Apr 11, 2024NewsroomEndpoint Security / Ransomware

A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign.

“This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors,” Proofpoint said. “Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM).”

TA547 is a prolific, financially motivated threat actor that’s known to be active since at least November 2017, using email phishing lures to deliver a variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware.

In recent years, the group has evolved into an initial access broker (IAB) for ransomware attacks. It has also been observed employing geofencing tricks to restrict payloads to specific regions.

The email messages observed as part of the latest campaign impersonate the German company Metro AG and contain a password-protected ZIP file containing a ZIP archive that, when opened, initiates the execution of a remote PowerShell script to launch the Rhadamanthys stealer directly in memory.

Interestingly, the PowerShell script used to load Rhadamanthys includes “grammatically correct and hyper specific comments” for each instruction in the program, raising the possibility that it may have been generated (or rewritten) using an LLM.

The alternate hypothesis is that TA547 copied the script from another source that had used generative AI technology to create it.

“This campaign represents an example of some technique shifts from TA547 including the use of compressed LNKs and previously unobserved Rhadamanthys stealer,” Proofpoint said. “It also provides insight into how threat actors are leveraging likely LLM-generated content in malware campaigns.”

The development comes as phishing campaigns have also been banking on uncommon tactics to facilitate credential-harvesting attacks. In these emails, recipients are notified of a voice message and are directed to click on a link to access it.

The payload retrieved from the URL is heavily obfuscated HTML content that runs JavaScript code embedded within an SVG image when the page is rendered on the target system.

Present within the SVG data is “encrypted data containing a second stage page prompting the target to enter their credentials to access the voice message,” Binary Defense said, adding the page is encrypted using CryptoJS.

Other email-based attacks have paved the way for Agent Tesla, which has emerged as an attractive option for threat actors due to it “being an affordable malware service with multiple capabilities to exfiltrate and steal users’ data,” according to Cofense.

Social engineering campaigns have also taken the form of malicious ads served on search engines like Google that lure unsuspecting users into downloading bogus installers for popular software like PuTTY, FileZilla, and Room Planner to ultimately deploy Nitrogen and IDAT Loader.

The infection chain associated with IDAT Loader is noteworthy for the fact that the MSIX installer is used to launch a PowerShell script that, in turn, contacts a Telegram bot to fetch a second PowerShell script hosted on the bot.

This PowerShell script then acts as a conduit to deliver another PowerShell script that’s used to bypass Windows Antimalware Scan Interface (AMSI) protections as well as trigger the execution of the loader, which subsequently proceeds to load the SectopRAT trojan.

“Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks,” Jérôme Segura, principal threat researcher at Malwarebytes, said.

Mar 30, 2024NewsroomMalware / Cryptocurrency

Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users.

The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims’ Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.

One such attack chain targets users searching for Arc Browser on search engines like Google to serve bogus ads that redirect users to look-alike sites (“airci[.]net”) that serve the malware.

“Interestingly, the malicious website cannot be accessed directly, as it returns an error,” security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. “It can only be accessed through a generated sponsored link, presumably to evade detection.”

The disk image file downloaded from the counterfeit website (“ArcSetup.dmg”) delivers Atomic Stealer, which is known to request users to enter their system passwords via a fake prompt and ultimately facilitate information theft.

Jamf said it also discovered a phony website called meethub[.]gg that claims to offer a free group meeting scheduling software, but actually installs another stealer malware capable of harvesting users’ keychain data, stored credentials in web browsers, and information from cryptocurrency wallets.

Much like Atomic stealer, the malware – which is said to overlap with a Rust-based stealer family known as Realst – also prompts the user for their macOS login password using an AppleScript call to carry out its malicious actions.

Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invites.

“These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers,” the researchers said. “Those in the industry should be hyper-aware that it’s often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry.”

The development comes as MacPaw’s cybersecurity division Moonlock Lab disclosed that malicious DMG files (“App_v1.0.4.dmg”) are being used by threat actors to deploy a stealer malware designed to extract credentials and data from various applications.

This is accomplished by means of an obfuscated AppleScript and bash payload that’s retrieved from a Russian IP address, the former of which is used to launch a deceptive prompt (as mentioned above) to trick users into providing the system passwords.

