Mr. Big, obviously not revealing his real name, posted an ad to a Telegram channel. In exchange for a 10% cut, he was looking for a "group of smuggling teams" to "complete the final conversion" of the stolen money by smuggling gold and precious stones into southern China through Myanmar.
It is still unclear whether Mr. Big succeeded; his ad has since been deleted, and when the investigative newsroom ProPublica tried to reach him, it could not get in touch with him. The website where he posted his advertisement, however, reveals a lot about why Americans and people all over the world have been hit by a massive wave of fraud that originated in Southeast Asia and is only now starting to be understood at its true scale.
In a recent investigation, Singapore police seized more than $2 billion in a money-laundering case involving a syndicate with alleged ties to organized crime, including "scams and online gambling."
The Telegram channel that contained Mr. Big's request for help was a Chinese-language forum that provided access to "white capital"—cash that has been laundered—and that was "guaranteed" by a casino owner in Myanmar, Fully Light Group. This operator claims to make sure that agreements made on the site are carried out.
Fully Light also runs its own Telegram channels carrying advertisements for similar services. One such channel has around 117,000 participants and features advertisements for cryptocurrency swaps into "pure white" Chinese renminbi or "white capital" Singapore dollars.
Casinos clearly aid such dealings. According to new research by the United Nations Office on Drugs and Crime (UNODC), a large number of casinos and other gambling operators in Southeast Asia have become a central component of the underground banking system that serves organized criminal groups. The research has not yet been officially published.
The UNODC report notes that there are currently more than 340 physical casinos in Southeast Asia, along with many online gambling operators, and that they facilitate the escalating infiltration of the region by organized crime.
However, with the rise in popularity of these messaging apps, there has also been an increase in the number of fake apps that pose as extensions or premium versions of the popular platforms.
In this blog post, we will discuss the recent discovery of fake Signal and Telegram apps that have been found to sneak malware into thousands of Android phones.
Researchers at the cybersecurity firm ESET recently discovered fake apps in the Google and Samsung app stores that posed as extensions or premium versions of the popular messaging platforms Signal and Telegram.
These malicious apps, called Signal Plus Messenger and FlyGram, were designed to steal user data. When users took certain actions, these fake apps could pull sensitive information from legitimate Signal and Telegram accounts, including call logs, SMS messages, locations and more.
By stealing sensitive information from legitimate Signal and Telegram accounts, these malicious apps can compromise the privacy and security of users’ conversations.
This can lead to identity theft, financial fraud, and other forms of cybercrime. It is therefore important for users to be vigilant when downloading apps from app stores and to only download apps from trusted sources.
Recently, a new Golang-based information stealer named 'Titan Stealer' has been promoted by threat actors in their Telegram channel. Initial details of the malware were uncovered by cybersecurity researcher Will Thomas in November 2022 using the IoT search engine Shodan.
Titan is advertised as a malware builder that enables users to alter the malware binary's functionality and the type of data that will be extracted from a victim's system.
When launched, the malware uses a technique called 'process hollowing' to inject its malicious payload into the memory of a legitimate process, AppLaunch.exe, Microsoft's .NET ClickOnce Launch Utility.
According to a recent report by Uptycs security, researchers Karthickkumar Kathiresan and Shilpesh Trivedi say, “the stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.”
The Titan Stealer has been targeting web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. The crypto wallets singled out are Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.
Additionally, it has the ability to collect data from the Telegram desktop app and compile a list of the host's installed programs.
The gathered information is then transmitted as a Base64-encoded archive file to a remote server under the attacker's control. Additionally, the malware includes a web panel that enables threat actors to access the stolen data.
The exact approach used to distribute the malware is still unclear, but the threat actors have utilized numerous methods, such as phishing, malicious ads, and cracked software.
"One of the primary reasons [threat actors] may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS," says Cyble in its analysis of Titan Stealer. "Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software."
The findings come a little over two months after SEKOIA unveiled Aurora Stealer, another Go-based malware that is being used by a number of criminal actors in their campaigns.
The malware often spreads through websites that mimic well-known software, with the same domains continuously updated to host trojanized versions of different programs.
It has also been found to use a tactic called padding: random data is appended to inflate the executables to as much as 260MB, in an attempt to evade detection by antivirus software, which may skip or time out on very large files.
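As an added defensive illustration, not code from the page or from the vendors it cites, the Python below checks a PE image for this padding tactic: it walks the section table with the standard library, measures the overlay (data past the last section) and its Shannon entropy, and flags a file whose overlay is both large and random-looking. The minimal PE builder and the padding bytes are constructed here for the example; the thresholds are assumptions to tune per environment.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for random data, 0.0 for a single repeated byte."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_overlay(data: bytes) -> tuple[int, int]:
    """Return (end_of_last_section, overlay_size) for a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size         # section headers follow the optional header
    end = sec_table + nsections * 40         # mapped data never ends before the headers
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end, max(0, len(data) - end)


def looks_padded(data: bytes, min_overlay: int = 1 << 20, min_entropy: float = 7.0) -> bool:
    """Flag a PE whose overlay is at least min_overlay bytes AND high-entropy (assumed thresholds)."""
    end, overlay = pe_overlay(data)
    if overlay < min_overlay:
        return False
    return shannon_entropy(data[end:end + 65536]) >= min_entropy   # sample the first 64 KiB


def random_padding(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for the random padding described in the text (seeded for repeatability)."""
    return random.Random(seed).randbytes(n)


def build_sample_pe(padding: bytes) -> bytes:
    """Constructed minimal PE: one 512-byte .text section, then the given overlay."""
    opt_size = 240
    raw_ptr = 64 + 4 + 20 + opt_size + 40    # DOS hdr + signature + COFF + optional + 1 section hdr
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    section = b".text\0\0\0" + struct.pack("<IIII", 512, 0x1000, 512, raw_ptr) + bytes(16)
    return dos + coff + bytes(opt_size) + section + bytes(512) + padding
```

A 2 MiB random overlay trips the check while an all-zero overlay of the same size does not, so a deployment that also wants to catch zero-padding should drop the entropy gate and alert on overlay size alone.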
Microsoft has identified a threat actor targeting cryptocurrency investment startups. The entity, which Microsoft tracks as DEV-0139, posed as a cryptocurrency investment firm on Telegram and used an Excel file carrying "well-crafted" malware to compromise systems and access them remotely.
The threat is part of a trend of increasingly sophisticated cyberattacks. In this case, the threat actor created a fake OKX employee profile and joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms.
In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks.
There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for financial gain. Cyberattacks on the cryptocurrency market take various forms, including fraud, vulnerability exploitation, fake apps, and info stealers, all of which threat actors use to steal cryptocurrency funds.
In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures.
The document contained accurate information and showed a strong awareness of the realities of crypto trading; however, it also sideloaded a malicious .DLL (Dynamic Link Library) file that opened a backdoor into the user's system. The victim was then told to open the .dll file while discussing the fees.
The attack method is common; Microsoft suggests the same attacker used .dll files for the same purpose in June and was behind other attacks as well. According to Microsoft, DEV-0139 is the same threat actor that cybersecurity firm Volexity has associated with North Korea's state-sponsored Lazarus Group.
It uses a malware strain called AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year and Kaspersky Labs documented it in 2020.
1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.
3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:
The cryptocurrency market is a lucrative target for cybercriminals. Victims are approached through trusted channels to improve the chance that the attack succeeds. While attackers prefer large organizations, smaller organizations can also become easy targets.