Search This Blog

Showing posts with label Botnet. Show all posts

Azov Ransomware Tries to Frame Cybersecurity Researchers

 

Azov ransomware, a newcomer to the malware market, is being propagated via pirated software, key generators, and adware bundles, in an attempt to frame security researchers by claiming they are behind the attack. 

The ransom note, named RESTORE_FILES.txt, appears to be politically motivated to push western nations into assisting Ukraine in their war against Russia and claims to have encrypted the file in protest of the seizure of Crimea. 

The note falsely claims on Twitter that security researcher Hasherazade designed the data wiper, with the help of Vitali Kremez, Michael Gillespie, Lawrence Abrams, MalwareHunterTeam and also asks victims to contact the researchers for the recovery of the files. 

According to Lawrence Abrams of BleepingComputer, none of the researchers mentioned in the ransom note are responsible for the attack nor do they have the decryption keys to free the files locked up by the data wiper. 

Furthermore, the note does not include any contact details for the original author meaning there’s currently no way of retrieving from an Azov infection and hence the ransomware should be treated as a data wiper for the moment. 

 Modus operandi of Azov wiper

In a new campaign started over the past two days, a hacker reportedly purchased installs via the SmokeLoader malware botnet, normally propagated through websites offering pirated content including game mods, cheats, and key generators, to deliver the data wiper. 

Additionally, SmokeLoader is also bundling other malware with the data wiper, including the RedLine Stealer info-stealing malware and the STOP ransomware. There have been cases where victims were first attacked by Azov and then STOP ransomware causing double encryption of their files, Bleeping Computer reported. 

To mitigate the risks, users should immediately change the passwords on their online accounts, especially those sensitive in nature, such as online banking, password managers, and email accounts.

 Sophos: Hackers Avoid Deep Fakes as Phishing Attacks are Effective

According to a prominent security counsel for the UK-based infosec business Sophos, the fear of deepfake scams is entirely exaggerated.

According to John Shier, senior security adviser for cybersecurity company Sophos, hackers may never need to utilize deepfakes on a large scale because there are other, more effective ways to deceive individuals into giving up personal information and financial data.

As per Shier, phishing and other types of social engineering are much more effective than deepfakes, which are artificial intelligence-generated videos that imitate human speech.

What are deepfakes?

Scammers frequently use technology to carry out 'Identity Theft'. In order to demonstrate the risks of deepfakes, researchers in 2018 employed the technology to assume the identity of former US President Barack Obama and disseminate a hoax online.

Shier believes that while deepfakes may be overkill for some kinds of fraud, romance scams—in which a scammer develops a close relationship with their victim online in order to persuade them to send them money—could make good use of the technology because videos will give an online identity inherent legitimacy.

Since deepfake technology has gotten simpler to access and apply, Eric Horvitz, chief science officer at Microsoft, outlines his opinion that in the near future, "we won't be able to tell if the person we're chatting to on a video conversation is real or an impostor."

The expert also anticipates that deepfakes will become more common in several sectors, including romance scams. Making convincing false personas requires a significant commitment of time, effort, and devotion, and adding a deepfake does not require much more work. Shier is concerned that deepfaked romance frauds might become an issue if AI makes it possible for the con artist to operate on a large scale.

Shier was hesitant to assign a date for industrialized deepfake bots, but he claimed that the required technology is becoming better and better every year.

The researcher noted that "AI experts make it sound like it is still a few years away from the huge effect." In the interim, we will observe well-funded criminal organizations carrying out the subsequent degree of compromise to deceive victims into writing checks into accounts.

Deepfakes have historically been employed primarily to produce sexualized images and movies, almost always featuring women.

Nevertheless, a Binance PR executive recently disclosed that fraudsters had developed a deepfaked clone that took part in Zoom calls and attempted to conduct bitcoin scams.

Deepfakes may not necessarily be a scammer's primary tactic, but security researchers at Trend Micro said last month that they are frequently used to augment other techniques. The lifelike computerized images have recently appeared in online advertisements, phony business meetings, and job seeker frauds. The distress is that anybody could become a victim because the internet is so pervasive.






