Mandiant Managed Defense has reliably resolved GOOTLOADER infections since January 2021. When spreading GOOTLOADER, malicious actors cast a wide net, affecting a variety of industrial verticals and geographical areas.
Gootkit Malware
The Gootkit Trojan is Javascript-based malware that carries out a number of malicious tasks, such as authorizing threat actors remote access, recording video, capturing keystrokes, stealing emails, stealing passwords, and having the ability to inject malicious files to steal online banking login details.
Gootkit previously spread malware in the disguise of freeware installers, but now it deceives users into downloading these files by presenting them as legal documents. A user enters a search query into a search engine to begin the attack chain.
Mandiant Managed Defense believes that UNC2565, a group it tracks, is the sole group that the GOOTLOADER virus and infrastructure belong to at this time. Due to these breaches' rapid detection and mitigation, Mandiant's observation of post-compromise GOOTLOADER activities has mostly been restricted to internal surveillance.
If the GOOTLOADER file is successfully executed, other payloads like FONELAUNCH and Cobalt Strike BEACON or SNOWCONE that are saved in the registry will be downloaded. Future phases include PowerShell being used to execute these payloads.
The. NET-based loader FONELAUNCH is intended to load an encoded payload into memory, while the downloader SNOWCONE is responsible for obtaining next-stage payloads, notably IcedID, through HTTP.
The primary aims of Gootkit have remained the same, however, the attack process has undergone substantial modifications. Currently, the JavaScript file contained in the ZIP archive is trojanized and contains a different JavaScript file that is obfuscated and then begins to execute the malware.
Furthermore, to avoid detection, the malware's creators allegedly used three distinct strategies to cloak Gootkit, including hiding the code inside modified versions of trustworthy JavaScript libraries like jQuery, Chroma.js, and Underscore.js. These modifications show how actively developing and expanding UNC2565's capabilities remain.
Riot Games reported last week that a social engineering attempt had infiltrated the systems in their software platform. Motherboard got the ransom note that was sent to Riot Games and reported that hackers demanded $10 million in exchange for keeping the stolen source code a secret and erasing it from their servers.
The Threat Response Unit (TRU) of eSentire has been monitoring one of the most effective and covert malware families, Golden Chickens, for the past 16 months. The malware of choice for FIN6 and Cobalt, two of the most established and prosperous online crime organizations in Russia, who have collectively stolen an estimated $1.5 billion US, is Golden Chickens.
The creator of a comprehensive toolkit that includes SKID, VenomKit, and Taurus Loader is Golden Chickens, widely known as VENOM SPIDER. Since at least 2012, the adversary has participated actively in Russian underground forums under the alias 'badbullzvenom,' where they have developed tools for exploiting vulnerabilities as well as for getting and retaining access to victim machines and ticketing services.
Researchers suggest that a widespread cache of email addresses related to roughly 200 million users is probably a revised version of the larger cache with duplicate entries deleted from the end of 2022 when hackers are selling stolen data from 400 million Twitter users.
A flaw in a Twitter API that appeared from June 2021 until January 2022, allowed attackers to submit personal details like email addresses and obtain the corresponding Twitter account. Attackers used the vulnerability to harvest information from the network before it could be fixed.
The bug also exposed the link between Twitter accounts, which are frequently pseudonymous, numbers and addresses linked to them, potentially identifying users even if it did not allow hackers to obtain passwords or other sensitive data like DMs.
The email addresses for a few listed Twitter profiles were accurate, according to the data that Bleeping Computer downloaded. It also discovered that the data had duplicates. Ryushi, the hacker, asked Twitter to pay him $200,000 (£168,000) in exchange for providing the data and deleting it. The information follows a warning from Hudson Rock last week regarding unsubstantiated claims made by a hacker that he had access to the emails and phone numbers of 400 million Twitter users.
Troy Hunt, the founder of the security news website Have I Been Pwned, also investigated the incident and tweeted his findings "Acquired 211,524,284 distinct email addresses; appears to be primarily what has been described," he said.
The social network has not yet responded to the enormous disclosure, but the cache of information makes clear how serious the leak is and who might be most at risk as a consequence. Social media companies have consistently and quickly minimized previous data scrapes of this nature and have dismissed them as not posing substantial security risks for years.
Volvo revealed in a press release that some of its research and development assets were the target of a cyberattack.
The ransomware organization Snatch reportedly released pictures of stolen Volvo papers into the darknet on November 30, according to the Swiss tech news blog INSIDE IT.
As per the company, owned by Geely of China, "Volvo Cars have learned that one of the file sources has been unlawfully acquired by a third party. The limited amount of R&D assets stolen during the hack has been confirmed by investigations so far."
