Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label TrickBot. Show all posts
TrickBot
Conti Cyber Crime Dark Web FBI ID Leak Internet Ransomware TrickBot

Mysterious Entity ExposedGang Exposes Cyber Criminals


An anonymous leaker is exposing the identities of the world’s most wanted cybercriminals. 

Recently, a mysterious leaker exposed leaders behind Trickbot and Conti ransomware, hacking groups that are known for some of the biggest extortions in recent times. 

Recently, The Register contacted an anonymous individual known by the alias GangExposed, who is on a personal mission to “fight against an organized society of criminals known worldwide”. GangExposed takes pleasure in thinking he can rid society of at least some of the cybercriminals. "I simply enjoy solving the most complex cases,” he said. 

Stern doxxed

One of the criminals doxxed is Stern, the mastermind of Conti ransomware operations and TrickBot. GangExposed claims Stern is Vitaly Nikolaevich, CySecurity reported about this case recently.

After the doxxing of Stern, GangExposed went after another important criminal, AKA professor, who is a 39-year-old Russian called Vladimir Viktorovich Kvitko. He is living in Dubai. Apart from exposing important individuals, GangExposed also leaked videos, ransom negotiations, and chat logs. 

About GangExposed

The leaker said it was not an “IT guy,” it just observed patterns that other people missed. 

"My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don't even notice," the leaker said. 

"I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than most of my investigations' subjects."

Leaked bought info to expose IDs

To expose the IDs of infamous threat actors, GangExposed used information received via “semi-closed databases, darknet services,” and through purchases. It has “access to the leaked FSB border control database.” GangExposed claims it purchased the database from the dark web for $250,000. 

GangExposed could have gotten at least $10 million in bounty from the FBI if it wanted to, but it has decided not to demand money.  This suggests the leakers may be resentful of former members looking for revenge, while some experts think taking the bounty would make them criminal as well. 

CySecurity had earlier reported on this incident, you can read the full story about the international crackdown on cybercrime gangs here

Read more »
Wizard Spider
BlackCat Conti Ransomware Cyber Crime Ryuk Ranomware System BC TrickBot Wizard Spider

Germany Police Have ID'd the Leader of Trickbot Criminal Gang

Cops in Germany have found cybercrime gang leader

The Federal Criminal Police of Journey “BKA” has claimed that Stern, the leader of TrickBot and Conti cybercrime gangs, is Vitaly Nikolaevich Kovalev, a 36-year-old Russian. 

According to BKA, he is suspected of founding the ‘TrickBot’ group, aka ‘Wizard Spider. ' This was part of Operation Endgame, a collaborative global crackdown against malware infrastructure and hackers behind it. The gang used TrickBot and other malware, such as SystemBC, Bazarloader, Ryuk, Diavol, Conti, and IcedID. 

Most wanted in Germany

According to Interpol, Kovalev is wanted in Germany. He is charged with being the mastermind of an unnamed criminal gang.

This is not the first time Kovalev has been charged with participating in a cybercrime organization. In 2023, he was one of seven Russians charged in the US for their connections to the Conti and TrickBot cybercrime gangs. 

At that time, he was only charged as a senior member of the TrickBot gang using the aliases “Bergen,” “Ben,” “Bentley,” and “Alex Konor.”

Leaks led to the identification

The sanctions were announced after massive information leaks from Conti and TrickBot members called ContiLeaks and TrickLeaks.

Contileaks gave access to the gang’s inside conversations and source code, and TrickLeaks even leaked the identities, and personal information of TrickBot members, and online accounts on X (former Twitter).

These chats revealed that Kovalev aka “Stern” was heading the TriickBot operation and Conti and Ryuk ransomware groups. The chats revealed members asking Stern permission before launching attacks or getting lawyers for TrickBot members captured in the U.S. 

The leaks led to a speedy crackdown on Conti, the gang members switching to other operations or forming new criminal groups such as BlackCat, LockBit, Royal, Black Basta, AvosLocker, Zeon, and DagonLocker. 

BKA’s investigation revealed that the “TrickBot group consisted of more than 100 members. It works in an organized and hierarchically structured manner and is project and profit-oriented.” 

BKA said that the “group is responsible for the infection of several hundred thousand systems in Germany and worldwide; through its illegal activities, it has obtained funds in the three-digit million range. Its victims include hospitals, public facilities, companies, public authorities, and private individuals."

Kovalev is in hiding and German police believe that he may be in Russia. The police have asked for any info that could lead to his arrest. 

Read more »
TrickBot
Bumblebee Cyberattack Cybersecurity Europol malware MSI Netskope phishing Ransomware TrickBot

Bumblebee Malware Resurfaces in New Attacks Following Europol Crackdown

 

iThe Bumblebee malware loader, inactive since Europol's 'Operation Endgame' in May, has recently resurfaced in new cyberattacks. This malware, believed to have been developed by TrickBot creators, first appeared in 2022 as a successor to the BazarLoader backdoor, giving ransomware groups access to victim networks.

Bumblebee spreads through phishing campaigns, malvertising, and SEO poisoning, often disguised as legitimate software such as Zooom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Among the dangerous payloads it delivers are Cobalt Strike beacons, data-stealing malware, and ransomware.

Operation Endgame was a large-scale law enforcement effort that targeted and dismantled over a hundred servers supporting various malware loaders, including IcedID, Pikabot, TrickBot, Bumblebee, and more. Following this, Bumblebee activity appeared to cease. However, cybersecurity experts at Netskope have recently detected new instances of the malware, hinting at a possible resurgence.

