According to cybersecurity firm SEKOIA, at least seven notable cybergangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families.

Cybergang boasting use of Aurora along Raccoon - Source: SEKOIA

 

The reason for this sudden rise in Aurora’s popularity is its low detection rates and general unknown status, making its infections less likely to be detected.

Simultaneously, Aurora offers advanced data-stealing features and presumably infrastructural and functional stability.

Aurora history

Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features.

As KELA reported earlier this year, Aurora’s author was looking to form a small team of testers to ensure the final product is good enough.

However, in late August 2022, SEKOIA noticed that Aurora was advertised as a stealer, so the project abandoned its goal of creating a multi-function tool.

The highlight features listed in the promotional posts are:

• Polymorphic compilation that doesn’t require crypter wrapping
• Server-side data decryption
• Targets over 40 cryptocurrency wallets
• Automatic seed phrase deduction for MetaMask
• Reverse lookup for password collection
• Runs on TCP sockets
• Communicates with C2 only once, during license check
• Fully native small payload (4.2 MB) requiring no dependencies

The above features are geared towards high-level stealthiness, which is the main advantage of Aurora over other popular info-stealers.

The cost to rent the malware was set to $250 per month or $1,500 for a lifetime license.

Stealer analysis

Upon execution, Aurora runs several commands through WMIC to collect basic host information, snaps a desktop image, and sends everything to the C2.

Commands Aurora executes upon launch - Source: SEKOIA

 

Next, the malware targets data stored in multiple browsers (cookies, passwords, history, credit cards), cryptocurrency browser extensions, cryptocurrency wallet desktop apps, and Telegram.

The targeted desktop wallet apps include Electrum, Ethereum, Exodus, Zcash, Armory, Bytecoin, Guarda, and Jaxx Liberty.

All stolen data is bundled in a single base64-encoded JSON file and exfiltrated to the C2 through TCP ports 8081 or 9865.

SEKOIA reports they couldn’t confirm the existence of a working file grabber as the author of the malware promises.

However, the analysts observed Aurora’s malware loader that uses “net_http_Get” to drop a new payload onto the filesystem using a random name and then use PowerShell to execute it.

The payload loader function - Source: SEKOIA

Current distribution

Currently, Aurora is distributed to victims via various channels, which is to be expected considering the involvement of seven distinct operators.

SEKOIA noticed cryptocurrency phishing sites promoted via phishing emails and YouTube videos that link to fake software and cheat catalog sites.

One of the sites used for malware distribution - Source: BleepingComputer

 

For a complete list of the IoCs (indicators of compromise) and sites used for Aurora distribution, check SEKOIA’s GitHub repository.

Source

The defendants, 37-year-olds Sergei Potapenko and Ivan Turõgin, are accused of defrauding hundreds of thousands of victims together with four other co-conspirators residing in Estonia, Belarus, and Switzerland between December 2013 and August 2019.

They allegedly funneled victims' funds through a complex network of shell companies, bank accounts, virtual asset services, and cryptocurrency wallets designed to help them launder the money.

Starting in December 2013, they ran a company named HashCoins OÜ that imported and assembled other companies' cryptocurrency mining hardware instead of manufacturing its own, as advertised.

After failing to deliver equipment paid in advance and to avoid refunding payments, the defendants tricked customers who had already paid for mining hardware into signing up for remote mining contracts (cloud mining) through a new cryptocurrency mining service they called HashFlare (launched in February 2015).

Those who agreed to the scheme were promised to receive "rights under mining contracts entitling the customer to a percentage of profits" from a pooled remote mining operation, according to the indictment.

Instead, Potapenko and Turõgin operated HashFlare as a massive Ponzi scheme where the currency returns and balances were fraudulent.

"To conceal this fact, when investors submitted requests to withdraw their mining proceeds, defendants either resisted making payments or paid off the investors using virtual currency defendants had simply purchased on the open market, as opposed to currency generated by genuine mining operations," court documents say.

Revolutionary digital crypto-banking

Last but not least, they also started a new company in Estonia called Polybius Foundation OÜ (aka Polybius Bank) and invited potential investors to fund the projects through an "initial coin offering" (ICO) in exchange for virtual tokens known as Polybius tokens (PLBT), as part of a "real revolution in the world of digital crypto-banking."

After two weeks, a Polybius press release claimed that "the ICO has raised about $17 million from over 14250 participants," with over $6 million in under three days, thus "meeting the requirements to receive a European banking license."

In all, they managed to raise more than $31 million from third-party investors (according to FBI's HashFlare investigation), funds that were transferred to the defendants' bank accounts and virtual currency wallets instead of being used to fund Polybius Bank. They never paid the investors any dividends and never formed a bank.

Instead, the fraudulently obtained funds were used to buy at least 75 real estate properties, luxury vehicles, fill their cryptocurrency wallets, and invest in thousands of cryptocurrency mining machines.

"The size and scope of the alleged scheme is truly astounding. These defendants capitalized on both the allure of cryptocurrency, and the mystery surrounding cryptocurrency mining, to commit an enormous Ponzi scheme," said U.S. Attorney Nick Brown.

"They lured investors with false representations and then paid early investors off with money from those who invested later. They tried to hide their ill-gotten gain in Estonian properties, luxury cars, and bank accounts and virtual currency wallets around the world. U.S. and Estonian authorities are working to seize and restrain these assets and take the profit out of these crimes."

The two are charged with 16 counts of wire fraud, one count of conspiracy to commit money laundering, and conspiracy to commit wire fraud.

If convicted, each of them faces a maximum penalty of 20 years in prison.

The apps do not carry the malicious payload upon installation to evade detection when submitted on Google Play but instead fetch it later from a remote resource.

Because the trojan apps are file managers, it’s less likely to raise suspicions when requesting dangerous permissions for loading the Sharkbot malware.

Fake file managers infect Android

Sharkbot is a dangerous malware that attempts to steal online bank accounts by displaying fake login forms over legitimate login prompts in banking apps. When a user attempts to log in to their bank using one of these fake forms, the credentials are stolen and sent to the threat actors.

The malware has constantly been evolving, appearing on the Play Store under various guises or loaded from trojan apps.

In a new report by Bitdefender, analysts discovered the new Android trojan apps disguised as file managers and reported them to Google. All of them have since been removed from the Google Play Store.

However, many users who downloaded them previously may still have them installed on their phones or still suffer from undiscovered remnant malware infections.

The first malicious app is ‘X-File Manager’ by Victor Soft Ice LLC (com.victorsoftice.llc), downloaded 10,000 times via Google Play before Google eventually removed it.

X-File Manager on Google Play (Bitdefender)

 

The app performs anti-emulation checks to evade detection and will only load Sharkbot on Great British or Italian SIMs, so it’s part of a targeted campaign.

The list of mobile bank apps targeted by the malware is displayed below, but as Bitdefender notes, the threat actors can remotely update this list anytime.

Banks targeted by this Sharkbot campaign (Bitdefender)

 

Bitdefender’s telemetry data reflects the narrow targeting of this campaign, as most victims of the particular Sharkbot distribution wave are located in the United Kingdom, followed by Italy, Iran, and Germany.

The malicious app requests the user to grant risky permissions like reading and writing external storage, installing new packages, accessing account details, deleting packages (to wipe traces), etc.

However, these permissions appear normal and expected in the context of file management apps, so users are less likely to treat the request with caution.

Sharkbot is fetched as a fake program update, which X-File Manager prompts the user to approve before installing.

The second malicious app that installs the banking trojan is ‘FileVoyager’ by Julia Soft Io LLC (com.potsepko9.FileManagerApp), downloaded 5,000 times via Google Play.

FileVoyager on Google Play (Bitdefender)

 

FileVoyager features the same operational pattern as X-File Manager and targets the same financial institutions in Italy and the UK.

Another Sharkbot loading app spotted by Bitdefender is ‘LiteCleaner M’ (com.ltdevelopergroups.litecleaner.m), which amassed 1,000 downloads before it got spotted and removed from the Play Store.

Currently, this app is only available via third-party app stores like APKSOS. The same third-party app store hosts a fourth Sharkbot loader named ‘Phone AID, Cleaner, Booster 2.6’ (om.sidalistudio.developer.app).

