A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale.

“Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries,” Netcraft said.

Darcula has been employed in several high-profile phishing attacks over the last year, wherein the smishing messages are sent to both Android and iOS users in the U.K., in addition to those that leverage package delivery lures by impersonating legitimate services like USPS.

A Chinese-language PhaaS, Darcula is advertised on Telegram and offers support for about 200 templates impersonating legitimate brands that customers can avail for a monthly fee to set up phishing sites and carry out their malicious activities.

A majority of the templates are designed to mimic postal services, but they also include public and private utilities, financial institutions, government bodies (e.g., tax departments), airlines, and telecommunication organizations.

The phishing sites are hosted on purpose-registered domains that spoof the respective brand names to add a veneer of legitimacy. These domains are backed by Cloudflare, Tencent, Quadranet, and Multacom.

In all, more than 20,000 Darcula-related domains across 11,000 IP addresses have been detected, with an average of 120 new domains identified per day since the start of 2024. Some aspects of the PhaaS service were revealed in July 2023 by Israeli security researcher Oshri Kalfon.

One of the interesting additions to Darcula is its capability to update phishing sites with new features and anti-detection measures without having to remove and reinstall the phishing kit.

“On the front page, Darcula sites display a fake domain for sale/holding page, likely as a form of cloaking to disrupt takedown efforts,” the U.K.-based company said. “In previous iterations, Darcula’s anti-monitoring mechanism would redirect visitors that are believed to be bots (rather than potential victims) to Google searches for various cat breeds.”

Darcula’s smishing tactics also warrant special attention as they primarily leverage Apple iMessage and the RCS (Rich Communication Services) protocol used in Google Messages instead of SMS, thereby evading some filters put in place by network operators to prevent scammy messages from being delivered to prospective victims.

“While end-to-end encryption in RCS and iMessage delivers valuable privacy for end users, it also allows criminals to evade filtering required by this legislation by making the content of messages impossible for network operators to examine, leaving Google and Apple’s on-device spam detection and third-party spam filter apps as the primary line of defense preventing these messages from reaching victims,” Netcraft added.

“Additionally, they do not incur any per-message charges, which are typical for SMS, reducing the cost of delivery.”

The departure from traditional SMS-based phishing aside, another noteworthy aspect of Darcula’s smishing messages is their sneaky attempt to get around a safety measure in iMessage that prevents links from being clickable unless the message is from a known sender.

This entails instructing the victim to reply with a “Y” or “1” message and then reopen the conversation to follow the link. One such message posted on r/phishing subreddit shows that users are persuaded to click on the URL by claiming that they have provided an incomplete delivery address for the USPS package.

These iMessages are sent from email addresses such as pl4396@gongmiaq.com and mb6367587@gmail.com, indicating that the threat actors behind the operation are creating bogus email accounts and registering them with Apple to send the messages.

Google, for its part, recently said it’s blocking the ability to send messages using RCS on rooted Android devices to cut down on spam and abuse.

The end goal of these attacks is to trick the recipients into visiting bogus sites and handing over their personal and financial information to the fraudsters. There is evidence to suggest that Darcula is geared towards Chinese-speaking e-crime groups.

Phishing kits can have serious consequences as it permits less-skilled criminals to automate many of the steps needed to conduct an attack, thus lowering barriers to entry.

The development comes amid a new wave of phishing attacks that take advantage of Apple’s password reset feature, bombarding users with what’s called a prompt bombing (aka MFA fatigue) attack in hopes of hijacking their accounts.

Assuming a user manages to deny all the requests, “the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to ‘verify’ a one-time code,” security journalist Brian Krebs said.

The voice phishers have been found to use information about victims obtained from people search websites to increase the likelihood of success, and ultimately “trigger an Apple ID reset code to be sent to the user’s device,” which, if supplied, allows the attackers to reset the password on the account and lock the user out.

It’s being suspected that the perpetrators are abusing a shortcoming in the password reset page at iforgot.apple[.]com to send dozens of requests for a password change in a manner that bypasses rate limiting protections.

The findings also follow research from F.A.C.C.T. that SIM swappers are transferring a target user’s phone number to their own device with an embedded SIM (eSIM) in order to gain unauthorized access to the victim’s online services. The practice is said to have been employed in the wild for at least a year.

This is accomplished by initiating an application on the operator’s website or application to transfer the number from a physical SIM card to an eSIM by masquerading as the victim, causing the legitimate owner to lose access to the number as soon as the eSIM QR Code is generated and activated.