“Disguised as a harmless DMG file, it tricks the user into installation via a phishing image, persuading the user to bypass macOS’s Gatekeeper security feature,” security researcher Mykhailo Hrebeniuk said.

The development is an indication that macOS environments are increasingly under threat from stealer attacks, with some strains even boasting of sophisticated anti-virtualization techniques by activating a self-destructing kill switch to evade detection.

In recent weeks, malvertising campaigns have also been observed pushing the FakeBat loader (aka EugenLoader) and other information stealers like Rhadamanthys via a Go-based loader through decoy sites for popular software such as Notion and PuTTY.

Mar 16, 2024NewsroomMalware / Cybercrime

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro.

The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.

“The repositories look similar, featuring a README.md file with the promise of free cracked software,” the German cybersecurity company said.

“Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency.”

The list of repositories is as follows, with each of them pointing to a download link (“digitalxnetwork[.]com”) containing a RAR archive file –

• andreastanaj/AVAST
• andreastanaj/Sound-Booster
• aymenkort1990/fabfilter
• BenWebsite/-IObit-Smart-Defrag-Crack
• Faharnaqvi/VueScan-Crack
• javisolis123/Voicemod
• lolusuary/AOMEI-Backupper
• lolusuary/Daemon-Tools
• lolusuary/EaseUS-Partition-Master
• lolusuary/SOOTHE-2
• mostofakamaljoy/ccleaner
• rik0v/ManyCam
• Roccinhu/Tenorshare-Reiboot
• Roccinhu/Tenorshare-iCareFone
• True-Oblivion/AOMEI-Partition-Assistant
• vaibhavshiledar/droidkit
• vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive, which requires the victims to supply a password mentioned in the repository’s README.md file, contains an installer file, which unpacks the next-stage payload, an executable file that’s inflated to 699 MB in an effort to crash analysis tools like IDA Pro.

The actual contents of the file – amounting to a mere 3.43 MB – act as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.

RisePro burst into the spotlight in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.

Written in C++, it’s designed to gather sensitive information from infected hosts and exfiltrate it to two Telegram channels, which are often used by threat actors to extract victims’ data. Interestingly, recent research from Checkmarx showed that it’s possible to infiltrate and forward messages from an attacker’s bot to another Telegram account.

The development comes as Splunk detailed the tactics and techniques adopted by Snake Keylogger, describing it as a stealer malware that “employs a multifaceted approach to data exfiltration.”

“The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information,” Splunk said. “Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data.”

Stealer malware have become increasingly popular, often becoming the primary vector for ransomware and other high impact data breaches. According to a report from Specops published this week, RedLine, Vidar, and Raccoon have emerged as the most widely-used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the last six months.

“The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats,” Flashpoint noted in January 2024. “While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use.”

Mar 07, 2024NewsroomVulnerability / Information Stealer

Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that’s designed to capture credentials and other sensitive data.

“The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram,” Cybereason researcher Kotaro Ogino said in a technical report.

Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending prospective users seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.

The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.

Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.

The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.

The Vietnamese connection is further bolstered by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.

“All of the variants support Cốc Cốc Browser, which is a well known Vietnamese Browser used widely by the Vietnamese community,” Ogino said.

Over the past year, multiple information stealers targeting Facebook cookies have appeared in the wild, counting S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.

The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, calling on the company to take immediate action to address a “dramatic and persistent spike” in account takeover incidents.

It also follows a discovery that threat actors are “using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware,” according to OALABS Research.

Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved.

“This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link,” the researchers said, adding the malware comes fitted with capabilities for command-and-control (C2) communications.

Feb 21, 2024NewsroomMalware / Cyber Threat

Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed VietCredCare at least since August 2022.

The malware is “notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance,” Singapore-headquartered Group-IB said in a new report shared with The Hacker News.

The end goal of the large-scale malware distribution scheme is to facilitate the takeover of corporate Facebook accounts by targeting Vietnamese individuals who manage the Facebook profiles of prominent businesses and organizations.

Facebook accounts that have been successfully seized are then used by the threat actors behind the operation to post political content or to propagate phishing and affiliate scams for financial gain.

VietCredCare is offered to other aspiring cybercriminals under the stealer-as-a-service model and advertised on Facebook, YouTube, and Telegram. It’s assessed to be managed by Vietnamese-speaking individuals.

