Tag Archive for: Sends

Lapsus$ gang sends a worrying message to would-be criminals • The Register
Analysis The Lapsus$ cyber-crime gang, believed to be based in Brazil, until recently was best known for attacks on that country’s Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.

However, the gang is climbing up the ladder, swinging at larger targets in the tech industry. Over the past few weeks, those have included Nvidia, Samsung, and Argentine online marketplace operator Mercado Libre. Now, Lapsus$ is suspected of attacking game developer Ubisoft.

Lapsus$ in February compromised Nvidia, stealing a terabyte of data that included proprietary information and employee credentials, and dumping some of the data online. The crew also demanded the GPU giant remove limits on crypto-coin mining from its graphics cards, and open-source its drivers.

Days later, the group broke into Samsung, hoping to unlock the secrets of its TrustZone secure environment, and eventually leaked almost 200GB of data, including algorithms related to its biometric technologies, source code for bootloaders, activation servers, and authentication for Samsung accounts, and source code given to chip-designing partner Qualcomm.

Ubisoft, whose games include Assassin’s Creed, Prince of Persia and Watch Dogs, last week said in a brief statement it had “experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services. Our IT teams are working with leading external experts to investigate the issue.”

The development house added that all of its games and services were operating as normal despite the attack. The online criminals have reportedly claimed the disruption was their work.

Growing pains

The attacks on Nvidia, Samsung, and seemingly Ubisoft represent a sharp upward turn in terms of the size of Lapsus$’s targets.

Cybersecurity experts describe a still-maturing cybercriminal group that is testing its capabilities with a range of different attack methods – from data…

New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin

A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency.

MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems.

Chief among its methods for evading detection and staying under the radar are a 14-day delay before it first contacts its command-and-control servers and the ability to execute malicious binaries directly from memory.

MyloBot also leverages a technique called process hollowing, wherein the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses. This is achieved by unmapping the memory allocated to the live process and replacing it with the arbitrary code to be executed, in this case a decoded resource file.

“The second stage executable then creates a new folder under C:\ProgramData,” Minerva Labs researcher Natalie Zargarov said in a report. “It looks for svchost.exe under a system directory and executes it in suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”


APC injection, similar to process hollowing, is also a process injection technique that enables the insertion of malicious code into an existing victim process via the asynchronous procedure call (APC) queue.


The next phase of the infection involves establishing persistence on the compromised host, using the foothold as a stepping stone to establish communications with a remote server to fetch and execute a payload that, in turn, decodes and runs the final-stage malware.

This malware is designed to abuse the endpoint to send extortion messages alluding to the recipients’ online behaviors, such as visiting porn sites, and threatening to leak a video that was allegedly recorded by breaking into their computers’ webcam.

Minerva Labs’ analysis of the malware also reveals its ability to download additional files, suggesting that the threat actor left behind a backdoor for carrying out further…


A $320 Million Crypto Hack Sends the DeFi World Reeling
This week WIRED broke the news that a lone US hacker had spent the last two weeks intermittently taking down North Korea’s internet. Yes, the entire country’s. The hacker, who goes by the handle P4x, says that he launched the campaign as retaliation for the Hermit Kingdom’s hacks of Western security researchers last year. Frustrated by the lack of US response, he took it upon himself to send a message.

In another exclusive, we published internal messages from Trickbot, the notorious Russian cybercrime gang, that sheds new light on the group’s organizational structure. The exchanges, several of which took place amid a sustained ransomware assault against hundreds of US hospitals, also bring Trickbot’s ruthlessness, ambition, and sense of impunity into sharp focus.

Over in China, the Winter Olympics start this week, meaning you can indulge in your quadrennial biathlon obsession. Multiple countries have warned their athletes to bring burner phones to the games in light of the host country’s record of aggressive surveillance; participants have also been informed that speaking out against China’s human rights abuses against the Uyghur population could spark retaliation.

We also took a look at how concerned you should really be about the kernel-level anti-cheat systems that game developers have increasingly turned to. And in 2022, expect more cyberattacks to have real-world consequences, a troubling inevitability as criminal groups become ever more aggressive.

And there’s more! Each week, we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

Decentralized finance systems promise to do away with the intermediaries that slow down or complicate transactions. A major hack of a major DeFi protocol this week, though, underscores that the future of money comes with its own set of risks. Attackers targeting Wormhole, which offers a bridge between the Solana and Ethereum blockchains for cross-chain transactions, made off with $320 million in various cryptocurrencies. It’s the second-biggest known DeFi theft of all time, after a hacker stole $610 million from Poly Network, only to return the bulk of it eventually. There’s no sign that…


Android app joins the dark side, sends malware update to millions
Google has removed a popular Android barcode scanner app with over 10 million installs from the Play Store after researchers found that it turned malicious following a December 2020 update.

After lying dormant for years, the previously legitimate Barcode Scanner app developed by LAVABIRD LTD self-updated and took over the users’ devices using malicious code now tagged by security vendors as trojan malware.

The malicious behavior experienced by its millions of users included seeing their default browser launching without any user interaction and displaying ads that promoted other, potentially malicious, Android apps.

“Many of the patrons had the app installed on their mobile devices for long periods of time (one user had it installed for several years),” Malwarebytes malware researcher Nathan Collier said.

“Then all of a sudden, after an update in December, Barcode Scanner had gone from an innocent scanner to full on malware!”

LAVABIRD Barcode Scanner (image: Malwarebytes)

Even though this wouldn’t be the first time malicious code has been found in Android apps, such incidents usually involve third-party software development kits (SDKs) that free app versions bundle to display ads for monetization.

However, in this case, the obfuscated and signed malicious code was bundled with the app and installed on the devices of more than 10 million users in one fell swoop.

“To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions,” Collier added.

“Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.”

Google removed LAVABIRD’s Barcode Scanner app from the Play Store after receiving Malwarebytes’ disclosure in December.

Despite this, millions of other devices might still be affected and displaying unwanted ads to their unwitting users.

A LAVABIRD spokesperson was not immediately available when contacted by BleepingComputer earlier today for comment.