
Hackers Using Malicious Versions of Popular Software Brands to Propagate RomCom RAT


The threat actor behind the RomCom RAT (remote access trojan) has launched a new campaign that impersonates the official websites of the popular software brands SolarWinds, KeePass, and PDF Technologies to distribute malware.

Researchers from BlackBerry uncovered the campaign while analyzing network artifacts linked to RomCom RAT infections resulting from attacks targeting Ukrainian military institutions and some English-speaking countries, including the United Kingdom.

According to Mike Parkin, senior technical engineer at Vulcan Cyber, given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play. It's quite likely there’s state-level planning behind the scenes. 

"At its core, though, this is an attack against human targets," Parkin said. "They are primarily relying on victims being socially engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."

The RomCom actor registered domains that closely resemble the legitimate ones and hosted clone websites on them. It then trojanized a legitimate application and distributed it through the decoy website, sending targeted phishing emails to draw victims there. In some cases, the attackers used additional infection vectors.

The campaign looks like a direct copycat of attacks examined during the pandemic, in which a number of vendor products and support tools were impersonated or "wrapped" with malware, stated Andrew Barratt, vice president at Coalfire.

"The wrapping means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment," Barratt explained. "Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead."

Earlier this year, in August, Palo Alto Networks' Unit 42 linked the RomCom RAT to a Cuba ransomware affiliate tracked as 'Tropical Scorpius', the first actor observed using the malware. Its features include ICMP-based communications, file manipulation commands, process spawning and spoofing, data exfiltration, and activation of a reverse shell.

However, the BlackBerry researchers said there was no evidence for that attribution; their report mentions Cuba Ransomware and Industrial Spy only as possibly related to RomCom RAT. It therefore remains unclear who is behind RomCom RAT or what the motives behind the attacks are.

Hackers Target Desperate Homebuyers Using A Dumb Campaign That Works Every Time


Have criminals found a new way to manipulate wire transfers for down payments? Can a team of secret service agents protect you and your savings from this scam?

A real estate scam

For a long time, the Secret Service agent had been trying to find the scammers trafficking millions of stolen dollars via banks throughout the New York tri-state area. The quest, which started in May 2020, was taking an eternity and the agent was getting impatient. 

In his spare time, sitting in his office in New York, the agent began routinely digging into a government database, the Internet Crime Complaint Center (IC3). The IC3 is open to all domestic law enforcement agencies and covers over two dozen types of crime, including credit card scams, identity theft, and ransomware attacks. Bloomberg reports:

"Reports about this alarming scheme exploded during the pandemic when home prices, bidding wars, and cash deals all rose. As transaction volume swelled, so did profits for real estate companies, lenders, and banks, and hackers smelled a growing opportunity. By targeting escrow wires, scammers are able to single out a particularly easy jackpot, a transaction involving multiple parties without proper internet security, and the rare instance in which a giant sum of cash is sent in a single wire."

Hackers send fake emails to eager home buyers

In 2021, the IC3 received around 2300 complaints per day, about one every 37 seconds. The agent was searching for business email compromises (BECs), a scam in which attackers break into corporate email accounts and use them to send fake wire requests disguised as invoices or contract payments.

BEC scams indiscriminately attack all kinds of industries, but in recent years they've found a new victim: the desperate homebuyer. 

Singles and couples, eager to finalize their dream home and overwhelmed with emails and paperwork, believe they are transferring their down payment to a lawyer or a title company handling the closing process.

However, because they overlook minute details in the email that hint it is a fake, such as extra characters or spelling errors in the sender's address, they unwittingly wire tens, hundreds, or even thousands of dollars to cybercriminals.
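The lookalike-domain trick runs through both posts above: cloned software sites hosted on domains resembling the real ones, and BEC mail whose sender differs from the genuine party by an extra character or a spelling error. As an added example that is not part of the original posts or the research they cite, the following defender-side triage check flags From: addresses that imitate an allow-list of trusted domains; the allow-list and the sender addresses are constructed, hypothetical values.

```python
import re
from typing import Optional

# Constructed allow-list (hypothetical values): the vendors, law firms and title
# agencies the organisation really exchanges mail with.
TRUSTED_DOMAINS = ["solarwinds.com", "keepass.info", "example-title.com"]

# Digit-for-letter substitutions commonly seen in typosquatted names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain: str) -> str:
    """Normalise visually confusable characters: digits for letters, 'rn' for 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def sender_domain(address: str) -> str:
    """Domain part of a From: address, lowercased ('' if there is none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def lookalike_of(address: str, max_distance: int = 1) -> Optional[str]:
    """Trusted domain the sender imitates, or None for exact or unrelated domains.

    A sender is flagged when its folded domain is within max_distance edits of
    a folded trusted domain, or when a trusted domain is merely a leading label
    of a longer, unrelated registrable domain. This is a triage aid, not a
    verdict: folding can misfire on legitimate names containing digits or 'rn'.
    """
    dom = sender_domain(address)
    if not dom or dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if (dom.startswith(trusted + ".")
                or edit_distance(fold(dom), fold(trusted)) <= max_distance):
            return trusted
    return None
```

A hit is a reason to route the message for human review and to verify any payment instructions by phone against a number already on file, not a reason to block on its own.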

Hackers intercept wire transfers, steal entire savings

In an instant, they lose their entire nest egg, along with the house they thought they were about to move into, with low odds of ever getting the money back. There are numerous ways to trace the person behind a BEC scam: the bank accounts the money is wired to, phone numbers, and email or internet addresses, to name a few.

A deeper database search by the agent turned up over $9 million in stolen funds affecting 50-plus victims across various sectors, including real estate losses estimated at more than $2 million.

According to experts, BEC scammers usually follow a shotgun approach. They compile contact information for anyone involved in a real estate transaction (brokers, lawyers, mortgage lenders, title agencies), then send bulk phishing emails to that list and wait for someone to walk into the trap.

How do hackers bait buyers?

Victims who fall for the phishing email hand their login credentials to the attacker, who gains access to their mailbox and to confidential company information. The attackers then read along with the ongoing conversations and learn every detail of a deal.

The attackers strike during the down payment process, sending the buyer a fraudulent email that appears to come from the real estate firm or title company. As a result, the unsuspecting buyer sends their entire savings to a criminal.

According to Bloomberg:

"As for homebuyers, they’re still largely on their own. For the most part, the companies involved in real estate transactions are well-insulated from legal recourse. Real estate firms usually have a boilerplate warning about fraud in their emails but don’t mention it otherwise. Some even skirt their own rules by sending confidential information over unsecured accounts during negotiations and closings."