Customers either have the option of purchasing access to a botnet managed by the malware’s developers, or procure access to the source code for resale or personal use. They are also provided a bespoke Telegram bot to manage the exfiltration and delivery of credentials from an infected device.

The .NET-based malware is distributed via links to bogus sites on social media posts and instant messaging platforms, masquerading as legitimate software like Microsoft Office or Acrobat Reader to dupe visitors into installing them.

One of its major selling points is its ability to extract credentials, cookies, and session IDs from web browsers like Google Chrome, Microsoft Edge, and Cốc Cốc, indicating its Vietnamese focus.

It can also retrieve a victim’s IP address, check if a Facebook is a business profile, and assess whether the account in question is currently managing any ads, while simultaneously taking steps to evade detection by disabling the Windows Antimalware Scan Interface (AMSI) and adding itself to the exclusion list of Windows Defender Antivirus.

“VietCredCare’s core functionality to filter out Facebook credentials puts organizations in both the public and private sectors at risk of reputational and financial damages if their sensitive accounts are compromised,” Vesta Matveeva, head of the High-Tech Crime Investigation Department for APAC, said.

Credentials belonging to several government agencies, universities, e-commerce platforms, banks, and Vietnamese companies have been siphoned via the stealer malware.

VietCredCare is also the latest addition to a long list of stealer malware, such as Ducktail and NodeStealer,that has originated from the Vietnamese cyber criminal ecosystem with the intent of targeting Facebook accounts.

“The stealer-as-a-service business model enables threat actors with little to no technical skills to enter the cybercrime field, which results in more innocent victims being harmed,” Group-IB said.

Feb 08, 2024NewsroomCyber Espionage / Malware

The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer.

The malware steals “SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures” from infected systems, South Korean cybersecurity company S2W said in a new technical report.

Troll Stealer’s links to Kimsuky stem from its similarities to known malware families, such as AppleSeed and AlphaSeed malware that have been attributed to the group.

Kimsuky, also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is well known for its propensity to steal sensitive, confidential information in offensive cyber operations.

In late November 2023, the threat actors were sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for gathering intelligence to further North Korea’s strategic objectives.

The adversarial collective, in recent months, has been attributed to spear-phishing attacks targeting South Korean entities to deliver a variety of backdoors, including AppleSeed and AlphaSeed.

S2W’s latest analysis reveals the use of a dropper that masquerades as a security program installation file from a South Korean company named SGA Solutions to launch the stealer, which gets its name from the path “D:/~/repo/golang/src/root.go/s/troll/agent” that’s embedded in it.

“The dropper runs as a legitimate installer alongside the malware, and both the dropper and malware are signed with a valid, legitimate D2Innovation Co.,LTD’ certificate, suggesting that the company’s certificate was actually stolen,” the company said.

A stand-out feature of Troll Stealer is its ability to pilfer the GPKI folder on infected systems, raising the possibility that the malware has been put to use in attacks targeting administrative and public organizations in the country.

Given the absence of Kimsuky campaigns documenting the theft of GPKI folders, it has raised the possibility that the new behavior is either a shift in tactics or the work of another threat actor closely associated with the group that also has access to the source code of AppleSeed and AlphaSeed.

There are also signs that the threat actor may be involved with a Go-based backdoor codenamed GoBear that’s also signed with a legitimate certificate associated with D2Innovation Co., LTD and executes instructions received from a command-and-control (C2) server.

“The strings contained in the names of the functions it calls have been found to overlap with the commands used by BetaSeed, a C++-based backdoor malware used by the Kimsuky group,” S2W said. “It is noteworthy that GoBear adds SOCKS5 proxy functionality, which was not previously supported by the Kimsuky group’s backdoor malware.”

Jan 16, 2024NewsroomCryptocurrency / Windows Security

Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer called Phemedrone Stealer.

“Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord,” Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.

“It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server.”

The attacks leverage CVE-2023-36025 (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen, that could be exploited by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file.

The actively-exploited shortcoming was addressed by Microsoft as part of its November 2023 Patch Tuesday updates.

The infection process involves the threat actor hosting malicious Internet Shortcut files on Discord or cloud services like FileTransfer.io, with the links also masked using URL shorteners such as Short URL.

