking for better ways to carry out successful cyber attacks. Whether motivated by a potential payday or the ability to access confidential information, cybercriminals have plenty of incentive to focus on what works best in achieving their goals. This article focuses on the top five attack vectors organizations should look out for and defend against in 2022.

1. Phishing

Phishing techniques use social engineering to trick victims into taking an action that helps an attacker compromise your network or access your sensitive information assets. Fraudulent emails purporting to be from authoritative company sources are the main phishing attacks that employees fall victim to. These emails persuade employees to reveal passwords for important applications or download malicious files to their devices.

Some threat actors carry out phishing attacks using social media and networking platforms, such as Twitter or LinkedIn. Phishing scams remain such a widely used attack vector because of their efficiency. The potential rewards for very little effort make phishing scams highly attractive attack vectors requiring minimal technical knowledge.

Some phishing scams target particular individuals because of their close proximity to sensitive information or because those individuals are likely to have administrative access to network resources. Some phishing scams are so convincing that they can fool even seasoned security professionals. A solid defense against phishing requires a dual approach of employee awareness and an anti-phishing email filtering solution.

2. Stolen Credentials

Stolen credentials continue to cause problems for businesses of all sizes. A 2021 report on data breaches found that stolen credentials were the initial attack vector used in 61 percent of breaches. Using stolen passwords is an easy way to masquerade as a genuine user and access sensitive information or infiltrate deeper into your network.

It’s straightforward for threat actors to purchase bulk lists of stolen username-password credentials on the dark web. Other attack vectors such as phishing emails can be used to trick employees into disclosing their passwords, which cybercriminals then use to access your network.

The problems posed by stolen credentials stem from a perfect storm of poor password hygiene and weak identity and access management controls. Employees regularly reuse their passwords across multiple applications and services, which means that a single stolen password could provide an easy entry route into your network. Many organizations provide excessive access privileges to users, which worsens the impact of a credential compromise by giving hackers access to administrative functions or critical systems.

3. API Exploits

Organizations can create new opportunities for growth through the use of APIs, which integrate their applications and service with other resources in the wider digital ecosystem. APIs facilitate communication between different apps and services. The use of APIs has become so widespread that many technologists say we’re living in an API economy.

Ever on the lookout for new opportunities to get their hands on sensitive data, many threat actors realize that the proliferation of APIs may work to their advantage. Traditional perimeter-focused security controls often fail to detect API abuse, so many organizations remain open to a breach or data exfiltration via APIs. An API security checklist of best practices and considerations can help close off your APIs as an attack vector.

4. Remote Technology

The speed at which cyber attacks exploiting remote technology increased during the Covid-19 pandemic serves as a telling example of how threat actors dynamically adapt the attack vectors they use in response to changing conditions. A 2020 report found that 20 percent of organizations experienced a security breach due to remote work.

The technologies used by organizations to facilitate remote work include virtual private network (VPN) connections and remote desktop protocol (RDP). These technologies let employees access business applications and resources from outside the physical location of their place of work.

While the use of remote technology will likely reduce over time compared to at the height of the pandemic, it’s clear that remote work is here to stay in some capacity. Opportunistic threat actors know that with remote work not going away, there will be chances to gain entry to corporate networks by exploiting RDP and VPN connections.

An actionable way to defend against remote access threats is to require multi-factor authentication (MFA) for these connections. MFA requires users to provide another category of evidence that verifies their identity in addition to the standard username-password combination they use to log in. These distinct pieces of evidence can include a one-time password or a fingerprint scan.

5. IoT Devices

IoT devices include wearable devices, coffee makers, sensors, and cameras, all of which connect to the Internet. Many organizations don’t have visibility into all of their IoT devices. Furthermore, it’s common for IoT devices to use default credentials that hackers can easily guess.

IoT devices are veritable storehouses of data about the environment they are in and the people that use them. A cyber attack on an IoT device could also be the initial entry point from which a hacker accesses your wider network and installs ransomware that locks down key systems.

Organizations need a serious approach to secure their IoT infrastructures, including:

  • Full device visibility
  • Changing default usernames and passwords
  • Using strong passwords
  • Segmenting the network so that an IoT compromise can’t spread to key IT systems and assets
  • Updating IoT devices promptly

Conclusion

As we come into 2022, get your organization ready to combat these top five cyber attack vectors. Each of them calls for its own defense strategy to limit the chances of malicious threat actors successfully leveraging them to access or disrupt your valuable data and services.


About the Author: Ronan Mahony is a freelance content writer mostly focused on cybersecurity topics. He likes breaking down complex ideas and solutions into engaging blog posts and articles. He’s comfortable writing about other areas of B2B technology, including machine learning and data analytics. He graduated from University College Dublin in 2013 with a degree in actuarial science, however, he followed his passion for writing and became a freelance writer in 2016. He currently also works with Bora. In his spare time, Ronan enjoys hiking, solo travel, and cooking Thai food.


Pierluigi Paganini

(SecurityAffairs – hacking, attack vectors)

The post Top 5 Attack Vectors to Look Out For in 2022 appeared first on Security Affairs.

YouTube creators’ accounts hijacked with cookie-stealing malware

20 October 2021 at 22:56

Cookie-stealing malware has been employed in phishing attacks against YouTube creators, Google’s Threat Analysis Group (TAG) warns.

Financially motivated threat actors have been using cookie-stealing malware in phishing attacks against YouTube creators since late 2019. According to Google’s Threat Analysis Group (TAG) researchers, who spotted the campaign, the attacks were launched by multiple hack-for-hire actors recruited on Russian-speaking forums. TAG published the job descriptions used to recruit the hackers.

The hackers used fake collaboration opportunities (e.g. a demo for anti-virus software, a VPN, a music player, photo editing software or online games) to hijack the channels of YouTube creators. Once they hijacked a channel, the attackers either sold it to the highest bidder or used it in cryptocurrency scam schemes.

Hijacked channels sold for between $3 and $4,000 USD depending on the number of subscribers.

The malware landing page is disguised as a software download URL that was sent via email or a PDF on Google Drive, or via Google documents containing the phishing links. The researchers identified around 15,000 actor accounts, most of which were created for this campaign.

Experts also observed the attackers moving targets to messaging apps like WhatsApp, Telegram or Discord, because Google is able to neutralize phishing attempts delivered via Gmail.

Upon running the fake software, a cookie stealing malware will be executed. The malware steals the browser cookies from the infected machine and sends them to C2 servers. Experts noticed that all the malware involved in this campaign runs in a non-persistent mode.

Some of the malicious codes used in this campaign are RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, along with open-source malware like Sorano and AdamantiumThief.

Once delivered on the targets’ systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims’ accounts in pass-the-cookie attacks.

“While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics,” said Ashley Shen, a TAG Security Engineer.
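The reason a stolen cookie sidesteps MFA is that, after login, the session cookie is the credential the server trusts; it is never re-challenged. The store below is an added example, not Google's code or anything from the TAG report: it shows the naive lookup that pass-the-cookie exploits beside a bound variant that ties the session to the client context it was issued from and expires idle sessions. The binding material (user agent plus a coarse network prefix), the user names and the timestamps are assumptions constructed for the demo.

```python
"""Pass-the-cookie, and one server-side countermeasure.

Added example, not code from Google or from the TAG report. A minimal
session store shows why a stolen session cookie sidesteps the password
and MFA (the cookie *is* the post-login credential), and how binding the
session to the client context it was issued from, plus a short idle
timeout, limits what an exfiltrated cookie buys the attacker.
Names, contexts and timestamps are constructed for the demo.
"""
import hmac
import secrets
from hashlib import sha256

IDLE_TIMEOUT = 15 * 60          # seconds before an unused session dies (assumed policy)


class SessionStore:
    def __init__(self, server_key):
        self.key = server_key
        self.sessions = {}      # cookie -> {"user", "binding", "last_seen"}

    def _binding(self, ctx):
        """Keyed fingerprint of the client context; assumed material is the
        user agent plus a coarse network prefix (a real deployment would choose
        its own signals, and a device-bound credential is stronger still)."""
        material = f"{ctx['user_agent']}|{ctx['ip_prefix']}".encode()
        return hmac.new(self.key, material, sha256).hexdigest()

    def login(self, user, mfa_ok, ctx, now):
        """Password and MFA are checked here; the cookie is what the browser keeps."""
        if not mfa_ok:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "binding": self._binding(ctx), "last_seen": now}
        return cookie

    def user_for(self, cookie, ctx, now, bind=True):
        """Resolve a cookie to a user. bind=False is the naive behaviour that
        pass-the-cookie exploits; bind=True refuses a cookie replayed from a
        different client context or after the idle timeout, and revokes it."""
        s = self.sessions.get(cookie)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[cookie]       # expired: the exfiltrated cookie is worthless
            return None
        if bind and not hmac.compare_digest(s["binding"], self._binding(ctx)):
            del self.sessions[cookie]       # replay from elsewhere: kill the session
            return None
        s["last_seen"] = now
        return s["user"]


def demo():
    """Returns (naive_result, bound_result, stale_result) for a stolen cookie."""
    store = SessionStore(secrets.token_bytes(32))
    victim_ctx = {"user_agent": "Chrome/94", "ip_prefix": "198.51.100"}
    thief_ctx = {"user_agent": "Firefox/93", "ip_prefix": "203.0.113"}
    t0 = 1_634_770_000
    cookie = store.login("creator@example", mfa_ok=True, ctx=victim_ctx, now=t0)

    # The stealer exfiltrates `cookie`; the attacker replays it from another machine.
    naive = store.user_for(cookie, thief_ctx, t0 + 60, bind=False)  # accepted, MFA never asked
    bound = store.user_for(cookie, thief_ctx, t0 + 60, bind=True)   # rejected and revoked

    fresh = store.login("creator@example", mfa_ok=True, ctx=victim_ctx, now=t0)
    stale = store.user_for(fresh, victim_ctx, t0 + IDLE_TIMEOUT + 1)  # too old, even for the owner
    return naive, bound, stale


if __name__ == "__main__":
    print(demo())   # ('creator@example', None, None)
```

Binding to a network prefix is coarse and will log out legitimate users who roam between networks; it is shown here to make the mechanism concrete. The practical points are the ones the defence rests on: short-lived sessions, re-authentication before sensitive actions such as changing channel ownership, and revoking every session as soon as a stealer infection is suspected.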

“Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution.” reads the analysis published by Google TAG.

Google shared its findings with the FBI and published indicators of compromise for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, YouTube creators)

The post YouTube creators’ accounts hijacked with cookie-stealing malware appeared first on Security Affairs.

PurpleFox botnet variant uses WebSockets for more secure C2 communication

20 October 2021 at 20:24

Researchers warn of a new evolution of the PurpleFox botnet, operators included exploits and leverage WebSockets for C2 communication.

Researchers from Trend Micro have documented a recent evolution of the PurpleFox botnet: the experts discovered a new .NET backdoor, dubbed FoxSocket, that is closely associated with the PurpleFox operation.

Its operators have added new exploits and payloads, according to the experts, the new variant leverages WebSockets to implement more secure C2 bidirectional communication.


The new variant has so far been employed in attacks aimed at users in the Middle East. The analysis of the C2 infrastructure revealed that the most notable activity is in the US, Turkey, UAE, Iraq, and Saudi Arabia.

The attack chain starts with the execution of PowerShell commands that fetch a malicious payload from URLs associated with multiple compromised servers. Most of the servers are located in China and belong to the infrastructure of the PurpleFox botnet.

The payload fetched by the PowerShell stage targets 64-bit systems; it is a long script consisting of three components:

  1. Tater (Hot Potato – privilege escalation)
  2. PowerSploit
  3. Embedded exploit bundle binary (privilege escalation)

When executed, the script checks the Windows version of the targeted host and whether patches for the following vulnerabilities are present:

  • Windows 7/Windows Server 2008 [CVE-2020-1054 (KB4556836, KB4556843), CVE-2019-0808 (KB4489878, KB4489885, KB2882822)]
  • Windows 8/Windows Server 2012 [CVE-2019-1458 (KB4530702, KB4530730)]
  • Windows 10/Windows Server 2019 [CVE-2021-1732 (KB4601354, KB4601345, KB4601315, KB4601319)]

“After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command.” reads the analysis published by TrendMicro. “The goal is to install the MSI package as an admin without any user interaction.”

The MSI package first removes registry keys associated with the old Purple Fox installations if any are present, then it replaces the components of the malware with new ones.

The package also sets two registry values under the key “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager” and runs a .vbs script that creates a Windows firewall rule to block incoming connections on ports 135, 139, and 445. 

The final backdoor is a DLL file protected by VMProtect.

The installer also uses a rootkit driver that hides its files, registry keys, and processes, to avoid detection.
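The patch check and the firewall rule described above both leave something a defender can look for. The following PowerShell script is an added example, not TrendMicro's analysis code or anything from the malware: it reports which of the listed CVEs have none of their fixing KBs installed on the local host, and lists inbound block rules covering ports 135, 139 or 445. The mapping of the article's OS families to version numbers (6.1, 6.2, 10.0) is my assumption, and the function names are mine.

```powershell
# Added example (not from the article or the malware). Requires PowerShell 3+ with
# the NetSecurity module (Windows 8 / Server 2012 and later).

# CVE -> fixing KBs, exactly as listed in the article. The OS-family -> version-number
# mapping is an assumption: 6.1 = Win7/2008 R2, 6.2 = Win8/2012, 10.0 = Win10/2019.
$PatchMap = @{
    '6.1'  = @{ 'CVE-2020-1054' = 'KB4556836','KB4556843'
                'CVE-2019-0808' = 'KB4489878','KB4489885','KB2882822' }
    '6.2'  = @{ 'CVE-2019-1458' = 'KB4530702','KB4530730' }
    '10.0' = @{ 'CVE-2021-1732' = 'KB4601354','KB4601345','KB4601315','KB4601319' }
}

function Get-MissingPurpleFoxPatches {
    # Win32_OperatingSystem reports the true version even from a non-manifested process.
    $ver = (Get-CimInstance Win32_OperatingSystem).Version      # e.g. "10.0.19041"
    $key = (($ver -split '\.')[0..1]) -join '.'
    if (-not $PatchMap.ContainsKey($key)) { return @() }
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing = @()
    foreach ($cve in $PatchMap[$key].Keys) {
        # Patched if at least one of the fixing KBs is installed. Caveat: later cumulative
        # updates supersede these KBs, so a hit here is a prompt to verify, not proof of exposure.
        $hit = $PatchMap[$key][$cve] | Where-Object { $installed -contains $_ }
        if (-not $hit) { $missing += $cve }
    }
    return $missing
}

function Get-SmbBlockRules {
    # Inbound block rules whose local port is 135, 139 or 445, i.e. the effect of the .vbs
    # script described above. Legitimate hardening looks identical, so review the rule
    # name and creation context before treating a match as an indicator.
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
      ForEach-Object {
        $rule  = $_
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        if ($ports | Where-Object { $_ -in '135','139','445' }) {
            [pscustomobject]@{ Name = $rule.Name; DisplayName = $rule.DisplayName; LocalPort = ($ports -join ',') }
        }
      }
}

$missing = Get-MissingPurpleFoxPatches
if ($missing) { Write-Warning "No fixing KB found for: $($missing -join ', ')" }
Get-SmbBlockRules | Format-Table -AutoSize
```

Port ranges such as "135-139" are not matched by the exact comparison above; extend the check if your environment uses range-based rules.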

This variant stands out for its use of WebSockets for C2 communications.

“Afterward, the client will try to send the property PublicKey, which will be used at the C&C side on another ECDiffieHellmanCng object to generate a shared secret agreement. Eventually, this data will be sent on the WebSocket as the first key exchange message.” continues the analysis. “However, instead of sending it in cleartext, the client deploys a symmetric AES encryption for any communication over the WebSocket for the first exchange, as no shared secret is established yet, and the AES encryption will generate a default key for this first exchange.”

TrendMicro observed the following WebSocket commands and noted that there are minor differences between variants.

Command code   Functionality
20             Sends the current date on the victim machine
30             Leaks DriveInfo.GetDrives() results for all the drives
40             Leaks DirectoryInfo() results for a specific directory
50             Leaks FileInfo() results for a specific file
60             Recursive directory search
70             Executes WMI queries – ManagementObjectSearcher()
80             Closes the WebSocket session
90             Exits the process
100            Spawns a new process
110            Downloads more data from a specific URL to the victim machine
120            DNS lookup from the victim machine
130            Leaks specific file contents from the victim machine
140            Writes new content to a specific location
150            Downloads data, then writes it to a specific file
160            Renegotiates the session key for symmetric encryption
180            Gets the current process ID/name
210            Returns the configuration parameters of the backdoor
220            Kills the process, then starts a new process with a different config
230            Kills a specific process by PID
240            Queries internal backdoor object properties
260            Leaks hashes of specific requested files
270            Kills a list of PIDs
280            Deletes a list of requested files/directories
290            Moves a list of files/directories to another location
300            Creates a new directory at a specific location

Researchers from TrendMicro also shared a list of Indicators of Compromise for this threat.

Pierluigi Paganini
