Exclusive Insights into Phishing, Ransomware, and Global Cyber Crisis

Hi, my fellow malware enthusiast,
The cold weather is back. I went for a run Tuesday. I’m lucky I was well covered or else…🥶 I was surprised to see people running in shorts and t-shirts. What I also love about running is that whenever you see a fellow runner, we always show mutual respect. I’m talking to you like I love running, but believe me, I hate it! 😂 I’m sure you hate it too, right!? Anyway, enough about running, let’s get into today’s newsletter! Enjoy!
What?? No comment about the introduction!? I’m getting better, right? This is the only part where I did not use ChatGPT to help me😂
Phishing Campaigns Target U.S. and Israeli High-Profile Individuals
The Ransomware Collective with Multiple Identities
The New Threat Targeting Azerbaijan and Israel
Africa’s Cybersecurity Crisis Grows with Economic Expansion
Vulnerability in Pixel Devices from Pre-Installed App
ValleyRAT Campaign Exploiting Chinese Enterprises
North Korean Hackers Breach South Korean Spy Plane Data
Cybercriminals Exploit Popular Software Searches
Phishing Campaigns Target U.S. and Israeli High-Profile Individuals

Iran-linked hackers, identified as APT42, have intensified phishing attacks against high-profile individuals in the U.S. and Israel, including those affiliated with U.S. presidential campaigns. Over the past six months, APT42 has targeted former Israeli military officials, diplomats, academics, and political entities. In the U.S., the group has focused on the personal email accounts of individuals connected to President Joe Biden and former President Donald Trump. APT42 employs sophisticated social engineering tactics, often masquerading as legitimate organizations, to engage targets in conversation and eventually compromise their credentials. Despite these efforts, Google's security team has successfully detected and disrupted several of these attacks. Concerns continue to rise over Iran's potential interference in the U.S. election through cyberattacks and influence campaigns.
💡It shouldn’t surprise anyone that Israeli people are being targeted right now…
Cybercriminals are taking advantage of Google search ads to target users with fake Google product pages. They even use Google’s own tools, like Looker Studio, to lock users' browsers and push tech support scams. This sophisticated scheme has left many vulnerable, especially since the attackers cleverly mimic official Google products. As these tactics become more widespread, staying vigilant online is crucial.
Curious about how these scams work? Read more.
The Ransomware Collective with Multiple Identities

Brain Cipher, the group behind a significant ransomware attack on Indonesia's national data center, is part of a larger operation using at least three other names. The June 20 attack caused widespread disruption across Indonesia, affecting over 200 government agencies. Despite an initial $8 million ransom demand, Brain Cipher abandoned it under pressure, releasing a free decryptor.
Researchers have linked Brain Cipher to other ransomware groups like Reborn Ransomware, EstateRansomware, and SenSayQ, indicating that these entities might be operating under multiple identities. This strategy allows the group to target various regions, complicate attribution, and possibly prepare for future exit scams. Their use of different encryptors, including those based on the leaked Lockbit 3.0 builder and Babuk variants, further broadens their impact across multiple systems and environments.
💡Well, it looks like the remnants of Lockbit are still present
👉For more information about this ransomware group, click here
A recent discovery shows that some iPhone apps are abusing iOS push notifications to collect user data without consent. These apps trick users into allowing notifications and then use them to track behavior and gather personal information. This sneaky tactic bypasses Apple's privacy controls, raising concerns about user privacy and data security. If you're curious about how these apps are exploiting your trust, you'll want to dig deeper into this issue.
Find out more here.
The New Threat Targeting Azerbaijan and Israel

A previously unknown threat actor, dubbed Actor240524, has been linked to a series of sophisticated attacks against diplomats in Azerbaijan and Israel. First detected by NSFOCUS on July 1, 2024, this campaign uses spear-phishing emails to deliver malicious Microsoft Word documents. When recipients enable content, a macro activates ABCloader, which decrypts and loads the ABCsync DLL malware.
ABCsync communicates with a remote server to execute commands, exfiltrate data, and perform environment checks to avoid detection. Actor240524's activities suggest a strategic intent to undermine the close economic and political ties between Azerbaijan and Israel, focusing on the theft of sensitive diplomatic information.
💡Actor240524, lacking inspiration for these threat actors…?😂
👉Want to know more? Dive into the blog for the full scoop!
Kaspersky researchers have discovered a "lightweight method" called iShutdown to identify spyware on iPhones, including Pegasus and Predator. By analyzing the Shutdown.log file, which logs system reboots, researchers can detect traces of spyware that prevent normal shutdowns. This log file, stored in a sysdiagnose archive, offers a quicker alternative to traditional forensic techniques and can store entries for years. Kaspersky also developed Python scripts to automate this analysis.
Africa’s Cybersecurity Crisis Grows with Economic Expansion

As Africa's economy rapidly expands, cybercrime is growing just as fast. In 2023, weekly cyberattacks on African businesses surged by 23%, with ransomware and business email compromise (BEC) being the top threats. Despite Africa's GDP expected to reach $4 trillion by 2027, challenges like digital illiteracy, outdated infrastructure, and a lack of cybersecurity professionals are making it difficult to curb economic losses from cybercrime.
South Africa alone loses 2.2 billion Rand (US $123 million) annually due to cybercrime, often due to a lack of awareness among users. Experts stress the need for stronger cybersecurity regulations and regional collaboration to protect the continent’s digital future.
AI could play a key role in boosting cybersecurity, potentially adding US $130 billion to sub-Saharan Africa's economy. However, better data is needed, as current estimates of cybercrime costs are likely overinflated. The actual impact may be closer to 0.3% of Africa's GDP, rather than the exaggerated 10% often cited.
💡I guess it’s time to pack my bags; I’m heading to Africa. They need my help, and I’m sure they will not ask me for 20 years of experience😂
👉For more insights, read the full article.
Vulnerability in Pixel Devices from Pre-Installed App

A significant number of Google's Pixel devices shipped since September 2017 contain a dormant vulnerability stemming from a pre-installed app, "Showcase.apk." This app, developed by Smith Micro for Verizon in-store demos, has excessive system privileges, enabling it to execute remote code and install arbitrary packages.
The issue arises because the app downloads a configuration file over an unencrypted HTTP connection, making it vulnerable to adversary-in-the-middle (AitM) attacks. Although there is no evidence of exploitation in the wild, the app's presence in the firmware makes it a potential risk. Google has announced plans to remove the app from all affected devices in an upcoming update.
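The risk in the paragraph above is not the configuration file itself but that nothing authenticates it: a plaintext HTTP response can be rewritten by anyone on the path, and the app then acts on whatever arrives. The following added example (written for this newsletter, not code from Showcase.apk, Smith Micro or Google) contrasts the weak pattern with a hardened one that authenticates the blob before parsing it and allow-lists the keys it will act on. The key, key names and the tampered payload are constructed placeholders; HMAC is used only because it is in the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed placeholder: a signing key shared between the config server and
# the device. NOT a real key from any product.
SHARED_KEY = b"example-config-signing-key"

# Constructed placeholder: the only keys the app is permitted to act on.
ALLOWED_KEYS = {"demo_mode", "refresh_seconds"}


class ConfigRejected(Exception):
    """Raised when a configuration blob fails authentication or validation."""


def sign_config(config_bytes: bytes, key: bytes = SHARED_KEY) -> str:
    """Server side: produce the tag the client will verify over the exact bytes sent."""
    return hmac.new(key, config_bytes, hashlib.sha256).hexdigest()


def load_config_unsafe(config_bytes: bytes) -> dict:
    """Weak pattern: trust whatever arrived over the network.
    Whoever can rewrite the HTTP response controls every setting."""
    return json.loads(config_bytes)


def load_config_verified(config_bytes: bytes, tag: str, key: bytes = SHARED_KEY) -> dict:
    """Hardened pattern: authenticate first (constant-time compare), parse second,
    then reject any key the app was never designed to honour."""
    expected = hmac.new(key, config_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ConfigRejected("tag mismatch: config was modified or did not come from the expected source")
    cfg = json.loads(config_bytes)
    unexpected = set(cfg) - ALLOWED_KEYS
    if unexpected:
        raise ConfigRejected(f"unexpected config keys: {sorted(unexpected)}")
    return cfg


def demo() -> dict:
    """Run both loaders against a genuine blob and a constructed on-path modification."""
    genuine = json.dumps({"demo_mode": True, "refresh_seconds": 300}).encode()
    tag = sign_config(genuine)
    # Constructed tamper: an extra key that an unauthenticated client would act on.
    tampered = json.dumps({"demo_mode": True, "refresh_seconds": 300,
                           "install_package_url": "http://attacker.invalid/x.apk"}).encode()
    results = {
        "unsafe_accepts_tampered": "install_package_url" in load_config_unsafe(tampered),
        "verified_accepts_genuine": load_config_verified(genuine, tag)["refresh_seconds"],
    }
    try:
        load_config_verified(tampered, tag)
        results["verified_rejects_tampered"] = False
    except ConfigRejected:
        results["verified_rejects_tampered"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two design notes: a shared HMAC key embedded in an app can be extracted from the package, so a real deployment would sign with an asymmetric key and ship only the public half on the device; and authentication of the blob complements, rather than replaces, moving the download itself to HTTPS with certificate validation.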
💡I have an iPhone, so this does not concern me, but just for you I’ll leave this section here😂
Monobank, a popular Ukrainian online bank, recently faced an unprecedented DDoS attack, peaking at 7.5 billion requests per second. The attack, which lasted from Friday evening to Monday morning, specifically targeted a service used to raise military donations. Despite the scale, Monobank's operations remained unaffected thanks to collaboration with Ukraine’s security services and Amazon Web Services. Curious about the details and potential implications?
Read more for the full story.
ValleyRAT Campaign Exploiting Chinese Enterprises

FortiGuard Labs has identified an ongoing ValleyRAT malware campaign targeting Chinese speakers, focusing on industries such as e-commerce, finance, and management. ValleyRAT is a multi-stage malware known for its use of shellcode to execute components directly in memory, minimizing its footprint on the victim's system.
The malware disguises itself as legitimate applications, often using financial document names to lure victims. Once executed, it ensures only one instance runs, removes certain registry entries, and stores its Command and Control (C2) server details in the registry. It also employs sandbox evasion techniques by checking for virtual machine-related services and using sleep obfuscation to evade detection.
The malware utilizes shellcode for reflective DLL loading, decrypting it using AES-256 and further obfuscating it with the BKDR hashing algorithm. The beaconing module, responsible for persistence and loading additional components, ensures that the malware gains administrator privileges and avoids detection by disabling AV-related processes.
ValleyRAT persists by adding a scheduled task and abusing the auto-elevate properties of legitimate Windows applications to run with high privileges without triggering UAC prompts.
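The behaviours described above (storing C2 details in the registry, creating a scheduled task, and launching an auto-elevating Windows binary) are each unremarkable on their own but rarely occur together from one process launched out of a user's download directory. The following added example, written for this newsletter and not taken from FortiGuard's report, correlates those indicators per process over a constructed batch of Sysmon-like events. The event shape, paths, registry key and the auto-elevate watchlist entry are all made up; the real Sysmon IDs 1 (process create) and 13 (registry value set) and Security event 4698 (scheduled task created) are the fields a production version would map to.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
# event_id 1 = process create, 13 = registry value set (real Sysmon IDs);
# "task_created" stands in for Windows Security event 4698.
# All paths, names and values below are made up for the example.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4100, "image": "C:\\Users\\u\\Downloads\\invoice_2024.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event_id": 13, "pid": 4100, "image": "C:\\Users\\u\\Downloads\\invoice_2024.exe",
     "target": "HKCU\\Software\\Console0\\Server"},
    {"event_id": "task_created", "pid": 4100, "image": "C:\\Users\\u\\Downloads\\invoice_2024.exe",
     "task_name": "\\UpdateCheck"},
    {"event_id": 1, "pid": 4120, "image": "C:\\Windows\\System32\\ExampleAutoElevate.exe",
     "parent_pid": 4100, "parent_image": "C:\\Users\\u\\Downloads\\invoice_2024.exe"},
    # Benign: an installed application writing its own settings key and nothing else.
    {"event_id": 1, "pid": 5000, "image": "C:\\Program Files\\App\\app.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event_id": 13, "pid": 5000, "image": "C:\\Program Files\\App\\app.exe",
     "target": "HKCU\\Software\\App\\LastRun"},
]

# Directories from which registry writes are considered expected.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Placeholder entry: populate from your own inventory of auto-elevating binaries.
AUTO_ELEVATE_WATCHLIST = {"exampleautoelevate.exe"}


def _from_trusted_dir(image: str) -> bool:
    return image.lower().startswith(TRUSTED_DIRS)


def correlate(events, min_indicators: int = 2) -> dict:
    """Collect indicators per originating pid; return only pids that reach the threshold.

    A child process launch is credited to its parent, because the suspicious
    party is the process that spawned the auto-elevating binary, not the binary.
    """
    indicators = defaultdict(set)
    for ev in events:
        eid = ev["event_id"]
        if eid == 13 and not _from_trusted_dir(ev["image"]) \
                and ev["target"].upper().startswith("HKCU\\SOFTWARE\\"):
            indicators[ev["pid"]].add("registry_write_from_untrusted_path")
        elif eid == "task_created":
            indicators[ev["pid"]].add("scheduled_task_created")
        elif eid == 1 and "parent_pid" in ev \
                and ntpath.basename(ev["image"]).lower() in AUTO_ELEVATE_WATCHLIST:
            indicators[ev["parent_pid"]].add("spawned_auto_elevate_binary")
    return {pid: sorted(inds) for pid, inds in indicators.items() if len(inds) >= min_indicators}


if __name__ == "__main__":
    for pid, reasons in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

The threshold of two indicators is what keeps the benign installed application (one registry write, nothing else) out of the results; tune it and the trusted-directory list to your own environment's baseline.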
👉For additional intel on it, read here.
Kaspersky's Q2 2024 APT Summary: Key Findings

Sophos analysts recently uncovered a new EDR-disabling tool named EDRKillShifter, used by a criminal group during an attempted ransomware attack involving the RansomHub ransomware. Although the attack was ultimately unsuccessful, the analysis revealed the emergence of this sophisticated tool designed to terminate endpoint protection software.
Since 2022, there's been a rise in malware targeting Endpoint Detection and Response (EDR) systems as organizations increasingly rely on these tools for endpoint security. EDRKillShifter represents an evolution in this trend, following in the footsteps of similar tools like AuKill, which was previously identified by Sophos X-Ops.
How EDRKillShifter Works:
Loader Executable: EDRKillShifter functions as a "loader," delivering a legitimate but vulnerable driver, often referred to as a Bring Your Own Vulnerable Driver (BYOVD) tool. This allows attackers to bypass EDR protections.
Execution Process: The tool is executed with a command line that includes a password string. Upon receiving the correct password, it decrypts an embedded resource (named BIN) and executes it in memory.
Final Payload: The BIN code then unpacks and executes a final payload written in Go, which drops and exploits various vulnerable drivers. This process grants the attacker the necessary privileges to disable the EDR system's protections.
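The defensive lesson of the three steps above is that the driver the loader brings is legitimately signed, so a signature check alone will pass it; what catches it is a hash blocklist and the fact that kernel drivers do not normally load from user-writable directories. The following added example, written for this newsletter and not Sophos code, applies both checks to a constructed driver inventory of the kind you would get from your EDR's kernel-module view or from `driverquery` on the host. The blocklist hashes are digests of made-up bytes; in practice you would populate the set from the Microsoft recommended driver block rules or a similar feed.

```python
import hashlib
import ntpath

# Constructed blocklist: SHA-256 of made-up bytes, standing in for entries you
# would import from a vulnerable-driver feed.
BLOCKED_SHA256 = {
    hashlib.sha256(b"constructed vulnerable driver build 1").hexdigest(),
    hashlib.sha256(b"constructed vulnerable driver build 2").hexdigest(),
}

# Directories from which a legitimately installed kernel driver is not expected to load.
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Constructed driver inventory. Every path, signer and hash here is made up.
SAMPLE_DRIVERS = [
    {"path": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "sha256": hashlib.sha256(b"constructed ndis").hexdigest(),
     "signer": "Microsoft Windows", "valid_signature": True},
    {"path": "C:\\Users\\u\\AppData\\Local\\Temp\\vendor_tool.sys",
     "sha256": hashlib.sha256(b"constructed vulnerable driver build 1").hexdigest(),
     "signer": "Example Vendor Ltd", "valid_signature": True},
    {"path": "C:\\Windows\\System32\\drivers\\legit_vendor.sys",
     "sha256": hashlib.sha256(b"constructed legit vendor").hexdigest(),
     "signer": "Example Vendor Ltd", "valid_signature": True},
]


def assess_drivers(drivers) -> list:
    """Return one finding per driver that is on the blocklist or loaded from a
    user-writable location. The signature status is carried along so the
    analyst can see that a blocked driver may still be validly signed."""
    findings = []
    for d in drivers:
        reasons = []
        if d["sha256"] in BLOCKED_SHA256:
            reasons.append("hash_on_blocklist")
        if d["path"].lower().startswith(SUSPICIOUS_DIRS):
            reasons.append("loaded_from_user_writable_path")
        if reasons:
            findings.append({
                "driver": ntpath.basename(d["path"]),
                "signer": d["signer"],
                "valid_signature": d["valid_signature"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in assess_drivers(SAMPLE_DRIVERS):
        print(f"{f['driver']} (signed={f['valid_signature']}, {f['signer']}): {', '.join(f['reasons'])}")
```

The path heuristic matters because a blocklist is always behind the newest abused driver; a validly signed driver appearing from a temp directory is worth an alert even before its hash is known.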
During the incident in May, the attackers attempted to use EDRKillShifter to disable Sophos protection on a targeted system, but the tool failed. Subsequently, their attempt to run the RansomHub ransomware also failed when the endpoint agent's CryptoGuard feature was triggered, preventing the ransomware from executing.
This discovery highlights the increasing sophistication of tools designed to counteract EDR systems and underscores the importance of robust security measures to protect against evolving threats.
👉Want to know more? You can read about it here!
North Korean Hackers Breach South Korean Spy Plane Data

In a daring cyber-espionage operation, North Korean hackers have infiltrated South Korea's defense systems, stealing critical technical data related to a spy plane. This breach highlights the escalating cyber conflict between the two nations, as DPRK hackers continue to target South Korea’s military infrastructure. The stolen data could potentially compromise South Korea's intelligence capabilities, raising concerns about national security and the growing sophistication of North Korean cyber-attacks.
💡North Korea, South Korea, what is the difference? One has Kim Jong-un….
👉Curious about the implications? Read more.
Malwarebytes' latest report highlights a shift in ransomware trends, showing an increase in double extortion schemes where attackers encrypt and exfiltrate data. This has led to more aggressive ransom demands and a rise in ransomware-as-a-service (RaaS), making sophisticated attacks accessible to less-skilled cybercriminals. The report also notes a focus on critical infrastructure and supply chain attacks, posing severe risks to global operations.
For a deeper dive into these evolving threats, read the full article here.
Cybercriminals Exploit Popular Software Searches

Cybersecurity researchers have identified a troubling rise in malware infections originating from malvertising campaigns distributing a loader called FakeBat. This malware, also known as EugenLoader and PaykLoader, targets users searching for popular software like Brave, Zoom, and KeePass by redirecting them to fake websites that host trojanized installers. Once downloaded, FakeBat executes malicious scripts that install secondary payloads, including notorious malware like IcedID and Carbanak. The attackers, linked to a group known as UNC4536, are using this method to deliver Malware-as-a-Service (MaaS) operations, posing a significant threat to anyone downloading software from unverified sources.
The sophisticated attack leverages drive-by downloads and exploits users' trust in well-known software, making it difficult to detect. FakeBat not only gathers critical system information but also ensures persistence by creating shortcuts in the system’s StartUp folder. This campaign highlights the importance of downloading software from official sites and remaining vigilant to avoid falling victim to such deceptive tactics.
👉For more details, visit The Hacker News.
✉️ Wrapping Up
In the world of malware, understanding is key. As we delve into these threats together, remember that knowledge and vigilance are our best allies.
If you find this newsletter helpful and know others who might benefit from it, I'd be grateful if you could pass it along. 🙏
Until next time, stay informed and keep your defenses sharp. Here’s to staying one step ahead.
Thanks for reading!