Tag Archive for: dismantles

U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators

/in


Feb 11, 2024NewsroomMalware / Cybercrime

Warzone RAT Infrastructure

The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT.

The domains – www.warzone[.]ws and three others – were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers,” the DoJ said.

Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes.

The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31) have been charged with unauthorized damage to protected computers, with the former also accused of “illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses.”

Cybersecurity

Meli is alleged to have offered malware services at least since 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to carry out cyber attacks. Prior to Warzone RAT, he had sold another RAT known as Pegasus RAT.

Like Meli, Odinakachi also provided online customer support to purchasers of Warzone RAT malware between June 2019 and no earlier than March 2023. Both individuals were arrested on February 7, 2024.

Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyber attack targeting an Italian organization in the oil and gas sector towards the end of 2018 using phishing emails bearing bogus Microsoft Excel files exploiting a known security flaw in the Equation Editor (CVE-2017-11882).

Sold under the malware-as-a-service (Maas) model for $38 a month (or $196 for a year), it functions as an information stealer and facilitates remote control, thereby allowing threat actors to commandeer the infected hosts for follow-on exploitation.

Some of the notable features of the malware include the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and activate the computer’s webcams without the…

Source…

US Dismantles IPStorm Botnet Proxy Service

/in


The US authorities have shut down a major botnet comprising tens of thousands of infected endpoints, which cyber-criminals hired to launch various attacks anonymously.

The IPStorm botnet and its infrastructure were dismantled earlier this year, according to the Department of Justice (DoJ).

Its alleged administrator, Russian and Moldovan national Sergei Makinin, pleaded guilty back in September to three counts of fraud and related activity in connection with computers. Each count carries a maximum sentence of 10 years.

The botnet operated from June 2019 to December 2022, turning compromised Windows, Linux, Mac and Android devices from around the world into proxies. These could then be rented out by cyber-criminals through two of Makinin’s websites: proxx.io and proxx.net.

Read more on proxies: FBI: Beware Residential IPs Hiding Credential Stuffing

The proxies enabled threat actors to bypass security filters and anonymize their traffic as they launched various cyber-attacks on victims. According to the DoJ, a single customer could pay hundreds of dollars a month to route their traffic through the botnet.

Makinin is said to have run around 23,000 such proxies as part of the botnet and admitted making at least $550,000 from the scheme.

“It is no secret that in present times, much criminal activity is conducted or enabled through cybernetic means. Cyber-criminals seek to remain anonymous and derive a sense of security because they hide behind keyboards, often thousands of miles away from their victims,” said Joseph González, special agent in charge of the FBI’s San Juan Field Office.

“The FBI’s cyber mission has been to impose risk and consequences on our adversaries, ensuring cyberspace is no safe space for criminal activity. This case is one example of how we are doing just that.”

The FBI urged device owners to keep up to date with the latest security and software patches to mitigate the risk of their machines becoming compromised and conscripted into such a botnet.

Source…

Europol Dismantles Ragnar Locker Ransomware Infrastructure, Nabs Key Developer

/in


Ragnar Locker Ransomware

Europol on Friday announced the takedown of the infrastructure associated with Ragnar Locker ransomware, alongside the arrest of a “key target” in France.

“In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain, and Latvia,” the agency said. “The main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.”

Five other accomplices associated with the ransomware gang are said to have been interviewed in Spain and Latvia, with the servers and the data leak portal seized in the Netherlands, Germany, and Sweden.

The effort is the latest coordinated exercise involving authorities from Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Two suspects associated with the ransomware crew were previously arrested from Ukraine in 2021. A year later, another member was apprehended in Canada.

Ragnar Locker, which first emerged in December 2019, is known for a string of attacks targeting critical infrastructure entities across the world. According to Eurojust, the group has committed attacks against 168 international companies worldwide since 2020.

“The Ragnar Locker group was known to employ a double extortion tactic, demanding extortionate payments for decryption tools as well as for the non-release of the sensitive data stolen,” Europol said.

Cybersecurity

Ukraine’s Cyber Police said it conducted raids at one of the suspected members’ premises in Kyiv, confiscating laptops, mobile phones and electronic media.

The law enforcement action coincides with the Ukrainian Cyber Alliance (UCA) infiltrating and shutting down the leak site run by the Trigona ransomware group and wiping out 10 of the servers, but not before exfiltrating the data stored in them. There is evidence to suggest that the Trigona actors used Atlassian Confluence for their activities.

Just as the dismantling of Hive and Ragnar Locker represents ongoing efforts to tackle the ransomware menace, so are the initiatives undertaken by threat actors to evolve and rebrand under new names. Hive, for instance, has resurfaced as Hunters International.

The development…

Source…

SSU dismantles an infowar botnet. HIMARS, atrocities, provocation, and disinformation. A Russian disinformation mouthpiece raises the prospect that there are highly placed traitors in the GRU. Rewards for Justice works toward securing elections from Russian meddling. The case that Russia’s war is genocidal. The case that pan-Slavism has found wayward, but sincere, expression in Mr. Putin’s war.

/in


At a glance.

  • SSU dismantles an infowar botnet.
  • HIMARS, atrocities, provocation, and disinformation.
  • A Russian disinformation mouthpiece raises the prospect that there are highly placed traitors in the GRU.
  • Rewards for Justice works toward securing elections from Russian meddling.
  • The case that Russia’s war is genocidal.
  • The case that pan-Slavism has found wayward, but sincere, expression in Mr. Putin’s war.

Ukraine claims to have taken down a massive Russian bot farm.

The Security Service of Ukraine (SSU) says it dismantled a large Russian botnet operation that was being used to spread Russian propaganda and disinformation. The bots, about a million strong, were herded from locations within Ukraine itself, in the cities of Kyiv, Kharkiv, and Vinnytsia, BleepingComputer reports. Their output took the form of social media posts from inauthentic accounts associated with fictitious personae. The SSU describes the operation as follows: “Their latest ‘activities’ include the distribution of content on the alleged conflict between the leadership of the President’s Office and the Commander-in-Chief of the Armed Forces of Ukraine as well as a campaign to discredit the first lady. To spin destabilizing content, perpetrators administered over 1 million of their own bots and numerous groups in social networks with an audience of almost 400,000 users. In the course of a multi-stage special operation, the SSU exposed the leader of this criminal group. He is a russian citizen who has lived in Kyiv and positioned himself as a ‘political expert.’”

On the other side of the information war, BleepingComputer also reported earlier this week that Ukrainian hacktivists, “Torrents of Truth,” were bundling instructions on how to bypass Russian censorship into movie torrents whose intended audience would be Russian viewers.

HIMARS, atrocities, provocation, and disinformation.

The killing of Ukrainian prisoners of war in Olenivka is by now clearly a Russian atrocity–the prisoners were apparently murdered by their captors. (And we note in passing that the International Committee of the Red Cross still has not been given the access to the prison international law requires.) The prisoners did not die in a…

Source…