Tag Archive for: Campaign

Cryptomining Campaign Unleashes Modified Mirai Botnet


Cryptocurrency Fraud, Endpoint Security, Fraud Management & Cybercrime

Latest Campaign Injects Song Lyrics and Other ‘Immature’ Elements Into Its Code

A quirky Mirai botnet variant is dropping cryptomining malware. (Image: Shutterstock)

A new campaign uses a quirkily customized Mirai botnet to spread cryptomining malware built to conceal the digital wallet that collects the proceeds.


Security researchers at Akamai dubbed the Mirai variant NoaBot and said it uses a unique SSH scanner but also shows an unexpected touch of immaturity.

Mirai is a wormable botnet infamous for targeting Linux-based IoT devices. Numerous versions of Mirai are in the wild because an anonymous coder leaked its source code online in 2016, before its three original authors pleaded guilty in 2017.

Akamai researchers first spotted NoaBot in early 2023. They also identified a link between NoaBot and the P2PInfect worm, discovered in July 2023 by Unit 42.

Unlike the original Mirai, NoaBot spreads through the Secure Shell protocol (SSH), not Telnet. The SSH scanner “seems to be custom made, and quite peculiar,” Akamai wrote. Once it establishes a connection, it sends the string “hi” and then closes the connection. Opening a connection and dropping it immediately is a sensible way for an infected system to check whether a host is listening; the odd part is the payload. “hi” is not a valid SSH packet, so Wireshark marks it as malformed.

“Why does it bother sending ‘hi,’ though? That’s a mystery,” Akamai…
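The scanner behaviour described above gives defenders a cheap network signal. The Python below is an added illustration, not code from Akamai’s report or from NoaBot: it checks the first bytes a client sends on a port-22 connection against the identification-string format of RFC 4253 (the reason Wireshark flags “hi” as malformed), then counts, per source address, how many distinct hosts received a non-SSH first packet. The flow records, the addresses and the `min_hosts` threshold are constructed for the example.

```python
import re
from collections import defaultdict

# RFC 4253 section 4.2: the first thing an SSH client sends is its identification
# string, "SSH-protoversion-softwareversion [SP comments] CR LF". Anything else as
# the first client bytes on port 22 is what Wireshark reports as malformed SSH.
IDENT_RE = re.compile(rb'^SSH-(?:2\.0|1\.99)-[^\s]+(?: [^\r\n]*)?\r?\n')


def classify_client_hello(payload: bytes) -> str:
    """Label the first bytes a client sent on a TCP/22 connection."""
    if not payload:
        return 'empty'              # connect-and-close with no data: plain port probe
    if IDENT_RE.match(payload):
        return 'ssh-identification'
    return 'non-ssh'                # e.g. NoaBot's "hi"


# Constructed flow records for the example (not real traffic):
# (source, destination, destination port, first client payload).
FLOWS = [
    ('198.51.100.7', '10.0.0.5', 22, b'hi'),
    ('198.51.100.7', '10.0.0.6', 22, b'hi'),
    ('198.51.100.7', '10.0.0.9', 22, b'hi'),
    ('203.0.113.40', '10.0.0.5', 22, b'SSH-2.0-OpenSSH_9.3\r\n'),
    ('203.0.113.41', '10.0.0.5', 22, b'SSH-2.0-libssh_0.10.4 scanner\r\n'),
    ('203.0.113.42', '10.0.0.5', 22, b''),
    ('203.0.113.43', '10.0.0.5', 80, b'GET / HTTP/1.1\r\n'),
]


def find_suspect_scanners(flows, min_hosts=2):
    """Sources that sent non-SSH first bytes to at least min_hosts distinct SSH targets.

    A single malformed hello is noise; the same source doing it across many hosts
    is the scanning pattern the report describes. min_hosts is a tunable assumption.
    """
    targets = defaultdict(set)
    samples = {}
    for src, dst, dport, payload in flows:
        if dport != 22 or classify_client_hello(payload) != 'non-ssh':
            continue
        targets[src].add(dst)
        samples.setdefault(src, payload[:32])
    return {src: {'targets': len(dsts), 'sample': samples[src]}
            for src, dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == '__main__':
    for src, info in find_suspect_scanners(FLOWS).items():
        print(f"{src}: {info['targets']} hosts, first bytes {info['sample']!r}")
```

In practice the first-payload field would come from a sensor that records initial client bytes (Zeek’s `ssh` analyzer, or a packet capture); the threshold separates a single mistyped client from a host sweeping the subnet.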

Source…

Russia’s APT28 used new malware in a recent phishing campaign



Pierluigi Paganini
December 29, 2023

Ukraine’s CERT (CERT-UA) warned of a new phishing campaign by the APT28 group to deploy previously undocumented malware strains.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new cyber espionage campaign carried out by the Russia-linked group APT28 (aka “Forest Blizzard”, “Fancy Bear” or “Strontium”).

The group employed previously undocumented malware, OCEANMAP, MASEPIE and STEELHOOK, to steal sensitive information from target networks.


CERT-UA discovered multiple phishing attacks aimed at government organizations between December 15 and December 25, 2023. The phishing emails attempt to trick recipients into clicking an embedded link to view a document.

Clicking the link sends the victim to a web resource where JavaScript and the Windows “search” (“search-ms”) application protocol handler [1] are used to deliver a shortcut (LNK) file.

Opening the shortcut runs a PowerShell command that downloads a decoy document from a remote server, together with a Python interpreter and a Client.py script that CERT-UA classifies as MASEPIE.

MASEPIE is a Python tool used to upload and download files and to execute commands. It communicates with its C2 infrastructure over TCP and encrypts the traffic with AES-128-CBC; the 16-byte key is generated during the initial connection setup. The backdoor maintains persistence by creating a ‘SysUpdate’ entry in the Windows registry and placing the shortcut ‘SystemUpdate.lnk’ in the Startup folder.

The threat actors also used MASEPIE to load and execute OpenSSH (to build a tunnel), the STEELHOOK PowerShell scripts (which steal data from the Chrome and Edge browsers), and the OCEANMAP backdoor.

“In addition, IMPACKET, SMBEXEC, etc. are created on the computer within an hour from the moment of the initial compromise, with the help of which network reconnaissance and attempts at further horizontal movement are carried out.” reads the advisory published by CERT-UA. “According to the combination of tactics, techniques, procedures and tools, the…
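The redirect step in the chain above, where JavaScript hands the browser a search protocol URI, is something a proxy or sandbox can look for in captured HTML. The Python below is an added example, not code from CERT-UA or from the campaign: it extracts `search-ms:`/`search:` URIs, parses their parameters and flags any whose `crumb=location:` points at a UNC path or URL rather than a local folder. The sample page, the address 203.0.113.10 and the share name are constructed for the example; that the advisory’s “search” / “ms-search” refers to the Windows `search-ms:` handler (and its shorter `search:` alias), and that a lure delivers the LNK by pointing the search scope at an attacker-controlled share, are assumptions made here.

```python
import re
from urllib.parse import unquote

# Constructed sample page for the example (not a real lure). The script mirrors the
# chain in the advisory: JavaScript hands the browser a search protocol URI; the
# assumption here is that the URI's crumb aims the search scope at an attacker share.
SAMPLE_PAGE = r'''
<html><body>
<script>
  window.location.href = "search-ms:query=Document&crumb=location:\\\\203.0.113.10@SSL\\DavWWWRoot\\docs&displayname=Documents";
</script>
<a href="search-ms:query=report&amp;crumb=location:C:\Users\Public\Documents">search local documents</a>
</body></html>
'''

# Both spellings are matched on the assumption that the advisory's "search"/"ms-search"
# refers to the Windows search-ms: handler and its shorter search: alias.
URI_RE = re.compile(r"(?<![\w-])(search-ms|search):([^\"'\s<>]+)", re.IGNORECASE)


def normalize_location(loc: str) -> str:
    """Undo URL-encoding and, for strings lifted from JavaScript source, backslash doubling."""
    loc = unquote(loc)
    if '\\\\\\\\' in loc:               # a run of four backslashes only occurs in escaped JS
        loc = loc.replace('\\\\', '\\')
    return loc


def is_remote(location: str) -> bool:
    """UNC paths (\\host\share, including WebDAV host@SSL) and URLs live off the machine."""
    return location.startswith('\\\\') or bool(re.match(r'^[a-z][a-z0-9+.-]*://', location, re.I))


def parse_search_uri(scheme: str, body: str) -> dict:
    """Split 'key=value&key=value' and classify every crumb=location: scope."""
    params = []
    for part in body.split('&'):
        key, _, value = part.partition('=')
        params.append((key.lower(), value))
    locations = [normalize_location(v[len('location:'):])
                 for k, v in params if k == 'crumb' and v.lower().startswith('location:')]
    return {
        'scheme': scheme.lower(),
        'query': next((v for k, v in params if k == 'query'), ''),
        'locations': locations,
        'remote': any(is_remote(loc) for loc in locations),
    }


def find_search_uris(page: str) -> list:
    """Every search protocol URI on the page, with its crumb locations classified."""
    # Only &amp; is decoded: html.unescape() would also rewrite legacy entities such
    # as "&not" inside parameter names and corrupt the URI.
    text = page.replace('&amp;', '&')
    return [parse_search_uri(m.group(1), m.group(2)) for m in URI_RE.finditer(text)]


def remote_search_uris(page: str) -> list:
    """The subset worth alerting on: search scopes pointing outside the local machine."""
    return [u for u in find_search_uris(page) if u['remote']]


if __name__ == '__main__':
    for uri in find_search_uris(SAMPLE_PAGE):
        flag = 'REMOTE' if uri['remote'] else 'local '
        print(f"{flag} {uri['scheme']}: query={uri['query']!r} locations={uri['locations']}")
```

A local `crumb=location:C:\...` is how legitimate applications use the handler, so only the remote case is reported; the normalisation step matters because the same URI looks different in an `href` attribute and inside a JavaScript string literal.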

Source…

New QakBot phishing campaign appears, months after FBI takedown


Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered.

QakBot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was one of the most deployed malware loaders in 2023 until an FBI-led takedown in August took the operation offline and untethered 700,000 compromised machines from the botnet.

In a Dec. 15 post on X (formerly Twitter), Microsoft’s Threat Intelligence team said it had identified a new QakBot phishing campaign.

“The campaign began on December 11, was low in volume, and targeted the hospitality industry,” the researchers said.

Targets of the new campaign received an email purporting to be from a U.S. Internal Revenue Service (IRS) employee. The email included a PDF attachment containing a URL that downloaded a digitally signed Windows Installer (.MSI) file.

If victims executed the MSI file, it launched QakBot malware. The payload was configured with a previously unseen version of the malware, 0x500, the Microsoft researchers said.

While the unique versioning suggested updates may have been introduced over the past few months, another researcher said on X: “All in all, this new Qbot version feels basically the same as the old stuff just with some minor tweaks.”

The ‘duck hunt’ is set to resume

As well as dismantling the botnet in August – in what was dubbed “Operation Duck Hunt” – authorities also seized infrastructure and $8.6 million in cryptocurrency belonging to the gang responsible for QakBot.

While taking out such a major botnet that had taken years to build was considered a significant victory, researchers warned at the time that because arrests were not made, there was a possibility the threat actors responsible for QakBot could regroup.

In October, Cisco Talos said it believed the same gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the QakBot takedown. Talos researchers said while the August raid took down the group’s command-and-control servers, it had not impacted their spam delivery infrastructure.

QakBot was first observed in 2008…

Source…

Hiring? New scam campaign means ‘resume’ downloads may contain malware


A cybercrime gang is targeting hiring managers and recruiters in a new campaign to spread the “more_eggs” backdoor malware.

Emails from supposed job seekers are luring victims to malicious “resume” downloads using sophisticated social engineering and infrastructure, Proofpoint said in a security briefing Tuesday.

The briefing outlines the evolving tactics of the threat actor tracked as TA4557, which Proofpoint researchers have been monitoring since 2018.

Spear phishing strategy convinces recruiters to stray from safety

Secure email gateways are one of the most common email security controls used by organizations; TA4557’s new methods seek to bypass them and lure job recruiters to attacker-controlled websites.

“The social engineering is very compelling leading up to the download of the file from the resume website,” Proofpoint Senior Threat Analyst Selena Larson told SC Media.

The attacks, which Proofpoint first detected in October 2023, begin with an email inquiring about an open position. With no links or attachments, the seemingly benign email gets the foot in the door to start building trust.

If the victim responds, the attack chain continues with the supposed job candidate inviting the hiring manager or recruiter to download a resume from their “personal website.”

Unlike classic job scams that target job seekers themselves, there is no need to impersonate an established business through methods like typosquatting. In early November, researchers also began seeing the attackers avoid sending links altogether, instead telling victims to “refer to the domain name of my email address to access my portfolio.”

Requiring the victim to copy and paste the malicious domain name increases the likelihood the emails will make it past secure email gateways. Plus, with unassuming domain names like “wlynch[.]com” for a candidate named William Lynch and “annetterawlings[.]com” for a candidate named Annette Rawlings, the emails are less likely to raise alarm bells than those from free email providers like Gmail or Yahoo.
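Because the lure carries no link, URL rewriting and link scanning at the gateway never see the domain; the victim types it in. One way to catch that pattern is to correlate mail-gateway and web-proxy logs: flag a recipient who browses to the sender’s own domain shortly after receiving its mail. The Python below is an added example, not Proofpoint’s detection logic; the two log formats, the corp.example users, the `FREEMAIL` list and the 60-minute window are all constructed assumptions, and the defanged `wlynch[.]com` is the page’s own example domain.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs for the example (not real data). Sender domains are written
# in the defanged "[.]" style the briefing uses; refang() restores them for matching.
MAIL_LOG = [
    "2023-11-06T09:02:11Z rcpt=recruiter@corp.example from=w.lynch@wlynch[.]com subject=Senior engineer opening",
    "2023-11-06T09:05:40Z rcpt=hr@corp.example from=news@mailer.example subject=Weekly digest",
    "2023-11-06T09:20:05Z rcpt=recruiter@corp.example from=jane@gmail.com subject=Application",
]
PROXY_LOG = [
    "2023-11-06T09:14:02Z user=recruiter@corp.example host=www.wlynch.com path=/resume",
    "2023-11-06T09:15:30Z user=recruiter@corp.example host=example.org path=/",
    "2023-11-06T09:40:00Z user=recruiter@corp.example host=gmail.com path=/",
    "2023-11-06T11:30:00Z user=hr@corp.example host=mailer.example path=/unsubscribe",
]

# Shared providers: a visit to gmail.com after a Gmail sender says nothing. Assumed list.
FREEMAIL = {'gmail.com', 'yahoo.com', 'outlook.com', 'hotmail.com'}


def refang(domain: str) -> str:
    return domain.replace('[.]', '.').lower()


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%SZ')


def parse_mail(lines):
    """-> [(received, recipient, sender_domain)] from the mail gateway log."""
    out = []
    for line in lines:
        m = re.match(r'(\S+) rcpt=(\S+) from=\S+@(\S+) ', line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2).lower(), refang(m.group(3))))
    return out


def parse_proxy(lines):
    """-> [(visited, user, host)] from the web proxy log."""
    out = []
    for line in lines:
        m = re.match(r'(\S+) user=(\S+) host=(\S+)', line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2).lower(), m.group(3).lower()))
    return out


def host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains (www.wlynch.com under wlynch.com)."""
    host = host.lower()
    return host == domain or host.endswith('.' + domain)


def correlate(mail_lines, proxy_lines, window=timedelta(minutes=60)):
    """Recipients who browsed to the sender's own domain shortly after receiving its mail.

    No link is needed in the email for this to fire, which is the point: the victim
    typed the domain in by hand. The 60-minute window is a tunable assumption.
    """
    hits = []
    visits = parse_proxy(proxy_lines)
    for received, rcpt, sender_domain in parse_mail(mail_lines):
        if sender_domain in FREEMAIL:
            continue
        for visited, user, host in visits:
            if user == rcpt and host_in_domain(host, sender_domain) \
                    and timedelta(0) <= visited - received <= window:
                hits.append({'user': rcpt, 'domain': sender_domain, 'host': host,
                             'minutes_after': int((visited - received).total_seconds() // 60)})
    return hits


if __name__ == '__main__':
    for hit in correlate(MAIL_LOG, PROXY_LOG):
        print(f"{hit['user']} visited {hit['host']} {hit['minutes_after']} min after mail from {hit['domain']}")
```

On real logs the hit list is still noisy (vendors and candidates do have personal domains), so the result is better treated as an enrichment that feeds a triage queue, combined with signals such as the domain’s registration age, than as a blocking rule.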

The attacker-controlled “candidate” websites were found to apply filters based on details like the victim’s IP address to…

Source…