An effort to sell data seized from Volvo Cars was initially discovered by French cybersecurity expert Anis Haboubi on a popular phishing site.
On December 31, 2022, a forum user going by the online alias IntelBroker reported that VOLVO CARS had been the target of a ransomware attack. He alleges that the Endurance Ransomware gang attacked the business and stole 200GB of private information that is now being peddled.
Database access, CICD access, Atlassian access, domain access, WiFi hotspots and logins, auth bearers, API access, PAC security access, employee lists, licenses, keys, and system files are all being offered by IntelBroker for $2500 in Monero, who has also shared a number of screenshots as evidence of the hack.
Based on the currently available information, the business does not believe this will affect the safety or security of its customers' cars or their personal information. Volvo, situated in Goteborg, is now investing money to electrify every vehicle in its lineup by 2030.
However, Bleeping Computer stated that the Snatch ransomware gang was claiming responsibility for the attack. A spokesman earlier told AFP that the company had not been hit by ransomware and remained in full control of its data.
On November 30, the extortion gang published a new post on their data leak website detailing how they had broken into Volvo Car Corporation's servers and taken files during the incursion. The entry included screenshots of the taken files as evidence.
Since then, Snatch has also released 35.9 MB of just what it claim are papers that were taken during the hack from Volvo's systems. Volvo refused to respond when a cybersecurity firm emailed it to ask if the screenshots published by the Snatch extortion group were actually of files stolen from its systems.
Security experts have cautioned that a new AI bot called ChatGPT may be employed by cybercriminals to educate them on how to plan attacks and even develop ransomware. It was launched by the artificial intelligence r&d company OpenAI last month.
Computer security expert Brendan Dolan-Gavitt questioned if he could command an AI-powered chatbot to create malicious code when the ChatGPT application first allowed users to communicate. Then he gave the program a basic capture-the-flag mission to complete.
The code featured a buffer overflow vulnerability, which ChatGPT accurately identified and created a piece of code to capitalize it. The program would have addressed the issue flawlessly if not for a small error—the number of characters in the input.
The fact that ChatGPT failed Dolan Gavitt's task, which he would have given students at the start of a vulnerability analysis course, does not instill trust in massive language models' capacity to generate high-quality code. However, after identifying the mistake, Dolan-Gavitt asked the model to review the response, and this time, ChatGPT did it right.
The Sophos 2022 Threat Report, released by Sophos, a pioneer in next-generation cybersecurity, illustrates how the gravitational influence of ransomware is attracting other cyber threats to building one vast, linked ransomware delivery system, having essential ramifications for IT security.
Entry-level hackers can buy malware and spyware installation tools from illicit markets like Genesis, and also sell illegal passwords or other data in mass. Access brokers increasingly sell other criminal groups' credentials and susceptible software exploits.
A new ransomware-as-a-service economy has emerged in the last decade due to the rising popularity of ransomware. In 2022, this as-a-service business model has grown, and almost every component of the cybercrime toolkit from initial infection to methods of evading detection is now accessible for purchase, according to the researchers.
Several step-by-step tools and methods that attackers might use to spread the ransomware were revealed when an affiliate of the Conti ransomware published the deployment guide supplied by the operators. RaaS affiliates and other ransomware operators can use malware distribution platforms and IABs to discover and target potential victims once they have the virus they require. The second significant trend predicted by Sophos is being fueled by this.
Gootloader was launching innovative hybrid operations in 2021, as per Sophos's research, that blended broad campaigns with rigorous screening to identify targets for particular malware packs.
Ransomware distribution and delivery will continue to be adapted by well-known cyber threats. Which include spam, spyware, loaders, droppers, and other common malware in addition to increasingly sophisticated, manually handled first access brokers.
Data theft and exposure, threatening phone calls, distributed denial of service (DDoS) assaults, and other pressure tactics were all included in the list of ten pressure methods Sophos incident responders compiled in 2021.
Cryptocurrency will continue to feed cybercrimes like ransomware and unlawful crypto mining. In 2021, Sophos researchers discovered crypto miners like Lemon Duck and MrbMiner, which installed themselves on machines and servers by using newly revealed vulnerabilities and targets that had already been compromised by ransomware operators. Sophos anticipates that the trend will continue until international cryptocurrencies are better regulated.
In addition to promoting their products, cybercrime vendors sometimes post job openings to hire attackers with specialized capabilities. In addition to profiles of their abilities and qualifications, job seekers are posting help-wanted sites on some markets, which also have technical hiring personnel.
As web services grow, different kinds of credentials, particularly cookies, can be utilized in a variety of ways to penetrate networks more deeply and even get through MFA. Credential theft continues to be one of the simplest ways for new criminals to enter gray markets and start their careers.