Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks

A recent report has shown that an unidentified threat actor used a self-extracting archive (SFX) file to attempt to establish persistent backdoor access to a victim’s environment.

SFX files are capable of extracting data without needing dedicated software, but they can also contain hidden malicious functionality. In this particular case, compromised credentials were used to run a legitimate Windows accessibility application called Utility Manager (utilman.exe) and launch a password-protected SFX file.

The SFX archive acted as a password-protected backdoor by exploiting WinRAR setup options, rather than containing malware. It could run PowerShell, Command Prompt, and Task Manager with system privileges by providing the right password to the archive. Traditional antivirus software might not detect this type of attack because it is not looking for behaviour from an SFX archive decompressor stub, instead looking for malware inside an archive.

SFX files have been used before in attacks; for example, in September 2022, a malware campaign used links to password-protected files to propagate RedLine Stealer. Therefore, it’s recommended that SFX archives are analysed through unarchiving software to identify any potential scripts or binaries that extract and run upon execution to reduce the threat.

Source – https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks

Google’s Threat Analysis Group has linked a cluster of attacks on government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. to a North Korean government-backed threat actor called ARCHIPELAGO.

The group is a subset of APT43 and is believed to have been active since 2012. ARCHIPELAGO targets individuals with expertise in North Korea policy issues, aligning with the priorities of North Korea’s Reconnaissance General Bureau.

Its phishing emails contain malicious links that redirect to fake login pages designed to harvest credentials. ARCHIPELAGO invests time building a rapport with targets, corresponding with them by email before sending malicious links or files.

It is also known to use the browser-in-the-browser technique to render rogue login pages inside actual windows to steal credentials. ARCHIPELAGO also employs fraudulent Google Chrome extensions to harvest sensitive data.

The group has evolved from basic credential phishing to advanced and novel techniques such as custom Chrome extensions and the use of Google Drive for command-and-control. The phishing messages have posed as Google account security alerts to activate the infection, with the group hosting malware payloads like BabyShark on Google Drive in the form of blank files or ISO optical disc images.

Source – https://thehackernews.com/2023/04/google-tag-warns-of-north-korean-linked.html

Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques

The developer of Typhon Reborn, an information-stealing malware, has released an updated version that improves its anti-analysis and data-stealing features. The new version, which has been offered for sale on the dark web for $59 per month or $540 for a lifetime subscription, is marketed as an improvement over the older, unstable Typhon Stealer.

The updated version has removed keylogging and cryptocurrency mining features to reduce the chances of detection and also includes anti-analysis and anti-virtualisation checks to evade detection. It also transmits collected data via HTTPS using the Telegram API. Unlike the previous version, it removes its persistence features and terminates itself after exfiltrating data. Typhon Reborn V2 targets systems globally except those in Ukraine and Georgia.

In a related development, a new Python-based malware called Creal that targets cryptocurrency users has been discovered. It siphons data from Chromium-based web browsers, instant messaging, gaming, and crypto wallet apps. The source code of Creal is available on GitHub, enabling other threat actors to alter it to suit their needs. The use of open source code in malware is growing, as it enables cybercriminals to create customised and sophisticated attacks at minimal costs.

Source – https://thehackernews.com/2023/04/typhon-reborn-stealer-malware.html

Law Firm for Uber Loses Drivers’ Data to Hackers in Yet Another Breach

A law firm representing Uber Technologies has notified an unknown number of its drivers that sensitive data, including their names and Social Security numbers, has been stolen by cyberattackers. It’s the third data breach in six months for the ride-share giant.

Law firm Genova Burns LLC, based in Newark, NJ, first noticed suspicious activity at the end of January, and discovered that its systems had been compromised and data on an undisclosed number of Uber drivers had been stolen, according to a letter published online on April 4. Uber sent the information to the law firm in connection with its legal representation, the letter stated.

Some major breaches have targeted legal firms, which typically hold very sensitive data and often do not have a dedicated information-security director. In January and February, two cybercriminal campaigns — GootLoader and SocGholish — hit six different law firms with cyberattacks. Notably, the cyberattackers behind GootLoader used search terms that refer to contracts, agreements, and other legal forms as bait in a drive-by download campaign.

