Tag Archive for: deploys

TA866 Deploys WasabiSeed & Screenshotter Malware



The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter.

The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files.

“The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset,” the enterprise security firm said.

TA866 was first documented by the company in February 2023, when it attributed to the group a campaign named Screentime that distributed WasabiSeed, a Visual Basic script dropper used to download Screenshotter, which takes screenshots of the victim’s desktop at regular intervals and exfiltrates them to an actor-controlled domain.

There is evidence that the organized actor is financially motivated: Screenshotter acts as a reconnaissance tool to identify high-value targets for post-exploitation, after which an AutoHotKey (AHK)-based bot is deployed to ultimately drop the Rhadamanthys information stealer.


Subsequent findings from Slovak cybersecurity firm ESET in June 2023 unearthed overlaps between Screentime and another intrusion set dubbed Asylum Ambuscade, a crimeware group active since at least 2020 that also engages in cyber espionage operations.

The latest attack chain remains virtually unchanged save for the switch from macro-enabled Publisher attachments to PDFs bearing a rogue OneDrive link, with the campaign relying on a spam service provided by TA571 to distribute the booby-trapped PDFs.


“TA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety of malware for their cybercriminal customers,” Proofpoint researcher Axel F said.

This includes AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (aka Qbot), and DarkGate, the last of which allows attackers to perform various commands such as information theft, cryptocurrency mining, and execution of arbitrary programs.

“Darkgate…

Source…

North Korea’s ScarCruft Deploys RokRAT Malware via LNK File Infection Chains


May 02, 2023 | Ravie Lakshmanan | Threat Intelligence


The North Korean threat actor known as ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.

“RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains,” Check Point said in a new technical report.

“This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources.”

ScarCruft, also known by the names APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver an array of custom tools.


The adversarial collective, unlike the Lazarus Group or Kimsuky, is overseen by North Korea’s Ministry of State Security (MSS), which is tasked with domestic counterespionage and overseas counterintelligence activities, per Mandiant.

The group’s primary malware of choice is RokRAT (aka DOGCALL), which has since been adapted to other platforms such as macOS (CloudMensis) and Android (RambleOn), indicating that the backdoor is being actively developed and maintained.

RokRAT and its variants are equipped to carry out a wide range of activities like credential theft, data exfiltration, screenshot capture, system information gathering, command and shellcode execution, and file and directory management.


The collected information, some of which is stored in the form of MP3 files to cover its tracks, is sent back using cloud services like Dropbox, Microsoft OneDrive, pCloud and Yandex Cloud in a bid to disguise the command-and-control (C2) communications as legitimate.

Other bespoke malware used by the group includes, but is not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and, most recently, M2RAT. It’s also known to use commodity malware such as Amadey, a downloader that can receive commands from the attacker to…

Source…

Cypriot Operator Cyta Deploys IPification’s Mobile Authentication Solution


IPification, the leading global provider of mobile IP address-based authentication and phone verification, has deployed its solutions within Cyta, the largest mobile network operator in Cyprus.

Mobile app developers whose users subscribe to Cyta can now implement IPification into their apps to streamline their onboarding and sign-in processes.

IPification authenticates users within milliseconds and with only one click via the users’ unique mobile ID key composed of their phone number, device, and network data. IPification offers mobile app developers a way to improve their registration and login experience to increase their user acquisition, engagement and retention rates while also providing the users with bank-grade mobile security services.

With this partnership, Cyta is enabling IPification for all mobile app developers and their subscribers, cementing the company’s image as one of the biggest innovators in the region.

Petros Charalambous, Director of IT at Cyta:
“It is a privilege for Cyta to partner with IPification, the leading global provider of mobile IP authentication. We believe that this collaboration will allow us to offer our clients the simplest, fastest, and most secure authentication process available. In today’s fast-paced world, the simplicity of process and a friendly user experience have become core values.”

Stefan Kostic, IPification CEO:
“We’re looking forward to revolutionizing the way in which mobile authentication is done in Cyprus together with them, and we hope to onboard mobile apps in a variety of industries from fintech, banking, ride-hailing, gaming, taxi and delivery, entertainment, streaming, OTT, etc.”

Source…

Pro-India APT Group Deploys Android Spyware



SunBird and HornBill Malicious Apps Mainly Target Users in South Asia


Researchers at the San Francisco-based security firm Lookout have identified two new Android spyware tools used in cyberespionage campaigns in South Asia, which they say are linked to “Confucius,” a pro-India advanced persistent threat group.


Confucius has been active since 2013, and mainly targets victims in Pakistan and other parts of South Asia, Lookout says.

The spyware tools, SunBird and HornBill, have been deployed as malicious Android apps. The malware is designed to exfiltrate SMS messages, encrypted messaging app content, geolocation data and other sensitive information from Android devices.

The malware, which has been active since December, has targeted personnel linked to Pakistan’s military and nuclear authorities as well as Indian election officials in Kashmir.

Malware Capabilities

SunBird and HornBill are disguised as legitimate chat applications, such as Fruit Chat, Cucu Chat and Kako Chat, Lookout researchers say. Once the malicious apps are downloaded from third-party app stores, they exfiltrate call logs, contacts, contact details, the device’s unique mobile identification number, geolocation and images from the victims’ phones, and access WhatsApp content.

SunBird, which is a remote access Trojan, has been designed with additional capabilities. These include the ability to exfiltrate information about the installed apps, steal browser history and run arbitrary commands with root…

Source…