Tag Archive for: returns

Lokibot Returns to the Index and Emotet Regains Top Spot


Check Point Research reveals that the info-stealer Lokibot is back in the list of most prevalent malware, while Emotet has taken first place away from Trickbot. Apache Log4j is still wreaking havoc as the most exploited vulnerability.

SAN CARLOS, Calif., Feb. 08, 2022 (GLOBE NEWSWIRE) — Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for January 2022. Researchers report that Emotet has now pushed Trickbot out of first place after a long stay at the top and is this month’s most prevalent malware, affecting 6% of organizations worldwide. Log4j is also still proving to be a problem, impacting 47.4% of organizations globally, and the most attacked industry continues to be Education/Research.

After only two and a half months since its return, Emotet has surged into the top spot. The notorious botnet is most commonly spread via phishing emails that contain malicious attachments or links. Its increased use has only been helped by the prevalence of Trickbot, which acts as a catalyst, spreading the malware even further. Meanwhile Dridex has dropped from the top ten list altogether, replaced by Lokibot, an info-stealer used to obtain data such as email credentials and passwords to cryptocurrency wallets and FTP servers.

“It’s unsurprising that Emotet is back with a vengeance. It’s an evasive malware, making it difficult to detect, while the fact that it uses multiple methods to infect networks only further adds to the continuing rise of this threat. It is unlikely that this will be a short-lived problem,” said Maya Horowitz, VP Research at Check Point Software. “This month we’ve also seen Dridex disappear from our top ten list and Lokibot resurface. Lokibot takes advantage of victims at their busiest moments, being distributed through well disguised phishing emails. These threats, alongside the ongoing battle with the Log4j vulnerability, emphasise the importance of having the best security across networks, cloud, mobile and user endpoints.”

Check Point Research (CPR) revealed this month that…

Source…

Hacker behind $600M Poly Network theft returns stolen cryptocurrency


Poly Network, the cross-chain decentralized finance platform provider that had about $600 million in cryptocurrency stolen from it earlier this month, has had all the funds returned.

The hack, first reported Aug. 10, involved the theft of Binance Chain, Ethereum and Polygon assets, with estimates that they were worth at the time up to $611 million. The hacker took advantage of a cryptography issue to exploit functions that modified contracts on Poly.

The following day, the hacker, who went by the name of “Etherhood,” started returning small amounts of some of the stolen funds. Etherhood said that the primary motivation for the hack was “for fun” and that they had gone after the Poly Network because “cross-chain hacking is hot.”

Etherhood went on to explain that he or she had stolen the cryptocurrency to keep it safe before insiders exploited the vulnerability. That was capped off with the statement, “I prefer to stay in the dark and save the world.”

It was speculated at the time that some of the funds were being returned in an attempt to avoid criminal charges after researchers had tracked down identifying information. Etherhood, who did promise to return all the funds, has now done so.

Bleeping Computer reported that the hacker, now going by the name of “Mr. White Hat,” earlier today gave Poly Network access to the last tranche of stolen digital assets in their wallet, worth around $141 million.

“At this point, all the user assets that were transferred out during the incident have been fully recovered,” Poly Network wrote on Medium. “Thanks to Mr. White Hat’s cooperation, Poly Network has officially entered the fourth phase of our roadmap ‘Asset Recovery.’ We are in the process of returning full asset control to users as swiftly as possible.”

Poly Network paid the hacker a $500,000 reward in cryptocurrency, officially as a bug bounty for uncovering the cryptography issue. The payment could also be argued to be a reward for doing the right thing and returning the stolen cryptocurrency, however.

The hacker, who is strangely very talkative, left a message on the final transfer, apologizing and promising to return more funds that were originally…

Source…

DirtyMoe Botnet Returns With Undetectable Threat Profile


The malware botnet known as DirtyMoe has been around since at least 2016, but its newest version makes some major changes that put it back in the spotlight. Take a look at how the new version works, what is different about it and how to defend against it.

Back in 2016, NuggetPhantom appeared as its first iteration. NuggetPhantom and several of the threat’s other early samples didn’t work well, however. They tended to be unstable and produced symptoms typical of a compromise.

Fast forward five years, and DirtyMoe is a different malware. Avast analyzed its most recent variants and found that they match other threats in terms of their anti-forensic, anti-debugging and anti-tracking capabilities. On top of this, the DirtyMoe botnet combines a modular structure with a threat profile that is difficult to detect or track.

How the DirtyMoe Botnet Works

DirtyMoe’s attack chain begins with the attackers attempting to gain admin privileges on a target’s Windows machine.

One of their preferred techniques is relying on the PurpleFox exploit kit to abuse EternalBlue, a Windows vulnerability. In spring 2019, researchers discovered a campaign in which digital attackers leveraged the flaw to distribute cryptomining malware.

DirtyMoe’s authors also used infected files and phishing emails. These contained URLs that exploited Internet Explorer flaws as a means of gaining higher privileges. Once they gain admin rights, the attackers can use the Windows MSI installer to deploy DirtyMoe. They used Windows Session Manager to overwrite ‘sens.dll,’ the system file belonging to the Windows System Event Notification service. The compromise enabled the main DirtyMoe botnet service to run at the system level.

Loading that service started a rootkit driver that concealed DirtyMoe’s services, files and registry entries. At the time it was discovered, the malware authors used their creation mostly for cryptojacking. Other researchers found the threat could conduct distributed denial-of-service (DDoS) attacks as well.

All the while, attackers used VMProtect and the malware’s own encryption algorithm to hide what they were doing. They also employed…

Source…

Hacker behind biggest cryptocurrency heist ever returns stolen funds


Hacker behind $600M cryptocurrency heist returning stolen funds

The threat actor who hacked Poly Network’s cross-chain interoperability protocol yesterday to steal over $600 million worth of cryptocurrency assets is now returning the stolen funds.

As the Chinese decentralized finance (DeFi) platform Poly Network shared two hours ago, the hacker has already returned almost $260 million worth of stolen cryptocurrency.

In total, the attacker has transferred back $256 million in Binance Smart Chain (BSC) tokens, $3.3 million in Ethereum tokens, and $1 million in USD Coin (USDC) on the Polygon network.

To send back all the stolen funds, the hacker still has to return another $269 million on Ethereum and $84 million on Polygon.

Motives behind returning the stolen assets unknown

While the threat actor explained the motivation for the hack by embedding Q&A messages in transactions (as Elliptic Chief Scientist and Co-founder Tom Robinson found), the motives behind their decision to give back the stolen cryptocurrency are not yet known.

However, it could have been prompted by blockchain security firm SlowMist’s claims that it traced the attacker’s email address, IP address, and device fingerprint.

SlowMist also discovered that the assets used to fund the attack were Monero (XMR) exchanged to BNB, ETH, MATIC, and other tokens.

In a weird twist of events, Poly Network also urged the hacker to return the cryptocurrency stolen from “thousands of crypto community members” to avoid landing on law enforcement’s radar.

The biggest cryptocurrency hack ever

Following a preliminary investigation of the attack, Poly Network said the threat actor exploited a vulnerability between contract calls that allowed them to gain ownership of funds and transfer them to attacker-controlled wallets:

“This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function,” SlowMist further explained.

“Therefore, the attacker uses this function to pass in carefully constructed data to…

Source…