German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes.
The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS

Cyber Attack / Browser Security

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as **Kimsuky** using rogue browser extensions to steal users' Gmail inboxes.

The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS).

The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted.

Kimsuky, also known Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests."

Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military, manufacturing, academic, and think tank organizations.

"This threat actor's activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea," Google-owned threat intelligence firm Mandiant disclosed last year.

Recent attacks orchestrated by the group suggest an expansion of its cyber activity to encompass Android malware strains such as FastFire, FastSpy, FastViewer, and RambleOn.

The use of Chromium-based browser extensions for cyber espionage purposes is not new for Kimsuky, which has previously used similar techniques as part of campaigns tracked as Stolen Pencil and SharpTongue.

The SharpTongue operation also overlaps with the latest effort in that the latter is also capable of stealing a victim's email content using the rogue add-on, which, in turn, leverages the browser's DevTools API to perform the function.

But in an escalation of Kimsuky's mobile attacks, the threat actor has been observed logging into victims' Google accounts using credentials already obtained in advance through phishing tactics and then installing a malicious app on the devices linked to the accounts.

"The attacker logs in with the victim's Google account on the PC, accesses the Google Play Store, and requests the installation of a malicious app," the agencies explained. "At this time, the target's smartphone linked with the Google account is selected as the device to install the malicious app on."

It's suspected that the apps, which embed FastFire and FastViewer, are distributed using a Google Play feature known as "internal testing" that allows third-party developers to distribute their apps to a "small set of trusted testers."

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

A point worth mentioning here is that these internal app tests, which are carried out prior to releasing the app to production, cannot exceed 100 users per app, indicating that the campaign is extremely targeted in nature.

Both the malware-laced apps come with capabilities to harvest a wide range of sensitive information by abusing Android's accessibility services. The apps are listed below -

*   com.viewer.fastsecure (FastFire)
*   com.tf.thinkdroid.secviewer (FastViewer)

The disclosure comes as the North Korean advanced persistent threat (APT) actor dubbed ScarCruft has been linked to different attack vectors that are employed to deliver PowerShell-based backdoors onto compromised hosts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics

Categories: News
Tags: emotet

Tags:  malware

Tags:  IRS

Tags:  scam

Tags:  email

Tags:  W-9

Tags:  word

Tags:  document

Tags:  macro

Tags:  macros

We look at a current tax scam in circulation which looks to make an Emotet deposit on your PC.



(Read more...)




The post Beware: Fake IRS tax email delivers Emotet malware appeared first on Malwarebytes Labs.

Tax season is upon us and, as with every year, we're seeing tax scammers rearing their heads.

Below, we have an example of a tax scam currently in circulation along with some suggestions for avoiding these kinds of attacks.

**An IRS W-9 tax form scam**

A Form W-9 is a form you fill in to confirm certain personal details with the IRS. Name, address, and Tax Identification Number are all things you can expect to fill in on one of these forms.

In this case, the Form W-9 is being used as a lure for people to download something sinister. Our Senior Director of Threat Intelligence, Jerome Segura, found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. The email, which contains an attachment and very little text, looks like this:

The rather short message reads as follows:

> Let me know if you would like a hard copy mailed as well.
> 
> Respectifully \[SIC\]
> 
> Barbara LaCosta
> 
> Inspector
> 
> Department of Treasure

The attachment, W-9 form.zip, is 709 KB in size.

Opening the attachment up reveals a Word document called W-9 form.doc

This file’s size is 548,164 KB (548 MB), which is very suspicious. You won’t find many genuine Word documents weighing in at 500MB or more. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background. Malware authors are artificially pumping up the size of the document in order to try and fool or break security tools. This is because the large file size may prove too difficult for the tools to get a handle on and properly analyse.

Opening the document quickly becomes a game of Macro-related risk. Macros, used to automate aspects of your documents, are a tried and tested way of infecting a PC with malware. This is why you’ll almost always see a message saying that Macros are disabled when opening a downloaded document.

