Espionage Group APT33 Targeting Various Organizations in Saudi Arabia and the US by Deploying a Variety of Malware in Their Networks

The espionage group known as APT33 (Elfin), known for explicitly targeting corporate networks, has set its sights on various organizations in Saudi Arabia and the US, deploying an assortment of malware in their networks.

The group has reportedly compromised around 50 organizations in various countries since 2015. Its targets so far have included governments as well as organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms and several other sectors.

The attackers scan for vulnerable websites belonging to a particular target and, if a site is successfully compromised, later use it either as a command-and-control server or for malware attacks.

Although the group has primarily focused on Saudi Arabia, which accounts for 42% of attacks since 2016, it has also compromised 18 organizations in the U.S. alone in recent years.

In the U.S., Elfin targeted organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors.





In these attacks, Elfin is reported to have used a mix of open-source hacking tools, custom malware and commodity malware to compromise its diverse targets.

Elfin makes use of several publicly available hacking tools, including:
  • LaZagne (SecurityRisk.LaZagne): A login/password retrieval tool
  • Mimikatz (Hacktool.Mimikatz): Tool designed to steal credentials
  • Gpppassword: Tool used to obtain and decrypt Group Policy Preferences (GPP) passwords
  • SniffPass (SniffPass): Tool designed to steal passwords by sniffing network traffic

The group has also used a number of commodity malware tools in these attacks, malware that is available for purchase on the cyber underground, including:
  • DarkComet (Backdoor.Breut)
  • Quasar RAT (Trojan.Quasar)
  • NanoCore (Trojan.Nancrat)
  • Pupy RAT (Backdoor.Patpoopy)
  • NetWeird (Trojan.Netweird.B)

Its custom malware includes Notestuk (Backdoor.Notestuk), a backdoor used to gather information, and Stonedrill (Trojan.Stonedrill), custom malware capable of opening a backdoor on an infected computer and downloading additional files.


London hackers may be behind ransomware attack on Lucknow hotel

In a first-of-its-kind ransomware attack in Lucknow, cybercriminals breached and locked the computer system of The Piccadily, a five-star hotel in the capital of Uttar Pradesh, and demanded a ransom to restore data access. Ransomware is malware planted in a system by an attacker that blocks the owners' access until a ransom is paid.

The hotel management lodged an FIR with the cyber cell of the police and also brought in private cyber detectives to probe the crime and suggest a remedy.

The hotel's finance controller in Alambagh, Jitendra Kumar Singh, lodged an FIR on March 9, stating that the hotel staff were unable to access the computer system on February 27 around 11:45 pm while they were updating monthly business data. This was followed by screen pop-ups which read "Oops, your important files are encrypted". The staff initially ignored the pop-ups and rebooted the system, after which it crashed. Later, the hotel management engaged a software engineer to track down the malfunction, and it came to light that the system had been hit by ransomware.

Nodal officer of the cyber cell, deputy superintendent of police (DySP) Abhay Mishra, said the case happens to be the first of its kind of ransomware attack in the city. The demand for ransom in such cases is also made through 'Bitcoin', he said. "They are investigating into the matter, but are yet to make any breakthrough," Singh told TOI.

The cyber cell of Lucknow police believes the ransomware attack could have been launched from London. Sleuths of the cyber cell made this claim after authorities at the Piccadily said they had been getting frequent phone calls from a London-based number after the attack.

Singh said, “We received for calls from the same number a day after the attack. The callers inquired about the ransomware attack and asked about the progress in the case. Later, they also agreed to offer assistance.”

Anubis Malware Re-Emerges Yet Again; Hackers Distributing It via Google Play Store

The Anubis banking malware has resurfaced, with threat actors distributing it through Google Play Store applications in order to steal login credentials for banking apps, e-wallets and payment cards.

Attackers are constantly finding new ways to bypass Google Play Store security and to distribute malware through Android applications that act as the first stage of an "infection routine", fetching the BankBot Anubis mobile banking Trojan from a C&C server.

Users are frequently infected once they download and install the malicious applications from the Google Play Store. Although Play Store security examines all applications uploaded to Google Play, cybercriminals consistently use complex and obscure techniques to evade detection.

Researchers recently discovered new downloaders in the app store that are linked to the Anubis banking malware. The campaign is known to contain at least 10 malicious downloaders disguised as various applications. The downloaders distributed through Android applications are known to have fetched more than 1,000 samples from the criminals' command-and-control (C&C) servers.

“In most Android banking Trojans, the malware launches a fake overlay screen when the user accesses a target app. The user then taps his or her account credentials into the fake overlay, which allows the malware to steal the data. BankBot Anubis streamlines this process.”

Cybercriminals upload applications to the Google Play Store that are made to look like legitimate ones; they compromise users by leading them to believe they are being provided an "expert" service.

The researchers also found that these malicious Play Store applications, which posed as legitimate ones, mostly targeted Turkish-speaking users, and the downloader applications in this particular campaign were designed to address Turkish users only, with a few different botnets and configurations.

These applications were uploaded under various categories, ranging from online shopping to financial services and even an automotive app.

According to an analysis by X-Force, the changes in the downloader application suggest that it is being maintained on an ongoing basis, another sign that it is a commodity offered to cybercriminals or to a particular group focused specifically on defrauding Turkish mobile banking users.

Once the malicious downloader is installed on the victim's Android device, the app fetches BankBot Anubis from one of its C&C servers. The BankBot Anubis malware coerces users into granting accessibility permission by posing as an application called "Google Protect."

