Cybercrime – INDIA NEWS (http://www.indiavpn.org)

Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia
http://www.indiavpn.org/2024/04/01/indian-government-rescues-250-citizens-forced-into-cybercrime-in-cambodia/

Apr 01, 2024 | Newsroom | Cryptocurrency / Financial Fraud


The Indian government said it has rescued and repatriated about 250 citizens in Cambodia who were held captive and coerced into running cyber scams.

The Indian nationals “were lured with employment opportunities to that country but were forced to undertake illegal cyber work,” the Ministry of External Affairs (MEA) said in a statement, adding it had rescued 75 people in the past three months.

It also said it’s working “with Cambodian authorities and with agencies in India to crack down on those responsible for these fraudulent schemes.”

The development comes in the wake of a report from the Indian Express that said more than 5,000 Indians stuck in Cambodia were forced into “cyber slavery” by organized crime rackets to scam people in India and extort money by masquerading as law enforcement authorities in some cases.


The report also tracks with an earlier disclosure from INTERPOL, which characterized the situation as human trafficking-fuelled fraud on an industrial scale.

This included an accountant from the state of Telangana, who was “lured to Southeast Asia where he was forced to participate in online fraud schemes in inhuman conditions.” He was subsequently let go after paying a ransom.

In another instance highlighted by the Indian Express, one of the rescued men was recruited by an agent from the south Indian city of Mangaluru for a data entry job, only to be asked to create fake social media accounts with photographs of women and use them to contact people.

“We had targets and if we didn’t meet those, they would not give us food or allow us into our rooms,” the individual, identified only as Stephen, was quoted as saying.

China and the Philippines have undertaken similar efforts to free hundreds of Filipinos, Chinese, and other foreign nationals who were entrapped and forced into criminal activity, running what are known as pig butchering scams.

These schemes typically start with the scammer adopting a bogus identity to lure prospective victims into investing in non-existing crypto businesses that are designed to steal their funds. The fraudsters are known to gain their target’s trust under the illusion of a romantic relationship.

In a report published in February 2024, Chainalysis said the cryptocurrency wallets associated with one of the pig butchering gangs operating out of Myanmar have recorded close to $100 million in crypto inflows, some of which is also estimated to include the ransom payments made by the families of trafficked workers.

“The brutal conditions trafficking victims face on the compounds also lend additional urgency to solving the problem of romance scamming — not only are consumers being bilked out of hundreds of millions of dollars each year, but the gangs behind those scams are also perpetuating a humanitarian crisis,” the blockchain analytics firm said.


News of the rescue efforts also follows research from Check Point showing that threat actors are exploiting a function in Ethereum called CREATE2 to bypass security measures and gain unauthorized access to funds. Details of the scam were previously disclosed by Scam Sniffer in November 2023.

The crux of the technique is the use of CREATE2 to generate a new “temporary” wallet address that has no history of being reported for criminal activity. Because the address is clean, it is not caught by protections that flag known-malicious addresses, so once the victim approves the contract the threat actors can move the illicit transactions to it unimpeded.

“The attack method involves tricking users into approving transactions for smart contracts that haven’t been deployed yet, allowing cyber criminals to later deploy malicious contracts and steal cryptocurrencies,” the Israeli company said.

RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage
http://www.indiavpn.org/2024/03/14/redcurl-cybercrime-group-abuses-windows-pca-tool-for-corporate-espionage/

Mar 14, 2024 | Newsroom | Cyber Espionage / Malware


The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands.

“The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs,” Trend Micro said in an analysis published this month.

“Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities.”


RedCurl, which is also called Earth Kapre and Red Wolf, has been active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.

In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information.

The attack chain examined by Trend Micro uses phishing emails carrying malicious attachments (.ISO and .IMG files) to kick off a multi-stage process. It begins with cmd.exe downloading a legitimate utility called curl from a remote server; curl then acts as the channel through which a loader (ms.dll or ps.dll) is delivered.

The malicious DLL file, in turn, leverages PCA to spawn a downloader process that establishes a connection with the same domain curl used to fetch the loader.

The attack also uses the Impacket open-source software for unauthorized command execution.

The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.

“This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries,” Trend Micro said.


“The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its dedication to evading detection within targeted networks.”

The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun employing a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.

Pelmeni – which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS – is loaded by means of DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.

Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree
http://www.indiavpn.org/2024/01/26/russian-trickbot-mastermind-gets-5-year-prison-sentence-for-cybercrime-spree/

Jan 26, 2024 | Newsroom | Cyber Crime / Malware


Vladimir Dunaev, a 40-year-old Russian national, has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.

The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

“Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses,” DoJ said. “While active, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants.”

Originating as a banking trojan in 2016, TrickBot evolved into a Swiss Army knife capable of delivering additional payloads, including ransomware. Following efforts to take down the botnet, it was absorbed into the Conti ransomware operation in 2022.


The cybercrime crew’s allegiance to Russia during the Russo-Ukrainian war led to a series of leaks dubbed ContiLeaks and TrickLeaks, which precipitated its shutdown in mid-2022, resulting in its fragmentation into numerous other ransomware and data extortion groups.

Dunaev is said to have provided specialized services and technical abilities to further the TrickBot scheme between June 2016 and June 2021, using it to deliver ransomware against hospitals, schools, and businesses.