By using malicious search engine optimisation techniques, the attackers in that case lured potential victims to malicious sites, which then attempt to compromise the user’s machine with their malware.

Uber has been a frequent target of hackers. The ride-sharing service provider had previously leaked information on 50,000 drivers and their license plates in May 2014, followed by a more serious breach in October 2016, when cybercriminals gained access to the private data of 57 million Uber users. In 2022, two more attacks — one through a third-party cloud provider — successfully captured sensitive data, and one resulted in the company’s CISO resigning.

Genova Burns joins a growing group of law firms that have become victims of cyberattackers. In 2021, attackers accessed systems at Campbell Conroy & O’Neill, a law firm with hundreds of major corporate clients, that included names, birthdates, driver’s license numbers, Social Security numbers, passport numbers, and even medical information.

Source – https://www.darkreading.com/attacks-breaches/law-firm-uber-loses-drivers-data-hackers-breach

Arid Viper Hacking Group Using Upgraded Malware in Middle East Cyber Attacks

The threat actor known as Arid Viper also known as Mantis, APT-C-23 and Desert Falcon has been using updated versions of its malware toolkit to target Palestinian entities since September 2022.

Mantis has been linked to attacks on Palestine and the Middle East since at least 2014 and is believed to be based in Palestine, Egypt, and Turkey. The group uses homemade malware tools such as ViperRat, FrozenCell, and Micropsia to execute and conceal its campaigns across Windows, Android, and iOS platforms.

Mantis has been observed going to great lengths to maintain a persistent presence on targeted networks, using spear-phishing emails and fake social credentials to lure targets into installing malware on their devices. The most recent attacks described involve the use of updated versions of Micropsia and Arid Gopher implants to breach targets and exfiltrate stolen data.

Arid Gopher, which is an executable coded in the Go programming language, is a variant of the Micropsia malware that was first documented in March 2022. Micropsia is designed to log keystrokes, take screenshots, and save Microsoft Office files within RAR archives for exfiltration using a bespoke Python-based tool. Mantis moved to deploy three distinct versions of Micropsia and Arid Gopher on three sets of workstations between December 18, 2022, and January 12, 2023, as a way of retaining access. Arid Gopher has received regular updates and complete code rewrites, with the attackers aggressively mutating the logic between variants to evade detection.

In April 2022, high-profile Israeli individuals employed in sensitive defense, law enforcement, and emergency services organizations were targeted with a novel Windows backdoor called BarbWire. Previous reporting has linked Mantis to the cyber warfare division of Hamas.

Mantis appears to be a determined adversary, willing to put time and effort into maximising its chances of success. The group rewrites its malware extensively and compartmentalizes attacks against single organizations into multiple separate strands to reduce the chances of the entire operation being detected. The threat actors are believed to be native Arabic speakers and have shown an ability to adapt their tactics and techniques over time.

Source – https://thehackernews.com/2023/04/arid-viper-hacking-group-using-upgraded.html

FBI seizes stolen credentials market Genesis in Operation Cookie Monster

The FBI has seized the domains and infrastructure of Genesis Market, a popular marketplace for stolen credentials, as part of Operation Cookie Monster.

While the administrators of the marketplace have not been caught or identified, the takedown has prompted a large number of arrests around the world, with 119 users of the platform arrested and 208 properties searched.

Genesis Market started in 2017 and by 2020 became the most popular online shop for account credentials for various services, device fingerprints, and cookies.

The platform used custom JavaScript code dropped on victim machines to collect logins and fingerprint data to compose digital identities, with profits coming from renting the account identities through bots that provided stolen accounts and sensitive info, complete with the fingerprint data that made the access appear legitimate.

Genesis Market offered access to a wide list of services with user accounts from all over the world, including Gmail, Facebook, Netflix, Spotify, WordPress, PayPal, Reddit, Amazon, LinkedIn, Cloudflare, Twitter, Zoom, and Ebay.

