Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label data wipers. Show all posts

Data Spyware Delivered via Telegram & Discord Bots

Hackers have utilized these messaging apps in a variety of ways to transmit their own malware, according to Intel 471's research. They have discovered ways to host, distribute, and execute various activities on these platforms, which they mostly exploit in cooperation with data theft in order to be able to steal credentials or other information from unwary users.

According to a recent study from Intel 471, threat actors are using the multifaceted nature of messaging apps — in particular, their content-creation and program-sharing components — as a basis for information stealing.

Tactics & Techniques

Researchers at Intel 471 have found a number of data thefts that are openly accessible and depend on Telegram or Discord to operate.

Additionally, these hackers conduct similar attacks against the Roblox and Minecraft gaming sites. Discord's content delivery network (CDN) is regularly used to store malware, as per researchers, because the platform doesn't place limitations on file storage.

One Telegram-focused botnet, dubbed X-Files, includes features that may be accessible through Telegram's bot commands. Once the malware has been installed on a victim's computer, criminal actors can take credit card information, login credentials, session cookies, and passwords, and send them to a Telegram channel of their choice. 

Several browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi, may import data into X-Files. Although Prynt Stealer, another stealer, operates similarly, it lacks the built-in Telegram commands.

The following malware families have been seen hosting harmful payloads on Discord CDN: PrivateLoader,  Discoloader, Colibri, Warszone RAT, Modi loader, Raccoon thief, Smokeloader Amadey,  Tesla agent thief, GuLoader, Autohotkey, and njRAT.

Cautions

The entry threat for malicious actors is reduced by automation in well-known chat platforms. Data theft might be the initial step in initiating a targeted attack against an enterprise, even though they can not alone cause as much harm as malware like a data wiper or ransomware.

Although messaging services like Discord and Telegram are not often utilized for corporate activities, their popularity and the surge in remote work have increased the attack surface available to cybercriminals.




JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.

Agrius – The Iranian Hacking Group Targets Israel Using Data Wipers

 

The hacking community of Agrius has switched from a strictly destructive wiper malware to a mix of wiper and ransomware functions — and pretends to keep data till the end of attacks. 

SentinelOne investigators announced on Tuesday that Agrius was the first to be found in attacks targeting Israeli groups in 2020, evaluating the threat group's new movements. 

The community utilizes a mixture of its customized toolkits and offensive security software, readily accessible, to deploy either a malicious wiper or a custom wiper-turned-ransomware variant. The attackers asked the targets to pay the ransom to simulate a ransomware attack to conceal the true nature of the attack. 

The Agrius Community has been functioning since the beginning of 2020, as per the experts. Initially targeted aggression in the Middle East area, Agrius expanded its presence since December 2020 to the Israeli targets. 

But unlike the other ransomware groups like Maze and Conti, Agrius doesn't seem to rely on money—instead, ransomware is indeed a recent addition and a boost to the cyber-espionage- and destruction-oriented attacks.

Moreover, Agrius claimed to be robbing and encrypting information for extorting victims in many of the attacks identified by SentinelOne only when the wiper was deployed, however, this information had already been lost. 

Agrius "intentionally masked their activity as a ransomware attack," the researchers said. 

Throughout the initial stages of the attack, Agrius uses tools for the virtual private network (VPN) software, also accessing publicly available applications and services that correspond to its intended target, often via compromised accounts and security vulnerabilities, before trying to exploit them. 

Agrius' toolkit consists of Deadwood, a malicious wiper malware strain, which is also referred to as Detbosit. Deadwood, assumed to be the APT33 work, was related to attacks against Saudi Arabia during 2019. 

The wipers, like Deadwood, Shamoon, and ZeroCleares, have also been linked to APT33 and APT34. 

During attacks, Agrius also drops the IPsec Helper, a custom.NET backdoor to bind to a command-and-control (C2) server. Moreover, a new .NET wiper known as an Apostle is being thrown away. 

Apostle seems to have been upgraded and changed to include usable modules in a recent attack towards state-owned facilities in the United Arab Emirates. Nevertheless, the team argues, that it is not the financial attraction Agrius focuses on throughout development but the disruptive aspects of ransomware — such as the ability to encrypt data. 

SentinelOne claims no "solid" links have indeed been developed with other established threat groups but because of the involvement of Agrius in Iranian issues, the deployment of web-based shells related to variants produced by the Iranians, and the primary use of wipers – an attack tactic linked to Iranian APTs since 2002 – indicated that the group is likely to originate in the Iranian Republic.