Malware authors know this, and will do everything in their power to make you enable them. This is no exception. When opening W-9 form.doc, you’ll see the following message:

> This document is protected  
> Previewing is not available for protected documents. You have to press “enable editing” and “enable content” buttons to preview this document.

Enabling this will result in Emotet being downloaded onto the system.

Emotet has been around since 2014. Originally created as a banking trojan, later versions added malware delivery and spam services. Mostly featuring in email spam campaigns, a big focus of fake mails helping to deliver the infection include subjects like parcel shipping, invoices, and other forms of payment.

In fact, Emotet features as one of the top five cyberthreats businesses face in our 2023 State of Malware report. Flagged by Europol as "The world's most dangerous malware", law enforcement has never quite been able to shut it down permanently despite its entire global infrastructure being taken offline in 2021. Emotet's ability to push additional forms of malware onto target systems including threats like TrickBot, IcedID, and Conti ransomware make it a formidable proposition for any security team to handle.

**Avoiding tax scams**

Here are some of the ways you can outsmart tax fraudsters and keep one step ahead of the phishing, malware, and social engineering attacks which come around every year during tax season.

*   **File early**. One of the quickest ways to stumble into a trap is to leave filing your tax return until the last minute. That added pressure can mean responding to fake mails you otherwise would have ignored.
*   **Be careful around suspicious refunds**. Tax agencies have a proper process for issuing refunds, found on their websites. Some, like HMRC, are very clear that refunds are never issued by email. If in doubt, phone the tax office directly and ask if what you have is the real deal or a fake.
*   **Beware of fake bank portals**. Some tax scams will ask you who you bank with, and then open up a phishing page for that bank. Always navigate directly to your banking website, click throughs and redirects typically spell danger.
*   **Avoid the pressure pitch**. Tax scammers like to hurry you along to data theft and malware installs. Claims of only having 24 or 48 hours to file for a refund should be treated with skepticism. As with most solutions for these forms of social engineering, contact the tax entity directly.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Beware: Fake IRS tax email delivers Emotet malware

**SAN JOSE, Calif.****,** **March 22, 2023** **/PRNewswire/ --** Vectra AI, the leader in AI-driven hybrid cloud threat detection and response, today announced the introduction of Vectra Match. Vectra Match brings intrusion detection signature context to Vectra Network Detection and Response (NDR), enabling security teams to accelerate their evolution to AI-driven threat detection and response without sacrificing investments already made in signatures.

"As enterprises transform embracing digital identities, supply chains and ecosystems — GRC and SOC teams are forced to keep pace. Keeping pace with existing, evolving and emerging cyber threats requires visibility, context and control for both known and unknown threats. The challenge for many security organizations is doing so without adding complexity and cost," says Kevin Kennedy, SVP Products at Vectra. "Vectra NDR now enables security teams to unify signatures for known threats and AI-driven behavior-based detection for unknown threats in a single solution."

With the addition of Vectra Match, Vectra NDR addresses core GRC and SOC use cases enabling more efficient and effective:

*   Correlation and validation of threat signals for accuracy.
*   Compliance for network-based CVE detection with compensating controls.
*   Threat hunting, investigation and incident response processes.

According to Gartner®, "recent trends in the NDR Market indicate many NDR offerings have expanded to capture new categories of events and to analyze additional traffic patterns. This includes **new detection techniques:** by adding support for more traditional signatures, performance monitoring, threat intelligence and sometimes malware detection engines. This move toward more multifunction network detection aligns well with the use case of network/security operations convergence, but also with midsize enterprises."1

"The attack surface cyber attackers have at their disposal continues to grow exponentially creating unknown threats on top of the tens of thousands of known vulnerabilities that exist. Attackers simply have exponentially more ways to infiltrate an organization and exfiltrate data — and do so with far more frequency, velocity and impact. Keeping pace with attackers exploiting known vulnerabilities and unknown threats is an immense challenge for every Security, Risk and Compliance officer," says Ronald Heil, Global Risk Advisory Lead for Energy and Natural Resources and Partner at KPMG Netherlands. "Today, cyber-resilience and compliance requires complete visibility and context for both known and unknown attacker methods. Without it, disrupting and containing their impact becomes an exercise in brand reputation and customer trust damage control. Vectra Match capabilities allow us to combine both worlds, having the continued AI-based detection of real-time "movement", while also having the ability to check against specific Suricata indicators — often required during incident response or proof of compliancy (e.g., Log4J). Consolidating AI-based and signature-based detection enables optimization, because in our case, less is more."