30 Million Data Theft Hacktivists Detained in Ukraine

The Security Service of Ukraine's (SSU) cyber division has eliminated a group of hackers responsible for the data theft or roughly 30 million people. 

According to SSU, its cyber branch has dismantled a group of hacktivists who stole 30 million accounts and sold the data on the dark web. According to the department, the hacker organization sold these accounts for about UAH 14 million ($375,000). 

As stated by the SSU, the hackers sold data packs that pro-Kremlin propagandists bought in bulk and then utilized the accounts to distribute false information on social media, generate panic, and destabilize Ukraine and other nations. 

YuMoney, Qiwi, and WebMoney, which are not permitted in Ukraine, were used by the group to receive funds.The police discovered and seized many hard drives containing stolen personal data, alongside desktops, SIM cards, mobile phones, and flash drives, during the raids on the attackers' homes in Lviv, Ukraine. 

By infecting systems with malware, fraudsters were able to gather sensitive data and login passwords. They targeted systems in the European Union and Ukraine. According to Part 1 of Article 361-2 of the Ukrainian Criminal Code, unauthorized selling of material with restricted access, the group's organizer has been put under investigation.

The number of people detained is still unknown, but they are all charged criminally with selling or disseminating restricted-access material stored in computers and networks without authorization. There are lengthy prison terms associated with these offenses.

The gang's primary clients were pro-Kremlin propagandists who utilized the stolen accounts in their destabilizing misinformation efforts in Ukraine and other nations.

The SSU took down five bot farms that spread misinformation around the nation in March and employed 100,000 fictitious social media profiles. A huge bot farm with one million bots was found and destroyed by Ukrainian authorities in August.

The SSU discovered two further botnets in September that were using 7,000 accounts to propagate false information on social media.

Malware producers are frequently easier to recognize, but by using accounts belonging to real people, the likelihood that the operation would be discovered is greatly reduced due to the history of the posts and the natural activity.






Sophos: Employing Stolen Session Cookies to Navigate MFA & Access Networks

Hackers on the internet keep getting better. Stealing cookies from recently completed or ongoing web sessions is one new strategy they have been employing to avoid multi-factor authentication (MFA). 

Recently, Sophos researchers reported a new attack technique that is already becoming more prevalent. According to the researchers, the "cookie-stealing cybercrime spectrum" is vast, encompassing entry-level hackers as well as sophisticated rivals who employ a variety of strategies. 

On dark web forums, cybercriminals purchase stolen credentials in bulk or collect cookies. Because ransomware groups exploit genuine executables, both those that are already present and those that are added as tools, 'their operations may not be detected by simple anti-malware defenses.'

Cookie theft

Cookies are used by cloud infrastructures as well for user authentication. It's becoming simpler for entry-level attackers to engage in credential theft thanks to the malware-as-a-service sector. 

For instance, all they need to do is purchase a copy of an information-stealing Trojan like Raccoon Stealer to bulk collect information like cookies and passwords and then sell them on illicit markets like Genesis. Once this data is purchased, other criminals in the attack chain, such as ransomware developers, can search through it for anything they think would help their attacks. 

In contrast hand, in two of the most recent events that Sophos studied, the attackers adopted a more focused strategy. For one event, the hackers infiltrated a target's network for months in order to collect cookies from the Microsoft Edge browser. The attackers employed Cobalt Strike and Meterpreter activity to take advantage of a legal compiler tool in order to scrape access tokens after the initial penetration occurred via an exploit kit.

The attackers dropped a malicious payload that scraped cookie files for a week using a legal Microsoft Visual Studio component.

"Although mass cookie theft has been an issue, hackers are using a far more focused and efficient method to steal cookies. There is no limit to the kinds of nefarious activities attackers might engage in with stolen session cookies now that so much of the workplace is web-based. Hackers have the power to alter cloud infrastructures, corrupt corporate email, persuade other staff members to download malware, and even modify product code. Their own imagination is their only constraint," said Sean Gallagher, principal threat researcher at Sophos.

Cookies Access Systems Against Safety Protocols

According to Digital Trends, hackers are able to abuse different online tools and services as a result of cookie theft. This exploitation can occur in browsers, web-based programs, web services, malware-infected emails, and ZIP files. Since cookies are so popular, hacking with them is a sophisticated practice.

