Search This Blog

Showing posts with label Infostealer. Show all posts

Beware of this Lethal Malware that Employs Typosquatting to Siphon Banking Data

 

Disneyland Team, a Russian-speaking financial hacking group was identified using lethal info-stealing malware with confusing typosquatted domains to siphon login data for banking sites. 

The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the hacking group specifically targets individuals compromised with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon the data of internet-linked devices, and install additional malware.  

But Gozi is not as powerful as it used to be because search engine designers have launched multiple security measures over the years to nullify the threat of banking malware. But this is where typosquatting plays an important role by designing phishing websites with domain names that are common misspellings of websites. 

Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain ameriprise.com. The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.  

On observing carefully, you can make out small dots under the "a" and the second "e," and if you thought them to be specs of dust on your screen, you wouldn’t be the first one to fall for the visually confusing scam. These are not specs, though, but rather Cyrillic letters that the browser renders as Latin. 

So, when an individual falls into the trap laid by scammers and visits these bogus bank websites, it gets overlaid with the malware, which forwards anything the victim types into the legitimate bank’s website, while keeping a copy for itself. That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively making the MFA useless.

“In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site, KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”

This Infostealer has a Lethal Sting for Python Developers

 

Checkmarx cybersecurity researchers discovered over two dozen malicious packages on PyPI, a popular repository for Python developers, and published their findings in a new report (opens in new tab). 

These malicious packages, which are designed to look almost identical to legitimate ones, attempt to dupe inexperienced developers into downloading and installing the wrong one, thereby spreading malware. The practice is known as typosquatting, and it is widely used by cybercriminals who target software developers. 

The attackers use two distinct methods to conceal the malware: steganography and polymorphism. Steganography is the practice of concealing code within an image, allowing threat actors to spread malicious code via seemingly innocent.JPGs and.PNGs. Polymorphic malware, on the other hand, changes the payload with each installation, allowing it to avoid detection by antivirus software and other cybersecurity solutions.

These techniques were used by the attackers to deliver WASP, an infostealer capable of stealing people's Discord accounts, passwords, cryptocurrency wallet information, credit card data, and any other information on the victim's endpoint that the attacker deems interesting.

When the data is identified, it is returned to the attackers via a hard-coded Discord webhook address. The campaign appears to be a marketing ploy, as researchers discovered threat actors advertising the tool on the dark web for $20 and claiming that it is undetectable.

Furthermore, the researchers believe this is the same group that was behind a similar attack reported earlier this month by Phylum(opens in new tab) and Check Point researchers (opens in new tab). It was previously stated that a group known as Worok had been distributing DropBoxControl, a custom.NET C# infostealer that uses Dropbox file hosting for communication and data theft, since at least September 2022.

Worok, based on its toolkit, is thought to be the work of a cyberespionage group that operates quietly, moves laterally across target networks, and steals sensitive data. It also appears to be using its own, proprietary tools, as no one else has been observed using them.

SLTT Organizations Targeted by Jupyter Malware

 

The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Threat Intelligence Team (CTI) have uncovered Jupyter, a highly evasive and adaptive .NET infostealer, targeting state, local, tribal, and territorial (SLTT) organizations. 

To exploit SLTT entities, malicious actors have installed Jupyter widely, leveraging SEO-poisoning to design watering hole sites. Jupyter, also known as SolarMarker installs a multi-stage process, leveraging PowerShell and legitimate tools, such as Slim PDF Reader, to drop secondary payloads to fingerprint victim information, including computer name, OS version, architecture, permissions, and the user identifier. 

According to MS-ISAC, Jupyter targeting SLTTs is a part of a broader opportunistic effort, since the malware is impacting a wide range of sectors, including finance, healthcare, and education. Following a surge in activity during the fall, SLTT-Jupyter infections subsided with no incidents in December and a small resurgence through this past month.

The targeted organizations became aware of infections when their endpoint detection and response services (EDR) warned of unauthorized PowerShell commands attempting to establish links with command and control (C2) traffic. 

The researchers at MS-ISAC continue to investigate why malware authors are exfiltrating victims' private details. Additionally, researchers have noticed that Jupyter operators are altering their techniques, tactics, and procedures (TTPs), causing variation in intrusion details across infections. 

Despite the irregularity in Jupyter TTPs, multiple features are common among public-sourced and MS-ISAC-observed breaches. Prior to infection, the Jupyter operators inject over 2,000 keywords to push malicious Google and WordPress sites up search engine rankings, using a technique known as SEO-poisoning, thereby increasing the likelihood that an unsuspecting user will visit the page. 

