Tag Archive for: evil

Attackers can buy evil Play apps for as little as $3000 – Security


Thrifty bad actors could pay as little as US$2000 ($3000) to get a malicious app into the Google Play store, according to Kaspersky researchers, but prices also range as high as US$20,000.

In research published at Securelist, the researchers analysed offers of Google Play threats for sale between 2019 and 2023, and found that the most popular app categories to hide malware were cryptocurrency trackers, financial apps, QR code scanners and dating apps.

The researchers price-benchmarked a variety of criminal services on offer: as well as pushing malware onto users’ Android devices, they looked at the cost of malware obfuscation, and advertising.

Between the two extremes, Kaspersky wrote, the average price for a compromised Google Play loader, which injects malicious code into a target app that then replaces the original on Play, is US$6975.

“However, if cyber criminals want to buy the loader source code, the price immediately rockets, reaching the upper limit of the price range,” the researchers added.

The researchers said that the criminals “most frequently … promise to inject code into an app with 5000 downloads or more.”

Binding services, another popular delivery mechanism, insert malicious code in an app, but rather than distributing it through Play, attackers push the app at victims via phishing text or “dubious websites with cracked games and software”.

These services, Kaspersky said, “usually cost about US$50 to US$100, or US$65 per file” for a successful installation.

Malware obfuscation helps malicious apps get past Google Play’s checks, and Kaspersky found it is offered per application, “or for a subscription, for example, once per month.”

The advantage of subscriptions is the same as in the legal world, the researchers wrote:
“One of the sellers offers obfuscation of 50 files for US$440, while the cost of processing only one file by the same provider is about US$30.”

Advertising to get users to pick up the compromised apps varies greatly: “The average price is US$0.50, with offers ranging from US$0.10 to US$1.”

Source…

Raspberry Robin Malware Connected to Russian Evil Corp Gang


Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, has significant similarities to the Dridex malware loader, meaning that it can be traced back to the sanctioned Russian ransomware group Evil Corp.

Researchers from IBM Security reverse-engineered two dynamic link libraries (DLLs) dropped during a Raspberry Robin infection and compared them to the Dridex malware loader, a tool that has been definitively linked to Evil Corp in the past; in fact, the US Department of the Treasury sanctioned the Russia-based Evil Corp for developing Dridex in 2019.

They found that the decoding algorithms worked similarly: both used random strings in the portable executables, and both had an intermediate loader stage that decoded the final payload in a similar manner and contained anti-analysis code.

“The results show that they are similar in structure and functionality,” Kevin Henson, a malware reverse engineer at IBM Security, wrote in the analysis. “Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.”

Raspberry Robin Takes Flight

Security firm Red Canary first analyzed and named Raspberry Robin in May. Soon after, it came to the attention of other researchers, including IBM Security.

The worm spreads quickly throughout internal networks, hitchhiking on USB devices passed between workers. While Raspberry Robin relies on social engineering techniques to convince victims to plug in an infected USB device, infections took off during the summer, with 17% of IBM Security’s managed clients in targeted industries seeing infection attempts.

However, the malware puzzled researchers initially, because it simply hibernated on infected systems and appeared to have no second-stage payload. In July that changed: IBM and Microsoft researchers discovered that infected systems had begun downloading the FakeUpdates malware, typically a precursor to ransomware used by Evil Corp.

FakeUpdates, also known as SocGholish, masquerades as a legitimate software update but installs popular attack tooling such as Cobalt Strike and Mimikatz, or ransomware, on the victim’s computer.

Microsoft noted at the time that FakeUpdates is usually attributed…

Source…

Evil Corp Switches to Ransomware-as-a-Service to Evade US Sanctions


Evil Corp—or at least a hacking group affiliated with it—is mixing things up.

Mandiant reports that a threat actor it’s been tracking as UNC2165 appears to be related to the cybercrime group, which was sanctioned by the US Treasury Department in 2019 for using “the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.”

Those sanctions prevent organizations from paying a ransom to restore access to their systems. Financially motivated threat actors like Evil Corp aren’t targeting organizations for the fun of it, or looking to further a nation-state’s agenda, so they have to maximize their chances of getting paid. That means they need to make it harder for their victims to identify them.

A timeline of ransomware strains used by groups affiliated with Evil Corp

Which is why Mandiant says that hacking groups affiliated with Evil Corp have used a variety of ransomware strains over the last two years. The groups initially used WastedLocker, but after that ransomware’s connection to Evil Corp was revealed, they switched to a ransomware family known as Hades. Now they’ve started using a ransomware-as-a-service (RaaS) called Lockbit.

Mandiant says that using a RaaS offering makes sense for groups affiliated with Evil Corp:

Both the prominence of LOCKBIT in recent years and its successful use by several different threat clusters likely made the ransomware an attractive choice. Using this RaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on the use of an exclusive ransomware. Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.

The company says it expects similar groups “to take steps such as these to obscure their identities in order to ensure that it is not a limiting factor to receiving payments from victims.”…

Source…

Russian hacking gang Evil Corp shifts its extortion strategy after sanctions


A back-lit computer keyboard. (Chris Ratcliffe/Bloomberg)

A notorious Russian cybercrime group has updated its attack methods in response to sanctions that prohibit U.S. companies from paying it a ransom, according to cybersecurity researchers.

The security firm Mandiant said Thursday it believes that the Evil Corp gang is now using a well-known ransomware tool named Lockbit. Researchers said Evil Corp has shifted to Lockbit, a form of ransomware used by numerous cybercrime groups, rather than its own brand of malicious software in order to hide evidence of the gang’s involvement, so that compromised organizations are more likely to pay an extortion fee.

The U.S. Treasury Department in 2019 sanctioned the alleged leaders of the Evil Corp gang, creating legal liabilities for American companies that knowingly send ransom funds to the hackers. While cybersecurity firms have associated Evil Corp with two kinds of malware strains, known as Dridex and Hades, the group’s use of LockBit could cause hacked organizations to believe that another hacking group, other than Evil Corp, was behind the breach.

Evil Corp is believed to be behind some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than $100 million from companies across 40 countries, according to the U.S. government.

Alleged members are on the wanted lists of law enforcement across the U.S., UK and Europe, including accused mastermind Maksim Yakubets, who the Treasury Department said previously worked for Russia’s Federal Security Service. The 35-year-old Russian man is reported to own a tiger and drive a personalized Lamborghini with a license plate that translates to say “thief,” according to the U.K.’s National Crime Agency.

The U.S. has increasingly used sanctions to try to curb cybercriminal operations, including prohibiting American organizations from paying ransom fees to known groups like Evil Corp and to cryptocurrency exchanges that are often used to funnel ransom payments.

Source…