Sophos lists Emotet botnet as one cookie-stealing virus that preys on data in the Google Chrome browser. Acquiring data from credit cards and saved logins are the objectives. Even if the browser is encrypted and uses multifactor authentication, the Emotet botnet can still gather login information.

Ransomware organizations also gather cookies. As hackers exploit genuine executables that are both already present and ones that can bring with them tools, simple anti-malware defenses are unable to detect their actions, according to eSecurity Planet.

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users

 

A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is identical to the shrimp and is less than 10cm in length. Despite being so small, the claws of mantis shrimps can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.

Malicious Excel Files are Now Being Employed to Propagate Revamped Emotet Malware

 

Cybersecurity researchers discovered that the infamous Emotet malware has altered methods yet again. In its latest campaign, the malware is able to access and use spreadsheets, documents, and other Microsoft programs, evading entry security. 

Emotet was identified in 2014 as a banking trojan, and it has been quite active in recent years. In this campaign, the botnet authors are using a relatively new module that steals payment card information from Google Chrome. 

According to Deep Instinct researchers, the current version of Emotet has led to a nine-fold surge in the use of Microsoft Excel macros compared with what researchers detected in the fourth quarter of 2021. The hackers that utilized this trojan were among the first to offer malware-as-a-service (MaaS). 

The latest malware still uses many of the same attack vectors as it had in the past, but this new technique is seen as being more effective in collecting and using stolen credentials. 

In a blog post on the re-emergence of Emotet, Chuck Everette, director of cybersecurity advocacy for Deep Instinct, which has been following the malware since the fourth quarter of last year, noted that the current malware variant uses many of the same “evasion methods” as previous versions. 

The malware has targeted customers in Japan, as well as the United States and Italy since this spring. The researchers detected the Emotet's re-emergence last November, and they noted that this evolved malware was even able to get past email gateway security. 

Additionally, the banking trojan is employing 64-bit shell code, as well as more advanced PowerShell and active scripts, “with nearly a fifth of all malicious samples exploiting the 2017 Microsoft vulnerability CVE-2017-11882,” according to reports. 

"We use internal code and binary similarity algorithms on our cloud backend to associate and correlate new variants of a select set of campaigns which we monitor very closely, Emotet being one of them," he explained. 

In particular, multiple static evasion methods are very characteristic of Emotet, and upticks in those in new variant waves are very indicative of malware activity. 

“The Emotet Gang are professionals. They know how to run a successful phishing campaign and have now upped their game with new sophisticated attack techniques,” Everette explained on his company’s blog on the re-emergence of Emotet. However, the primary delivery method is still phishing emails, and the human factor is the weakness. If you make yourself more difficult to attack than another company, they will go after the easier target. Make sure you're the harder target to penetrate. Educate your employees."

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.

 US Reclaimed $15 Million From an Ad Fraud Operation

 

The US government has recovered more than $15 million in earnings from the 3ve digital advertising fraud enterprise, which cost firms more than $29 million in unviewed ads. 

Sergey Ovsyannikov, Yevgeniy Timchenko, and Aleksandr Isaev, according to the Justice Department, accessed more than 1.7 million infected computers between December 2015 and October 2018, using tens of command and control (C&C) servers as the Kovter botnet, a click-fraud malware would quietly run in the background while connecting to sites to consume advertisements. 

A forfeiture order, according to the Justice Department, resulted in the transfer of $15,111,453.84 from Swiss bank accounts to the US government. The technique resulted in the falsification of billions of ad views and the spoofing of over 86,000 domains. According to the US Department of Justice, groups paid over $29 million for advertising never seen by real people. 

Ovsyannikov and Timchenko were arrested in 2018, pleaded guilty, and sentenced to jail terms in the United States. For this role in 3ve (pronounced "Eve"), Isaev and five others are accused of money laundering, wire fraud, computer intrusion, and identity theft, yet they stay free. 

The US also charged Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, and Dmitry Novikov, five Russian citizens, with running the Methbot ad fraud scheme, which is thought to have netted the fraudsters more than $7 million in illegal gains. 

"This forfeiture is the greatest international cybercrime recovery in the Eastern District of New York's history," said United States Attorney Peace in a press statement.