Upon examining an SLTT Jupyter incident, researchers noticed that the initial infection occurred after an end-user attempted to install a malicious file embedded with an executable of a compromised website form.

BazarLoader's Arrival and Delivery Vectors now Include Compromised Installers and ISO

 

While the number of BazarLoader detections increased in the third quarter, two new delivery methods have been added to the list of delivery mechanisms used by threat actors for data theft and ransomware. Malicious actors combine BazarLoader with genuine products, hence one of the approaches involves using corrupted software installers. The second approach involves loading a Windows link (LNK) and dynamic link library (DLL) payload into an ISO file. The Americans have been discovered to have the highest amount of BazarLoader attacks.

Researchers detected the tainted versions of VLC and TeamViewer software included with BazarLoader, according to reports. While the original delivery technique has yet to be discovered, it's possible that the use of these packages is part of a bigger social engineering campaign aimed at convincing individuals to download and install infected installers. A BazarLoader executable is dumped and executed when the installers load. It's also one of the most noticeable differences from recent BazarLoader arrival approaches, which appeared to support dynamic link libraries (DLL).

Meanwhile, a distribution technique based on ISO files has been uncovered, in which the BazarLoader DLL is launched via DLL and LNK files included in the ISO files. The LNK file uses a folder icon to fool the user into double-clicking it, letting the BazarLoader DLL programme to be launched. The "EnterDLL" export function, which was recently used by BazarLoader, is then called. Before injecting itself into a suspended MS Edge process, Rundll32.exe launches the malicious DLL and connects to the C&C server. 

As threat actors change their assault techniques to avoid detection, the number of arrival mechanism modifications utilized in BazarLoader campaigns continues to rise. Due to the limitations of single detection methods, both techniques are significant and still work despite their lack of novelty. 

While the usage of compromised installers has been seen with other malware, the huge file size might still pose a problem for detection systems, such as sandboxes, that apply file size constraints. LNK files used as shortcuts, on the other hand, will very certainly be obfuscated due to the additional layers generated between the shortcut and the malicious files. 

BazarLoader will continue to evolve as a standalone information stealer, an initial access malware-as-a-service (MaaS) for other malware operators, and a secondary payload distribution mechanism for even more destructive attacks like modern ransomware. For unknown risks, security teams must deploy multi-layered systems capable of pattern recognition and behavior monitoring, as well as making monitoring and tracking for known dangers more evident based on known data.

RedLine Stealer Identified as Major Source of Stolen Credentials on Dark Web Markets

 

A significant proportion of stolen credentials being traded on two dark web underground marketplaces were gathered via the RedLine Stealer malware, according to Insikt Group, Recorded Future's cybersecurity research arm. 

The RedLine Stealer, first discovered in March 2020, is a part of the info stealer family, a form of malware that once infects a computer and its primary goal is to capture as much user data as possible and then deliver it to the attackers, who often sell it online. 

The RedLine Stealer has data gathering features such as the ability to extract login credentials from web browsers, FTP applications, email apps, instant messaging clients, and VPNs. RedLine can also harvest authentication cookies and card numbers from browsers, chat logs, local files, and cryptocurrency wallet databases. 

Since March 2020, the malware has been sold on many underground hacking sites by a coder called REDGlade. After good feedback in a hacking forum thread, unauthorized versions of the RedLine Stealer were distributed on hacker forums a few months later, in August of this year, facilitating it to proliferate to even more threat actors who did not have to pay for it. 

But, even before the cracked version was released, RedLine had gained a devoted following. According to a report published last week by Insikt Group, the majority of stolen credentials available for sale on two underground marketplaces originate from computers infected with the RedLine Stealer. 

Insikt researchers stated, “Both Amigos Market and Russian Market were identified by Insikt Group (June 2021) posting identical listings regularly that contained the same timestamps, infostealer variants used, geographical locations of affected machines, and ISPs.” 

The results of the Insikt team follow similar research by threat intelligence firm KELA from February 2020, which discovered that around 90% of stolen credentials sold on the Genesis Market originated from infections with the AZORult infostealer. 

According to the two reports, underground cybercrime marketplaces are fragmented and often operate with their own independent suppliers, just as legal markets have their own choices for particular business partners. 

By going after the producers and dealers of these infostealers, this fragmentation opens the path to impairing the supply of multiple underground markets. In February 2020, a Chrome upgrade (which modified how credentials were saved inside the browser) halted the flow of newly stolen credentials on Genesis Market for months until the AZORult stealer was modified to assist the new format.