
Ransomware Mastermind Uncovered After Oversharing on Dark Web


When researchers responded to an ad to join up with a ransomware-as-a-service (RaaS) operation, they wound up in a cybercriminal job interview with one of the most active threat actors in the affiliate business, who turns out to be behind at least five different strains of ransomware.

Meet “farnetwork,” who was unmasked after giving over too many specifics to a Group-IB threat researcher pretending to be a potential affiliate for the Nokoyawa ransomware group. The cybercriminal is also known by aliases including jingo, jsworm, razvrat, piparuka, and farnetworkit, the team learned.

After the undercover researcher was able to demonstrate they could execute privilege escalation, use ransomware to encrypt files, and ultimately demand cash for an encryption key, farnetwork was ready to talk details.

During the course of their correspondence, the Group-IB researcher learned farnetwork already had a foothold in various enterprise networks and just needed someone to take the next step — i.e., to deploy the ransomware and collect the money. The deal would work like this, Group-IB’s team learned: the Nokoyawa affiliate would get 65% of the extortion money, the botnet owner 20%, and the ransomware owner 15%.

But Nokoyawa was just the latest ransomware operation farnetwork was running, Group-IB explained in its latest report. The threat actor ultimately gave up enough details for the team to trace farnetwork’s ransomware activities as far back as 2019.

Farnetwork bragged to the researchers about past operations with Nefilim and Karma ransomware, as well as being on the receiving end of ransomware payments as high as $1 million. The crook also mentioned past work with Hive and Nemty.

[Image: A ransom note. Source: Group-IB]

That was enough information for the Group-IB team to piece together a prolific ransomware resume in farnetwork’s past.

From 2019 to 2021, Group-IB said farnetwork was behind ransomware strains JSWORM, Karma, Nemty, and Nefilim. Nefilim’s RaaS program alone accounted for more than 40 victims, the report added.

By 2022, farnetwork found a home with the Nokoyawa operation, and by last February, was actively recruiting affiliates to the program.

“Based on the timeline of their operations,…


Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data


Jun 29, 2023 | Ravie Lakshmanan | Cyber Threat / Hacking

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name “CMK Правила оформления больничных листов.pdf.exe,” which translates to “CMK Rules for issuing sick leaves.pdf.exe.”

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, and had relatively few features compared with later samples.

The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, registered usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.


A notable trait of the malware is that it uses the string “3rd_eye” to beacon its presence to the C2 server.

There are no signs to suggest that ThirdEye has been utilized in the wild. That said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it’s likely that the malicious activity is aimed at Russian-speaking organizations.

“While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks,” Fortinet researchers said, adding the collected data is “valuable for understanding and narrowing down potential targets.”

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.

“The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim’s system performance, and…


XE Group hacking operation uncovered



Suspected Vietnamese hacking operation XE Group, also known as XeThanh, which has been targeting healthcare organizations, government agencies, and construction firms since at least 2013, had one of …


Researchers Uncovered C2 Infrastructure Used by Malware Ursnif



Bridewell’s Cyber Threat Intelligence (CTI) team has discovered previously undetected Ursnif infrastructure used in 2023 campaigns, suggesting that the malware operators have not yet utilized this highly elusive infrastructure.

Ursnif Banking Malware

Ursnif, originally a banking trojan also known as Gozi, has evolved into a ransomware and data exfiltration facilitator, with its latest variant, LDR4, being identified by Mandiant in June 2022, joining the ranks of malware like:-

In January 2023, a DFIR report highlighted a campaign involving the Ursnif backdoor, followed by Cobalt Strike deployment and subsequent data exfiltration, with the threat actor also making use of the legitimate RMM tools Atera and Splashtop.

The Ursnif backdoor was delivered via a phishing email carrying a malicious ISO file. In March 2023, eSentire documented a Google Ads campaign using BatLoader to drop various second-stage payloads, such as Redline and Ursnif, disguised as legitimate tools, followed by Cobalt Strike deployment for further intrusion activity in enterprise environments.

Ursnif Infrastructure Uncovered

In the pursuit of new Ursnif IP addresses, researchers examined recently published ones. They discovered distinctive characteristics in the associated SSL certificates, which gave them a way to hunt for further such addresses in the wild.

By leveraging these identifiable features and additional criteria, the researchers pinpointed 72 additional servers of interest matching their newly developed Ursnif hunting rule, which in turn allowed them to determine the geographical hosting locations and hosting providers associated with these servers.

[Image: the hosting providers identified in the report]

Of the 23 Ursnif C2 servers observed communicating with Ursnif files, six have yet to be reported or detected by security vendors, even though the researchers’ analysis confirmed their existence.

The report lists those six C2 servers that the researchers identified.


After analysis, it was found that approximately 30%…