According to the Dutch Police, one victim lost almost €70,000 after a Genesis Market customer used his digital identity to make various online purchases, while the Romanian Police seized more than $200,000 in cash and over 9 kilograms of pure gold following a raid on a suspected cybercriminal who used Genesis Market.

Users who want to check if their accounts were compromised and sold on Genesis Market can check a portal from the Dutch Police specifically built for this purpose.

Source – https://www.bleepingcomputer.com/news/security/fbi-seizes-stolen-credentials-market-genesis-in-operation-cookie-monster/

Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies

Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that’s both sophisticated and fast.

Rorschach stands out from other ransomware strains due to its high level of customisation and its technically unique features that have not been seen before in ransomware. Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption.

Analysis of Rorschach’s source code revealed similarities to Babuk ransomware, which suffered a leak in September 2021, and LockBit 2.0. On top of that, the ransom notes sent out to the victims appear to be inspired by that of Yanluowang and DarkSide.

The most significant aspect of the intrusion is the use of a technique called DLL side-loading to load the ransomware payload, a method rarely observed in such attacks. The development marks a new sophistication in the approaches adopted by financially motivated groups to sidestep detection. Specifically, the ransomware is said to have been deployed by abusing Palo Alto Network’s Cortex XDR Dump Service Tool (cy.exe) to sideload a library named “winutils.dll.”

Another unique characteristic is its highly customisable nature and the use of direct syscalls to manipulate files and bypass defense mechanisms.

Rorschach ransomware is also tasked with terminating a predefined list of services, deleting shadow volumes and backups, clearing Windows events logs to erase forensic trail, disabling the Windows firewall, and even deleting itself after completing its actions.

The ransomware, like other malware strains observed in the wild, skips machines that are located in the Commonwealth of Independent States (CIS) countries by checking the system language. The Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes.

This process is designed to only encrypt a specific portion of the original file content instead of the entire file, and employs additional compiler optimization methods that make it a “speed demon.” In five separate tests in a controlled environment, 220,000 files were encrypted using Rorschach within four minutes and 30 seconds on average. LockBit 3.0, on the other hand, took approximately seven minutes.

Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects. Additionally, Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks.

The findings come as two emerging ransomware families called PayMe100USD, a Python-based file-locking malware, and Dark Power, which is written in the Nim programming language have been identified.

Rorschach attacks have been seen targeting small and medium-sized companies and industrial firms across Asia, Europe, and the Middle East.

Source – https://thehackernews.com/2023/04/rorschach-ransomware-emerges-experts.html

4.8 Million Impacted by Data Breach at TMX Finance

Consumer loan company TMX Finance has started informing over 4.8 million individuals that their personal information was stolen in a data breach.

Operating roughly 1,100 stores in 15 states, TMX offers loans under three brands, namely TitleMax (title lending services), TitleBucks (car title loans), and InstaLoan (fast-approval personal loan services).

The data breach was identified on February 13, 2023, and impacted the customers of all services, reads the notification letter to the affected individuals, a copy of which was submitted to the Maine Attorney General’s Office.

According to TMX, the attackers accessed its systems in December 2022, but the data exfiltration only happened between February 3 and February 14, 2023.

Compromised personal information includes names, addresses, phone numbers, email addresses, birth dates, driver’s license and passport numbers, ID numbers, Social Security numbers, tax identification numbers, and/or financial account details. The company says it has contained the incident and rotated all employee passwords but continues to monitor its network for suspicious activity. It also informed law enforcement of the incident.

TMX informed the Maine Attorney General that more than 4.8 million individuals were impacted by the data breach. The company did not say how the intruders gained access to its network and whether ransomware was used in the attack.

TMX is facing a class action lawsuit as a result of the data breach.

Source – https://www.securityweek.com/4-8-million-impacted-by-data-breach-at-tmx-finance/

Capita cyberattack disrupted access to its Microsoft Office 365 apps

British outsourcing services provider Capita announced today that a cyberattack on Friday prevented access to its internal Microsoft Office 365 applications. London-based Capita employs 50,000 specialists and offers a wide range of services for clients in the finance, IT, healthcare, education, and government sectors.

