Mar 16, 2024NewsroomMalware / Cybercrime

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro.

The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.

“The repositories look similar, featuring a README.md file with the promise of free cracked software,” the German cybersecurity company said.

“Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency.”

The list of repositories is as follows, with each of them pointing to a download link (“digitalxnetwork[.]com”) containing a RAR archive file –

• andreastanaj/AVAST
• andreastanaj/Sound-Booster
• aymenkort1990/fabfilter
• BenWebsite/-IObit-Smart-Defrag-Crack
• Faharnaqvi/VueScan-Crack
• javisolis123/Voicemod
• lolusuary/AOMEI-Backupper
• lolusuary/Daemon-Tools
• lolusuary/EaseUS-Partition-Master
• lolusuary/SOOTHE-2
• mostofakamaljoy/ccleaner
• rik0v/ManyCam
• Roccinhu/Tenorshare-Reiboot
• Roccinhu/Tenorshare-iCareFone
• True-Oblivion/AOMEI-Partition-Assistant
• vaibhavshiledar/droidkit
• vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive, which requires the victims to supply a password mentioned in the repository’s README.md file, contains an installer file, which unpacks the next-stage payload, an executable file that’s inflated to 699 MB in an effort to crash analysis tools like IDA Pro.

The actual contents of the file – amounting to a mere 3.43 MB – act as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.

RisePro burst into the spotlight in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.

Written in C++, it’s designed to gather sensitive information from infected hosts and exfiltrate it to two Telegram channels, which are often used by threat actors to extract victims’ data. Interestingly, recent research from Checkmarx showed that it’s possible to infiltrate and forward messages from an attacker’s bot to another Telegram account.

The development comes as Splunk detailed the tactics and techniques adopted by Snake Keylogger, describing it as a stealer malware that “employs a multifaceted approach to data exfiltration.”

“The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information,” Splunk said. “Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data.”

Stealer malware have become increasingly popular, often becoming the primary vector for ransomware and other high impact data breaches. According to a report from Specops published this week, RedLine, Vidar, and Raccoon have emerged as the most widely-used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the last six months.

“The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats,” Flashpoint noted in January 2024. “While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use.”

Mar 07, 2024NewsroomVulnerability / Information Stealer

Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that’s designed to capture credentials and other sensitive data.

“The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram,” Cybereason researcher Kotaro Ogino said in a technical report.

Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending prospective users seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.

The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.

Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.

The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.

The Vietnamese connection is further bolstered by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.

“All of the variants support Cốc Cốc Browser, which is a well known Vietnamese Browser used widely by the Vietnamese community,” Ogino said.

Over the past year, multiple information stealers targeting Facebook cookies have appeared in the wild, counting S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.

The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, calling on the company to take immediate action to address a “dramatic and persistent spike” in account takeover incidents.

It also follows a discovery that threat actors are “using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware,” according to OALABS Research.

Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved.

“This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link,” the researchers said, adding the malware comes fitted with capabilities for command-and-control (C2) communications.

The U.S. Department of State has announced monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation.

It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person “conspiring to participate in or attempting to participate in Hive ransomware activity.”

The multi-million-dollar rewards come a little over a year after a coordinated law enforcement effort covertly infiltrated and dismantled the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) gang. One person with suspected ties to the group was arrested in Paris in December 2023.

Hive, which emerged in mid-2021, targeted more than 1,500 victims in over 80 countries, netting about $100 million in illegal revenues. In November 2023, Bitdefender revealed that a new ransomware group called Hunters International had acquired the source code and infrastructure from Hive to kick-start its own efforts.

There is some evidence to suggest that the threat actors associated with Hunters International are likely based in Nigeria, specifically an individual named Olowo Kehinde, per information gathered by Netenrich security researcher Rakesh Krishnan, although it could also be a fake persona adopted by the actors to cover up their true origins.

Blockchain analytics firm Chainalysis, in its 2023 review published last week, estimated that ransomware crews raked in $1.1 billion in extorted cryptocurrency payments from victims last year, compared to $567 million in 2022, all but confirming that ransomware rebounded in 2023 following a relative drop off in 2022.