If these apps are installed, Android users should remove them immediately and change the passwords for any online bank accounts they use.

As the threat actors distributed these apps directly from Google Play, the best way to protect yourself is to keep the Play Protect service enabled so that malicious apps are removed as they are detected.

Furthermore, an Android mobile security antivirus application would help to detect malicious traffic and apps, even before they are reported to Google Play.

Source

Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned.

The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.

The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta.

Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.

When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refunds to the nearest hundred. The pixel also sent the names of dependents in an obfuscated — but generally reversible — format.

TaxAct, which says it has about 3 million “consumer and professional users” also uses Google’s analytics tool on its website, and The Markup found similar financial data, but not names, being sent to Google through its tool.

TaxAct wasn’t the only tax filing service using the Meta Pixel. Tax preparation giant H&R Block, which also offers an online filing option that attracts millions of customers per year, embedded a pixel on its site that gathered information on filers’ health savings account usage and dependents’ college tuition grants and expenses.

TaxSlayer, another widely used filing service, sent personal information to Facebook as part of the social media company’s “advanced matching” system, which gathers information on web visitors in an attempt to link them to Facebook accounts. The information gathered through the pixel on TaxSlayer’s site included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return. As with TaxAct, specific demographic information about a user was obfuscated but still usable for Facebook to link a user to an existing profile.

TaxSlayer has said it completed 10 million federal and state tax returns last year.

The Markup also found the pixel code on a tax preparation site operated by a financial advice and software company called Ramsey Solutions, which uses a version of TaxSlayer’s service. That pixel gathered even more personal data from a tax return summary page, including information on income and refund amounts. This information was not sent immediately upon visiting the page but only when visitors clicked drop-down headings to see more details of their report.

Even Intuit, the company that runs America’s dominant online filing software, employed the pixel. Intuit’s TurboTax, however, did not send financial information to Meta but, rather, usernames and the last time a device signed in. The company kept the pixel entirely off pages beyond sign-in.

“We take the privacy of our customers’ data very seriously,” Nicole Coburn, a spokesperson for TaxAct, said in an email. “TaxAct, at all times, endeavors to comply with all IRS regulations.” Angela Davied, a spokesperson for H&R Block, said the company “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”

Megan McConnell, a spokesperson for Ramsey Solutions, said in an email that the company “implemented the Meta Pixel to deliver a more personalized customer experience.”

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” the statement said. “As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.”

After The Markup contacted TaxSlayer, spokesperson Molly Richardson said in an email that the company had removed the pixel to evaluate its use. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” she said, adding that Ramsey Solutions “decided to remove the pixel” as well.

Rick Heineman, a spokesperson for Intuit, said the company’s pixel “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” although Intuit “may share some non-tax-return information, such as username, with marketing partners to deliver a better customer experience,” like not showing Intuit ads on Facebook to people who have accounts already. The company said it’s in compliance with regulations but has modified the pixel to no longer send usernames.

“This is appalling”

Mandi Matlock, a Harvard Law School lecturer focused on tax law, said The Markup’s findings showed taxpayers “providing some of the most sensitive information that they own, and it’s being exploited.”

“This is appalling,” she said. “It truly is.”

On Monday, after TaxAct was contacted by The Markup for comment, the company’s site no longer sent financial details like income and refund amount to Meta but continued to send the names of dependents. The site also continued to send financial information to Google Analytics. Also as of Monday, TaxSlayer and Ramsey Solutions had removed the pixel from their tax filing sites and TurboTax had stopped sending usernames through the pixel at sign-in. H&R Block’s site was continuing to send information on health savings accounts and college tuition grants.

How the Meta Pixel tracks users

Meta makes the pixel code freely available to anyone who wants it, allowing businesses to embed the code on their sites as they wish.

Using the code helps both Facebook and the businesses. When a customer comes to a business’s website, the pixel might record which items the customer browsed, say, a T-shirt, for example. The business can then target its ads on Facebook to people who looked at that shirt, allowing the business to find an audience that may already be interested in its products.

Meta wins financially, too. The company says it can use the data it gleans from tools like the pixel to power its algorithms, providing it insight into the habits of users across the internet.

The strategy has been successful for Facebook. In 2018, the company told Congress that there were more than 2 million pixels across the web — a massive data-harvesting operation most internet users never see.

“The practice is ubiquitous,” said Jon Callas, director of public interest technology at the Electronic Frontier Foundation, who said he was left in “shock but not surprise” at The Markup’s findings.

Some of the sensitive data collection analyzed by The Markup appears linked to default behaviors of the Meta Pixel, while some appears to arise from customizations made by the tax filing services, someone acting on their behalf, or other software installed on the site.

For example, Meta Pixel collected health savings account and college expense information from H&R Block’s site because the information appeared in webpage titles and the standard configuration of the Meta Pixel automatically collects the title of a page the user is viewing, along with the web address of the page and other data. It was able to collect income information from Ramsey Solutions because the information appeared in a summary that expanded when clicked. The summary was detected by the pixel as a button, and in its default configuration, the pixel collects text from inside a clicked button.

The pixels embedded by TaxSlayer and TaxAct used a feature called “automatic advanced matching.” That feature scans forms looking for fields it thinks contain personally identifiable information, like a phone number, first name, last name, or email address, and then sends detected information to Meta. On TaxSlayer’s site, this feature collected phone numbers and the names of filers and their dependents. On TaxAct, it collected the names of dependents.

The data collected by the matching feature is sent in an obfuscated form known as a hash, which Meta states is used in order to “help protect user privacy.” But the company can generally determine the pre-obfuscated version of the data. In fact, Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles.

This pixel feature was turned off by default when The Markup set up a test pixel attached to a business account but could be turned on by clicking a toggle during setup.

When TaxAct sent dollar amounts like adjusted gross income to Meta, they were transmitted as parameters to a “custom event,” which are sent only if the pixel is configured beyond the default by a website operator or another application the website operator adds to their site. TaxAct did not respond to questions about whether and why it configured the pixel in this manner.

< View two images at the source page. >

1/2 Once a tax return was filled out on Taxact.com, information including an individual’s adjusted gross income, federal refund amount, and number of dependents was sent to Meta via the Meta Pixel. Data in the screenshots is not real user data. Image: Taxact.com and The Markup

2/2 Once a tax return was filled out on Taxact.com, information including an individual’s adjusted gross income, federal refund amount, and number of dependents was sent to Meta via the Meta Pixel. Data in the screenshots is not real user data.

There are limits to the types of data Meta says it will collect through the pixel. The company says it doesn’t want sensitive information sent to it, including financial data, and that it uses automated filtering to block potentially sensitive data. Its help center states that it prohibits sending information including bank account or credit card numbers or “information about an individual’s financial account or status.”

Still, one specific type of prohibited data — income — was exactly what two tax sites sent to Facebook, The Markup found. Data sent to Facebook by TaxAct suggests it was also previously sending a parameter labeled “student_loan_interest,” which is now being filtered by the pixel before being sent.

Meta says it doesn’t want to receive sensitive financial data

From January to July of this year, The Markup tracked websites’ use of the pixel as part of the Pixel Hunt, a partnership with Mozilla Rally. For the project, participating users installed a browser extension that provided The Markup with a copy of all data shared with Meta via the pixel.

The Markup initially discovered sensitive information was shared by the tax preparers through data shared by Pixel Hunt participants. The Markup then signed up for accounts on the companies’ web applications and used the “Network” section of Chrome DevTools, a tool built into Google’s Chrome browser, to replicate and confirm the data.

Earlier this year, with the help of Pixel Hunt participants, The Markup found sensitive data sent to Facebook on the Education Department’s federal student aid application website, crisis pregnancy websites, and the websites of prominent hospitals.

Meta collects so much data that even the company itself sometimes may be unaware of where it ends up. Earlier this year, Vice reported on a leaked Facebook document written by Facebook privacy engineers who said the company did not “have an adequate level of control and explainability over how our systems use data,” making it difficult to promise it wouldn’t use certain data for certain purposes.

At the time, a company spokesperson told Vice that Facebook has “extensive processes and controls to manage data and comply with privacy regulations.”

In response to The Markup’s questions about the tax websites’ use of the pixel, Dale Hogan, a spokesperson for Meta, pointed to the company’s rules on sensitive financial information.