“Having gained access to the victim’s mobile phone number, cybercriminals can obtain access codes and two-factor authentication to various services, including banks and messengers, opening up a mass of opportunities for criminals to implement fraudulent schemes,” security researcher Dmitry Dudkov said.

Mar 26, 2024NewsroomMoney Laundering / Digital Currency

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned three cryptocurrency exchanges for offering services used to evade economic restrictions imposed on Russia following its invasion of Ukraine in early 2022.

This includes Bitpapa IC FZC LLC, Crypto Explorer DMCC (AWEX), and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP).

In all, the designations cover thirteen entities and two individuals operating in the Russian financial services and technology sectors.

“Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions,” the Treasury said, adding the action seeks to “target companies servicing Russia’s core financial infrastructure and curtail Russia’s use of the international financial system to further its war against Ukraine.”

Bitpapa, which offers virtual currency exchange to Russian nationals, has been accused of facilitating transactions worth millions of dollars with sanctioned Russian entities Hydra Market and Garantex.

Crypto Explorer, the Treasury said, offers currency conversion services between virtual currencies, rubles, and UAE dirhams.

“AWEX offers cash services at its offices in Moscow and Dubai and also loads funds onto credit cards associated with OFAC-designated Russian banks such as Sberbank and Alfa-Bank,” it added.

Also sanctioned is another virtual currency exchange run by TOEP that’s alleged to have enabled digital payments in rubles and virtual currencies to sanctioned entities such as Sberbank, Alfa-Bank, and Hydra Market.

The penalty list also features Moscow-based fintech companies such as B-Crypto, Masterchain and Laitkhaus, which have partnered with sanctioned Russian banks to issue, exchange, and transfer cryptocurrency assets.

Pursuant to the sanctions, all properties and interests in the U.S. connected to designated individuals and entities will be frozen. Furthermore, entities at least 50% owned directly or indirectly by one or more blocked persons will also be subject to the blockade.

“Russia is increasingly turning to alternative payment mechanisms to circumvent U.S. sanctions and continue to fund its war against Ukraine,” said Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.

“As the Kremlin seeks to leverage entities in the financial technology space, Treasury will continue to expose and disrupt the companies that seek to help sanctioned Russian financial institutions reconnect to the global financial system.”

Dec 19, 2023The Hacker NewsSoftware Security / Threat intelligence

Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.

“Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools,” ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.

“But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware.”

Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address.

While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that’s both inexpensive and reliable.

This technique is sneaky as it allows threat actors to blend their malicious network traffic with genuine communications within a compromised network, making it challenging to detect and respond to threats in an effective manner. As a result, the chances that an infected endpoint communicating with a GitHub repository will be flagged as suspicious is less likely.

The abuse of GitHub gists points to an evolution of this trend. Gists, which are nothing but repositories themselves, offer an easy way for developers to share code snippets with others.

It’s worth noting at this stage that public gists show up in GitHub’s Discover feed, while secret gists, although not accessible via Discover, can be shared with others by sharing their URL.

“However, if someone you don’t know discovers the URL, they’ll also be able to see your gist,” GitHub notes in its documentation. “If you need to keep your code away from prying eyes, you may want to create a private repository instead.”

Another interesting aspect of secret gists is that they are not displayed in the GitHub profile page of the author, enabling threat actors to leverage them as some sort of a pastebin service.

ReversingLabs said it identified several PyPI packages – namely, httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 – that masqueraded as libraries for handling network proxying, but contained a Base64-encoded URL pointing to a secret gist hosted in a throwaway GitHub account without any public-facing projects.

The gist, for its part, features Base64-encoded commands that are parsed and executed in a new process through malicious code present in the setup.py file of the counterfeit packages.

The use of secret gists to deliver malicious commands to compromised hosts was previously highlighted by Trend Micro in 2019 as part of a campaign distributing a backdoor called SLUB (short for SLack and githUB).

A second technique observed by the software supply chain security firm entails the exploitation of version control system features, relying on git commit messages to extract commands for execution on the system.

The PyPI package, named easyhttprequest, incorporates malicious code that “clones a specific git repository from GitHub and checks if the ‘head’ commit of this repository contains a commit message that starts with a specific string,” Zanki said.

“If it does, it strips that magic string and decodes the rest of the Base64-encoded commit message, executing it as a Python command in a new process.” The GitHub repository that gets cloned is a fork of a seemingly legitimate PySocks project, and it does not have any malicious git commit messages.

All the fraudulent packages have now been taken down from the Python Package Index (PyPI) repository.

“Using GitHub as C2 infrastructure isn’t new on its own, but abuse of features like Git Gists and commit messages for command delivery are novel approaches used by malicious actors,” Zanki said.