“2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks — a significant reversal from the decline observed in 2022,” it said.

The decline in ransomware activity in 2022 has been deemed a statistical aberration, with the downturn attributed to the Russo-Ukrainian war and the disruption of Hive. What’s more, the total number of victims posted on data leak sites in 2023 was 4,496, up from 3,048 in 2021 and 2,670 in 2022.

Palo Alto Networks Unit 42, in its own analysis of ransomware gangs’ public listings of victims on dark web sites, called out manufacturing as the most impacted industry vertical in 2023, followed by profession and legal services, high technology, retail, construction, and healthcare sectors.

While the law enforcement action prevented approximately $130 million in ransom payments to Hive, it’s said that the takedown also “likely affected the broader activities of Hive affiliates, potentially lessening the number of additional attacks they could carry out.” In total, the effort may have averted at least $210.4 million in payments.

Adding to the escalation in the regularity, scope, and volume of attacks, last year also witnessed a surge in new entrants and offshoots, a sign that the ransomware ecosystem is attracting a steady stream of new players who are attracted by the prospect of high profits and lower barriers to entry.

Cyber insurance provider Corvus said the number of active ransomware gangs registered a “significant” 34% increase between Q1 and Q4 2023, growing from 35 to 47 either due to fracturing and rebranding or other actors getting hold of leaked encryptors. Twenty-five new ransomware groups emerged in 2023.

“The frequency of rebranding, especially among actors behind the biggest and most notorious strains, is an important reminder that the ransomware ecosystem is smaller than the large number of strains would make it appear,” Chainalysis said.

Besides a notable shift to big game hunting, which refers to the tactic of targeting very large companies to extract hefty ransoms, ransom payments are being steadily routed through cross-chain bridges, instant exchangers, and gambling services, indicating that e-crime groups are slowly moving away from centralized exchanges and mixers in pursuit of new avenues for money laundering.

In November 2023, the U.S. Treasury Department imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds. Some of the other sanctioned mixers include Blender, Tornado Cash, and ChipMixer.

The pivot to big game hunting is also a consequence of companies increasingly refusing to settle, as the number of victims who chose to pay dropped to a new low of 29% in the last quarter of 2023, according to data from Coveware.

“Another factor contributing to higher ransomware numbers in 2023 was a major shift in threat actors’ use of vulnerabilities,” Corvus said, highlighting Cl0p’s exploitation of flaws in Fortra GoAnywhere and Progress MOVEit Transfer.

“If malware, like infostealers, provide a steady drip of new ransomware victims, then a major vulnerability is like turning on a faucet. With some vulnerabilities, relatively easy access to thousands of victims can materialize seemingly overnight.”

Cybersecurity company Recorded Future revealed that ransomware groups’ weaponization of security vulnerabilities falls into two clear categories: vulnerabilities that have only been exploited by one or two groups and those that have been widely exploited by multiple threat actors.

“Magniber has uniquely focused on Microsoft vulnerabilities, with half of its unique exploits focusing on Windows Smart Screen,” it noted. “Cl0p has uniquely and infamously focused on file transfer software from Accellion, SolarWinds, and MOVEit. ALPHV has uniquely focused on data backup software from Veritas and Veeam. REvil has uniquely focused on server software from Oracle, Atlassian, and Kaseya.”

The continuous adaptation observed among cybercrime crews is also evidenced in the uptick in DarkGate and PikaBot infections following the takedown of the QakBot malware network, which has been the preferred initial entry pathway into target networks for ransomware deployment.

“Ransomware groups such as Cl0p have used zero-day exploits against newly discovered critical vulnerabilities, which represent a complex challenge for potential victims,” Unit 42 said.

“While ransomware leak site data can provide valuable insight on the threat landscape, this data might not accurately reflect the full impact of a vulnerability. Organizations must not only be vigilant about known vulnerabilities, but they must also develop strategies to quickly respond to and mitigate the impact of zero-day exploits.”