"When it comes to shadow IT, we know people with admin rights are 'building boxes off the grid.' Our SOC team cannot protect what we cannot see, thus making these unknown systems prime targets for attackers. No doubt, behavior-based AI-driven detections are great for catching attackers deploying new, evasive methods, but when it comes to attackers leveraging CVEs to compromise unknown, unpatched systems, we need signature-based detection. Combining signature-based detection with behavior-based detection gives our SOC team visibility for both the known-unknown and unknown-unknown threats. It's the best of both worlds," says Brett Fernicola, Sr. Director, Security Operations at Anywhere.re.

**Vectra NDR with Vectra Match**

Vectra NDR — a key component of the Vectra platform — provides end-to-end protection against hybrid and multicloud attacks. Deployed on-premises or in the cloud, the Vectra NDR console is a single source of truth (visibility) and first line of defense (control) for attacks traversing cloud and data center networks. By harnessing AI-driven Attack Signal Intelligence, Vectra NDR empowers GRC and SOC teams with:

*   AI-driven Detections that think like an attacker by going beyond signatures and anomalies to understand attacker behavior and zero in on attacker TTPs across the entire cyber kill chain post compromise, with 90% fewer blind spots and 3x more threats proactively identified.
*   AI-driven Triage that knows what is malicious by utilizing ML to analyze detection patterns unique to the customer's environment to score how meaningful each detection is, thus reducing 85% of alert noise — surfacing only relevant true positive events that require analyst attention.
*   AI-driven Prioritization that focuses on what is urgent by automatically correlating attacker TTPs across attack surfaces, evaluating each entity against globally observed attack profiles to create an attack urgency rating enabling analysts to focus on the most critical threats to the organization.

Vectra NDR empowers security and risk professionals with next-level intrusion detection. Armed with rich context on both known and unknown threats, GRC and SOC teams not only improve the effectiveness of their threat detection, but the efficiency on their threat hunting, investigation and incident response program and processes. Vectra NDR with Vectra Match is available for evaluation and purchase today. For additional information, please visit the following resources.

**Blog:** Vectra AI Announces Vectra Match for Signature-Based Detections

**Solution Brief:** Stop Network Exploits with Vectra NDR and Vectra Match 

**Product page:** Vectra NDR

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai. 

1Gartner Market Guide for Network Detection and Response, Published 14 December 2022 \- ID G00730869 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

SOURCE Vectra

Vectra Unifies AI-Driven Behavior-Based Detection and Signature-Based Detection

**HERZLIYA,** **Israel** **and** **PALO ALTO, Calif.****,** **March 22, 2023** **/PRNewswire/ --** XM Cyber, the leader in hybrid cloud security, announced today the acquisition of Confluera, a pioneer in next-generation cyber attack detection and response for the cloud. XM Cyber now offers a comprehensive CNAPP (Cloud Native Application Protection Platform) solution using its unique attack path modeling to prioritize and assess real risk to the critical assets in your cloud environment.

Together with Confluera, XM Cyber's Continuous Exposure Management platform will provide all aspects of cloud security, from identifying and fixing risk regarding cloud identities (CIEM), identifying vulnerabilities and the detection and response of actual cyber attacks in real time (CWPP), and best practice and compliance management (CSPM).

The rapid rise in sophisticated attacks across hybrid cloud environments requires organizations to equip themselves with a dual strategy that combines advanced preventative capabilities with active detection and response. Classic EDRs that were originally meant for endpoint protection aren't equipped to deal with the runtime protection of cloud infrastructures. Detection in the cloud requires the next-generation capabilities of CxDR (Cloud eXtended Detection and Response), which leverages visibility from different vantage points and accurately combines them to identify multi-stage attacks propagating across distributed cloud environments.