Among its customers are critical infrastructure organisations in the U.K. such as the National Health Service (NHS), the UK military, and the Department for Work and Pensions, as well as prominent companies like O2, Vodafone, and the Royal Bank of Scotland.

The cyber incident prompted Capita on March 31 to announce an IT issue that impacted its internal systems. The company did not offer any other details about what caused the incident, though. In a short press release today, Capita acknowledge that the outage was caused by a cyberattack. The incident occurred at 4 AM on Friday and it was discovered three hours later, when staff attempted to log into the system.

The company said that its immediate reaction successfully isolated and contained the security issue.

The disclosure informs that the attack impacted limited parts of the network and that the investigation did not find indications that data belonging to its customers, suppliers, or staff, has been exposed during the intrusion.

“Our IT security monitoring capabilities swiftly alerted us to the incident, and we quickly invoked our established and practiced technical crisis management protocols. The issue was limited to parts of the Capita network, and there is no evidence of customer, supplier, or colleague data having been compromised” – Capita

Capita says that the disruption only affected some services provided to individual clients, while most of its customer base didn’t experience any adverse impacts. The company has provided no details about the parties impacted by the cyberattack.

However, there are indications that the boroughs of Barnet, Dagenham, Barking, and the South Oxfordshire council – all of them clients of Capita – were impacted as they posted notifications on their websites that phone and email servers were unavailable.

Currently, Capita is working towards the complete restoration of access to Microsoft Office 365 and other client services and reports progress with this endeavour.

Source – https://www.bleepingcomputer.com/news/security/capita-cyberattack-disrupted-access-to-its-microsoft-office-365-apps/

Fake ransomware gang targets U.S. orgs with empty data leak threats

Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid. Sometimes the actors add the menace of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the message.

The attackers behind this activity use the name Midnight and started targeting companies in the U.S. since at least March 16. They have also impersonated some ransomware and data extortion gangs in emails and claimed to be the authors of the intrusion, stealing hundreds of gigabytes of important data.

In one email to the employee of a holding company in the industry of petroleum additives, the threat actor claimed to be the Silent Ransom Group (SRG) – a splinter of the Conti syndicate focused on stealing data and extorting the victim, also known as Luna Moth. The same message, however, used in the subject line the name of another threat actor, the Surtr ransomware group, first seen to encrypt company networks in December 2021.

The messages were sent to the address of a senior financial planner that had left the target company more than half a year before.

It’s a new wave of fake extorsion attempts where the authors use the names of better-known cybercriminals in an attempt to intimidate and give legitimacy to the threat. This method is cheap and easily conducted by low-skilled attackers. Much like 419 wirefraud scams, the scam relies on social engineering to extort victims by placing pressure on the victim to pay before a deadline. This trend is expected to continue indefinitely due to its cost effectiveness and ability to continue to generate revenue for cybercriminals.

Incidents like this have been identified since 2021, although activity started in early November 2019, when non-paying victims also experienced DDoS attacks. Nevertheless, the attacks were low-level DDoS and came with the threat of larger ones unless the extortionists got paid. Such incidents echo the activity of an extortion group that in 2017 sent DDoS threats to thousands of companies under the names of infamous hacker groups at the time (e.g. New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous).

It is unclear how victims are selected but one possibility is from publicly available sources, such as the initial attacker’s data leak site, social media, news reports, or company disclosures. However, the fake attackers identified some ransomware victims even when the info was not publicly available, possibly indicating collaboration with the initial intruders.

Ransomware actors often sell the data they steal from victims even when they get paid. If Midnight Group has access to the markets and forums where this data is traded or sold they could learn about ransomware victims that have yet to disclose the cyberattack.

Midnight Group’s extortion scam is not new. The tactic has been observed in 2019 by ransomware incident response company Coveware who calls it Phantom Incident Extortion.

The recommendation is to carefully analyse such emails to recognise the components of a phantom incident extortion message and dismiss them as an empty threat.

Source – https://www.bleepingcomputer.com/news/security/fake-ransomware-gang-targets-us-orgs-with-empty-data-leak-threats/

Smarttech247