The latest Bumblebee attack involves a phishing email that tricks recipients into downloading a malicious ZIP file. Inside is a .LNK shortcut that activates PowerShell to download a harmful MSI file disguised as an NVIDIA driver update or Midjourney installer.

This MSI file is executed silently, and Bumblebee uses it to deploy itself in the system's memory. The malware uses a DLL unpacking process to establish itself, showing configuration extraction methods similar to previous versions. The encryption key "NEW_BLACK" was identified in recent attacks, along with two campaign IDs: "msi" and "lnk001."

Although Netskope hasn't shared details about the payloads Bumblebee is currently deploying, the new activity signals the malware’s possible return. A full list of indicators of compromise can be found on a related GitHub repository.
Read more »
TrickBot
BlackBerry Conti Ransomware Cyber Crime Encryption Intel 471 RaaS Russian Hackers TrickBot

Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti,' which primarily exploits Conti code has come to the surface. 

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but Intel471 and BlackBerry independently announced their study into Monti on September 7th.

The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under "Wizard Spider" and could be linked with the global Trickbot cybercrime ring. 

Reportedly, the cybercrime group that has a base in Russia, supports the Russian government's goals, particularly the Ukraine conflict. 

In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. The group's ability to scale operations is a direct result of the aforementioned. The group resorts to the ransomware as a service (RaaS) approach to disseminate the infection.

According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," it was published on February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti." 

Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.

Apart from one, Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent, and the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks. 

Experts want to highlight a useful technique that was made feasible by our awareness of the code repetition before  Monti's reuse of Conti's encryptor code. 

The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because we were familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ. 

The BlackBerry IR team was able to recover completely, unencrypted strings from encrypted log files because of this information.

Conti's activities have slowed down recently, some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.

Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.





Read more »
TrickBot
Antivirus APT Cobalt Strike Endpoint Privacy TrickBot

Upcoming Crimeware is Driven by Cobalt Strike

Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.

Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Utilizing research queries derived by examining the toolkit, how sliver functions, its components, and malicious activity using it can be found.

Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.

Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.

Hackers have developed alternatives as Cobalt Strike's defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.

According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.

Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. The gang in the past, has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.

State-sponsored actors in Russia, especially APT29 also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).

Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.

Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Hackers can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols DNS, HTTP/TLS, MTLS, and TCP, accepts implants/operator connections, and can host files to imitate legitimate web servers.

Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.

Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don't have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.


Read more »
TrickBot
Cobalt Strike Conti Ransomware malware Phishing Attacks TrickBot

Networks Breached via Bumblebee Loader


The Bumblebee loader is increasingly being used by hackers linked to the IcedID, TrickBot, and BazarLoader malware to infiltrate target networks and carry out additional post-exploitation operations.

When Google's Threat Analysis Group (TAG) exposed the actions of an initial access broker named Exotic Lily with connections to the TrickBot and the bigger Conti collectives in March 2022, Bumblebee initially came to light.

What is Bumblebee?

Researchers discovered that Bumblebee is a successor for the malware known as BazarLoader, which previously distributed the Conti ransomware.

Spam emails are where the Bumblebee virus first appears. The malicious Dynamic Link Library (DLL) file is finally dropped by the ISO file that can be downloaded using the link in this email. On the victim's computer, the DLL file continues to load Bumblebee's ultimate payload.

An identical replica of the data found on an optical disc, such as a CD or DVD, is stored in an archive file called an ISO file. They are primarily employed to distribute huge file sets intended for burning onto optical discs or backup optical discs.

Analysis by experts 

According to Cybereason, most Bumblebee infections were initiated by end users executing LNK files, which load the malware via a system binary.

As per experts from Cybereason Meroujan Antonyan and Alon Laufer, "the virus is distributed by phishing emails with an attachment or a link to the malicious archive containing Bumblebee."

Bumblebee operators apparently did extensive surveillance after system compromise and diverted command execution output to files for exfiltration.

The loader is launched using the command found in the LNK file, which serves as a conduit for subsequent steps including persistence, privilege escalation, reconnaissance, and data theft.

After attaining elevated access to infected endpoints, the threat actor also uses the Cobalt Strike adversary simulation framework to move laterally throughout the network. By deploying AnyDesk remote desktop software, persistence is achieved.

The technical report stated that the hackers 'disrupted Active Directory and used confidential data such as users' logins and passwords for lateral movement. Less than two days passed between the initial access and the compromising of Active Directory.

Cybereason asserts that Bumblebee needs to be handled as a serious threat due to the attack's proactivity.


Read more »
User Privacy
Botnet Conti Emotet Google Chrome malware Ransom Ransomware TrickBot Trojan User Data User Privacy

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.
Read more »
TrickBot
BazarLoader C&C Conti Ransomware cybercriminals Data Breach Encrypted Files Russian Hackers TrickBot

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by a known Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries. 

The Fortune 250 business said in a legal statement on Tuesday, the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been summoned to help. Although the investigation is ongoing, the company announced some data, including employee personal information, was accessed and taken. 

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry." 

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly comprising papers stolen from Parker have been leaked by the hacker group. However, this could only be a small percentage of the data they've obtained; as per the Conti website, only 3% of the data theft has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and avoid stolen information from being leaked. 

Conti ransomware is a very destructive malicious actor because of how quickly it encrypts data and transfers it to other computers. To gain remote access to the affected PCs, the organization is using phishing attempts to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.
Read more »
Subscribe to: Posts (Atom)