The execution of the booby-trapped .URL file allows it to connect to an actor-controlled server and execute a control panel (.CPL) file in a manner that circumvents Windows Defender SmartScreen by taking advantage of CVE-2023-36025.

“When the malicious .CPL file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL,” the researchers said. “This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub.”

The follow-on payload is a PowerShell loader (“DATA3.txt”) that acts as a launchpad for Donut, an open-source shellcode loader that decrypts and executes Phemedrone Stealer.

Written in C#, Phemedrone Stealer is actively maintained by its developers on GitHub and Telegram, facilitating the theft of sensitive information from compromised systems.

The development is once again a sign that threat actors are getting increasingly flexible and quickly adapting their attack chains to capitalize on newly disclosed exploits and inflict maximum damage.

“Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer,” the researchers said.

Jan 11, 2024NewsroomMalvertising / Cyber Attacks

Cybersecurity researchers have identified an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities.

“It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules,” Malwarebytes’ Jérôme Segura said in a Wednesday report.

Atomic Stealer first emerged in April 2023 for a monthly subscription of $1,000. It’s capable of harvesting sensitive information from a compromised host, including Keychain passwords, session cookies, files, crypto wallets, system metadata, and the machine’s password via a fake prompt.

Over the past several months, the malware has been observed propagated via malvertising and compromised sites under the guise of legitimate software and web browser updates.

Malwarebytes’ latest analysis shows that Atomic Stealer is now being sold for a hefty $3,000/month rental fee, with the actors running a promotion coinciding with Christmas, offering the malware for a discounted price of $2,000.

Besides incorporating encryption to thwart detection by security software, campaigns distributing Atomic Stealer have undergone a slight shift, wherein Google search ads impersonating Slack are used as conduits to deploy Atomic Stealer or a malware loader called EugenLoader (aka FakeBat) depending on the operating system.

It’s worth noting that a malvertising campaign spotted in September 2023 leveraged a fraudulent site for the TradingView charting platform to deliver NetSupport RAT, if visited from Windows, and Atomic Stealer, if the operating system is macOS.

The rogue Slack disk image (DMG) file, upon opening, prompts the victim to enter their system password, thereby allowing threat actors to gather sensitive information that are access-restricted. Another crucial aspect of the new version is the use of obfuscation to conceal the command-and-control server that receives the stolen information.

“As stealers continue to be a top threat for Mac users, it is important to download software from trusted locations,” Segura said. “Malicious ads and decoy sites can be very misleading though and it only takes a single mistake (entering your password) for the malware to collect and exfiltrate your data.”

Jan 09, 2024NewsroomMalware / Cyber Threat

Threat actors are resorting to YouTube videos featuring content related to cracked software in order to entice users into downloading an information stealer malware called Lumma.

“These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly,” Fortinet FortiGuard Labs researcher Cara Lin said in a Monday analysis.

This is not the first time pirated software videos on YouTube have emerged as an effective bait for stealer malware. Previously similar attack chains were observed delivering stealers, clippers, and crypto miner malware.

In doing so, threat actors can leverage the compromised machines for not only information and cryptocurrency theft, but also abuse the resources for illicit mining.

In the latest attack sequence documented by Fortinet, users searching for cracked versions of legitimate video editing tools like Vegas Pro on YouTube are prompted to click on a link located in the video’s description, leading to the download of a bogus installer hosted on MediaFire.

The ZIP installer, once unpacked, features a Windows shortcut (LNK) masquerading as a setup file that downloads a .NET loader from a GitHub repository, which, in turn, loads the stealer payload, but not before performing a series of anti-virtual machine and anti-debugging checks.

Lumma Stealer, written in C and offered for sale on underground forums since late 2022, is capable of harvesting and exfiltrating sensitive data to an actor-controlled server.

The development comes as Bitdefender warned of stream-jacking attacks on YouTube in which cybercriminals take over high-profile accounts via phishing attacks that deploy the RedLine Stealer malware to siphon their credentials and session cookies, and ultimately promote various crypto scams.

It also follows the discovery of an 11-month-old AsyncRAT campaign that employs phishing lures to download an obfuscated JavaScript file that’s then utilized to drop the remote access trojan.

“The victims and their companies are carefully selected to broaden the impact of the campaign,” AT&T Alien Labs researcher Fernando Martinez said. “Some of the identified targets manage key infrastructure in the U.S.”