Specifically, the defendant developed browser modifications and malicious tools that made it possible to harvest credentials and sensitive data from compromised machines as well as enable remote access. He also created programs to prevent the Trickbot malware from being detected by legitimate security software.

Another TrickBot developer, a Latvian national named Alla Witte, was sentenced to two years and eight months in prison in June 2023.

News of Dunaev’s sentencing comes days after governments from Australia, the U.K., and the U.S. imposed financial sanctions on Alexander Ermakov, a Russian national and an affiliate for the REvil ransomware gang, for orchestrating the 2022 attack against health insurance provider Medibank.

Cybersecurity firm Intel 471 said Ermakov went by various online aliases such as blade_runner, GustaveDore, JimJones, aiiis_ermak, GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.


As JimJones, he has also been observed attempting to recruit unethical penetration testers who would supply login credentials for vulnerable organizations for follow-on ransomware attacks in exchange for $500 per access and a 5% cut of the ransom proceeds.

“These identifiers are linked to a wide range of cybercriminal activity, including network intrusions, malware development, and ransomware attacks,” the company said, offering insights into his cybercrime history.

“Ermakov had a robust presence on cybercriminal forums and an active role in the cybercrime-as-a-service economy, both as a buyer and provider and also as a ransomware operator and affiliate. It also appears that Ermakov was involved with a software development company that specialized in both legitimate and criminal software development.”

VexTrio: The Uber of Cybercrime
http://www.indiavpn.org/2024/01/23/vextrio-the-uber-of-cybercrime/
Tue, 23 Jan 2024


The threat actors behind ClearFake, SocGholish, and dozens of others have established partnerships with another entity known as VexTrio as part of a massive “criminal affiliate program,” new findings from Infoblox reveal.

The latest development demonstrates the “breadth of their activities and depth of their connections within the cybercrime industry,” the company said, describing VexTrio as the “single largest malicious traffic broker described in security literature.”

VexTrio, which is believed to have been active since at least 2017, has been attributed to malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content.

This also includes a 2022 activity cluster that distributed the Glupteba malware following an earlier attempt by Google to take down a significant chunk of its infrastructure in December 2021.

In August 2023, the group orchestrated a widespread attack involving compromised WordPress websites that conditionally redirect visitors to intermediary command-and-control (C2) and DDGA domains.

What made the infections significant was the fact that the threat actor leveraged the Domain Name System (DNS) protocol to retrieve the redirect URLs, effectively acting as a DNS-based traffic distribution (or delivery or direction) system (TDS).


VexTrio is estimated to operate a network of more than 70,000 known domains, brokering traffic for as many as 60 affiliates, including ClearFake, SocGholish, and TikTok Refresh.

“VexTrio operates their affiliate program in a unique way, providing a small number of dedicated servers to each affiliate,” Infoblox said in a deep-dive report shared with The Hacker News. “VexTrio’s affiliate relationships appear longstanding.”


Not only can its attack chains include multiple actors, VexTrio also controls multiple TDS networks that route site visitors to illegitimate content based on their profile attributes (e.g., geolocation, browser cookies, and browser language settings) in order to maximize profits, while filtering out the rest.

These attacks feature infrastructure owned by different parties wherein participating affiliates forward traffic originating from their own resources (e.g., compromised websites) to VexTrio-controlled TDS servers. In the next phase, this traffic is relayed to other fraudulent sites or malicious affiliate networks.

“VexTrio’s network uses a TDS to consume web traffic from other cybercriminals, as well as sell that traffic to its own customers,” the researchers said. “VexTrio’s TDS is a large and sophisticated cluster server that leverages tens of thousands of domains to manage all of the network traffic passing through it.”


The VexTrio-operated TDS comes in two flavors: one based on HTTP that handles URL queries with different parameters, and another based on DNS, the latter of which was first put to use in July 2023.

It’s worth noting at this stage that while SocGholish (aka FakeUpdates) is a VexTrio affiliate, it also operates other TDS servers, such as Keitaro and Parrot TDS, with the latter acting as a mechanism for redirecting web traffic to SocGholish infrastructure.

According to Palo Alto Networks Unit 42, Parrot TDS has been active since October 2021, although there is evidence to suggest that it may have been around as early as August 2019.

“Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server,” the company noted in an analysis last week. “This injected script consists of two components: an initial landing script that profiles the victim, and a payload script that can direct the victim’s browser to a malicious location or piece of content.”


The injections, in turn, are facilitated by the exploitation of known security vulnerabilities in content management systems (CMS) such as WordPress and Joomla!

The attack vectors adopted by the VexTrio affiliate network for gathering victim traffic are no different, in that they primarily single out websites running a vulnerable version of the WordPress software to insert rogue JavaScript into their HTML pages.

In one instance identified by Infoblox, a compromised website based in South Africa was found to be injected with JavaScript from ClearFake, SocGholish, and VexTrio.

That’s not all. Besides contributing web traffic to numerous cyber campaigns, VexTrio is also suspected to carry out some of its own, making money by abusing referral programs and receiving web traffic from an affiliate and then reselling that traffic to a downstream threat actor.

“VexTrio’s advanced business model facilitates partnerships with other actors and creates a sustainable and resilient ecosystem that is extremely difficult to destroy,” Infoblox concluded.

“Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years.”