New Version of 'Sysrv' Botnet is Targeting Windows and Linux Servers

 

Microsoft recently unearthed a new version of the Sysrv botnet, tracked as Sysrv-K, capable of abusing bugs in WordPress and Spring Framework to install crypto-mining malware on vulnerable Windows and Linux servers. The variant has been upgraded with multiple features, including scanning for unpatched WordPress and Spring deployments. 

"The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers" by exploiting various vulnerabilities, the Microsoft Security Intelligence team tweeted. These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins as well as newer vulnerabilities like CVE-2022-22947." 

CVE-2022-22947 (CVSS score of 10) is a code injection critical vulnerability in Spring Cloud Gateway that exposes applications to code injection assaults, allowing unauthenticated, remote attackers to achieve remote code execution. 
 
Sysrv-K scans for WordPress configuration files for their backups, in an attempt to steal database credentials and take over the webserver. Moreover, the botnet packs updated communication capabilities, such as support for Telegram. 

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and hostnames, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” the Microsoft team added. 

The botnet has been active since at least December 2020, but its activity was documented in April 2021 by multiple security researchers. Sysrv-K secures control of web servers by scanning the internet to locate web servers and then uses various vulnerabilities such as path traversal, remote file disclosure, arbitrary file downloads, and remote code execution. Once the malware runs on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner. 

After killing competing cryptocurrency miners and deploying its own payloads, the botnet auto-spreads over the network via brute force attacks using SSH private keys collected from various locations on infected servers (e.g., bash history, ssh config, and known_hosts files). 

Subsequently, the botnet aggressively scans the Internet for more vulnerable Windows and Linux systems to add to its army of Monero mining bots. To mitigate the risks, organizations are recommended to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest update, usage instructions, and debate feature proposals on a private Telegram channel with over 500 members. Buyers can apparently use the Telegram Bot to assemble the binary automatically after choosing its desired feature set and paying the equivalent amount in cryptocurrency. The malware module is the most premium at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers. 

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module is $90 a year and includes features such as task manager invisibility, auto-restart once killed, and startup launch persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet credentials and replaces them with wallets controlled by the user. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drivers, lan shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors say it's FUD (completely undetectable), a claim supported by Virus Total data showing zero detections for the strain. Surprisingly, the ransomware module provides an option of setting a timer that, when reached, renders the files entirely unrecoverable. This adds to the victim's pressure to pay the ransom as soon as possible. 

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding visiting untrustworthy websites and email attachments are recommended best practices.

GoBrut Botnet Targets Sites and Devices: Heimdal Security Report

Heimdal Security released an advisory for its customer base, users, partners, and clients in a matter that involved the emergence of a botnet that has infected thousands of sites. The botnet StealthWorker (GoBrut) has managed a large number of attacks in a very short time, via brute-forcing the target's internet-facing NAS devices and web servers. For the infected devices, Heimdal says that they will be used in future botnet campaigns for exploiting more hosts. GoBrut is not a botnet novelty exactly. 

It was involved in the August 2021 campaign against Synology's NAS devices, however, its origin can be traced back to February 2019, when malware launched various brute-force attacks against poorly secured CMSs, including Magento. In terms of design, GoBrut is scripted in Golang, a popular programming language in the hacker communities and pen testers because of its flexibility, coding efficiency two IP addresses, and reasonable learning curve. In Synology's case, the payload was distributed via JS injection or something similar. 

Once the distribution was tagged as successful, the malware begins to collect resources, finding the ones vulnerable to brute force. The reason why botnet StealthWorker had impressive success is rooted in how few CMSs manage password hygiene. In various incidents, leaked credentials were default user-password pairs, which hints that no measures were taken to make the passwords strong. Regarding the intrusion, the credentials accessed via distributed dictionary-based brute-forcing were given to a C2 panel hosted on a secondary 'attack' address, for C2 performing functions. 

A surprising thing is that GoBrut is also capable of backtracking user admin login paths and extracting backup file locations. Heimdal Security says "the botnet StealthWorker is the very embodiment of the saying: “simpler is better”. Although heavily reliant on volumetric attacks, this malware has managed to rake up numerous hits by leveraging sub-par authentication mechanisms."