“Advertisers should not send sensitive information about people through our Business Tools,” Hogan wrote in an emailed statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Google spokesperson Jackie Berté said in an email that the company “has strict policies against advertising to people based on sensitive information” and that Google Analytics data “is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user.”

The IRS closely regulates tax data

Nina Olson, the executive director of the nonprofit Center for Taxpayer Rights, was the national taxpayer advocate at the Internal Revenue Service between 2001 and 2019, a position in the agency meant to represent the interests of taxpayers.

As part of her role at the IRS, she contributed to the development of regulations that govern disclosures of tax information. Olson said the IRS regulations controlling the way private tax filing services can use data are intentionally “very strong.”

Under the regulations she helped develop, tax preparers — including e-filing companies — can use the information they receive from taxpayers only for limited purposes; for anything beyond immediately facilitating filing, the preparer has to get signed consent from the user that explains the recipient and the precise information being disclosed.

The government goes so far as to prescribe even the font size of requests for disclosure, saying it must be “the same size as, or larger than, the normal or standard body text used by the website or software package.”

Penalties for disclosing data without consent can be steep

The penalties for disclosing data without consent are potentially steep: fines and even jail time are possible, although Olson said she wasn’t aware of any criminal cases that have been pursued.

The Markup reviewed the tax preparation websites for disclosures that specifically mentioned Meta or Facebook but did not find them. Instead, some companies included relatively broad disclosure agreements.

TaxAct, for example, requested users approve sending their tax information to its sister company, TaxSmart Research LLC, so it could “develop, offer, and provide products and services” for users. It also stated, “TaxSmart Research LLC may use service providers and business partners to accomplish these tasks.” H&R Block, meanwhile, included nearly the same disclosure request so “H&R Block Personalized Services, LLC” could provide products of its own. Those sites provided the user with the option to decline to share tax information, although data was shared with Facebook regardless of which option users chose, according to The Markup’s tests.

Any disclosure from a tax preparer must provide the exact purpose and recipient to be in compliance, Olson said. “Do they have a list saying they’re going to disclose the refund amounts, and your children, and your whatever to Facebook?” she said. If not, they may be in violation of regulations.

The IRS declined to comment or answer questions about whether any of the sites sharing tax information were in violation of tax law.

No way out for taxpayers

American taxpayers have few options but to turn to private companies to file their returns.

Unlike other countries, the United States has a heavily privatized system for filing taxes, one that often requires the use of third-party tax preparers. In other countries, the government handles the calculations and taxpayers simply approve the numbers. But after a successful lobbying push from private companies, tax preparers in the US effectively act as middlemen between taxpayers and the government.

Tax preparation is now big business: market researchers have estimated that it’s a more than $11 billion industry in the United States.

A free preparation and filing option exists, but it’s limited to people making $73,000 or less and can be difficult to use. Companies offer their tax software at no charge through an agreement with the IRS but have been criticized for not making the option easily available.

Using the pixel, The Markup found that the IRS even effectively directs taxpayers attempting to file for free to some of the companies. A handful of tax preparation services — including TaxAct and TaxSlayer — are part of the agreement, known as the Free File Alliance. TurboTax and H&R Block have been part of the program in the past.

Harvard’s Matlock said The Markup’s findings showed the almost inevitable consequences of relying on for-profit companies to handle a government requirement. It’s a process that provides users little choice but to hand over their data to Facebook if they want to comply with the law, she said.

“It’s frustrating because taxpayers have been pushed into the arms of these private, for-profit companies simply to comply with their tax filing obligations,” she said. “We have no choice, really, in the matter.”

Source

This article was copublished with The Markup, a nonprofit newsroom that investigates how powerful institutions are using technology to change our society. Sign up for its newsletters here.

iOS developers say Apple’s App Store analytics aren’t anonymous

The statement follows an early Monday morning tweet saying that DraftKings was investigating reports [1, 2, 3, 4] of customers experiencing issues with their accounts.

The common denominator for all accounts that got hijacked seems to be an initial $5 deposit followed by the attackers changing the password, enabling two-factor authentication (2FA) on a different phone number, and then withdrawing as much as possible from the victims' linked bank accounts.

Some victims have also expressed their frustration on social media because they were unable to get in contact with anyone at DraftKings while having to watch the attackers repeatedly withdrawing money from their bank accounts.

"We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information," revealed DraftKings President and Cofounder Paul Liberman more than 12 hours later.

"We have seen no evidence that DraftKings' systems were breached to obtain this information. We have identified less than $300,000 of customer funds that were affected, and we intend to make whole any customer that was impacted."

The company advised customers never to use the same password for more than one online service and never to share their credentials with third-party platforms, including betting trackers and betting apps besides the ones provided by DraftKings.

DraftKings customers who haven't yet been affected by this credential-stuffing campaign are advised to immediately turn on 2FA on their accounts and remove any banking details or, even better, unlink their bank accounts to block fraudulent withdrawal requests.

DraftKings statement regarding credential stuffing attack (DraftKings Customer Support)

 

In credential stuffing, threat actors use automated tools to make repeated attempts (up to millions at a time) to gain access to user accounts using credentials (commonly in user/password pairs) stolen from other online services.

This works particularly well against the accounts whose owners have reused credentials across multiple platforms.

The goal is to take over as many accounts as possible to steal associated personal and financial info that can later be sold on the dark web or on hacking forums.

The attackers will also use the stolen info in future identity theft scams to make unauthorized purchases or—as it happened in the case of hijacked DraftKings accounts—transfer money in linked banking accounts to accounts under their control.

As the FBI warned recently, these attacks are quickly growing in volume thanks to readily available aggregated lists of leaked credentials and automated tools.

Okta also reported that the situation has drastically worsened this year as it recorded more than 10 billion credential-stuffing events on its platform during the first three months of 2022.

The number represents approximately 34% of the overall authentication traffic tracked by Okta, meaning that one-third of all sign-in attempts are malicious and fraudulent.

Source

This Chrome extension is being installed by the ViperSoftX Windows malware, which acts as a JavaScript-based RAT (remote access trojan) and cryptocurrency hijacker.

ViperSoftX has been around since 2020, previously disclosed by security researchers Cerberus and  Colin Cowie, and in a report by Fortinet.

However, in a new report today by Avast, researchers provide more details regarding the malicious browser extension and how the malware operation has undergone extensive development lately.

Recent activity

Since the beginning of 2022, Avast has detected and stopped 93,000 ViperSoftX infection attempts against its customers, mainly impacting the United States, Italy, Brazil, and India.

ViberSoftX victim heat map for 2022 - Source: Avast

 

The main distribution channel for ViperSoftX is torrent files containing laced game cracks and software product activators.

By analyzing the wallet addresses that are hardcoded in samples of ViperSoftX and VenomSoftX, Avast found that the two had collectively earned their operators about $130,000 by November 8th, 2022.

This stolen cryptocurrency was obtained by diverting cryptocurrency transactions attempted on compromised devices and does not include profits from parallel activities.

The downloaded executable is a malware loader that decrypts AES data to create the following five files:

• Log file hiding a ViperSoftX PowerShell payload
• XML file for the task scheduler
• VBS file for establishing persistence by creating a scheduled task
• Application binary (promised game or software)
• Manifest file

The single malicious code line hides somewhere towards the bottom of the 5MB log text file and runs to decrypt the payload, ViperSoftX stealer.

Newer ViperSoftX variants don't differ much from what has been analyzed in previous years, including cryptocurrency wallet data stealing, arbitrary command execution, payload downloads from the C2, etc.

A key feature of newer ViperSoftX variants is the installation of a malicious browser extension named VenomSoftX on Chrome-based browsers (Chrome, Brave, Edge, Opera).

Infecting Chrome

To stay hidden from the victims, the installed extension masquerades as "Google Sheets 2.1", supposedly a Google productivity app. In May, security researcher Colin Cowie also spotted the extension installed as 'Update Manager.'

Malicious extension showing up as Google Sheets - Source: Avast

 

While VenomSoftX appears to overlap ViperSoftX activity since they both target a victim's cryptocurrency assets, it performs the theft differently, giving the operators higher chances of success.