The XM Cyber solution enables organizations to see their on-prem and cloud environments just like an attacker would and identify weaknesses that can potentially be exploited on attack paths to critical assets. With the addition of Confluera, organizations will now have the ability to continuously monitor their cloud environments in real-time to see if they are actually being exploited and effectively block the attacker's progress before any damage is caused.

"We work so well together because we're both looking at the environment through attack path modeling," said Boaz Gorodissky, co-founder and CTO of XM Cyber. "For example, XM Cyber shows our customers how an attacker could take advantage of a cloud secret found in the on-prem environment, move into the cloud, escalate privileges of an EC2, and compromise S3 buckets with sensitive information through a chain of events. Now with Confluera, we will detect if this attack path is actually happening in real time, alert our customers and help them stop the attack before it reaches the S3 buckets."

Confluera co-founder and CTO Abhijit Ghosh, who will be leading the development and integration of the CxDR with XM Cyber as VP CxDR, added: "We are very excited to join forces with XM Cyber to deliver a comprehensive cloud security platform. The technologies complement one another. They cover the prevention and detection aspects of security, with a common attack path modeling-based approach of unifying diverse visibility to identify multi-stage attacks. We are thrilled about leveraging this synergy to address our shared mission of protecting hybrid cloud environments from advanced attacks." Confluera co-founder Niloy Mukherjee further added that "the offensive cybersecurity knowledge of XM Cyber's research team will greatly enrich Confluera's engine to discover and intercept any form of security threat possible across any cloud plane."

The acquisition of Confluera comes less than a year after XM Cyber acquired Cyber Observer to expand its CSPM capabilities.

"Integrating Confluera into our offering just made so much sense. We compared their detection capabilities on workloads with a prominent CWPP solution and were able to detect several attacks that the other CWPP solutions did not. And perhaps just as significantly, it did not create unnecessary noise for the security teams," said Noam Erez, co-founder and CEO of XM Cyber. "Today, security teams are overwhelmed with an overwhelming amount of alerts and multiple security tools that they can't keep track of. They are demanding the consolidation of solutions that can accurately and holistically analyze risk and pinpoint high priority exposures to be remediated efficiently. Confluera aligns perfectly with this core value that we deliver within our suite of services and is a natural fit for us."

The new real-time detection and response capabilities will be available to XM Cyber customers soon. To learn more, please visit: confluera.com. XM Cyber will be attending RSA 2023 and providing demos at their booth #1755 in the South Hall Expo. 

**About XM Cyber** 

XM Cyber is a leading hybrid cloud security company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

**About Confluera**

Confluera is the leading provider of next-generation Cloud eXtended Detection and Response (CxDR) solutions. Founded by Abhijit Ghosh and Niloy Mukherjee, Confluera's patented real-time attack storyboarding, built for hybrid cloud environments, gives organizations full visibility into active attack progressions and helps to drastically reduce the industry average time to detect and respond to advanced attacks. To learn more about Confluera's award-winning solution, visit confluera.com.

XM Cyber Announces Acquisition of Confluera, Adding Run-Time Protection on Cloud Workloads

**WOBURN, Mass.****,** **March 22, 2023** **/PRNewswire/ --** Kaspersky has released new survey results showing that one third of crypto owners in the U.S. have experienced theft of their currency or other assets, at an average cost of $97,583. This, and other findings, are part of a new report, "Crypto Threats 2023," based on a survey of 2,000 American adults in October 2022.

Crypto trading has skyrocketed in popularity in recent years. Twenty-four percent of respondents to the survey said they currently own cryptocurrency or other crypto assets. However, scammers are continuously seeking new ways to capitalize on that popularity and defraud users, with tactics such as impersonating legitimate exchanges or launching phishing attacks to steal login credentials. They also use cryptojacking malware to generate currency by stealing computing resources from unknowing victims.

A third of respondents who said they own or have owned cryptocurrency or other crypto assets said they have fallen victim to a fraudulent crypto\-related website, app or investment scam at some point. Among those victims, 19% said they experienced identity theft as a result, while 27% had payment details stolen and money taken from their bank account.