Attackers are Employing Multiple Malwares to Target Ukrainian System

 

Amid Russia-Ukraine war, cybersecurity experts have witnessed a sudden increase in the number of wiper malware deployments. Since February 24, Ukrainian security experts have unearthed at least seven new types of malwares employed by attackers to target Ukraine: AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. 

Earlier this week, AT&T cybersecurity published a blogpost detailing the different types of wiper malware which we have covered below. 

WhisperKill 

On the night of January 14, anonymous hackers attempted to secure access to and deface the websites of more than 70 Ukrainian government agencies, according to Ukraine’s security service. The malware successfully defaced 22 websites and severely damaged six. 

How it operates: The malware downloads a payload that wipes the Master Boot Record (MBR), then downloads a malicious file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the compromised devices. 

HermeticWiper 

A month after, on February 23rd 2022, ESET Research discovered a new Wiper called HermeticWiper being used against hundreds of Ukrainian systems. The hackers then used a shell company to issue a certificate that allows bypassing detection capabilities, such as Microsoft Defender SmartScreen and built-in browser protections. 

The malware collects all the data it wants to delete to maximize the impact of the wiping, it uses the EaseUS Partition Master driver to overwrite the selected parts of the disk with random data.

IsaacWiper 

A day after the initial assault with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermaticWiper used the day before. 

This wiper malware iterates through the filesystem, enumerates files and overwrites them. The behavior is similar to ransomware activity, but in this case, there is no decryption key. Once the data has been overwritten, it is lost. 

AcidRain 

On March 15, a new strain of wiper malware called AcidRain was discovered by researchers at SentinelLabs. AcidRain wiper was used in an attack against the Viasat KA-SAT satellite broadband service provider. 

The attacker gained access to the management infrastructure of the provider to deploy AcidRain on KA-SAT modems used in Ukraine. The wiper employed was the ELF MIPS wiper targeting Viasat KA-SAT modems, which aimed to firstly overwrite any file outside of the any common *nix installation: bin, boot, dev, lib, proc, sbin, sys, sur, etc. to then delete data from devices. 

CaddyWiper 

The first version of CaddyWiper was unearthed by ESET researchers on March 14 when it was used against a Ukrainian bank. Then it was employed again during the attack on the Ukrainian energy company on April 12. 

The Wiper overwrites files on the computer with null byte characters, making them unrecoverable. This malware can be executed with or without administrator privilege. In both cases, it causes lethal damage to the target machine. 

DoubleZero 

On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Dubbed DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program. 

The wiper erases files in two ways: by overwriting them with zero blocks of 4096 bytes (FileStream.Write method) or using NtFileOpen, NtFsControlFile API calls (code: FSCTL_SET_ZERO_DATA). 

To prevent further assaults, researchers recommended keeping systems up to date and sharing knowledge regarding cybersecurity. In addition, attacks can be avoided by having periodic backup copies of key infrastructure available.

Docker Servers Targeted by LemonDuck Cryptomining Campaign

 

LemonDuck botnet operators have launched a large-scale Monero cryptomining campaign targeting Docker APIs on Linux servers. Cryptomining hackers are a persistent danger to Docker systems that aren’t properly shielded or configured, with multiple mass-exploitation efforts recorded in recent years.

The cryptomining malware was first identified in 2019 by researchers from Trend Micro while targeting enterprise networks. Previously, the botnet has targeted Microsoft Exchange servers, Linux machines via SSH brute force attacks, Windows systems susceptible to SMBGhost, and servers running Redis and Hadoop instances. 

Methodology Employed 

The LemonDuck botnet secures access to the exposed Docker APIs and runs a malicious container to fetch a Bash script disguised as a PNG image. 

The script is downloaded from the domain t.m7n0y[.]com, which was observed in other LemonDuck attacks. 

“The “core.png” file acts as a pivot by setting a Linux cronjob inside the container. Next, this cronjob downloads another disguised file “a.asp,” which is actually a Bash file,” Crowdstrikes researchers explained. “The “a.asp” file is the actual payload in this attack. It takes several steps before downloading and starting a mining operation once it is triggered by a cronjob, as follows.” 

