Apr 11, 2024NewsroomEndpoint Security / Ransomware

A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign.

“This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors,” Proofpoint said. “Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM).”

TA547 is a prolific, financially motivated threat actor that’s known to be active since at least November 2017, using email phishing lures to deliver a variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware.

In recent years, the group has evolved into an initial access broker (IAB) for ransomware attacks. It has also been observed employing geofencing tricks to restrict payloads to specific regions.

The email messages observed as part of the latest campaign impersonate the German company Metro AG and contain a password-protected ZIP file containing a ZIP archive that, when opened, initiates the execution of a remote PowerShell script to launch the Rhadamanthys stealer directly in memory.

Interestingly, the PowerShell script used to load Rhadamanthys includes “grammatically correct and hyper specific comments” for each instruction in the program, raising the possibility that it may have been generated (or rewritten) using an LLM.

The alternate hypothesis is that TA547 copied the script from another source that had used generative AI technology to create it.

“This campaign represents an example of some technique shifts from TA547 including the use of compressed LNKs and previously unobserved Rhadamanthys stealer,” Proofpoint said. “It also provides insight into how threat actors are leveraging likely LLM-generated content in malware campaigns.”

The development comes as phishing campaigns have also been banking on uncommon tactics to facilitate credential-harvesting attacks. In these emails, recipients are notified of a voice message and are directed to click on a link to access it.

The payload retrieved from the URL is heavily obfuscated HTML content that runs JavaScript code embedded within an SVG image when the page is rendered on the target system.

Present within the SVG data is “encrypted data containing a second stage page prompting the target to enter their credentials to access the voice message,” Binary Defense said, adding the page is encrypted using CryptoJS.

Other email-based attacks have paved the way for Agent Tesla, which has emerged as an attractive option for threat actors due to it “being an affordable malware service with multiple capabilities to exfiltrate and steal users’ data,” according to Cofense.

Social engineering campaigns have also taken the form of malicious ads served on search engines like Google that lure unsuspecting users into downloading bogus installers for popular software like PuTTY, FileZilla, and Room Planner to ultimately deploy Nitrogen and IDAT Loader.

The infection chain associated with IDAT Loader is noteworthy for the fact that the MSIX installer is used to launch a PowerShell script that, in turn, contacts a Telegram bot to fetch a second PowerShell script hosted on the bot.

This PowerShell script then acts as a conduit to deliver another PowerShell script that’s used to bypass Windows Antimalware Scan Interface (AMSI) protections as well as trigger the execution of the loader, which subsequently proceeds to load the SectopRAT trojan.

“Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks,” Jérôme Segura, principal threat researcher at Malwarebytes, said.

Mar 24, 2024NewsroomRansomware / Threat Intelligence

German authorities have announced the takedown of an illicit underground marketplace called Nemesis Market that peddled narcotics, stolen data, and various cybercrime services.

The Federal Criminal Police Office (aka Bundeskriminalamt or BKA) said it seized the digital infrastructure associated with the darknet service located in Germany and Lithuania and confiscated €94,000 ($102,107) in cryptocurrency assets.

The operation, conducted in collaboration with law enforcement agencies from Germany, Lithuania, and the U.S., took place on March 20, 2024, following an extensive investigation that commenced in October 2022.

Founded in 2021, Nemesis Market is estimated to have had more than 150,000 user accounts and 1,100 seller accounts from all over the world prior to its shutdown. Almost 20$ of the seller accounts were from Germany.

“The range of goods available on the marketplace included narcotics, fraudulently obtained data and goods, as well as a selection of cybercrime services such as ransomware, phishing, or DDoS attacks,” the BKA said.

The agency said further investigations against criminal sellers and users of the platform are presently ongoing. That said, no arrests have been made.

The development comes a month after another coordinated law enforcement operation took down the LockBit ransomware group, taking control of the outfit’s servers and arresting three affiliates from Poland and Ukraine. The disruption prompted the gang to relaunch its cyber extortion operation.

In recent months, German authorities have also taken down Kingdom Market and Crimemarket, both of which boasted of thousands of users and offered a wide array of money laundering and cybercrime services.

Mar 23, 2024NewsroomCyber Espionage / Cyber Warfare

The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia’s Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft.

The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” researchers Luke Jenkins and Dan Black said.

WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that’s believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.

Attack chains leverage phishing emails with German-language lure content that purports to be an invite for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.

“The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website,” the researchers said. “ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload.”

WINELOADER, invoked via a technique called DLL side-loading using the legitimate sqldumper.exe, comes equipped with abilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.

It’s said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.

WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.

“ROOTSAW continues to be the central component of APT29’s initial access efforts to collect foreign political intelligence,” the company said.

“The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests.”

The development comes as German prosecutors have charged a military officer, named Thomas H, with espionage offenses after he was allegedly caught spying on behalf of Russian intelligence services and passing on unspecified sensitive information. He was arrested in August 2023.

“From May 2023, he approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate,” the Office of the Federal Prosecutor said. “On one occasion, he transmitted information that he had obtained in the course of his professional activities for forwarding to a Russian intelligence service.”

Dec 21, 2023NewsroomDark Web / Cybercrime

German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to “tens of thousands of users.”

The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said.

Kingdom Market is said to have been accessible over the TOR and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents.

As many as 42,000 products have been sold via several hundred seller accounts on the English language platform prior to its takedown, with 3,600 of them originating from Germany.

Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3% commission for processing the sales of the illicit goods.

“The operators of ‘Kingdom Market’ are suspected of commercially operating a criminal trading platform on the Internet and of illicit trafficking in narcotics,” the BKA said, adding an investigation into the seized server infrastructure is ongoing.

In addition to the seizure, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering. Alan Bill, who also goes by the aliases Vend0r and KingdomOfficial, has been described as a Slovakian national.

The development comes days after another coordinated law enforcement effort saw the dismantling of the BlackCat ransomware’s dark web infrastructure, prompting the group to respond to the seizure of its data leak site by wresting control of the page, claiming they had “unseized” it.