Tag Archive for: spreading

Ransomware associated with LockBit still spreading 2 days after server takedown



Two days after an international team of authorities struck a major blow at LockBit, one of the Internet’s most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by ConnectWise. According to researchers at two security firms, Sophos X-Ops and Huntress, attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploitation malware. It wasn’t immediately clear whether the ransomware was the official LockBit version.

“We can’t publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown,” John Hammond, principal security researcher at Huntress, wrote in an email. “While we can’t attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Hammond said the ransomware is being deployed to “vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).”

Muddying the attribution waters

Sophos X-Ops and Huntress didn’t say whether the ransomware being installed is the official LockBit version or a version built from the builder leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren’t part of the official operation.

“When builds are leaked, it can also muddy the waters with regards to attribution,” researchers from security firm Trend Micro said Thursday. “For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon,…


Remcos RAT Spreading Through Adult Games in New Attack Wave


Jan 16, 2024 | Newsroom | Botnet / Malware


The remote access trojan (RAT) known as Remcos RAT has been found propagating via webhards in South Korea, disguised as adult-themed games.

WebHard, short for web hard drive, is a popular online file storage system used to upload, download, and share files in the country.

While webhards have been used in the past to deliver njRAT, UDP RAT, and DDoS botnet malware, the AhnLab Security Emergency Response Center’s (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT.


In these attacks, users are tricked into opening booby-trapped files that are passed off as adult games; when launched, the files execute malicious Visual Basic scripts in order to run an intermediate binary named “ffmpeg.exe.”

This results in the retrieval of Remcos RAT from an actor-controlled server.


A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enabling threat actors to exfiltrate sensitive data.

This malware, although originally marketed by Germany-based firm Breaking Security in 2016 as a bona fide remote administration tool, has metamorphosed into a potent weapon wielded by adversaries to infiltrate systems and establish unfettered control.


“Remcos RAT has evolved into a malicious tool employed by threat actors across various campaigns,” Cyfirma noted in an analysis in August 2023.

“The malware’s multifunctional capabilities, including keylogging, audio recording, screenshot capture, and more, highlight its potential to compromise user privacy, exfiltrate sensitive data, and manipulate systems. The RAT’s ability to disable User Account Control (UAC) and establish persistence further amplifies its potential impact.”



Phantom Hackers Threat Spreading Across U.S.


(TNS) — A growing nationwide scam could target your grandparents, the FBI warns.

“Phantom hacker” scams are on the rise and are disproportionately affecting older people, according to a Sept. 29 FBI public service announcement. It’s an “evolution of more general tech support scams,” federal officials say, as these “phantom hackers” claim to be technology support, bank staff and government officials in order to gain the trust of those they’re scamming.

The three-step scam can result in people losing their “entire banking, savings, retirement, or investment accounts,” officials say, all while the scammers are convincing them to “protect” their assets.


In the first half of 2023, 19,000 complaints were filed with the FBI Internet Crime Complaint Center, according to the release. The estimated loss from the reported scams totaled over $542 million.

Around 66% of total losses were from people over 60 years old, officials say.

FBI offices in San Francisco and Cleveland also sent out specific advisories for their regions about the “phantom hacker” scam.

“These scammers are cold and calculated. They are targeting older members of our community who are particularly mindful of potential risks to their nest eggs. The criminals are using the victims’ own attentiveness against them,” FBI special agent in charge John S. Morales said in the San Francisco release.

‘Phantom hackers’ and their 3-step approach

The FBI breaks down the “phantom hacker” scam into three phases.

The first phase starts with a “tech support imposter,” officials say. The scammer typically reaches out by phone, text message or email, posing as someone who works at a legitimate business. They tell the person that they’re looking to assist them, and eventually persuade the victim to download software onto their personal computer that gives the scammer remote access to the device.

Then, the scammer lies and tells the person they’ve detected a virus on the computer and instructs the person to open up their financial accounts to ensure no one has taken money out illegitimately, officials say.

After targeting a specific…