The Bash file (a.asp) performs the following actions: 

• Kill processes based on names of known mining pools, competing cryptomining groups, etc. 
• Kill daemons like crond, sshd and syslog. 
• Delete known indicator of compromise (IOC) file paths. 
• Kill network connections to C2s known to belong to competing cryptomining groups. 
• Disable Alibaba Cloud’s monitoring service that protects instances from risky activities. 

Last year in November, cryptomining malware used by unknown attackers was found to disable protective mechanisms in Alibaba Cloud services. After doing the above tasks, the Bash script then downloads and executes the cryptomining program XMRig and a configuration file that hides the actor’s wallets behind proxy pools. 

After the initially infected machine has been set up to mine, Lemon_Duck attempts lateral movement by leveraging SSH keys found on the filesystem. If those are available, the attacker will employ them to carry out a second infection. Hiding the Docker APIs properly on cloud instances is currently the only solution for avoiding LemonDuck crypto-mining attacks.

Muhstik Botnet Targeting Redis Servers by Exploiting Recently Published Bug

 

The Muhstik botnet infamous for spreading via web application exploits, has been spotted targeting and exploiting a Lua sandbox escape flaw (CVE-2022-0543) in Redis severs after a proof-of-concept exploit was publicly released. 

Lua sandbox escape flaw was uncovered in the open-source, in-memory, key-value data store in February 2022 and could be exploited to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 on the severity scale. 

"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu explained in an advisory released last month. 

The attacks exploiting the new flaw started on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and implement the botnet binaries from another server, Juniper Threat Lab researchers explained. 

According to Chinese security firm Netlab 360, the Muhstik botnet is known to be active since March 2018 and is monetized for performing coin mining activities and staging distributed denial-of-service (DDoS) attacks. 

The botnet propagates by exploiting home routers, but researchers noticed multiple attempted exploits for Linux server propagation. The list of compromised routers includes GPON home router, DD-WRT router, and the Tomato router. The vulnerabilities exploited by Muhstik over the years are as follows – 

• CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware 
• CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability 
• CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability 
• CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and 
• CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell) 

"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force," Juniper Threat Labs researchers said in a report published last week. In light of active exploitation of the critical security loophole, users are strictly advised to act quickly to patch their Redis services to the latest version.

This New Russian Cyclops Blink Botnet Targets ASUS Routers

 

Nearly a month after it was discovered that the malware used WatchGuard firewall appliances as a stepping stone to obtaining remote access to infiltrated networks, ASUS routers have been the target of a budding botnet known as Cyclops Blink. 

The botnet's primary objective is to develop an infrastructure for additional attacks on high-value targets, according to Trend Micro, given that none of the compromised hosts belongs to vital organisations or those that have an obvious value on economic, political, or military espionage. 

Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Sandworm (aka Voodoo Bear), a Russian state-sponsored actor has been linked to both VPNFilter and Cyclops Blink. It has also been tied to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games. 

The complex modular botnet, c language, affects a variety of ASUS router types, with the company admitting that it is working on a patch to handle any potential exploitation. –  
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
Apart from employing OpenSSL to encrypt connections with its command-and-control (C2) servers, Cyclops Blink also includes specific modules that can read and write from the devices' flash memory, allowing it to persist and survive factory resets. A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS. Although the exact form of initial access is unknown, Cyclops Blink has been affecting WatchGuard and Asus routers in the United States, India, Italy, Canada, and Russia since June 2019. 

A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts. Because of the infrequency with which IoT devices and routers are patched and the lack of security software, Trend Micro has warned that this might lead to the establishment of "eternal botnets."

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."

Telegram Abused By Raccoon Stealer

 

As per a post released by Avast Threat Labs this week, Raccoon Stealer, which was first identified in April 2019, has added the capacity to keep and update its own genuine C2 addresses on Telegram's infrastructure. According to researchers, this provides them with a "convenient and trustworthy" command center on the network which they can alter on the fly. 

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

As per the reports, Buer Loader and GCleaner were used to distribute Raccoon. Experts suspect it is also being distributed in the guise of false game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications, based on some samples. 