"VenomSoftX mainly does this (steals crypto) by hooking API requests on a few very popular crypto exchanges victims visits/have an account with," explains Avast in the report.

"When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead."

The services targeted by VenomSoftX are Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin, while the extension also monitors the clipboard for the addition of wallet addresses.

Examples of the hijacked cryptocurrency - Source: Avast

 

Moreover, the extension can modify HTML on websites to display a user's cryptocurrency wallet address while manipulating the elements in the background to redirect payments to the threat actor.

To determine the victim's assets, the VenomSoftX extension also intercepts all API requests to the cryptocurency services mentioned above. It then sets the transaction amount to the maximum available, siphoning all available funds.

To make matters worse, for Blockchain.info, the extension will also attempt to steal passwords entered on the site.

"This module focuses on www.blockchain.com and it tries to hook https://blockchain.info/wallet. It also modifies the getter of the password field to steal entered passwords," explains Avast.

"Once the request to the API endpoint is sent, the wallet address is extracted from the request, bundled with the password, and sent to the collector as a base64-encoded JSON via MQTT."

Finally, if a user pastes content into any website, the extension will check if it matches any of the regular expressions shown above, and if so, send the pasted content to the threat actors.

As Google Sheets is normally installed in Google Chrome as an app under chrome://apps/and not an extension, you can check your browser's extension page to determine if Google Sheets is installed.

If it is installed as an extension, you should remove it and clear your browser data to ensure the malicious extension is removed.

Source

The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press sanctions against Google was denied.

The development comes nearly a year after the tech giant took down the malware's command-and-control infrastructure and initiated legal proceedings against Dmitry Starovikov and Alexander Filippov, who are said to have been in charge of running the illegal botnet.

The defendants, along with 15 others, have also been accused of using the malware to create a hacked network of devices to mine cryptocurrencies, harvest victims' personal and financial data, and place disruptive ads.

Gluteba is distinguished from its botnet counterparts by the use of cryptocurrency blockchains as a command-and-control mechanism to withstand disruption. Per Google, the botnet approximately infected more than one million Windows computers worldwide.

"The Glupteba malware [...] instructs infected computers to look for the addresses of its C2 servers by referencing transactions associated with specific accounts on the Bitcoin blockchain," the court order reads.

Starovikov and Filippov, who claim to have worked for a company called Valtron LLC as software engineers, have been charged with attempting to wilfully mislead the court, while also acting with an intent to deprive Google of discoverable information.

A settlement demand made on September 8 shows that the actors asked $1 million each from Google, in addition to $110,000 in attorney's fees, in exchange for providing the private keys for Bitcoin addresses associated with the Glupteba botnet.

The Mountain View-based company, however, rejected the offer, calling it "extortionate," and reported it to law enforcement.

But in a contradictory statement, the defendants walked back on their earlier stance a week later on September 15, asserting that "they had no such information in their possession, and that the Bitcoin accounts were owned by Valtron's CEO."

"It is now clear that the defendants appeared in this Court not to proceed in good faith to defend against Google's claims but with the intent to abuse the court system and discovery rules to reap a profit from Google," District Judge Denise L. Cote said.

Source

"Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families."

Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.

The Emotet-related activity was last observed in July 2022, although sporadic infections have been reported since then. In mid-October, ESET revealed that Emotet may be readying for a new wave of attacks, pointing out updates to its "systeminfo" module.

The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a revival of sorts late last year after its infrastructure was dismantled during a coordinated law enforcement operation in January 2021.

Europol called Emotet the "world's most dangerous malware" for its ability to act as a "primary door opener for computer systems" to deploy next-stage binaries that facilitate data theft and ransomware. It started off in 2014 as a banking trojan before evolving into a botnet.

Infection chains involving the malware are known to employ generic lures as well as the technique of email thread hijacking to lure recipients into opening macro-enabled Excel attachments.

"Following Microsoft's recent announcement that it would begin disabling macros by default in Office documents downloaded from the internet, many malware families have begun migrating away from Office macros to other delivery mechanisms like ISO and LNK files," Cisco Talos said earlier this month.

"Therefore, it is interesting to note that this new campaign of Emotet is using its old method of distributing malicious Microsoft Office documents (maldocs) via email-based phishing.

An alternative method urges potential victims to copy the file to a Microsoft Office Template location – a trusted location – and launch the lure document from there instead of having to explicitly enable macros to activate the kill-chain.

The renewed activity has also been accompanied by changes to the Emotet loader component, and addition of new commands, and updates to the packer to resist reverse engineering.

One of the follow-on payloads distributed through Emotet is a brand new variant of the IcedID loader, which receives commands to read and send file contents to a remote server, in addition to executing other backdoor instructions that allow it to extract web browser data.

The use of IcedID is concerning as it's likely a precursor for ransomware, the researchers pointed out. Another malware dropped via Emotet is Bumblebee, according to Palo Alto Networks Unit 42.

"Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet," researchers Pim Trouerbach and Axel F said.

"Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that's not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot."

Source

The development comes a little over a week after the company fell victim to a ransomware attack on November 11 and 12, per DataBreaches.net.

The threat actors allegedly claim to have obtained the personal data associated with five million unique passengers and all of its employees.

The samples uploaded to the leak site reveal passenger information and the booking IDs as well as personal data related to the company's staff.

A spokesperson for the threat actor told DataBreaches.net that further attacks were not pursued owing to AirAsia's poor security measures and "the chaotic organization of the network."

Daixin Team was recently the subject of an advisory from the U.S. cybersecurity and intelligence agencies, which warned of attacks mainly aimed at the healthcare sector.

Other victims of the criminal group include Fitzgibbon Hospital, Trib Total Media, ista International GmbH, and OakBend Medical.

The Hacker News has reached out to AirAsia for comment and we will update the story if we hear back.

Source

Of those apps, 32 expose admin secrets, including 57 unique admin keys, giving attackers a way to access sensitive user information or modify app index records and settings.

The discovery of this exposure comes from Singapore-based cybersecurity firm CloudSEK, who shared their findings exclusively with BleepingComputer.

Algolia API details

The Algolia API (Application Program Interface) is a proprietary platform for integrating search engines with discovery and recommendation features in websites and applications used by over 11,000 companies.

The system uses five API keys for Admin, Search, Monitoring, Usage, and Analytics.

Of those keys, only the Search is meant to be public and available on front-end code, helping users perform search queries on the apps.

The Monitoring key gives admins a glimpse of their cluster status, Usage and Analytics give usage stats, while the Admin key offers access to the other four API key services, as well as the following:

• Browse/Delete the index
• Add/Delete records
• List indices
• Get/Set index settings
• Get access logs
• Get irretrievable attributes

Abusing the above services can expose data containing user device and network access details, usage statistics, search logs, and manipulation of the associated information.

Exposing app ID and API keys

CloudSEK’s automated scanners found that 1,550 applications are leaking the Algolia API key and application ID, risking unauthorized access to internal information.

"While the admin API key enables threat actors to perform several critical actions and provides access to sensitive data, even with one or more of the other API keys, threat actors can search or view sensitive data," a CloudSEK analyst told BleepingComputer.

"Also, depending on code changes in future versions of apps, threat actors may be able to access more sensitive data using just these keys."

The 32 apps that leak Admin API keys are more critical, as they expose their users to data leak risks and the databases to malicious modifications that could incur business damage.

The apps exposing Algolia Admin API keys have approximately 3,250,000, with some apps having over a million downloads each.

API keys leak (CloudSEK)

 

The category most prone to exposed keys was shopping apps, collectively downloaded 2.3 million times.

In a list of leaky apps shared with BleepingComputer, other categories include news apps, food and drink, education, fitness, photography, lifestyle, productivity, medical, and business apps, collectively downloaded over 950,000 times.

CloudSEK says they contacted all of the app developers to alert them about the exposure but have not heard back from any of them.

Source

Security teams will also be able to identify Cobalt Strike versions deployed in their environment using these detection signatures.

"We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike's components and its respective versions," said Google Cloud Threat Intelligence security engineer Greg Sinclair.

"We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors."

This enables improved detection of malicious activity by targeting non-current Cobalt Strike releases (potentially leaked and cracked versions) since it helps differentiate easier between legitimate deployments and those controlled by threat actors.