"From fake apps to cryptojacking, there is a long list of threats lurking online to target cryptocurrencies," said Marc Rivero, senior security researcher at Kaspersky's Global Research and Analysis Team. "Without any regulation or established common knowledge, people need to take care to protect themselves. This survey data shows a lot of people are getting their crypto stolen and even experiencing identity theft. Users should keep a close eye out for scams, and should employ any extra security measures that are available to them, such as multi-factor authentication."

The survey revealed that there is often more users could be doing to protect their crypto assets. On average, respondents said the last time they checked on their crypto investments was six weeks ago. Twenty-seven percent of users said they keep their crypto stored in an exchange account with no added protection, while only 34% use multi-factor authentication to protect their account. Only 15% of users said they use a "cold wallet," storing their crypto in external storage not connected to the internet. Thirty-two percent of respondents who own or have owned cryptocurrency or other crypto assets said they have lost access to a crypto\-related account at some point.

The survey also yielded some interested findings with respect to age differences among crypto traders. Thirty-six percent of respondents aged 25-44 said they currently own cryptocurrency or crypto assets, compared to just 10% of respondents aged 55 and up. Older respondents who do own crypto, however, appeared to be doing a much better job at protecting their assets. Just 8% of crypto owners aged 55+ said they have had cryptocurrency or a crypto asset stolen, and only 14% in that age group said they have fallen victim to a fraudulent crypto\-related app, website or investment scam. Meanwhile, nearly half (47%) of crypto owners aged 18-24 said they had been victimized by theft, with 46% saying they've fallen victim to a scam.

The full report is available here.

In order to avoid falling victim to cryptocurrency\-related scams, Kaspersky recommends:

*   Use strong and unique passwords for each of your crypto accounts. This will help prevent password cracking and brute force attacks.
*   Avoid phishing attacks: Be wary of suspicious emails and links, and always double-check the URL before entering your login information.
*   Don't share your private keys: your private keys unlock your cryptocurrency wallet. Keep them private and never share them with anyone.
*   Use security solutions: a reliable security solution will protect your devices from various types of threats. Kaspersky's consumer portfolio prevents cryptocurrency fraud, as well as unauthorized use of your computer's processing power to mine cryptocurrency.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments, and consumers around the globe. The company's comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

SOURCE Kaspersky

Kaspersky Survey Finds One in Three Users Have Experienced CryptoTheft

With more than $36M nearly swindled away, an almost-successful BEC attempt in the commercial real estate space shows how sophisticated and convincing fraud attacks are becoming.

In an attempt to fraudulently obtain more than $36 million, a threat actor emailed an escrow officer and their client, a commercial real estate company, while impersonating the senior vice president and general counsel of a trusted partner company. The business email compromise (BEC) attack was caught due to a flaw in a domain name, behavioral AI, and an advanced modeling system.

Included in the email was an invoice and instructions for payment for a loan worth $36.4 million. While this may be a number that might ring alarm bells for anyone else, commercial real estate involves the use of large-sum loans, according to an analysis from Abnormal Security, so there was no initial concern. A false company letterhead was used to legitimize the scam, and the cyberattackers added another reputable real estate investment company to the email chain to make it even more convincing. 

The escrow officer may have fallen for it, but the BEC attempt was caught due to artificial intelligence (AI) technology spotting signs of fraud, such as discrepancies in the wiring instructions, newly registered email domains, and irregular language patterns in the email. In addition to this, there was a minor change in the sender domain from ".com" to ".cam."

Though this attempt was caught, BEC attacks are becoming more popular — increasing by 84% in the first half of 2022 alone. They are continuing to prove to be successful against organizations, particularly those without multifactor authentication or security awareness training.

AI might be increasingly necessary to catch ever-more-savvy BEC attacks. "As attackers shift from executive impersonation to vendor fraud and increase their payment requests, the need for security leaders to keep their organizations safe increases," according to Abnormal Security. "Because modern supply chain attacks use seemingly genuine messages, traditional tools which look for indicators like malicious attachments are becoming less effective."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$36M BEC Fraud Attempt Narrowly Thwarted by AI

Administrator shutters the forum on fears that it had been breached by federal authorities but assured members it's not the end for the popular underground hacking site.