Given since Raccoon Stealer is for sale, the only limit to its distribution methods is the imagination of the end-users. Some samples are spread unpacked, while others are protected by malware packers like Themida. It is worth mentioning whether certain samples were packed by the same packer five times in a row.

Within Telegram, the newest version of Raccoon Stealer talks with C2: According to the post, there are four "crucial" parameters for its C2 communication which are hardcoded in every Raccoon Stealer sample. Details are as follows:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names; 
  • BotID, a hexadecimal string that is always sent to the C2; 
  • TELEGRAM KEY, a decryption key for the Telegram Gate C2 address. 

The malware decrypts MAIN KEY, which it uses to decrypt Telegram gates URLs and BotID, before hijacking Telegram for its C2. According to Martyanov, the stealer then utilizes the Telegram gate to connect to its real C2 via a series of inquiries to eventually allow it to save and change actual C2 addresses utilizing the Telegram infrastructure. 

The stealer can also transmit malware by downloading and executing arbitrary files in response to an instruction from C2. Raccoon Stealer spread roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware, according to Avast Threat Labs.

By Attacking Healthcare, Education, and Government Systems, FritzFrog Botnet Grew Tenfold

 

The FritzFrog botnet, which has been active for over two years, has revived with an alarming infection rate, growing tenfold in just a month of attacking healthcare, education, and government networks via an unprotected SSH server. FritzFrog, a malware developed in Golang that was discovered in August 2020, is both a worm and a botnet that targets the government, education, and finance sectors. 

The malware fully assembles and executes the malicious payload in memory, making it volatile. Furthermore, because of its unique P2P implementation, there is no central Command & Control (C&C) server giving commands to FritzFrog. It is self-sufficient and decentralised. Despite FritzFrog's harsh brute-force tactics for breaching SSH servers, it is strangely efficient at targeting a network equitably. 

Guardicore Labs has been monitoring FritzFrog with its honeypot network for some time. "We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary," said the company in a report published in August 2020, authored by security researcher Ophir Harpaz.

Researchers at internet security firm Akamai discovered a new version of the FritzFrog malware, which has intriguing new features such as the use of the Tor proxy chain. The new botnet variation also reveals signs of its operators planning to enhance capabilities to target WordPress servers. 

Athough the Akamai global network of sensors identified 24,000 attacks, the botnet has claimed only 1,500 victims thus far. The majority of infected hosts are in China, although affected systems can also be found in a European TV network, a Russian healthcare organisation, and other East Asian universities. The perpetrators have included a filtering list to avoid low-powered devices like Raspberry Pi boards, and the malware also includes code that lays the basis for targeting WordPress sites. 

Given that the botnet is renowned for cryptocurrency mining, this feature is an odd inclusion. However, Akamai believes that the attackers have discovered new means of monetization, such as the deployment of ransomware or data leaks. This functionality is currently dormant while it is being developed. The researchers point out that FritzFrog is always in development, with bugs being resolved on a daily basis. 

FritzFrog targets any device that exposes an SSH server, therefore administrators of data centre servers, cloud instances, and routers must be careful, according to the researchers. Some security tips from Akamai include enabling system login auditing with alerting, monitoring the authorized_hosts file on Linux, configuring an explicit allow list for SSH login, and so on.

Russia Recorded the Largest Botnet Attack on Retail

 

The new botnet is not used to damage the IT infrastructure of companies through DDoS attacks, but to collect internal information; large chains of retailers became victims. 

According to Alexander Lyamin, the founder and CEO of Qrator Labs, the main danger of data mining for retail companies is that attackers can conduct competitive analysis based on the collected data. In addition, data mining is often used in fraudulent schemes with theft or fraud of bonus points, as a tool of unfair competition. 

One of Russia's largest retail chains Lenta acknowledges that the number of cyberattacks on retail has increased. The attackers target the personal data of employees and customers of the company. Botnet attacks can cause serious damage to businesses. X5 Group and Inventive Retail Group declined to comment. 

Experts add that data mining could be a competitive intelligence tool. "The retail sector is well suited for this since all chain stores have online versions, and analyzing the availability of goods on the site, customer reviews or price changes allows competitors to build their business more efficiently," experts explain. 