As Google explained, cracked and leaked releases of Cobalt Strike are, in most cases, at least one version behind, which allowed the company to collect hundreds of stagers, templates, and beacon samples used in the wild to build YARA-based detection rules with a high degree of accuracy.

"Our goal was to make high-fidelity detections to enable pinpointing the exact version of particular Cobalt Strike components. Whenever possible, we built signatures to detect specific versions of the Cobalt Strike component," Sinclair added.

Google has also shared a collection of detection signatures for Sliver, a legitimate and open-source adversary emulation framework designed for security testing that has also been adopted by malicious actors as a Cobalt Strike alternative.

Cobalt Strike infrastructure setup (Google)

 

Cobalt Strike (made by Fortra, previously known as Help Systems) is a legitimate penetration testing tool under development since 2012. It has been designed as an attack framework for red teams who scan their organizations' infrastructure to find vulnerabilities and security gaps.

While the developer is attempting to vet customers and will only sell licenses for legitimate uses, cracked copies of Cobalt Strike have also been obtained and shared by threat actors over time.

This has led to Cobalt Strike becoming one of the most common tools used in cyberattacks that could lead to data theft and ransomware. 

In such attacks, it is used by threat actors for post-exploitation tasks after deploying so-called beacons that provide them with persistent remote access to compromised devices. 

With the help of beacons deployed on the victims' networks, the attackers can access compromised servers to harvest sensitive data or deploy further malware payloads.

Researchers with security firm Intezer have also revealed that threat actors have also developed and have been using (since August 2021) their own Linux beacon (Vermilion Strike), compatible with Cobalt Strike, to gain persistence and remote command execution on both Windows and Linux devices.

A new ransomware operation is using unusual techniques to breach networks and encrypt them with file-locking malware in order to hold victims to ransom.

Royal ransomware first appeared in September this year and is being distributed by multiple threat groups, but one is showing what Microsoft Security Threat Intelligence describes as "a pattern of continuous innovation" to distribute and hide payloads, often until it's too late and the victim has had their network encrypted.

The attacks, delivered in a variety of ways, are attributed to a group Microsoft tracks as DEV–0569 – a temporary name as the origin and identity of the group behind the activity is still uncertain.

Some of the campaigns deliver Royal ransomware using a method commonly associated with cyber attacks; phishing emails used to deliver a malicious attachment, in this case, containing Batloader backdoor malware, which is used to download the ransomware payload.

This isn't the only phishing method which the Royal ransomware attackers use to deliver the initial payload. Microsoft also notes that it's delivered via emails with links to what pose as legitimate installers and updates for commonly used business applications. Downloading these fake updates installs the backdoor, which is later used to deliver malware.

More unusual techniques include using contact forms to gain access to targets and deliver malware. DEV-0569 isn't the first ransomware operation to distribute attacks in this way, but the attack method is still an uncommon one – and one which defenders may not consider.

The attackers send messages to the targets via the contact forms on the targets' own websites, claiming to be from a national financial authority.

If the victim responds to the message, the attackers reply again and attempt to trick the victim into clicking a link which installs Batloader.

Recently, the attackers have been seen leveraging Google ads to help deliver malware via malvertising links which allow attackers to track which users and which devices click links. These links are used to identify potential targets distribute the Batloader payload.  

Microsoft says it has reported this abuse to Google for awareness and consideration for action. ZDNET has contacted Google but is yet to receive a reply at the time of publication.

In addition to malvertising and phishing links, it's also reported that DEV-0569 has performed 'hands-on' human operated attacks to install ransomware, gaining access to compromised networks exploiting vulnerabilities and remote access tools to manually download the Royal payload.

Microsoft's researchers note "DEV-0569's widespread infection base and diverse payloads likely make the group an attractive access broker for ransomware operators" - meaning that even if they didn't install their own ransomware, they could sell access to networks to other ransomware operators and other malicious cyber threat groups.

The attackers have also been witnessed using open source tools in attempts to disable anti-virus software to make it harder for their malicious activity to be detected.

According to Microsoft, it's likely the group will continue to breach networks using a variety of different methods – but there are actions which can be taken to avoid falling victim to attacks.

These include building resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection – and providing users with a method for reporting suspected attacks.

It's also recommended that organizations practice the principle of least-privilege and maintain credential hygiene – in other words, only providing accounts with the access they absolutely need for that person to do their job, and to ensure that the account is secured with a strong password and multi-factor authentication. These can help prevent attackers from entering and moving around the network.

Microsoft also suggests that organizations turn on tamper protection features to prevent attackers from stopping security services.

Source

When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account.

Threat actors commonly attempt to steal these tokens because they enable them to take over accounts or, even worse, abuse them for further malicious attacks.

As Discord has become the community of choice for NFT platforms and cryptocurrency groups, stealing a moderator token or other verified community member could allow threat actors to conduct scams and steal funds.

AxLocker is a two-in-one threat

Researchers at Cyble recently analyzed a sample of the new AXLocker ransomware and discovered that it not only encrypts files but also steals a victim's Discord tokens.

As ransomware, there is nothing particularly sophisticated about the malware or the threat actors who use it.

When executed, the ransomware will target certain file extensions and exclude specific folders, as shown in the image below.

Targeted files (left) and excluded directories (right) (Cyble)

 

When encrypting a file, AXLocker uses the AES algorithm, but it does not append a filename extension on the encrypted files, so they appear with their normal names.

Next, AXLocker sends a victim ID, system details, data stored in browsers, and Discord tokens to the threat actors' Discord channel using a webhook URL.

To steal the Discord token, AxLocker will scan the following directories for and extract tokens using regular expressions:

• Discord\Local Storage\leveldb
• discordcanary\Local Storage\leveldb
• discordptb\leveldb
• Opera Software\Opera Stable\Local Storage\leveldb
• Google\Chrome\User Data\\Default\Local Storage\leveldb
• BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
• Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb

AXLocker's grab function (Cyble)

 

Eventually, victims are served a pop-up window containing the ransom note, informing them that their data was encrypted and how they contact the threat actor to purchase a decryptor.

Victims are given 48 hours to contact the attackers with their victim ID, but the ransom amount isn't mentioned in the note.

AXLocker ransom note (Cyble)

 

While this ransomware clearly targets consumers rather than the enterprise, it could still pose a significant threat to large communities.

Therefore, if you find that AxLocker encrypted your computer, you should immediately change your Discord password, as it will invalidate the token stolen by the ransomware.

While this may not help recover your files, it will prevent further compromise of your accounts, data, and the communities you are involved in.

This time last year, we were optimistic. It seemed like the tide was turning on ransomware after the U.S. government scored a handful of wins against the cybercriminals carrying out these increasingly damaging attacks: the Justice Department successfully seized $2.3 million in bitcoin that Colonial Pipeline paid to the DarkSide ransomware gang to reclaim its data, and months later it played a part in bringing down the notorious REvil ransomware gang.

Our optimism was short-lived. Despite this action, 2022 looks set to top last year as the worst year on record for ransomware attacks; a recent report shows that attacks have increased by 80% year-over-year and that the cybercriminals responsible for these attacks have easily dodged law enforcement action by taking advantage of ransomware as a service, or by simply rebranding.

“It’s clear that ransomware attacks are on the rise,” Matthew Prince, CEO of Cloudflare, tells TechCrunch. “In September 2022, nearly one in every four respondents to our customer survey reported receiving a ransomware attack or threat, the highest month so far of 2022.”

The worst year for ransomware attacks

2022 hasn’t just been the worst year for ransomware attacks statistically, it has also just been… the worst. While hackers last year focused on critical infrastructure and financial services, this year’s focus has been on organizations where they can inflict the most damage.

An attack on the Los Angeles Unified School District saw Vice Society hackers leak a 500 gigabyte trove of sensitive data, including previous conviction reports and psychological assessments of students, while an attack on IT services provider Advanced left the U.K’s NHS scrambling after it was forced to cancel appointments, and staff relying on taking notes with pen and paper.

Perhaps the most devastating attack of 2022 came just weeks ago after attackers breached Australian health insurance giant Medibank and accessed roughly 9.7 million customers’ personal details and health claims data for almost half-a-million customers. Data stolen during the attack included sensitive files related to abortions and alcohol-related illnesses.