The BreachForums underground hacker site — which emerged to replace RaidForums nearly a year ago — now also has gone offline less than a week after its leader was arrested in New York.

The forum's administrator, who goes by the online moniker "Baphomet," said in a post on the group's Telegram channel March 19 that he was closing down the forum due to concerns that the FBI had access to the site, researchers from Dark Owl, a provider of Dark Web data and intelligence, said in a blog post.

Baphomet apologized to members of the forum for closing it down but said he would set up another Telegram group for further information and news, teasing that the launch of another site or other support for their activities was in the works, according to the post.

"I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is," he wrote in the message, according to a screenshot shared in the Dark Owl blog post. "You are allowed to hate me, and disagree with my decision, but I promise what is to come will be better for us all."

**BreachForums Leader Apprehended**

The shutdown came just five days after US federal agents arrested man called Conor Brian Fitzpatrick, who they allege is behind the forum's administrator handle "pompompurin," and its chief operator. Fitzpatrick was arrested in Peekskill, NY, on March 15, according to an affidavit made in a New York district court.

Fitzpatrick was charged with one count of conspiracy to commit access device fraud, and bail was set at $300,000, which was paid for by his parents, Dark Owl researchers said. When arrested, he admitted to his role as admin on BreachForums and the use of the alias, which the researchers said was surprising.

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, allowing users to buy and sell data obtained from cybercriminal activity, with site administrators running an escrow service ensuring that sellers received the funds that they had requested, the researchers said.

Cybercriminals widely used BreachForums to purchase stolen data and host data from controversial leaks, such as data stolen from the Washington, DC, healthcare exchange, they said. Pompompurin also conducted cyberattacks of his own, revealing in an interview for the KrebsOnSecurity site in November 2021 that he was responsible for sending fake emails using the fbi.gov domain, the researchers said.

This behavior is likely what put him in the crosshairs of federal authorities, according to Dark Owl. "He claimed at the time this was done to point out vulnerabilities in the FBI systems, but it undoubtedly put him higher on the FBI's radar, leading to his recent arrest," the researchers wrote.

**What Comes Next?**

Since BreachForums itself came about after the Department of Justice seized what at the time was one of the world's largest hacker forums — RaidForums — and arrested its founder and chief administrator, Portuguese national Diogo Santos Coelho, it's likely that a new forum will emerge from its ashes.

RaidForums was founded in 2015 and, prior to its seizure, was used by its members to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.

BreachForums' Baphomet practically acknowledged that a new underground hacker site is in the works in his post on Telegram, the researchers noted. He said he is working to create new infrastructure that would replace BreachForums and even may collaborate with competitor marketplaces to keep support for members going.

However, for now, the BreachForums onion site is no longer reachable, and cybercriminals who used the site will have to take a wait-and-see approach until its current administrators regroup and create a new forum on which they can conduct their nefarious activity, the researchers said.

For its part, Dark Owl researchers said they "will continue to monitor the Dark Web and adjacent sources, such as Telegram, to identify any news of emerging groups and sites which may take the place of BreachForums."

BreachForums Shuts Down in Wake of Leader's Arrest

Categories: Threat Intelligence
Tags: Magecart

Tags: skimmer

Tags: Kritect

Tags: Magento

Compromised online stores have been injected with skimmers hiding around the Google Tag Manager script. We identified a new one that looked similar at first but is part of a different campaign.



(Read more...)




The post New Kritec Magecart skimmer found on Magento stores appeared first on Malwarebytes Labs.

Threat actors often compete for the same resources, and this couldn't be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once.

In the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website. Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn't seem to be documented yet.

In fact, we saw instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice. In this blog post, we show how the newly found Kritec skimmer was found along side one of its competitors.