Using data-mining in retail, it is possible to collect information that is valuable on the black market, for example, credit card numbers, or from competitors: customer patterns and other statistics. 

According to experts, the introduction of network traffic analysis technologies and process control at network endpoints will help to cope with the threat. 

In general, according to Qrator Labs, at the end of 2021 the victims of attacks on information security, including DDoS, were services to create websites, organizations from the field of education, and e-commerce. 

“DDoS attacks follow business: in those industries where there is maximum growth, the number of attacks proportionally increases,” explains Alexander Lyamin. In the fourth quarter, users continued to study remotely, and the number of online orders for goods broke all records, so the attackers focused their attention on these profitable segments.

Russian experts have discovered the largest botnet in the history of the Internet

Hackers have combined several botnets to carry out the most powerful DDoS attacks on the Network. Experts of the Russian company StormWall, a company specializing in protecting businesses from cyber threats, have recorded attacks with a capacity of more than 1 Tbit /s, lasting for several days. Most often, they affected companies in the entertainment sector, retail, publishing houses and the fintech sector.

StormWall reported that the attacks were carried out using a new botnet consisting of several tens of thousands of servers with different versions of operating systems, as well as webcams, routers, smart TVs.

Since the botnet includes different devices based on different operating systems, it can be concluded that they are infected in different ways. Each attack had approximately the same power, but at the same time different geographical distribution, which indicates that not one botnet was used, but several combined into a single control system.

According to experts, the botnet's resources were divided between several users who could launch DDoS attacks simultaneously. At the same time, to launch the attack, each attacker used not the entire botnet, but a part of it. But even a part allowed organizing an attack with a capacity of several hundred gigabits per second.

According to Artem Tereshchenko, Development Director of VAS Experts, today the Internet security resources are at a fairly high level, and in order to hack them, you need to generate as much traffic as possible.

Experts believe that the botnet poses risks for both technology companies that provide their services over the Internet and for their customers. The purpose of the botnet is not just to harm, but to seize the personal data of users and commercial data of the company itself.

According to StormWall experts, hackers are combining botnets in order to get the maximum attack power that can even penetrate DDoS protection. 

Emotet Installs Cobalt Strike for Rapid Attacks

 

The notorious Emotet malware is now directly installing Cobalt Strike beacons for rapid cyberattacks, rather than dropping an intermediate payload first. 

Attackers are using Cobalt Strike, a legitimate penetration testing tool, to spread laterally through a firm and deploy ransomware on their network. Earlier this month, the malware started analyzing the installation of Cobalt Strike beacons instead of conventional payloads on exploited devices. The test was short and soon after the attackers returned to distributing their typical payloads.

According to researchers, the attackers using Emotet suspended their phishing and spamming campaigns and since then, they have been quiet. However, researchers believe the attackers are installing Cobalt Strike beacons on already compromised devices. They install the Cobalt Strike modules straight from their command-and-control (C2) server and then execute the modules on the infected devices.

Installing Cobalt Strike directly eliminates the time between initial infection and subsequent installation of the pen testing tool, giving victims less time to detect and mitigate the infection prior to the execution of ransomware. 

The malware communicates with the attacker’s command and control servers via a fake ‘jquery-3.3.1.min.js’ file in a sample of the Cobalt Strike beacon provided with BleepingComputer. Each time the malware interacts with the C2, it will attempt to download the jQuery file, which will have a variable changed with new instructions. 

As most of the file is valid jQuery source code, and only some content is changed, it blends into legitimate traffic and makes it easier to evade security software. The quick deployment of Cobalt Strike via Emotet is an important development that should be noted by all Windows and network administrators, as well as security specialists. 

In previous attacks, defenders had more time to spot the presence of Emotet or Trickbot, or QakBot and remediate before the ransomware infection took place. But now, the timeline is compressed and the chances of identifying and removing Emotet or the Cobalt Strike beacon before a ransomware infection are much lesser. 

“The old Emotet also used a multilayer communication protocol for all communication performed by the infected victim and the C2. However, the old protocol required the loader to also enumerate the victim’s process list, which was sent to the C2 during check-in. New Emotet strips out this process checking functionality from initial check-in and places it into a new module focused on process list checking,” researchers at Intel 471 stated.