These attacks don’t just demonstrate that ransomware is worsening. They also show that ransomware is a global problem and that global action is needed to fight back successfully. Earlier in November, the U.S. government started to take strides in the right direction, announcing that it will establish an International Counter Ransomware Task Force, or ICRTF, to promote information and capability sharing.

“This is a global issue, so governments need to come together,” Camellia Chan, CEO and founder at cybersecurity firm X-PHY tells TechCrunch. “That said, collaboration alone won’t provide a solution. It’s more than signing an agreement.”

Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021. The U.S. government declared a regional emergency on May 9, 2021 as the largest U.S. fuel pipeline system remained largely shut down, two days after a ransomware attack. Image Credits: Jim Watson / AFP via Getty Images.

 

This is a viewpoint shared among the cybersecurity community: Signing agreements and sharing intelligence is all well and good, but it’s unlikely to deter financially motivated cybercriminals that continue to reap the rewards of these attacks.

To gain ground on cybercriminals that continue to achieve a high rate of success, governments need a fresh approach.

More government cooperation?

“You can’t arrest your way out of the problem,” Morgan Wright, chief security advisor at SentinelOne, tells TechCrunch. “There are numerous examples of both transnational criminal ransomware actors and nation-state actors being identified and indicted for various crimes. These offenders almost always live in countries with no extradition treaty with the country that has issued the indictments.”

“One area I would like to see an increased effort is in the area of human collection of intelligence,” Wright added. “We need more penetration of state actors and criminal organizations. Too often, ransomware is viewed as a technical issue. It’s not. It’s human greed that uses technology to achieve an end goal.”

This element of greed could also be targeted by increasing regulation of the cryptocurrency market, which many believe could be on the horizon following the recent collapse of FTX. Former CISA assistant director Bob Kolasky said that in order to discourage ransomware actors for good, governments need to reduce the financial instruments available for them to use.

“This includes using regulatory pressure on the cryptocurrency market to make tracking and recouping ransomware payments easier,” Kolasky tells TechCrunch, a view shared by others.

“We need governments to take a bigger role in blocking cryptocurrencies, which is the enabler of attacker monetization strategies,” David Warburton, director of networking company F5 Labs, agrees, telling TechCrunch: “While decentralized currencies, such as bitcoin, aren’t inherently bad, nor solely responsible for the ransomware epidemic we’re facing, there’s no denying they are a huge factor.”

“While control and regulation somewhat defeat the original intent of decentralized currencies, there’s no escaping the fact that without Bitcoin, ransomware simply wouldn’t exist,” said Warburton.

But legislation wouldn’t work unless it’s a global effort, he said: “Many ransomware groups operate from countries which have no motivation to help those that are being targeted.”

This is a problem that, like ransomware itself, has been worsened by Russia’s invasion of Ukraine, which has ended any cooperation between Europe, the U.S. and Russia on ransomware operations inside Russia. Jason Steer, chief information security officer at threat intelligence giant Recorded Future, said that this is an area that immediately needs more global government support.

“The focus has significantly dropped off in 2022 due to Russia’s activities, where in fact many groups operate safely from,” said Steer.

Even if governments joined forces to collaboratively fight the growing ransomware problem, it’s unlikely to have any immediate effect. Security experts expect no respite from ransomware as we enter 2023 as increasingly savvy hackers exploit new attack vectors and continue to reap the financial rewards.

“There are governments that are working to provide more support and resources. But it will never be enough,” says Wright. “Bad actors will always have the advantage, but we should make them pay in a significant way every time an attack is launched.”

Source

When files are downloaded from an untrusted remote location, such as the Internet or an email attachment, Windows add a special attribute to the file called the Mark of the Web.

This Mark of the Web (MoTW) is an alternate data stream that contains information about the file, such as the URL security zone the file originates from, its referrer, and its download URL.

When a user attempts to open a file with a MoTW attribute, Windows will display a security warning asking if they are sure they wish to open the file.

"While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software," reads the warning from Windows.

Windows Mark of the Web security warning - Source: BleepingComputer

 

Last month, the HP threat intelligence team reported that a phishing attack was distributing the Magniber ransomware using JavaScript files.

These JavaScript files are not the same as those used on websites but are standalone files with the '.JS' extension that are executed using the Windows Script Host (wscript.exe).

After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that the threat actors were using a new Windows zero-day vulnerability that prevented Mark of the Web security warnings from being displayed.

To exploit this vulnerability, a JS file (or other types of files) could be signed using an embedded base64 encoded signature block, as described in this Microsoft support article.

JavaScript file used to install the Magniber Ransomware - Source: BleepingComputer

 

However, when a malicious file with one of these malformed signatures is opened, instead of being flagged by Microsoft SmartScreen and showing the MoTW security warning, Windows automatically allows the program to run.

QBot malware campaign uses Windows zero-day

Recent QBot malware phishing campaigns have distributed password-protected ZIP archives containing ISO images. These ISO images contain a Windows shortcut and DLLs to install the malware.

ISO images were being used to distribute the malware as Windows was not correctly propagating the Mark of the Web to files within them, allowing the contained files to bypass Windows security warnings.

As part of the Microsoft November 2022 Patch Tuesday, security updates were released that fixed this bug, causing the MoTW flag to propagate to all files inside an opened ISO image, fixing this security bypass.

In a new QBot phishing campaign discovered by security researcher ProxyLife, the threat actors have switched to the Windows Mark of the Web zero-day vulnerability by distributing JS files signed with malformed signatures.

This new phishing campaign starts with an email that includes a link to an alleged document and a password to the file.

Phishing email with a link to download malicious archive - Source: BleepingComputer

 

When the link is clicked, a password-protected ZIP archive is downloaded that contains another zip file, followed by an IMG file.

In Windows 10 and later, when you double-click on a disk image file, such as an IMG or ISO, the operating system will automatically mount it as a new drive letter.

This IMG file contains a .js file ('WW.js'), a text file ('data.txt'), and another folder that contains a DLL file renamed to a .tmp file ('resemblance.tmp') [VirusTotal], as illustrated below. It should be noted that the file names will change per campaign, so they should not be considered static.

Mounted IMG file - Source: BleepingComputer

 

The JS file contains VB script that will read the data.txt file, which contains the 'vR32' string, and appends the contents to the parameter of the shellexecute command to load the 'port/resemblance.tmp' DLL file. In this particular email, the reconstructed command is:

regSvR32 port\\resemblance.tmp

JS file with a malformed signature to exploit Windows zero-day - Source: BleepingComputer

 

As the JS file originates from the Internet, launching it in Windows would display a Mark of the Web security warning.

However, as you can see from the image of the JS script above, it is signed using the same malformed key used in the Magniber ransomware campaigns to exploit the Windows zero-day vulnerability.

This malformed signature allows the JS script to run and load the QBot malware without displaying any security warnings from Windows, as shown by the launched process below.

Regsvr32.exe launching the QBot DLL - Source: BleepingComputer

 

After a short period, the malware loader will inject the QBot DLL into legitimate Windows processes to evade detection, such as wermgr.exe or AtBroker.exe.

Microsoft has known about this zero-day vulnerability since October, and now that other malware campaigns are exploiting it, we will hopefully see the bug fixed as part of the December 2022 Patch Tuesday security updates.

The QBot malware

QBot, also known as Qakbot, is a Windows malware initially developed as a banking trojan but has evolved to be a malware dropper.

Once loaded, the malware will quietly run in the background while stealing emails for use in other phishing attacks or to install additional payloads such as Brute Ratel, Cobalt Strike, and other malware.

Installing the Brute Ratel and Cobalt Strike post-exploitation toolkits typically lead to more disruptive attacks, such as data theft and ransomware attacks.

In the past, the Egregor and Prolock ransomware operations partnered with the QBot distributors to gain access to corporate networks. More recently, Black Basta ransomware attacks have been seen on networks following QBot infections.

Source

One of the biggest stories this week is the arrest of Ukrainian Vyacheslav Igorevich Penchukov, aka 'Tank,' for his alleged role as a leader in the JabberZeus cybercrime gang that operated the Zeus malware botnet.

Penchukov is also believed to be one of the managers of the notorious Maze ransomware operation, which popularized double-extortion attacks.