**Original campaign using WebSockets**

Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada's largest liquor store (LCBO). While details were not shared at the time, we were able to determine thanks to an archived crawl on urlscan.io that the skimmer was using WebSockets and is the same one as described in Akamai's blog. 

**Kritec campaign**

Akamai notes that they identified multiple compromised websites that had similarities. They also list nebiltech\[.\]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script, but not within it.

We believe this is a different campaign and threat actor altogether. Here are some reasons why:

*   No WebSocket being used
*   Domains abusing Cloudflare
*   Intermediary loader
*   Completely different skimming code

To complicate things, we observed some stores that had both skimmers at the same time, which is another reason why we believe they are not related:

We started calling this new skimmer 'Kritec' after one of its domain names. It has an interesting way of loading the malicious JavaScript we had not seen before either. The injected code calls out a first domain (seen above encoded in Base64) and generates a Base64 response:

Decoding it reveals a URL pointing to the actual skimming code, which is heavily obfuscated (likely via obfuscator.io):

The data exfiltration is also done differently as seen in the image below. On the left, the stolen credit card data is sent via a WebSocket skimmer while on the right, it is a POST request:

**Google Tag Manager variants**

In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another. We mentioned Akamai's blog but it was also documented by Recorded Future. In those instances, the malicious was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.

While the Kritec skimmer hangs around the Google Tag Manager script, we believe it is not related to the other active campaigns. We have been documenting it recently and are reporting the abuse to Cloudflare which it uses to hide its real infrastructure.

Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

**Indicators of Compromise**

WebSocket Skimmer:

cloud-cdn\[.\]org

\--

Kritec skimmer:

kritec\[.\]pics

vitalmob\[.\]pics

flowit\[.\]pics

flagmob\[.\]quest

entrydelt\[.\]sbs

sanpatech\[.\]shop

prijetech\[.\]shop

nebiltech\[.\]shop

kruktech\[.\]shop

lavutele\[.\]yachts

tochdigital\[.\]pics

smestech\[.\]shop

klstech\[.\]shop

shotsmob\[.\]sbs

gemdigit\[.\]pics

nevomob\[.\]quest

vuroselec\[.\]quest

apexit\[.\]yachts

sorotele\[.\]yachts

bereelec\[.\]quest

bereelec\[.\]quest/ww\[.\]min\[.\]js

apexit\[.\]yachts/apex\[.\]min\[.\]js

vuroselec\[.\]quest/dych\[.\]min\[.\]js

nevomob\[.\]quest/elan-loader\[.\]js

gemdigit\[.\]pics/wpp-loader\[.\]js

gemdigit\[.\]pics/sun-loader\[.\]js

klstech\[.\]shop/opencart-cache-worker\[.\]min\[.\]js

tochdigital\[.\]pics/digital\[.\]min\[.\]js

vitalmob\[.\]pics/pre-loader\[.\]js

New Kritec Magecart skimmer found on Magento stores

The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.
According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection.
"

Cyber Threat Intelligence

The North Korean advanced persistent threat (APT) actor dubbed **ScarCruft** is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.

According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection.

"The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday.

ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012.

Last month, ASEC disclosed a campaign that employed HWP files that take advantage of a security flaw in the Hangul word processing software to deploy a backdoor referred to as M2RAT.

But new findings reveal the threat actor is also using other file formats such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents in its spear-phishing attacks against South Korean targets.

These infection chains often serve to display a decoy file and deploy an updated version of a PowerShell-based implant known as Chinotto, which is capable of executing commands sent by a server and exfiltrating sensitive data.

Some of the new capabilities of Chinotto include capturing screenshots every five seconds and logging keystrokes. The captured information is saved in a ZIP archive and sent to a remote server.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The insights about ScarCruft's various attack vectors come from a GitHub repository maintained by the adversarial collective to host malicious payloads since October 2020.

"The threat actor was able to maintain a GitHub repository, frequently staging malicious payloads for more than two years without being detected or taken down," Zscaler researchers said.

Outside of malware distribution, ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.

It's however not clear how these pages are accessed by the victims, raising the possibility that they may have been embedded inside iframes on websites controlled by the attacker or sent as HTML attachments via email.

