North Korean Cybercriminals Attempt to Steal $27M in ETH

The North Korean state-backed hacking groups 'Lazarus' and 'APT38' were responsible for the theft of $100 million worth of Ethereum from Harmony's Horizon bridge in June 2022.

The movement of the funds and the seizure of stolen assets were reported to the authorities. The exploiters' activity closely resembled the attempt undertaken on January 13, 2023, when more than $60 million of the stolen funds was pushed through a laundering attempt.

Harmony's Horizon Bridge enables transfers between the Binance chain, Bitcoin, and Ethereum. Numerous tokens worth $100,000,000 were taken from the network on June 23, 2022.

North Korean cybercriminals were actively shifting a portion of the Horizon bridge funds over the last weekend as the price of bitcoin approached $24,000. While several cryptocurrency exchanges instantly froze certain funds, Binance CEO Changpeng Zhao (CZ) claimed that some exchanges are not helpful in fighting crime, which made it easier for the attackers to convert ETH to BTC.

According to reports, APT38 was able to convert some of the $27 million in Ether to Bitcoin and withdraw the money from exchanges. The Lazarus group has reportedly been shifting the laundered money through a number of addresses in order to mask its true identity behind multiple layers.

With the use of its Horizon Bridge, Harmony can transmit data to and from the Ethereum network, Binance Chain, and Bitcoin. On June 23, a number of tokens from the network valued at roughly $100 million were taken.

After the exploit, the Tornado Cash mixer processed 85,700 Ether, which was then deposited at various addresses. The hackers began transferring about $60 million of the stolen money via the Ethereum-based anonymity protocol RAILGUN on January 13. 350 addresses have been linked to the attack through numerous exchanges in an effort to escape detection, according to research by the cryptocurrency tracking tool MistTrack.

Cryptocurrency exchanges like Binance and Huobi have frozen stolen Horizon Bridge funds and alerted the authorities. This demonstrates how dependent DeFi platforms and centralized exchanges are on one another.

Cybersecurity in 2023: Will the Crypto Crash Impact It?


One question that naturally arises for those working in the cybersecurity industry, now that the fall of the FTX exchange has capped the cryptocurrency crash of 2022, is how this rapid decline in cryptocurrency valuations will affect the cybercrime economy.

Cybercriminals have been using and abusing cryptocurrency to build up their empires and make money ever since the most recent crypto boom began more than a decade ago. Through cryptocurrency, ransomware has created a world in which victims pay extortion demands while the extortionists risk jail time. Scammers use cryptocurrency to target consumers and steal their wallets and accounts. A wide range of cybercriminal enterprises has traditionally relied on it to launder money anonymously behind the scenes.

Although many cybersecurity experts and intelligence analysts agree that there have been some changes in trends and tactics that they believe are loosely related to the crypto crash, the jury is still out on its long-run effects and on how it will ultimately reshape the cyber world.

The Shifting Trends & Tactics of Cryptocurrencies in 2022 

Despite the drop in crypto values this year, cybercriminals have developed a more sophisticated strategy for monetizing their attacks with cryptocurrencies, according to Helen Short, Accenture cybersecurity intelligence analyst. As an example, she points to the use of yield farming within decentralized finance, which some ransomware groups have adopted as a monetization method.

"In other words, yield farming is similar to lending money, in that the amount of interest that has to be paid is clearly outlined in the contract that outlines the amount that has to be paid," she explains. "As a ransomware group, the advantages are that they will be able to collect legitimate proceeds from the ransom and they will not be forced to launder or hide the funds."

In her analysis, she has found that threat actors have increasingly turned to 'stablecoins,' which are typically 'pegged' to fiat currencies or gold. This is to decrease the volatility of their wallets. Cryptocurrency is making headlines worldwide due to the recent downturn in its price. This has resulted in cybercriminals having a heightened appetite for risk, leading to more investment frauds and cryptocurrency scams being perpetrated. 

In addition to some people losing their wallet value, others may have simply lost interest in keeping an eye on their accounts. They may have stopped paying as much attention to them. Brittany Allen, the team's trust and safety architect and fraud researcher, offers some insight into how this is fueling another trend. "Fraudsters are noticing that consumers are paying less attention to their crypto wallets than they were when crypto prices were higher earlier this year and in 2021, as a result of plummeting prices for cryptocurrency," she said. Consequently, cryptocurrency account takeover attacks have increased by 79% in the last few months. 

According to the researcher, there is an increasing number of threat actors joining forces instead of being paid by each other for their specialist services. This reduces the costs of the attack as there is a set share of the proceeds included in the agreement. 

Ransomware Will Not Go Away

As far as cybersecurity pundits are concerned, one thing that has been agreed upon almost unanimously is that ransomware will remain prevalent for some time despite the growing volatility of cryptocurrencies. Ransomware activity in 2022 has seen a slight decline compared to early 2022. Despite that, Aamil Karimi, threat intelligence analyst at Optiv, said that other factors out of our control, such as the war in Ukraine, contribute to the decrease in activity.

The decline in activity in recent years is more likely due to a significant regrouping of ransomware cartels than to anything else. For as long as cryptocurrency remains the popular medium for extortion payments, he believes extortion will remain a popular business model.

"As of right now, cryptocurrency is the safest medium through which cybercriminals can act as a means of doing transactions. Cryptocurrency is the preferred payment method by extortion," Karimi says. The amount of cybercrime and extortionary activity will not slow down soon, as Karimi doesn't anticipate any slowdown.

The evolution to be expected in 2023

Cybercriminals may also evolve their techniques for attacks other than ransomware in response to increased friction with law enforcement. The most common among these is business email compromise (BEC), which does not require cryptocurrency.

The FBI's annual IC3 report [PDF] determined that business email compromise was the most common method used by attackers to steal fiat currency. It is becoming increasingly easy and convenient for technology to mimic human writing, speech, and even live video as a result of advances in artificial intelligence, according to GreyNoise's Rudis. Ransomware groups have operated as businesses for a long time, so it makes sense to assume that they would use their technological skills to deploy more advanced BEC schemes in addition to their primary mission of stealing money.

At the same time, attackers are likely to keep advancing their technology for tracking and laundering money in order to stay one step ahead of the authorities.

"The number of attackers will increase, and they will try to obfuscate their illicit funds by breaking the sequence of blockchain transactions, which will become increasingly sophisticated," Short says. "We will likely see a professionalization of cryptocurrency mixers, such as Tornado Cash, with threat actors offering fast and high value 'cash out as-a-service' offerings."

As a result, she believes that by 2023 there will be increased demand for account takeovers, repurposing stolen accounts as mule accounts for cashing out on the back end of various scams, which in turn will raise the value of personally identifiable information (PII).

DEA Tracks Down Drug Cartels with Binance


Due to the anonymity provided by cryptocurrencies, they allow cartels a perfect means to transfer funds across continents in a relatively safe manner. To identify individuals, it is necessary to analyze the chain of command. 

As a result of its widespread use by threat actors to wash funds from crypto markets, Tornado Cash has been sanctioned by the US Treasury for being used as a crypto mixing tool. Following the sanctions, threat actors are no longer able to operate through their usual routes, including through centralized exchanges. 

Drug cartels are under attack by the DEA

Forbes published an article about the gang that indicated that it operated in several countries, including the United States, Europe, Mexico, and Australia. Based on the DEA's report, it appears that the cartel was channeling as much as $40 million of illicit proceeds through the exchange.

Using Localbitcoins, informants were able to interact with perpetrators trading crypto for fiat in 2020, which led to investigations into the crime and communication with authorities. 

To ensure trust between trading parties, Localbitcoins uses an escrow service so that both parties are given a fair chance to complete a transaction. Carlos Fong Echavarria, a Mexican citizen responsible for the laundering, assured them the money came from family restaurants and cattle ranches.

After Echavarria's capture, he pleaded guilty to charges of drug possession and money laundering. While the matter awaited sentencing, the DEA tracked a blockchain address and found that money was still being laundered. One of the latest perpetrators recently bought $42 million in crypto and sold $38 million in crypto. Some of these funds are believed to be linked to drug trafficking, according to authorities.

The Binance versus the money laundering issue

During the most recent attack, BNBc tokens worth trillions of dollars were obtained via an exploit of the ANKR protocol. BNP and BUSD were exchanged for some of the proceeds, then transferred to the exchange. As a result of the incident, the Exchange reacted by freezing the associated accounts. The company ANKR has determined that the perpetrator of the crime was a former employee of their own company. There was a data breach earlier this month by Lazarus Group, a North Korean cybercrime group. This breach may have led to a loss of more than $540 million from the Ronin Axie Infinity ecosystem. 

It appears that Lazarus also moved the stolen funds to Tornado Cash and several other exchanges. Through a collaborative effort, Chainalysis, law enforcement authorities, and the leading cryptocurrency exchange reverse-engineered the transaction trail. They also froze about $5.8 million in crypto assets linked to this crime as a result of this discovery. 

Following a collaboration between Russian law enforcement and the exchange, Hydra, a Russian-language darknet marketplace, has been shut down. Earlier media reports had stated that Hydra received funding through the exchange. In its statement, Binance said that law enforcement would not have been able to capture the criminals behind the Hydra case if it weren't for cryptocurrency.

A report by Binance indicated that the company had spent tens of millions of dollars hiring sophisticated cybersecurity specialists from across the globe. More than 120 security and industry experts comprise the team, including former members of the IRS, the FBI, the US Secret Service, Europol, and police agencies in the U.K., Europe, Asia, and Latin America.

Throughout the history of cryptocurrencies, critics have portrayed them in a bad light. This is because they view them as a disruptive technology that will revolutionize global finance, as well as global crime. 

To ensure that the industry is under the control of the authorities, strict regulations have been published. 

Binance has proved that blockchain is a valuable tool to use in the fight against cyber law-breaking, as evidenced by its success in this field. Several industrial applications have been demonstrated using the technology, including preventing forgery and enhancing procurement processes.  

There is no true anonymity in crypto: centralized exchanges may be able to identify the owners of addresses. Likewise, an individual holding a majority stake in a blockchain ecosystem built on a much-acclaimed proof-of-stake coin can rely on that power to lock funds on the blockchain and ultimately lock users out of their funds.

What the Downfall of FTX Uncovers about Crypto Media


What happens when a crypto mogul holds the crypto equivalent of a press conference and is confronted with his role in a crypto media scandal? 

Sam Bankman-Fried was grilled this morning about Friday's revelation of his secret payments to the Block, a cryptocurrency publication founded in 2018. The question came at the end of a Twitter Spaces hosted by Unusual Whales, a pseudonymous Twitter account that gained a following by tweeting about congressional stock trades during the pandemic and now offers a financial information service with a heavy emphasis on crypto data. For the record, it resembled many old-fashioned press conferences, albeit in a new setting: Bankman-Fried dodged the question and exited the conversation.

But the moment emphasizes how much crypto-native media exists and how quickly it has developed its own online information realm that is largely distinct from the mainstream media. Crypto media, on the other hand, is a full-fledged entity in its own right. Much of it appears to be traditional outlets with newsrooms, articles, and podcasts that happen to cover a niche topic.

However, it is also inextricably linked to Twitter, the chat platform Discord, the encrypted messaging app Telegram, and tools for direct analysis of blockchain data. And it has a lot of overlap with the rest of the anti-establishment digital media sphere, as the FTX collapse demonstrates better than anything else.

Indeed, as part of the mogul’s ongoing apology tour, crypto entrepreneur Mario Nawfal, who hosted Musk for a Twitter Spaces to discuss the "Twitter Files," also hosted a Spaces with Bankman-Fried. To truly understand the crypto media sphere, go back to the early stages of the FTX collapse — one of the biggest stories in the world right now — and examine how much of it occurred in this largely self-contained ecosystem.

Bankman Fried's problems began with a Nov. 2 report by CoinDesk, a decade-old crypto news service owned by Digital Currency Group, a crypto-focused venture capital firm. According to financial records obtained by CoinDesk, FTX was more financially intertwined with its sister firm, the hedge fund Alameda Research, than previously known.

The report sparked online speculation that Bankman Fried's empire was not financially sound and that the price of FTX's native token, FTT, had been inflated. Changpeng Zhao, the CEO of rival exchange Binance, announced on Twitter four days later that his company was selling its FTT holdings.

Bankman-Fried and Alameda's CEO, Caroline Ellison, fought back on Twitter, assuring the cryptocurrency community that their finances were solid. On-chain analysis — the interpretation of publicly available blockchain data — suggested that the two were not as confident in FTX's financial position as they let on. According to The Data Nerd, a pseudonymous Twitter account dedicated to on-chain analysis, Alameda sent more than $250 million in stablecoins to FTX in a single day.

As the collapse began, much of the most foresighted real-time analysis of FTX's precarious financial position came in Tweet threads and Twitter Spaces from Dylan LeClair, a contributor to Bitcoin Magazine.

As the fallout from the collapse unfolds, Autism Capital — a Twitter account created in 2020 and linked to a Discord chat — is one source of extensive leads and tips about it. It sometimes reports details of the fallout before mainstream media outlets. The account tweeted on December 4 that Ellison was represented by the law firm WilmerHale. Bloomberg has since confirmed this.

Of course, mainstream media outlets have covered the FTX story as well. POLITICO has covered the intricacies of Washington's response; the FT and Wall Street Journal have scooped stories about internal corruption; a Vox reporter published a damning interview with Bankman-Fried; and the New York Times landed a much-watched live interview with Bankman-Fried.

The tone of coverage, on the other hand, frequently varies. The FTX story is mostly about the dangers of cryptocurrency, with its lack of regulation and ever-present scams, in mainstream media. More emphasis is being placed in the crypto media world on the extent to which Bankman-Fried funded establishment media outlets and politicians while becoming the crypto mogul most embraced by those establishments. 

What's the big picture here?

Media ecosystems tend to form around important human interaction sites, such as governments and markets.

Governments' core activities generate fundamental units of information (e.g. bills and executive orders). Markets are the same way (prices and trading volumes). More elaborate media ecosystems can sprout up around these core pieces of information to cover everything else that's going on.

Digital networks also generate basic information, such as social media posts. Furthermore, blockchain networks — a new subset of digital networks — generate on-chain data.

Could they one day support similarly robust media ecosystems?

It is astounding how large and developed the crypto media ecosystem has become. However, it is possible that it is too large.

After all, as Byron Guilliam, senior markets strategist at Blockworks, a crypto media firm aimed at financial institutions, told DFD, "the entire crypto market cap is smaller than Apple, and Apple does not have 15 media outlets covering it."

The demise of FTX could point to the future of digital information. Or, as the crypto markets remain stagnant and the Block is now rocked by scandal, it could be the last gasp of a crypto media bubble about to burst.

An Active Typosquat Attack in PyPI and NPM Discovered

Phylum security researchers are warning of a typosquatting-based software supply chain threat that explicitly targets Python and JavaScript programmers.

What is Typosquatting?

Cybercriminals that practice typosquatting register domains with purposeful misspellings of the names of popular websites. Typically for malevolent intentions, hackers use this tactic to entice unwary users to other websites. These fake websites could deceive users into inputting private information. These sites can seriously harm an organization's reputation if attacked by these perpetrators. 


Researchers alerted developers to malicious dependencies that contained code to download Golang payloads on Friday, saying a threat actor was typosquatting well-known PyPI packages. 

The Python Software Foundation is responsible for maintaining PyPI, the largest code repository for the Python programming language; over 350,000 software projects are stored there. Meanwhile, NPM, which hosts over a million packages, serves as the primary repository for JavaScript programming.

About the hack

The aim of the hack is to infect users with a ransomware variant. Hackers are publishing a number of packages with names nearly identical to popular ones, such as Python Requests, in order to mimic the Requests package on PyPI.

After being downloaded, the malware encrypts files in the background while changing the victim's desktop wallpaper to a picture controlled by the hacker, and looks like it came from the CIA.

When a Readme file created by malware is opened, a message from the attacker requesting $100, usually in a cryptocurrency, for the decryption key is displayed. 

The malware used is referred to as W4SP Stealer. It is able to access a variety of private information, including Telegram data, crypto wallets, Discord tokens, cookies, and saved passwords. 

One of the binaries is ransomware, which encrypts specific files and changes the victim's desktop wallpaper when executed. However, soon the malicious actors published numerous npm packages with identical behaviors. For the decryption key, they demand $100 in Bitcoin, XMR, Ethereum, or Litecoin.

Each of the malicious npm packages, such as discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr, contains JavaScript code that acts identical to the code embedded in the Python packages. 

Louis Lang, chief technology officer at Phylum, predicts a rise in harmful package numbers. These packages drop binaries, and the antivirus engines in VirusTotal identify these binaries as malicious. It is advised that Python and JavaScript developers adhere to the necessary cybersecurity maintenance and stay secure. 

North Korean Lazarus Group Targeting Crypto Market via Telegram & Excel File

DEV-0139 uses targeted attacks to steal cryptocurrency investments 

Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. An entity that Microsoft has termed DEV-0139 posed as a cryptocurrency investment firm on Telegram and used an Excel file carrying "well-crafted" malware to attack systems and access them remotely.

The threat is part of a trend in cyberattacks showing a high degree of sophistication. In this case, the threat actor made a fake OKX employee profile and joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms.

In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks. 

DEV-0139 uses Telegram and Excel files to target victim

There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary motives. Cyberattacks targeting the cryptocurrency market come in various forms, including fraud, vulnerability exploitation, fake apps, and the use of info stealers; threat actors use all of these to steal cryptocurrency funds.

In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures. 

The document offered correct information and showed high awareness of the ground reality of crypto trading; however, it also sideloaded a malicious .DLL (Dynamic Link Library) file to open a backdoor into the user's system. The victim was then told to view the .dll file while discussing the fees.

According to Microsoft, the weaponized Excel file initiates the following series of activities:

  • A malicious macro in the weaponized Excel file abuses the UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp.
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR-encoded backdoor that lets the threat actor remotely access the infected system.
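As an added defender-side example (not code from Microsoft's report or from this post), the following Python check flags two observable stages of that chain in Sysmon-style telemetry: an Office process writing a .tmp file into the staging directory named above, and wsock32.dll being loaded from outside the Windows system directories, especially from the same folder as the loading executable, which is the signature of DLL sideloading. The event records, and the assumption that logagent.exe runs from the staging directory, are constructed for illustration.

```python
"""Detection logic for the DEV-0139 staging and DLL-sideloading stages.

Event records approximate Sysmon Event ID 7 (image load) and 11 (file create).
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL named in Microsoft's DEV-0139 write-up as the sideloaded proxy DLL.
WATCHED_DLLS = {"wsock32.dll"}
# Staging directory from the write-up (where VSDB688.tmp is dropped).
STAGING_DIR = "c:\\programdata\\microsoft media\\"
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like record: 7 = image load, 11 = file create."""
    event_id: int
    image: str    # full path of the process doing the load / write
    target: str   # DLL path (id 7) or created file path (id 11)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def check_sideload(ev: Event) -> Optional[str]:
    """Flag a system-only DLL loaded from outside the Windows system directories.

    A copy sitting beside the loading executable is the classic search-order
    hijack used to sideload wsock32.dll via logagent.exe.
    """
    if ev.event_id != 7:
        return None
    dll_path = _norm(ev.target)
    dll_name = ntpath.basename(dll_path)
    if dll_name not in WATCHED_DLLS:
        return None
    dll_dir = ntpath.dirname(dll_path) + "\\"
    if dll_dir.startswith(SYSTEM_DIRS):
        return None  # legitimate copy in System32 / SysWOW64
    proc_dir = ntpath.dirname(_norm(ev.image)) + "\\"
    where = "beside the loading process" if dll_dir == proc_dir else "from a non-system directory"
    return f"sideload: {ntpath.basename(_norm(ev.image))} loaded {dll_name} {where} ({ev.target})"


def check_office_drop(ev: Event) -> Optional[str]:
    """Flag an Office process writing a .tmp file into the staging directory."""
    if ev.event_id != 11:
        return None
    proc = ntpath.basename(_norm(ev.image))
    path = _norm(ev.target)
    if proc in OFFICE_HOSTS and path.startswith(STAGING_DIR) and path.endswith(".tmp"):
        return f"office-drop: {proc} wrote {ev.target}"
    return None


def scan(events: List[Event]) -> List[str]:
    """Run every check over the event stream and return the alert strings."""
    alerts = []
    for ev in events:
        for check in (check_sideload, check_office_drop):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs): a benign load, the staging
# write, the sideload, and an unrelated DLL load that must not alert.
SAMPLE_EVENTS = [
    Event(7, r"C:\Program Files\App\app.exe", r"C:\Windows\System32\wsock32.dll"),
    Event(11, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"C:\ProgramData\Microsoft Media\VSDB688.tmp"),
    Event(7, r"C:\ProgramData\Microsoft Media\logagent.exe",  # assumed location
          r"C:\ProgramData\Microsoft Media\wsock32.dll"),
    Event(7, r"C:\Users\alice\Downloads\tool.exe", r"C:\Users\alice\Downloads\other.dll"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Running it prints one office-drop alert and one sideload alert; the System32 load and the unrelated DLL stay silent.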

The attack method is popular, Microsoft suggests the attacker was the same as the one running .dll files for the same reasons in June, and also behind other cyberattack instances as well. As per Microsoft, DEV-0139 is the same threat actor that cybersecurity agency Volexity associated with North Korea's state-sponsored Lazarus Group. 

It uses a malware strain called AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year and Kaspersky Labs documented it in 2020. 

To stay safe from such threats, Microsoft suggests:

1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.

2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.

4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.

5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:

  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros

6. Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

The cryptocurrency market is a lucrative interest for cybercriminals. Targeted victims are identified via trusted channels to better the chance of attack. While hackers prefer targeting big organizations, smaller organizations can also become an easy target of interest. 

The Sprouting Connection Between Cybercrime and Cryptocurrency

The wild journey of cryptocurrencies has not only influenced people to mine or trade crypto; the opaque layers behind crypto have also become a significant link in cybercrime activities.

According to the latest report by Interisle Consulting Group, illegal activities pertaining to cryptocurrencies have grown by 257% over the past year, with wallets and exchanges being the most vulnerable to attacks.

Cybercriminals are achieving exceptional results by applying techniques similar to those used in other online financial crimes to virtual currencies.

How is Cryptocurrency the Most Suitable for Cybercrime? 

The autonomous, anonymous and permanent attributes of crypto transactions make cryptocurrency ideal for cybercrime activities. 

Crypto has emerged as a highly-priced vehicle for threat actors for the following reasons: 

1. No Oversight: Fundamental authorities such as banks, or government agencies, which generally play the role of a middleman in financial transactions, do not intervene in crypto transactions. 

2. Anonymity of threat actors: Crypto transactions do not transmit any detail that could possibly disclose the hacker in any way, such as names, email addresses, or other background information. There is only one wallet address, which is a collection of otherwise cryptic letters and numbers. Additionally, hackers frequently use numerous wallets to further "wash" transactions. 

3. Transactions are permanent: In crypto, money being exchanged cannot be reversed. The transaction is out of an individual's hands, just like using cash. Additionally, hackers can easily flee the scene of cybercrime, like ransomware, without being detected. 

With the constant decline in the value of cryptocurrency, cybercriminals with considerable expertise in ransomware attacks are compelled to reconsider how they collect their payoffs and how much they can demand.

The crypto crash has also resulted in the bankruptcy of many online crypto marketplaces, where cybercriminals apparently convert their cash or payoffs. For instance, last year at least 30 smaller dark web marketplaces went bankrupt and later closed down. Hackers still retain the mentality of a conventional investor: if the value of an asset starts to decline, they usually cash out rapidly to limit their losses.

Blockchain Paving Way for Advanced Network Protection: 

Blockchain technology emerged as the foundation for Bitcoin over 10 years ago and was at that time largely equated with cryptocurrencies. Since then, more advanced blockchain applications such as Ethereum have become widely popular, opening newer market segments such as non-fungible tokens (NFTs) and decentralized, distributed-computing-led finance platforms.

This decentralized and consensus-oriented characteristic of Blockchain allows higher resilience to cyberattacks. In the presence of Blockchain, the threat actor will need to acquire control of the majority of nodes to alter ledger transactions, which is extremely difficult and costly, in order to be able to carry out a hack successfully. 

Moreover, a domain name server (DNS) that maps IP addresses to a website name can also be moved to a blockchain platform, dispersing resources across various nodes and making it more difficult for the hacker to access the data. Thus, making blockchain systems a technology that could be a game changer in combating future cybercrimes. 

Crypto and Cyber Skills Rule the Day

The new generation of tech experts is currently in the forefront to combat cybercrime, with their advanced skillsets and tools that operate a step ahead of threat actors. From becoming a Blockchain Developer, where one can master architectural principles of blockchain and develop apps in a corporate environment, to becoming a Certified Ethical Hacker (CEH), where you are trained to investigate vulnerabilities in target systems and utilize the same techniques as malicious hackers, one can procure great opportunities to combat cybercrimes in crypto.  

FTX Filed for Bankruptcy Protection in US

Facing the digital equivalent of a banking collapse, the financially troubled cryptocurrency exchange FTX filed for US bankruptcy protection on Friday.

Bitcoin fell to a two-year low this week after a week of reports regarding the platform's financial difficulties, and by Friday night, the price of the cryptocurrency was trading at $16,861 (€16,256).

The company revealed that Sam Bankman-Fried, its former CEO, has also left after a remarkable turn of events at the second-largest cryptocurrency exchange in the world. His FTX empire crumbled in a little more than a week, shattering trust in the already unstable cryptocurrency market.

Coindesk and customer reports on social media claim that the unstable platform has finally permitted some users to withdraw money for the first time in days.

Summary of the FTX company

According to a tweet from the company, FTX, its affiliated cryptocurrency trading firm Alameda Research, and roughly 130 of its other businesses have started voluntary Chapter 11 bankruptcy proceedings in Delaware. In the US, a firm can use Chapter 11 to reorganize its debts while continuing to operate under court supervision.

FTX Trading claimed in its bankruptcy filing that the firm has assets worth between $10 billion and $50 billion, liabilities between $10 billion and $50 billion, and more than 100,000 creditors.

Customers left FTX earlier this week because of concern about a lack of capital, leading to an agreement to sell the company to larger rival Binance.

Kingston student Thomas, 22, who has been a customer of FTX for over a year, calls it a 'hub for crypto.' He says he was able to submit a withdrawal request for the £2,000 he had on the exchange, which he calls a 'fairly large amount of money.'

However, he is worried about the number of requests being made by FTX consumers and is unsure if all of them will be fulfilled as the business struggles.

The cryptocurrency community had hoped that Binance, the biggest cryptocurrency exchange in the world, would be able to save FTX and its depositors.

After reviewing FTX's financial records, Binance came to the conclusion that the issues facing the smaller exchange were insurmountable, and it withdrew from the agreement. A business that was once the pride of the cryptocurrency market had a dramatic fall in popularity.

In January, FTX collected $400 million from investors, valuing the business at $32 billion.

Metaverse: Billions Spent In The Virtual Land Grab


A sum of almost $2 billion was spent on virtual land over the past year, according to research from metaverse analysts DappRadar. Digital real estate and digital plots of land are being purchased by individuals like Snoop Dogg and corporate investors like Samsung Electronics and PwC for a variety of reasons, but many of them believe that its value will rise over time. 
The virtual land is being sold via online platforms like Decentraland and Voxels (formerly Cryptovoxels), which many people consider an early version of the metaverse: a virtual world where users can live, work and play. 

Moreover, businesses and investors are building digital shops and event spaces on the virtual land they purchased in the metaverse, which often allows visitors to make purchases via cryptocurrencies. 

However, we are still years away from the metaverse emerging as a single immersive online space where people live, play and work. So is spending large sums on this land grab one huge gamble? 

‘Exhibiting my own work’ 

With a giant red Mohican and a permanent cigarette, the avatar of artist Angie Taylor does not quite resemble a typical land mogul. Nonetheless, she is among the growing group of people laying claim to the new virtual worlds. 

“I bought my first metaverse parcel in July 2020 and paid about £1,500. I bought it for exhibiting my own work, but also for running metaverse events that would promote my art and also other people's art," she says. 

The plots Angie owns are about the size of a small family house (judging by the size of her avatar). The tallest of them stretches over three floors and even has a roof terrace with a white-and-black-striped road crossing and a pink taxi that drives back and forth just for fun. 

But the real scale of this world only becomes apparent from the air. 

"Hold down the F key and you can fly up to take a look at my neighborhood," Angie explains. Above her gallery, one can see thousands of identical boxes of land stretching to the horizon. 

Voxels is one of the many virtual worlds that identify as metaverses. People frequently refer to "the metaverse" as if there were just one, which is confusing. Companies are selling land and experiences in their own versions until one platform begins to dominate or these disparate worlds join together. 

According to DappRadar, $1.93 billion worth of cryptocurrency has been spent in order to purchase virtual lands in the past year alone, with $22m of that spent on about 3,000 parcels of land in Voxels. 

Luxury fashion brand Philipp Plein also owns a virtual plot about the size of four football pitches, which it hopes will eventually house a metaverse store and gallery. 

The fashion industry has been the keenest to take on the opportunities and risks of the metaverse: Amsterdam-based digital-only fashion house The Fabricant makes clothing only for avatars, designing collections and bespoke garments for users of Decentraland, Sandbox and other crypto metaverses. 

The company just raised $14m in funding from investors betting on the idea that many of us will soon be living part of our lives in the metaverse. But crypto metaverses are generally sparsely populated and only really used when events are held, and even then only thousands of people attend, not millions. So it is not certain if, or when, that will happen.

TeamTNT is Back & Targets Servers to Run Bitcoin Encryption Solvers


AquaSec threat analysts have detected TeamTNT activity on their honeypots since early September, leading them to believe the infamous hacking group is back in business. 

TeamTNT announced its retirement in November 2021, and most associated observations since then have involved remnants of previous infections, such as automated scripts, but no new payloads. The recent attacks, however, bear various signatures associated with TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback. The researchers observed three attack types utilized in the reportedly new TeamTNT attacks, the most intriguing being the use of hijacked servers' computational power to run Bitcoin encryption solvers.

The attack, dubbed "the Kangaroo attack" because it employs Pollard's Kangaroo WIF solver, scans for vulnerable Docker Daemons, deploys an AlpineOS image, drops a script (""), and eventually retrieves the solver from GitHub. Pollard's Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver algorithm attempts to decipher the SECP256K1 encryption used in Bitcoin's public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.
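The two paragraphs above describe an interval discrete-logarithm solver being split across hijacked servers. The following is an added, self-contained illustration of Pollard's kangaroo method, written for this page and not taken from TeamTNT's tooling or AquaSec's report. It runs on a toy multiplicative group modulo a small prime rather than on the secp256k1 curve that Bitcoin uses for its signing keys; the algorithm is the same, only the group operation differs. The parameters (p = 10007, generator 5, secret exponent 7654, interval [7000, 8000]) are constructed for the demonstration, and `expected_steps` shows the order of magnitude of work for a 256-bit interval.

```python
"""Pollard's kangaroo (lambda) method for an interval discrete logarithm.

Added example, not TeamTNT's or AquaSec's code. It solves g^x = h (mod p) given
that x lies in a known interval [a, b], on a toy multiplicative group mod a small
prime rather than the secp256k1 curve named in the article; only the group
operation differs. A tame kangaroo starts at a known exponent, a wild one at the
unknown exponent, both take the same element-dependent jumps, and a collision
between their paths reveals x.
"""
from math import isqrt


def expected_steps(interval_width: int) -> int:
    """Rough number of group operations the method needs: about 2 * sqrt(width).

    Plugging in a 256-bit interval shows why the method is hopeless against real
    Bitcoin keys, however many hijacked servers share the work.
    """
    return 2 * isqrt(interval_width)


def jump_index(e: int, salt: int, k: int) -> int:
    # Deterministic choice that depends only on the current group element, so two
    # kangaroos standing on the same element take the same jump from then on.
    return (((e ^ salt) * 0x9E3779B1) >> 16) % k


def kangaroo(g: int, h: int, p: int, order: int, a: int, b: int,
             max_steps: int = 25_000, max_salts: int = 64):
    """Return x with pow(g, x, p) == h and a <= x <= b, or None if not found.

    `order` is the multiplicative order of g (p - 1 when g generates the whole
    group). Each salt defines a different pseudo-random walk; if a walk does not
    collide within `max_steps` (the kangaroos landed in different cycles of the
    walk's functional graph), a fresh walk is started.
    """
    width = b - a
    # Jump table: powers of two whose mean is a modest fraction of sqrt(width),
    # so the wild kangaroo cannot overshoot the tame one by much on each hop.
    k = max(2, isqrt(width).bit_length() + 1)
    jumps = [1 << i for i in range(k)]
    jump_pows = [pow(g, j, p) for j in jumps]   # g^jump, precomputed once

    for salt in range(max_salts):
        tame_e, tame_d = pow(g, b, p), 0   # tame: g^(b + tame_d), exponent known
        wild_e, wild_d = h, 0              # wild: g^(x + wild_d), exponent unknown
        tame_seen = {tame_e: 0}            # element -> distance travelled
        wild_seen = {wild_e: 0}

        for _ in range(max_steps):
            i = jump_index(tame_e, salt, k)
            tame_e = tame_e * jump_pows[i] % p
            tame_d += jumps[i]
            if tame_e in wild_seen:
                # g^(b + tame_d) == g^(x + wild_d'), hence x = b + tame_d - wild_d'
                x = (b + tame_d - wild_seen[tame_e]) % order
                if a <= x <= b and pow(g, x, p) == h:
                    return x
            tame_seen[tame_e] = tame_d

            i = jump_index(wild_e, salt, k)
            wild_e = wild_e * jump_pows[i] % p
            wild_d += jumps[i]
            if wild_e in tame_seen:
                x = (b + tame_seen[wild_e] - wild_d) % order
                if a <= x <= b and pow(g, x, p) == h:
                    return x
            wild_seen[wild_e] = wild_d
    return None


if __name__ == "__main__":
    # Toy parameters (constructed): p = 10007 is prime and 5 generates the whole
    # group mod p, so its order is 10006. The secret exponent is 7654.
    P, G, ORDER = 10007, 5, 10006
    secret = 7654
    H = pow(G, secret, P)
    print("recovered x =", kangaroo(G, H, P, ORDER, 7000, 8000))
    print("group operations for a 2^256 interval:", expected_steps(2 ** 256))
```

Splitting the interval into n chunks and handing each to a separate server, as the quoted description says the campaign does, runs n independent kangaroo searches over intervals of width w/n, so wall-clock time drops by roughly sqrt(n), not n. Against a 256-bit interval the estimate is about 2^129 group operations, which no fleet of compromised Docker hosts brings within reach.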

While quantum computing is expected to break existing Bitcoin encryption at some point in the future, this is thought to be impossible with current machines. TeamTNT appears willing to test the theory anyway, using other people's resources.

Perhaps the threat actors are simply experimenting with new attack pathways, payload deployment, and evasion while performing intensive operations on captured systems, with the Kangaroo attack ticking all of the boxes.

Other Attacks

Other attacks detected by AquaSec are similar to previous TeamTNT operations but have some new characteristics.

The "Cronb Attack" employs well-documented rootkits, cron jobs for persistence, cryptominers for profit, and lateral movement tools. The appearance of new C2 infrastructure addresses and more elaborate data exchange is the novel element.

The "What Will Be" attack once more targets Docker daemons with Alpine images that drop a shell script, taking advantage of a vulnerability to escape from the container to the host. The attackers then download and execute additional scripts, rootkits and a cryptominer, add cron jobs, and perform network SSH scans.

These scripts introduce a new trick in this attack, allowing threat actors to optimise crypto mining performance by modifying CPU model-specific registers. Whether it is TeamTNT or someone else carrying out these attacks, organisations should strengthen their cloud security, strengthen Docker configuration, and implement all available security updates before it is too late.

UK Agency Publishes New Guidelines for Crypto Exchanges to Stop Sanctions Evaders


Crypto exchanges are now required to report suspected sanctions breaches to UK authorities under new rules introduced amid concerns that digital currencies such as Bitcoin, Ether, and Tether, or non-fungible tokens (NFTs) are being used to evade Russian sanctions. 

On August 30, the Treasury’s Office of Financial Sanctions Implementation (OFSI) updated official guidelines to specifically include "crypto assets" among the things that must be blocked if sanctions are imposed on an individual or enterprise. 

According to the regulations established by OFSI, cryptocurrency exchanges will be breaking the law if they fail to report customers who are subject to sanctions. 

The regulations mean that exchanges now have the same legal obligations as professionals like estate agents, accountants, lawyers, and jewelers. The breach of guidelines will mean crypto exchanges are committing a criminal offense if they fail to report customers designated for sanctions. 

“It is vital to address the risk of crypto-assets being used to breach or circumvent financial sanctions,” a Treasury spokesperson stated. “These new requirements will cover firms that either record holdings of, or enable the transfer of, crypto-assets and are therefore most likely to hold relevant information.”

Financial sanctions on Russian business tycoons, politicians, and firms have been among the UK’s most prominent responses to the invasion of Ukraine. 

Earlier this year in April, Binance, the cryptocurrency exchange giant, blocked the accounts of relatives of Russian politicians, including Polina Kovaleva, the stepdaughter of the foreign minister, Sergei Lavrov, and Elizaveta Peskova, the daughter of Putin’s spokesperson, Dmitry Peskov. 

Employing crypto assets to bypass sanctions and shift money across the globe was already illegal in the UK under laws that cover all “economic resources”. However, the latest guidelines underline authorities’ concern regarding the new assets, which could be employed for circumventing sanctions because customers do not rely on regulated exchanges to make transactions. 

Anna Bradshaw, a partner in Business Crime Department at Peters & Peters, a London law firm, supported the UK’s move by stating the new guidelines were “in line with the more general expansion of financial services and anti-financial crime regulation to the crypto sector”.

“Crypto and virtual assets are treated no differently than any other type of assets for the purposes of an asset freeze. Having said that, reliance on crypto or virtual currencies could potentially make it more difficult to detect that a sanctioned party is involved, or that it relates to sanctioned trade or other sanctioned activity – at least in time for steps to be taken to prevent it.”

FBI: Hackers use DeFi Bugs to Steal Cryptocurrency


Investors are being warned by the FBI that hackers are increasingly using Decentralized Finance (DeFi) platform security flaws to steal cryptocurrency.

According to the PSA, which was posted on the FBI's Internet Crime Complaint Center (IC3) today, nearly 97% of the $1.3 billion in bitcoin that was stolen between January and March 2022 came via DeFi sites. This represents a big increase from 72% in 2021 and roughly 30% in 2020, according to projections by the FBI.

The FBI urges people to be aware of the hazards, seek professional advice if they are unsure, and research the security and general business practices of DeFi providers. DeFi providers here means exchanges, marketplaces and other websites where you can buy, sell, trade and borrow bitcoins and other digital assets.

The FBI's warning follows a Chainalysis analysis from April which showed, based on Q1 2022 statistics, that DeFi cryptocurrency platforms are now more targeted than ever.

In the majority of incidents, the hackers exploit security flaws in the platform's code or gain unauthorized access in order to drain cryptocurrency to addresses under their control.

According to Chainalysis, the threat actors responsible for these attacks used risky laundering services, such as unlawful exchanges and coin tumblers on the dark web, to launder the majority of the funds stolen in 2022.

The FBI's alert provides investors with guidance that begins with basic cautions about performing due diligence before investing and then suggests the following:

  • Before investing, research DeFi platforms, protocols, and smart contracts and be aware of the dangers associated with DeFi investments.
  • Verify whether the DeFi investment platform has undergone one or more code audits by impartial auditors. A code audit normally entails carefully examining the platform's underlying code to find any flaws or vulnerabilities that might impair the platform's functionality.
  • Be wary of DeFi investment pools with short join windows and quick smart contract rollouts, especially if they have not undergone the advised code audit.
  • Be mindful of the risks that crowdsourced solutions for finding and patching vulnerabilities pose: open source code repositories give anyone, even those with malicious intent, access.

This year, none of the funds taken from DeFi platforms has been returned, indicating that attackers are less interested in protecting their stolen assets than they were in 2021, when almost 25% of all cryptocurrency stolen via DeFi platforms was eventually recovered and returned to the victims.

The FBI established a link between the Lazarus and BlueNoroff (also known as APT38) North Korean threat groups and the April attack on Axie Infinity's Ronin network bridge, now the largest crypto hack ever.

The $611 million breach of the decentralized merge protocols and network Poly System in August 2021 was the most significant cryptocurrency theft to date.

Hackers are Actively Targeting Linux-Based Devices

Ransomware attacks against Linux have accelerated as cybercriminals try to increase their options and take advantage of an operating system that is sometimes neglected when organizations think about security. 

According to Trend Micro, hackers prefer using ransomware-as-a-service (RaaS) techniques because they enable quicker deployment and higher rewards. Additionally, they increasingly focused their attacks on Linux-based computers and employed relatively new ransomware families in high-profile strikes. Operators of ransomware also used both cutting-edge and time-tested strategies to attack cloud environments.

Linux powers significant enterprise IT infrastructure, including servers, making it a target for ransomware gangs. This is especially true where cybersecurity teams concentrate on protecting Windows networks because of a perceived lack of threat to Linux systems compared to Windows.

For instance, LockBit, one of the most widespread and effective ransomware operations in recent memory, now offers a Linux-based variant that is built to target Linux systems and has been used to carry out attacks in the wild.

Hackers are regularly extending the scope of their exploits by focusing on Linux, one of the most potent operating systems utilized in cloud platforms and servers around the world, in addition to upping the ante by utilizing MaaS methods in their attacks.

The RaaS model makes it simpler and quicker for cybercriminals, even those with limited technical knowledge, to deploy ransomware attacks than traditional ransomware models. According to SPN data, three ransomware families, the infamous LockBit, Conti and BlackCat, dominated the RaaS space in terms of detections. BlackCat is a ransomware family written in the Rust programming language that emerged at the end of 2021.

Attackers using ransomware are motivated by money and would jump at new possibilities if they believe they can increase their earnings; it would seem that encrypting Linux systems and demanding payment for the key to open servers and files are becoming more and more common.

According to researchers, as ransomware perpetrators strive to maximize their profits, this strategy will only grow in popularity.

It is not only ransomware groups that are focusing more on Linux: according to Trend Micro, there has also been a 145% increase in Linux-based cryptocurrency-mining malware attacks, in which criminals covertly use the processing power of infected computers and servers to mine cryptocurrency for their own gain.

That 'Clean' Google Translate App is Actually Windows Crypto-mining Malware


The Turkish-speaking group responsible for Nitrokod, which has been active since 2019, is said to have infected thousands of systems in 11 countries. Nitrokod, a crypto-mining Trojan, is usually disguised as a clean Windows app and functions normally for days or weeks before its hidden Monero-mining code is executed. What's interesting is that the apps offer a desktop version of services that are normally only available online.

"The malware is dropped from applications that are popular, but don't have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive," Check Point malware analyst Moshe Marelus wrote in a report Monday.

"The malware drops almost a month after the infection, and following other stages to drop files, making it very hard to analyze back to the initial stage."

In addition to Google Translate, Nitrokod also mimics other translation applications, such as Microsoft Translator Desktop, and MP3 downloader programmes. On some websites, the malicious applications are advertised as being "100% clean," despite being infected with mining malware. Nitrokod has been productive in spreading its malicious code through download sites such as Softpedia; according to Softpedia, the Nitrokod Google Translate app has been downloaded over 112,000 times since December 2019.

Nitrokod programmers, according to Check Point, are patient, taking a long time and multiple steps to conceal the malware's presence inside an infected PC before installing aggressive crypto mining code. Due to the lengthy, multi-stage infection efforts, the campaign went unnoticed for years before being discovered by cybersecurity experts.

"Most of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google translate desktop application is converted from the Google Translate web page using the CEF [Chromium Embedded Framework] project. This gives the attackers the ability to spread functional programs without having to develop them."

After the program is downloaded and the user launches the software, an actual Google Translate app, built using Chromium as described above, is installed and runs normally. Simultaneously, the software quietly fetches and saves a series of executables, eventually scheduling one specific .exe to run every day once unpacked. This extracts another executable that connects to a remote command-and-control server, retrieves the Monero miner's configuration settings, and begins mining, with the generated coins sent to the miscreants' wallets. To conceal its tracks, some of the early-stage code self-destructs.

One stage also looks for known virtual-machine processes and security products, which may indicate that the software is being researched. If one is discovered, the programme will terminate. If the programme is allowed to run, it will create a firewall rule that will allow incoming network connections.

Throughout the various stages, the attackers deliver the next stage using password-protected RAR-encrypted files to make them more difficult to detect. According to Marelus, Check Point researchers were able to investigate the crypto mining campaign using the vendor's Infinity extended detection and response (XDR) platform.

Binance Executive: Scammers Created a 'Deep Fake Hologram' of him to Fool Victims


According to a Binance public relations executive, fraudsters created a deep-fake "AI hologram" of him to scam cryptocurrency projects via Zoom video calls.

Patrick Hillmann, chief communications officer at the crypto hypermart, stated he received messages from project teams thanking him for meeting with them virtually to discuss listing their digital assets on Binance over the past month. This raised some suspicions because Hillmann isn't involved in the exchange's listings and doesn't know the people messaging him.

"It turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a 'deep fake' of me," Hillmann said. "Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members."

In his write-up this week, Hillmann included a screenshot of a project manager asking him to confirm that he was, in fact, on a Zoom call. The hologram is the latest example of cybercriminals impersonating Binance employees and executives on Twitter, LinkedIn, and other social media platforms.

Scams abound in the cryptocurrency world.
Despite pointing to the wealth of security experts and systems at Binance, Hillmann insisted that users must be the first line of defence against scammers. He wrote that they can do so by being vigilant, using the Binance Verify tool, and reporting anything suspicious to Binance support.

“I was not prepared for the onslaught of cyberattacks, phishing attacks, and scams that regularly target the crypto community. Now I understand why Binance goes to the lengths it does,” he added.

The only proof Hillmann provided was a screenshot of a chat with someone asking him to confirm a Zoom call they had previously had. Hillmann responds: “That was not me,” before the unidentified person posts a link to somebody’s LinkedIn profile, telling Hillmann “This person sent me a Zoom link then your hologram was in the zoom, please report the scam”.

The fight against deepfakes
Deepfakes are becoming more common in the age of misinformation and artificial intelligence, as technological advancements make convincing digital impersonations of people online more viable.

They are sometimes highly realistic fabrications that have sparked global outrage, particularly when used in a political context. A deepfake video of Ukrainian President Volodymyr Zelenskyy was posted online in March of this year, with the digital impersonation of the leader telling citizens to surrender to Russia.

On Twitter, one version of the deepfake was viewed over 120,000 times. In its fight against disinformation, the European Union has targeted deepfakes, recently requiring tech companies such as Google, Facebook, and Twitter to take countermeasures or face heavy fines.

'DarkTortilla' Crypter Produces Targeted Malware 

Researchers from Secureworks examined "DarkTortilla," a .NET-based crypter used to distribute both well-known malware and custom payloads. 

Agent Tesla, AsyncRat, NanoCore, and RedLine were among the information stealers and remote access trojans (RATs) delivered by DarkTortilla, which has probably been active since 2015. It was also detected distributing specific payloads like Cobalt Strike and Metasploit.

Software tools known as crypters enable malware to evade detection by security programs by combining encryption, obfuscation, and code manipulation.

The highly configurable and complex crypter, which averaged 93 samples per week between January 2021 and May 2022, can also deliver add-ons such as additional payloads, decoy documents and executables. It also appears to be particularly popular among hackers.

Secureworks analysts have discovered code similarities with a crypter used by the RATs Crew threat group between 2008 and 2011, as well as with Gameloader, malware discovered in 2021.

The malicious spam emails that deliver DarkTortilla include archives containing an executable for an initial loader, which decodes and runs a core processor module that is either hidden within the email itself or downloaded from text-storage websites like Pastebin.

The researchers have found spam email samples in English, German, Italian, Bulgarian, Romanian, and Spanish languages. These emails are adapted to the target's language.

A complex configuration file then lets the core processor drop add-on packages such as keyloggers, clipboard stealers and cryptocurrency miners, establish persistence, and inject the main RAT payload into memory without leaving a trace on the file system.

The anti-tamper safeguards utilized by DarkTortilla are also significant since they guarantee that both processes used to run the components in memory are restarted right away after termination.

Persistence of the initial loader is specifically handled by a second executable, the WatchDog, which monitors the targeted process and relaunches it if it is killed.

DarkTortilla's core processor can be configured to perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the 'tmp' folder, process add-on packages, and migrate execution to its install directory.

It then injects its payload into the context of the configured subprocess and, if so configured, adds anti-tamper protections to prevent interference with the execution of DarkTortilla or the payload.

This method is similar to the one used by the threat actor Moses Staff, which was discovered earlier this year using a watchdog-based strategy to prevent any interruption of its payloads. Two additional controls are also used to ensure the persistence of the initial loader as well as the continued execution of the dropped WatchDog executable itself.

Over 17 months from 2021 to May 2022, Secureworks claimed to have found an average of 93 different DarkTortilla samples being posted to the VirusTotal malware database per week. Only roughly nine of the 10,000 samples monitored during that period were used to propagate ransomware, with seven distributing Babuk and two more distributing MedusaLocker.

Microsoft Facing a Growing Threat by Cryptojackers


Cryptojackers are still invading computers all over the world while also getting more discreet and skilled at evading detection. The data was released by Microsoft's 365 Defender Research Team, which on Thursday posted a new analysis of cryptojackers on its blog.

Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and innovative detection techniques, including its integration with Intel TDT. In observed campaigns, attackers strongly favor abusing notepad.exe over other legitimate system utilities.

What are Cryptojackers?

Cryptojackers are mining malware that hijacks a victim's device resources for the attacker's gain without the user's knowledge or approval. They are one of the threat categories that have emerged and thrived since the advent of cryptocurrencies. The threat data indicates that over the past year, companies have encountered millions of cryptojackers.

Furthermore, according to Microsoft, JavaScript is frequently used to build cryptojackers, which in that case use browsers to infiltrate systems. The tech giant also cautioned against fileless cryptojackers, which mine in a device's memory and maintain persistence by abusing legitimate programs and LOLBins.

Cryptojacking operation

Among the several legitimate system utilities abused in observed campaigns, notepad.exe is heavily favored by attackers. An improved version of the cryptojacker known as Mehcrypt was employed in this campaign. 
  • This is a significant improvement over the previous version, which used a script to access its command-and-control (C2) server and download additional components that then carried out the malicious actions. 
  • The new version condenses all of its routines into a single script and connects to a C2 server only in the final stage of its attack chain.
  • An archive file containing autoit.exe and a heavily obfuscated, arbitrarily named .au3 script serves as the threat's delivery vehicle. 
  • Autoit.exe is started when the archive file is opened, and it decodes the .au3 script in memory. 
  • When the script is executed, it continues to decode further obfuscation layers and loads more decoded scripts into memory.
  • The script then places a copy of itself and autoit.exe in a folder with an arbitrary name under C:\ProgramData.
  • To run the script each time the device starts, the script adds autostart registry entries and creates a scheduled task to delete the original files.
  • The malware then sets up its persistence methods, loads malicious code into VBC.exe using process hollowing, and connects to a C2 server to wait for commands. 
  • Based on the C2 response, it loads its cryptojacking code into notepad.exe using process hollowing.
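The Mehcrypt chain above and the Nitrokod chain described earlier share observable traits a defender can hunt for: an interpreter running a script dropped under C:\ProgramData, an autostart Run-key value or scheduled task pointing into such a drop directory, and a hollowed system binary such as notepad.exe making network connections. The following rule set is an added example written for this page, not Microsoft's or Check Point's detection logic. It runs over a handful of constructed Sysmon-style events; the event schema, process IDs, paths, random folder names and the 203.0.113.10 address are all invented, and the extra script hosts and drop directories beyond those named in the articles are assumptions that widen the rules.

```python
"""Detection heuristics for the cryptojacker tradecraft described above.

Added example, not Microsoft's or Check Point's code. A small rule set is run
over constructed Sysmon-style events that mimic the Mehcrypt chain (autoit.exe
running an .au3 script copied under C:\\ProgramData, a Run-key autostart, and a
hollowed notepad.exe talking to a C2) and the Nitrokod chain (a daily scheduled
task that launches a dropped executable). Event fields, paths and addresses are
invented for the demonstration.
"""
from dataclasses import dataclass

# Windows binaries with no legitimate reason to open network connections; a
# connection from one of them is the classic symptom of process hollowing.
HOLLOWING_HOSTS = {"notepad.exe", "vbc.exe"}
# Script interpreters: autoit.exe from the article, plus the built-in Windows
# script hosts (an assumption that widens the rule).
SCRIPT_HOSTS = {"autoit.exe", "wscript.exe", "cscript.exe"}
# User-writable locations a signed installer would not normally use (assumed set).
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")


@dataclass
class Event:
    kind: str            # "process", "network", "registry" or "task"
    pid: int
    image: str           # full path of the acting process
    cmdline: str = ""    # process: command line
    dest: str = ""       # network: destination ip:port
    target: str = ""     # registry: key written; task: task name
    data: str = ""       # registry: value data; task: action command


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_drop_dir(text: str) -> bool:
    """True if the text references a path under one of DROP_DIRS."""
    t = text.lower()
    return any(d in t for d in DROP_DIRS)


def hollowed_process_network(ev: Event) -> bool:
    return ev.kind == "network" and basename(ev.image) in HOLLOWING_HOSTS


def script_host_from_drop_dir(ev: Event) -> bool:
    # Interpreter launched from, or handed a script in, a user-writable drop directory
    return (ev.kind == "process" and basename(ev.image) in SCRIPT_HOSTS
            and (in_drop_dir(ev.image) or in_drop_dir(ev.cmdline)))


def run_key_to_drop_dir(ev: Event) -> bool:
    # Autostart (Run/RunOnce) value whose command points into a drop directory
    return (ev.kind == "registry"
            and "\\currentversion\\run" in ev.target.lower()
            and in_drop_dir(ev.data))


def scheduled_task_to_drop_dir(ev: Event) -> bool:
    # Scheduled task whose action executable lives in a drop directory
    return ev.kind == "task" and in_drop_dir(ev.data)


RULES = {
    "hollowed_process_network": hollowed_process_network,
    "script_host_from_drop_dir": script_host_from_drop_dir,
    "run_key_to_drop_dir": run_key_to_drop_dir,
    "scheduled_task_to_drop_dir": scheduled_task_to_drop_dir,
}


def detect(events):
    """Return (rule_name, pid) for every event that trips a rule."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


def pids_with_multiple_hits(findings):
    """PIDs that tripped more than one rule; these deserve the first look."""
    counts = {}
    for _, pid in findings:
        counts[pid] = counts.get(pid, 0) + 1
    return sorted(pid for pid, n in counts.items() if n > 1)


# Constructed sample telemetry: a benign notepad session, a Mehcrypt-like chain,
# a Nitrokod-like daily task, and a benign backup task.
SAMPLE_EVENTS = [
    Event("process", 4001, r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe notes.txt"),
    Event("process", 5120, r"C:\ProgramData\qzv8k\autoit.exe",
          cmdline=r"autoit.exe C:\ProgramData\qzv8k\fj3m.au3"),
    Event("registry", 5120, r"C:\ProgramData\qzv8k\autoit.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qzv8k",
          data=r"C:\ProgramData\qzv8k\autoit.exe C:\ProgramData\qzv8k\fj3m.au3"),
    Event("network", 5188, r"C:\Windows\System32\notepad.exe", dest="203.0.113.10:443"),
    Event("task", 6010, r"C:\Windows\System32\schtasks.exe",
          target="Updater", data=r"C:\ProgramData\InstallService\update.exe"),
    Event("task", 6011, r"C:\Windows\System32\schtasks.exe",
          target="Backup", data=r"C:\Program Files\Backup\backup.exe"),
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:28} pid={pid}")
    print("multiple hits:", pids_with_multiple_hits(detect(SAMPLE_EVENTS)))
```

Each rule on its own will produce some noise (legitimate software does occasionally schedule tasks out of ProgramData), which is why `pids_with_multiple_hits` ranks processes that trip several rules first; a process that both launches a script from a drop directory and writes a Run key pointing there, as in the sample chain, is a far stronger signal than either event alone.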

The warning was issued just a few weeks after Microsoft released a study describing how a widespread phishing effort managed to steal sign-in credentials, hijack sign-in sessions, and bypass the authentication step even when multi-factor authentication (MFA) was turned on.

Sneak Peek: Hive’s RaaS Techniques


With the average ransomware pay-out expected to reach $541,010 in 2021 and some affiliates earning up to 80% of each ransom payment, it's no wonder that RaaS setups are claimed to assist nearly two-thirds of ransomware operations. 

Indeed, service providers such as Hive are giving threat actors a head start in their criminal careers. Hive is a new RaaS group that was discovered in June 2021, but its aggressive tactics and frequent variant improvements have turned it into a powerful opponent in the space. While other ransomware operators, such as REvil, dominated the news in its first year, Hive gained prominence in November 2021 by hitting Media Markt, Europe's largest consumer electronics retailer. The attack piqued the interest of the RaaS industry, and the platform's victim count soon rose into the hundreds, with the bulk of these victims being IT and real estate enterprises in the United States. 

How Hive Set Up a "Sales Department" 

The Menlo Labs research team examined interactions between the Hive ransomware gang and some of its victims in order to better comprehend this new and formidable RaaS group. Hive ransomware exploits a variety of attack vectors, including hijacked VPN credentials, weak RDP servers, and phishing emails with a Cobalt Strike payload. The examined programme was highly active, with attackers using the Hive platform putting considerable pressure on their targets. 

After reviewing some of the network traffic, the Labs team discovered that Hive assigns compromised victims a unique identifier before encrypting their data, generally during unsociable hours. Once this is accomplished, information about the victim is released on Hive's dark web data leak site (DLS). The victim is then emailed an automatically generated ransom letter with a link to the website, login credentials, and a call to action to contact Hive's "sales department." 

When the victim logs in, a live chat between the victim and a Hive admin is opened, during which the ransom is sought - generally in the form of Bitcoin - in return for a decryptor, a security report, and a file tree highlighting exactly what was stolen.

Hive was utilising malware written in Golang by its developers at the time the communications were reviewed by the Menlo Labs team, with the samples acquired being obfuscated to prevent detection and analysis.

However, Microsoft has now announced that Hive has produced a new variant written in a different programming language, switching from Golang to Rust. The migration is expected to give Hive various benefits that Rust has over other programming languages, including the use of string encryption as a strategy to make the malware more elusive.

Surprisingly, the new variant also employs a different cryptographic technique. While the Golang variant embeds one encrypted key in each file it encrypts, the Rust variant has been shown to construct two sets of keys in memory, use them to encrypt the files, and then save both sets to the root of the disc it encrypts, each with the .key extension. While the new variant's key set creation differs from the earlier samples examined by the Menlo Labs team, its file encryption is remarkably similar.

With these changes, the threat posed by Hive is expected to grow further. As a result, enterprises must prepare to fight RaaS and ransomware more extensively in the future.

Here's How BlackMatter Ransomware is Linked With LockBit 3.0

LockBit 3.0, the most recent version of LockBit ransomware, and BlackMatter contain similarities discovered by cybersecurity researchers. 

LockBit 3.0 was released in June 2022, introducing a brand-new leak site and the first ransomware bug bounty program. Zcash was also added as a cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a .ico file icon. The ransom note then appears, referencing 'Ilon Musk' and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

The ransomware changes the machine's wallpaper when the infection process is finished to alert the user to the attack. While debugging the LockBit 3.0 sample, Trend Micro researchers found that several of its code snippets were lifted from the BlackMatter ransomware.

Identical ransomware threats

The researchers draw attention to the similarities to BlackMatter's privilege escalation and API harvesting techniques. LockBit 3.0 performs API harvesting by hashing a DLL's API names and comparing the hashes to a list of the APIs the ransomware requires. This procedure is the same as BlackMatter's: the publicly available script for renaming (resolving) BlackMatter's hashed APIs also works on LockBit 3.0.
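The following is an added example of what such a resolver does from the analyst's side; it is not Trend Micro's script nor the actual BlackMatter/LockBit 3.0 hashing routine. Because the hash-based import resolution leaves the sample with no meaningful static import table, an analyst precomputes the hashes of known export names and maps the constants found in the binary back to names. The hash function below is the classic ROR13 used as a stand-in (an assumption; the real families use their own algorithm, which is swapped in once recovered from the sample), and the export list and byte blob are constructed for the example.

```python
import struct


def ror13_hash(name: str) -> int:
    """Classic 32-bit ROR13 API hash. Stand-in for the real BlackMatter/LockBit 3.0
    algorithm (assumption); an analyst replaces it once the sample's hash routine
    has been recovered."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF               # add the next character
    return h


# Constructed stand-in for the export tables an analyst would enumerate from the
# real DLLs (assumption, not a real export dump).
KNOWN_EXPORTS = {
    "kernel32.dll": ["CreateFileW", "VirtualAlloc", "GetProcAddress", "LoadLibraryA"],
    "advapi32.dll": ["OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW"],
}


def build_hash_table(exports, hash_fn=ror13_hash):
    """Precompute hash -> (dll, name) for every export name we know about."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            h = hash_fn(name)
            if h in table and table[h] != (dll, name):
                raise ValueError(f"hash collision at {h:#010x}: {table[h]} vs {dll}!{name}")
            table[h] = (dll, name)
    return table


def resolve_hash(h, table):
    """Return 'dll!Name' for a known hash, or None when the hash is not in the table."""
    entry = table.get(h)
    return f"{entry[0]}!{entry[1]}" if entry else None


def find_hash_list(blob, table):
    """Walk a byte blob as little-endian 32-bit words and report every word that
    resolves to a known API hash, together with its offset. This is the crude first
    pass an analyst runs over a sample's embedded hash list before renaming the
    resolved imports in the disassembler."""
    hits = []
    for offset in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, offset)
        name = resolve_hash(word, table)
        if name is not None:
            hits.append((offset, word, name))
    return hits


# Constructed hash list as it might sit in a sample's data section: three known
# hashes plus one word that is not an API hash at all.
SAMPLE_BLOB = struct.pack(
    "<4I",
    ror13_hash("LoadLibraryA"),
    ror13_hash("GetProcAddress"),
    0xDEADBEEF,
    ror13_hash("AdjustTokenPrivileges"),
)


if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    for offset, word, name in find_hash_list(SAMPLE_BLOB, table):
        print(f"{offset:#06x}: {word:#010x} -> {name}")
```

The practical point for defenders is that the resolved names, not the hashes, are what reveal capability (token manipulation, file I/O, and so on), and that the same table works across families that share the hashing routine, which is exactly why the BlackMatter script carried over to LockBit 3.0.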

The most recent version of LockBit also checks the UI language of the victim machine in order to avoid infecting machines configured with the languages of Commonwealth of Independent States (CIS) member states.

LockBit 3.0 and BlackMatter both use Windows Management Instrumentation (WMI) via COM objects to delete shadow copies. Experts note that LockBit 2.0, by contrast, deletes them using vssadmin.exe.
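As an added detection example (not from Trend Micro or any of the vendors quoted on this page), the script below runs simple shadow-copy deletion rules over constructed process-creation records in a Sysmon Event ID 1 style. It generalises beyond the two cases in the text: it catches the LockBit 2.0-style vssadmin.exe deletion, the wmic.exe shadowcopy deletion, and a PowerShell Win32_ShadowCopy deletion, while leaving routine listing commands alone, and it raises the severity when the deleting process was launched from outside C:\Windows. The log lines, paths and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, simplified process-creation records (Sysmon Event ID 1 style).
# Assumption: none of these are real telemetry from the incidents on the page.
SAMPLE_LOGS = [
    '2022-07-01T02:14:03Z Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe',
    '2022-07-01T02:14:05Z Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe',
    '2022-07-01T02:14:09Z Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe',
    '2022-07-01T09:30:00Z Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe',
    '2022-07-01T09:31:00Z Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic os get caption" ParentImage=C:\\Windows\\System32\\cmd.exe',
    '2022-07-01T11:02:00Z Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /for=C: /oldest" ParentImage=C:\\Windows\\System32\\cmd.exe',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>[^"]*)"\s+ParentImage=(?P<parent>\S+)$'
)


@dataclass
class ProcessEvent:
    timestamp: str
    image: str
    command_line: str
    parent_image: str


def parse_event(line):
    """Parse one constructed record; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return ProcessEvent(m["ts"], m["image"], m["cmd"], m["parent"])


# Each rule is a label plus a pattern over the command line. Only *deletion* of
# shadow copies is matched; listing them (vssadmin list shadows) is routine admin.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_win32_shadowcopy_delete", re.compile(r"Win32_ShadowCopy.*\.Delete\s*\(", re.I)),
]

SYSTEM_DIR = "c:\\windows\\"


def severity_for(event):
    """A deletion launched from outside C:\\Windows (for example a binary dropped
    in a Temp folder) is far more suspicious than one spawned by cmd.exe."""
    return "high" if not event.parent_image.lower().startswith(SYSTEM_DIR) else "medium"


def detect_shadow_copy_deletion(lines):
    """Return one hit per matching event, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for label, pattern in RULES:
            if pattern.search(event.command_line):
                hits.append({
                    "rule": label,
                    "severity": severity_for(event),
                    "timestamp": event.timestamp,
                    "parent": event.parent_image,
                    "command_line": event.command_line,
                })
                break  # one label per event is enough
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(SAMPLE_LOGS):
        print(f'{hit["timestamp"]} [{hit["severity"]}] {hit["rule"]}: {hit["command_line"]}')
```

The caveat this example makes visible is the one the paragraph raises: LockBit 3.0 and BlackMatter call WMI through COM from inside the ransomware process, so there is no vssadmin.exe, wmic.exe or powershell.exe child process and no command line for these rules to match. Command-line rules of this kind catch LockBit 2.0-style behaviour and script-based deletion; for the in-process COM variant, defenders need WMI activity logging or EDR telemetry on the calling process, plus monitoring for shadow copies disappearing, rather than process-creation events alone.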

The findings coincide with LockBit becoming the most active ransomware-as-a-service (RaaS) gang of 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being its most recent target.

The ransomware family accounted for 14% of intrusions, second only to Conti at 22%, according to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which is based on 600 incidents handled between May 2021 and April 2022.