Other news this week are new reports on rising ransomware operations:

• Both Microsoft and SecurityScorecard released reports on the Royal Ransomware operation, which is believed to be comprised of ex-Conti members.
• ASEC released a report on Dagon Locker, a rebrand of the Quantum ransomware operation.
• BlackBerry warns of the expanding operations of the ARCrypter ransomware.

Finally, Ukraine says that a new Somnia ransomware is being used in attacks, CISA/FBI warned Iranian hackers breached a federal agency, and the FBI warned that Hive ransomware had made over $100 million in ransom payments.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @Ionut_Ilascu, @malwareforme, @malwrhunterteam, @DanielGallagher, @serghei, @jorntvdw, @fwosar, @LawrenceAbrams, @PolarToffee, @demonslay335, @FourOctets, @billtoulas, @VK_Intel, @BleepinComputer, @pcrisk, @Seifreed, @GeeksCyber, @BlackBerry, @ahnlab, and @MsftSecIntel.

November 13th 2022

Ukraine says Russian hacktivists use new Somnia ransomware

Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems.

November 14th 2022

A Technical Analysis of Royal Ransomware

Royal ransomware is a recent threat that appeared in 2022 and was particularly active during recent months. The ransomware deletes all Volume Shadow Copies and avoids specific file extensions and folders. It encrypts the network shares found in the local network as well as the local drives. A parameter called “-id” that identifies the victim and is also written in the ransom note must be specified in the command line.

Australia to consider banning paying of ransoms to cyber criminals

Australia's Home Affairs Minister Clare O'Neil on Sunday said the government would consider making illegal the paying of ransoms to cyber hackers, following recent cyber attacks affecting millions of Australians.

New Phobos ransomware variant

PCrisk found a new Phobos variant that appends the .faust extension to encrypted files and drops ransom notes named info.txt and info.hta.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .fatp and .fate extensions to encrypted files.

New Xorist ransomware variant

PCrisk found a new Xorist variant that appends the .ZeRy extension and drops a ransom note name HOW TO DECRYPT FILES.txt.

November 16th 2022

Suspected Zeus cybercrime ring leader ‘Tank’ arrested by Swiss police

Vyacheslav Igorevich Penchukov, also known as Tank and one of the leaders of the notorious JabberZeus cybercrime gang, was arrested in Geneva last month.

US govt: Iranian hackers breached federal agency using Log4Shell exploit

The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.

DAGON LOCKER Ransomware Being Distributed

It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through AhnLab ASD infrastructure’s suspicious ransomware behavior block history. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing mails or as an attachment to emails, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor.

New VoidCrypt variant

PCrisk found a new VoidCrypt variant that appends the .DRCRM extension and drops a ransom note named Read.txt.

New Anthraxbulletproof variant

PCrisk found a new 'Anthraxbulletproof ' ransomware based on Chaos that appends the .Anthraxbulletproof extension and drops a ransom note named read_it.txt.

November 17th 2022

Previously unidentified ARCrypter ransomware expands worldwide

A previously unknown ‘ARCrypter’ ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide.

FBI: Hive ransomware extorted $100M from over 1,300 victims

The Federal Bureau of Investigation (FBI) said today that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021.

DEV-0569 finds new ways to deliver Royal ransomware, various payloads

Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.

November 18th 2022

New Satana ransomware variant

PCrisk found a new SATANA ransomware variant that appends the .SEX3 extension and drops a ransom note named !satana!.txt.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - November 18th 2022 - Rising Operations

The primary targets of the intrusions from May to October 2022 included counties in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report.

Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments.

Activities of the group chronicled by ESET, Google, Proofpoint, Cisco Talos, and Secureworks this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in Asia, Europe, the Middle East, and the Americas.

The latest findings from Trend Micro show that Mustang Panda continues to evolve its tactics in a strategy to evade detection and adopt infection routines that lead to the deployment of bespoke malware families like TONEINS, TONESHELL, and PUBLOAD.

"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," researchers Nick Dai, Vickie Su, and Sunny Lu said.

Initial access is facilitated through decoy documents that cover controversial geopolitical themes to entice the targeted organizations into downloading and triggering the malware.

In some cases, the phishing messages were sent from previously compromised email accounts belonging to specific entities, indicating the efforts undertaken by the Mustang Panda actor to increase the likelihood of the success of its campaigns.

The archive files, when opened, are designed to display a lure document to the victim, while stealthily loading the malware in the background through a method referred to as DLL side-loading.

The attack chains ultimately lead to the delivery of three malware families – PUBLOAD, TONEINS, and TONESHELL – which are capable of downloading next-stage payloads and flying under the radar.

TONESHELL, the main backdoor used in the attacks, is installed through TONEINS and is a shellcode loader, with an early version of the implant detected in September 2021, suggesting continued efforts on part of the threat actor to update its arsenal.

"Earth Preta is a cyber espionage group known to develop their own loaders in combination with existing tools like PlugX and Cobalt Strike for compromise," the researchers concluded.

"Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved."

Source

Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569.

"Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team said in an analysis.

The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The malware downloader, a strain referred to as BATLOADER, is a dropper that functions as a conduit to distribute next-stage payloads. It has been observed to share overlaps with another malware called ZLoader.

A recent analysis of BATLOADER by eSentire and VMware called out the malware's stealth and persistence, in addition to its use of search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites or attacker-created domains.

Alternatively, phishing links are shared through spam emails, fake forum pages, blog comments, and even contact forms present on targeted organizations' websites.

"DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network," the tech giant noted.

"The management tool can also be an access point for the staging and spread of ransomware."

Also utilized is a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values that are designed to disable antivirus solutions.

The use of Google Ads to deliver BATLOADER selectively marks a diversification of the DEV-0569's distribution vectors, enabling it to reach more targets and deliver malware payloads, the company pointed out.

It further positions the group to serve as an initial access broker for other ransomware operations, joining the likes of malware such as Emotet, IcedID, Qakbot.

"Since DEV-0569's phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists," Microsoft said.

Source

Tracked as CVE-2022-41082 and CVE-2022-41040, the two bugs affect Microsoft Exchange Server 2013, 2016, and 2019 and allow attackers to escalate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution on compromised servers.

Microsoft released security updates to address the two security flaws as part of the November 2022 Patch Tuesday, even though ProxyNotShell attacks have been detected since at least September 2022.

One week after Microsoft released ProxyNotShell security updates, security researcher Janggggg released the proof-of-concept (PoC) exploit attackers have used in the wild to backdoor Exchange servers.

Will Dormann, a senior vulnerability analyst at ANALYGENCE, tested the exploit and confirmed that it's working against systems running Exchange Server 2016 and 2019, and added that the code needs some tweaking to get it to work when targeting Exchange Server 2013).

Threat intelligence company GreyNoise has been tracking ProxyNotShell exploitation since late September and provides info on ProxyNotShell scanning activity and a list of IP addresses linked to these attacks.

ProxyNotShell vulnerability scans (GreyNoise)

 

Attackers have been chaining the two security flaws to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as for lateral movement in their victims' networks since at least September 2022.

Redmond also confirmed they were actively abused in the wild on September 30, saying it was "aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

"Because we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to be protected against these attacks," the Exchange Team warned after patches were released. [emphasis ours]

"These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment."

Security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks, said attackers have been chaining the two security flaws to deploy Chinese Chopper web shells on compromised servers.

Source

The developer of the decryption tool is Unit221b, a cybersecurity consulting company based in New Jersey, who had a technical report ready in February 2020 but delayed its publishing to keep the threat actor in the dark about the vulnerabilities in their file-encrypting malware.

Cracking Zeppelin

Unit221b was motivated to crack Zeppelin after seeing that the ransomware operators hit charity organizations, nonprofits, and even homeless shelters.

The cybersecurity consulting firm spotted potentially exploitable flaws in Zeppelin after reading an analysis of the malware from Blackberry Cylance in December 2019.

The researchers noticed that Zeppelin used an ephemeral RSA-512 key to encrypt the AES key that locked access to encrypted data.

The AES key was stored in the footer of each encrypted file, so if the RSA-512 key was cracked, the files could be decrypted without paying the attacker.