Also discovered by SEKOIA.IO is a piece of malware named AblyGo, a backdoor written in Go that utilizes the Ably real-time messaging framework to receive commands.

The use of CHM files to smuggle malware appears to be catching on with other North Korea-affiliated groups as well, with ASEC uncovering a phishing campaign orchestrated by Kimsuky to distribute a backdoor responsible for harvesting clipboard data and recording keystrokes.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques

On Thursday, Shou Zi Chew will meet a rare united front in the US Congress against the Chinese-owned social media app that has lawmakers in a tizzy.

March has been brutal for TikTok. Last week, the UK joined the US, Canada, and Belgium in banning TikTok on government devices. And FBI director Christopher Wray warned lawmakers that misinformation spread through the app can “divide Americans.” At the start of the month, Senate intelligence chair Mark Warner unveiled a new measure, the Restrict Act, which would enable the US commerce secretary to ban TikTok and any other tech from six “hostile” nations that the US intelligence community deems a national security threat.

The White House supports Warner’s bill, and the multi-agency Committee on Foreign Investment in the United States told TikTok it would be banned unless it’s completely divested from ByteDance. Lawmakers in both parties welcomed that announcement. “It’s a step toward banning them,” says senator Roger Wicker, a Mississippi Republican.

While many lawmakers embraced White House pressure, they aren’t sitting on the sidelines as they did when former president Donald Trump tried to ban TikTok through executive orders, which the courts ultimately shot down.

“I think it's absolutely a good first step. I'm not sure it's going to get us everywhere we want to be,” says senator John Hickenlooper, a Colorado Democrat. “I don't think we want to have a Chinese-owned company to have that kind of access to not just our kids, our culture.”

It’s not just espionage that worries lawmakers, who argue the app has a vulnerable captive audience among young people in the US. TikTok recently unveiled new efforts to limit users’ exposure to the app, including an hour-per-day time limit for children under 18, but it fails to address lawmaker’s concerns. “I'm not sure TikTok is a healthy ingredient to add to our children's psychological diet,” Hickenlooper says.

TikTok did not respond to WIRED's request for comment.

More than half of states prohibit TikTok’s use on government devices, and it’s banned by dozens of public schools, from grade schools to some of the nation’s largest universities. Tennessee attorney general Jonathan Skrmetti is leading an investigation on behalf of 46 states into whether the app is detrimental to children’s mental health. The US Department of Justice, meanwhile, is investigating reports that TikTok staffers spied on US journalists.

In short, Chew faces a daunting assignment given the hostility that awaits him at 10 am ET tomorrow. 

The debate at the Capitol is now over _how_ to punish TikTok, not _whether_ to punish TikTok. After supporting the Senate’s unanimous consent agreement to ban the app on government devices in December, senator Rand Paul, a Kentucky Republican, is one of the few lawmakers opposed to an outright ban. “I’m against banning TikTok. I think it violates the First Amendment. I think it also violates the prohibition on bills of attainder where one company is targeted by government,” Paul says. 

Other lawmakers dismiss claims that a TikTok ban would be unconstitutional. “We're not regulating the speech of the company, we're regulating the way it uses its data and its ownership on how it creates a national security vulnerability,” says Marco Rubio, the Senate Intelligence Committee vice chair and Florida Republican. 

With the Senate in Democrats’ hands and the House controlled by Republicans, TikTok is one of the few areas where the two chambers seem to agree. 

“TikTok in its current construct is unacceptable,” says senator Lindsey Graham, a South Carolina Republican. “I'd like to come up with a construct that people could enjoy the service, like 100 million people do, and not empower communist China. That's my preferred outcome.”  

With broader data privacy measures stalled in Congress and antitrust measures shelved by the new House Republican majority, TikTok has become the Big Tech bogeyman for both parties. And both parties seem fine with that—at least for now. “The reason why this is a good place to start is because we’re all agreed,” Krishnamoorthi says. “You may disagree about which American companies handle our data best, but nobody disagrees that the Chinese Communist Party should not have access to our private data.”

Tag

#intel