Zeppelin ransomware encryption keys logic (Unit221b)

 

Unit221b found that this public key remained in the registry of the infected system for roughly five minutes after the data encryption completed.

Retrieving the key was possible by doing registry carving on the raw file system, the registry.exe memory dumps, and directly on the NTUSER.Dat in the "/User/[user_account]/" directory.

The resulting data is obfuscated with RC4, and after lifting that layer, Unit221b was left with one layer of RSA-2048 encryption.

Retrieved public key in obfuscated form (Unit221b)

 

To overcome this final obstacle, Unit221b used a total of 800 central processing units (CPUs) in 20 servers, each with 40 CPUs. that factored smaller parts of the key.

After six hours, the key had been cracked, and the analysts could work their way back to retrieve the AES key from the file footer.

Decryptor availability

Unit221b’s founder Lance James told BleepingComputer they decided to make all details public due to the Zeppelin ransomware victim influx dropping significantly in the recent months.

James said the decryption tool should work even for recent Zeppelin versions and is available to victims upon request.

Emsisoft’s threat analyst Brett Callow confirmed the drop in Zeppelin attacks, pointing out that the last major operation to use the ransomware strain was Vice Society, which abandoned it months ago.

Callow also noted that data recovery experts have been exploiting Zeppelin’s encryption vulnerability since mid-2020.

As for the possibility of Emsisoft releasing a public decryptor for the strain, the analyst told us the high cost of computing power to recover the keys does not make this a good candidate for a free tool that a company could use.

Zeppelin background

Zeppelin (aka ‘Buran’) is a Delphi-based ransomware strain of Russian origin that emerged in the wild in late 2019 as a semi-private project operating in small-circle partnerships.

The ransomware project extorted victims for an average of $50,000 and featured a robust AES-256-CBC encryption.

In 2021, the operation launched a heavily revamped version following a period of hiatus, offering several perks to its long-term partners.

More recently, in August 2022, the FBI posted an alert about Zeppelin ransomware, warning that its operators were now following the tactic of performing multiple encryptions on the breached systems.

This strange tactic created multiple victim IDs and files with multiple encryption layers, requiring several decryption keys and a lot of trial and error to restore the data even after paying the ransom.

"The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal said in a write-up published Thursday.

Aside from being dropped alongside other malware families, LodaRAT has also been observed being delivered through a previously unknown variant of another commodity trojan called Venom RAT, which has been codenamed S500.

An AutoIT-based malware, LodaRAT (aka Nymeria) is attributed to a group called Kasablanca and is capable of harvesting sensitive information from compromised machines.

In February 2021, an Android version of the malware sprang forth as a way for the threat actors to expand their attack surface. Then in September 2022, Zscaler ThreatLabz uncovered a new delivery mechanism that involved the use of an information stealer dubbed Prynt Stealer.

The latest findings from Cisco Talos documents the altered variants of LodaRAT that have been detected in the wild with updated functionality, chiefly enabling it to proliferate to every attached removable storage device and detect running antivirus processes.

The revamped implementation is also considered ineffective in that it searches for an explicit list of 30 different process names associated with different cybersecurity vendors, meaning a solution that's not included in the search criteria will not be detected.

Also included in this list are discontinued security software such as Prevx, ByteHero, and Norman Virus Control, suggesting that this may be an attempt on the part of the threat actor to flag systems or virtual machines running older versions of Windows.

An analysis of the captured artifacts further reveals the removal of non-functional code and the use of string obfuscation using a more efficient method.

The bundling of LodaRAT alongside Neshta and RedLine Stealer has also been something of a puzzle, although it's being suspected that "LodaRAT is preferred by the attacker for performing a particular function."

"Over the course of LodaRAT's lifetime, the implant has gone through numerous changes and continues to evolve," the researchers said. "While some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size, some changes make Loda a more capable malware."

Source

To add insult to injury, the FBI says that the Hive gang will deploy additional ransomware payloads on the networks of victims who refuse to pay the ransom.

"As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information," the FBI revealed.

"Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment."

The list of victims includes organizations from a wide range of industries and critical infrastructure sectors such as government facilities, communications, and information technology, with a focus on Healthcare and Public Health (HPH) entities.

This was revealed in a joint advisory published today with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS).

Today's advisory was issued to share Hive indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) discovered by the FBI while investigating Hive ransomware attacks.

The end goal is to help defenders detect malicious activity associated with Hive affiliates and reduce or eliminate the impact of such incidents.

While submissions to the ID Ransomware platform don't include all Hive ransomware attacks, victims have submitted more than 850 samples since the start of the year, many of them pushed following a huge spike of activity between late March and mid-April.

Request for incident reports

While the three federal agencies behind the advisory do not encourage paying the ransoms as it will most likely encourage other threat actors to join the ransomware onslaught, victims are urged to report Hive attacks to their local FBI field office or to CISA at report@cisa.gov regardless of whether they pay the ransom or not.

This will help law enforcement collect critical information needed to keep track of the ransomware operation's activity, prevent additional attacks, or hold the attackers accountable for their actions.

The FBI also released additional indicators of compromise and technical details associated with Hive ransomware attacks in August 2021.

Hive is a Ransomware-as-a-Service (RaaS) operation active since at least June 2021, with some of its members known to have worked for both Hive and the Conti cybercrime gang simultaneously for at least six months, starting in November 2021.

"We have identified extended evidence of HIVE actively using both the initial attack accesses provided by Conti and the services of Conti's pen-testers," Advanced Intel's Head Of Research Yelisey Boguslavskiy told BleepingComputer in May 2022.

Source

Threat actors behind the new ransomware family attacked a government agency in Chile last August, targeting both Linux and Windows systems and appending the “.crypt” extension on encrypted files.

Back then, Chilean threat analyst Germán Fernández told BleepingComputer that the strain appeared entirely new, not connected to any known ransomware families.

Researchers at BlackBerry have confirmed this via a report that identifies the family as ARCrypter and links it to a second attack against the Colombia National Food and Drug Surveillance Institute (Invima) in October.

BlackBerry also warns that ARCrypter is now expanding its operations outside Latin America and targeting various organizations worldwide, including China and Canada.

BleepingComputer confirmed this expansion, also seeing ARCrypter victims in Germany, USA, and France.

The ransom demands vary and get as low as $5,000 in some cases seen by BleepingComputer, so ARCrypter operates as a mid-tier ransomware actor.

ARCrypter details

BlackBerry says the first samples of ARCrypter appeared in early August 2022, a few weeks before the Chile attack.

The attack vector remains unknown, but the analysts were able to locate two AnonFiles URLs that are used as remote resources for fetching a “win.zip” archive containing “win.exe.”

The executable is a dropper file that contains the resources BIN and HTML. HTML holds the ransom note data, while BIN contains encrypted data that requires a password.

The ransom note, generated prior to encryption (BleepingComputer)

 

If a password is provided, BIN will create a random directory on the compromised machine to store the second-stage payload, which is named using random alphanumeric characters.

“While we were unable to identify the correct decryption key used for decryption of the BIN resource, we believe with a high degree of certainty that the second payload is the ARCrypter ransomware,” says BlackBerry in the report.

The randomly-named payload dropped on a newly created folder (BlackBerry)

 

The ARCrypter payload then creates persistence by adding the following registry key:

“HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate”

Next, the malware deletes all Shadow Volume Copies to prevent easy data restoration, modifies network settings to secure stable connectivity, and then encrypts all files except for the types shown below.

File types excluded from encryption (BlackBerry)

 

Files in critical locations like “Boot” and “Windows” folders are also skipped to avoid rendering the system completely unusable.

Apart from the ‘.crypt’ extension, encrypted files will show an ‘ALL YOUR FILES HAS BEEN ENCRYPTED’ message on the file manager, thanks to modifications to the following Registry keys:

HKCU\Control Panel\International\sShortDate
HKLM\SYSTEM\ControlSet001\Control\CommonGlobUserSettings\Control Panel\International\sShortDate

Files encrypted by ARCrypter (BlackBerry)

 

While the threat actors claim to steal data during their attacks, the ransomware operation does not currently have a data leak site that they use to publish data for unpaid victims.

At this time, little is known about the operators of ARCrypter, their origin, language, and potential links to other ransomware gangs.

Source