With this accessibility permission, the malware acts as a keylogger, capturing the infected user's credentials on the mobile device.

BankBot Anubis is also known to target users in numerous countries, for example Australia, Austria, Azerbaijan, Belarus, Brazil, Canada, China, Czech Republic, France, Georgia, Germany, Hong Kong, India, Ireland, Israel, Japan, Kazakhstan, Spain, Taiwan, Turkey, U.K. and U.S.


Hackers Target Travel Firm to Plunder Hundreds of Thousands from Clients

Cybercriminals have targeted the travel firm Booking.com in a bid to plunder hundreds of thousands of pounds from its clients.

Clients were sent WhatsApp and text messages claiming a security breach that meant they needed to change their password.

However, the link gave the attackers access to the bookings, and they then sent follow-up messages requesting full payment for holidays in advance, with false bank details provided.

David Watts, a marketing manager from Newcastle, received a WhatsApp message but recognised it as a scam. He stated: "It looked exceptionally reasonable and I can now believe how people fell for it."

The messages seemed genuine as they included personal information such as names, addresses, telephone numbers, dates and booking prices, as well as reference numbers.





Code signing Certificates created on demand for Cybercriminals

Many organizations have recently begun using code-signing certificates to authenticate their software and protect it against tampering. Malware authors, too, have long been using such certificates on their malicious payloads in order to sneak past enterprise anti-malware tools.

New research by Recorded Future shows that a growing number of code-signing certificates in the cyber underground are being created on demand for specific buyers by Dark Web vendors using stolen corporate identities. Each certificate is unique to the buyer and is usually delivered within two to four days.

The certificates are nevertheless issued by reputable companies such as Symantec, Comodo and Thawte, and are available at prices ranging from $299 to $1,599.

Using code-signing certificates to distribute malware is not new, but recently more malware authors have come to depend on the technique as a way to distribute malware.

"We do not have information on what percentage of all certificates circulating in the Dark Web were obtained using compromised corporate credentials," says Andrei Barysevich, director of advanced collection at Recorded Future. "However, considering the malicious intent of hackers when utilizing such certificates, it is safe to assume that a high proportion of them were obtained fraudulently."

Code-signing certificates give users a way to verify the identity of the publisher and the integrity of the code. Malware signed with a valid code-signing certificate is therefore hard to spot, since most anti-malware tools and browsers assume the payload can be trusted because it comes from a trusted publisher.

A recent incident that sparked widespread interest was reported last October by the security vendor Venafi, following a six-month investigation that revealed a thriving market for code-signing certificates on the Dark Web.

The research, conducted by the Cyber Security Research Institute, showed that such certificates are more expensive than stolen US passports, credit cards and even handguns. Venafi found that stolen code-signing certificates are being used in a wide range of malicious activity, including man-in-the-middle attacks, malware obfuscation, website spoofing and data exfiltration, and can fetch up to $1,200 in underground markets.

Recorded Future researchers say their investigation shows that cybercriminals are now offering newly issued code-signing certificates and domain-name registration services with SSL certificates. They first observed a Dark Web vendor selling such certificates in 2015. Since then, they have seen at least three new actors selling code-signing certificates obtained from major CAs using stolen corporate credentials. One of the vendors has since moved on to other activities, while the remaining two continue to sell counterfeit certificates, primarily to Russian threat actors.

The cost of these certificates means they are likely to be of most interest to attackers with specific motives in mind, Barysevich says.

"Attackers who are engaged in targeted campaigns, such as corporate espionage or bank infiltration, are the most likely buyers of counterfeit code-signing certificates," he added further.
"That being said, there are many applications of compromised SSL EV {Extended Validation Assurance} certificates, and they could be used in a more widespread malware campaign."


Basic certificates without EV assurance are nonetheless available from the vendors for $600, roughly twice the $295 that an organization would normally pay for a code-signing certificate for legitimate use.

Cyber criminals convicted of stealing more than £1 million using Fake job ads

An organized criminal network of five men and one woman has been convicted of stealing more than £1 million from job hunters using fake job advertisements.

The members of the network are Adjibola Akinlabi (aged 26), Damilare Oduwole (26), Michael Awosile (27), Nadine Windley (26) and Temitope Araoye (29), along with malware writer Tyrone Ellis (27).

The evidence gathered by the authorities, including phone and online chat records, shows that they made more than £300,000 from their fraud scheme. However, officers believe the figure could be much higher, possibly more than £1 million ($1.6m).

According to the National Crime Agency report, the fraudsters targeted innocent job hunters with fake job ads. Those who responded to the ads were sent a link via email asking them to complete an application form. Once a user clicked the link, malware was inadvertently installed on the victim's system.

The malware is capable of recording keystrokes and capturing the victim's financial and personal data.

The fraudsters used the stolen information to obtain new credit and debit cards and PIN numbers.

The crooks will remain in custody and are expected to be sentenced on Thursday 14 November.

New Trojan targeting South Korea sets Anonymous Wallpaper in infected system

After publishing details about a new DDoS attack carried out by a group called "DarkSeoul" against South Korean sites, Symantec researchers have come across a new piece of malware designed to wipe the disks of infected systems.

The malware, detected as Trojan.Korhigh, is capable of deleting files and overwriting the Master Boot Record (MBR). It is also capable of changing user passwords to "highanon2013" and deleting specific file types, including asp, html, php and jsp.

Interestingly, the cybercriminals behind the malware designed the Trojan to change the wallpaper of compromised computers to an Anonymous image.

The Trojan also attempts to gather system information, including the OS version, computer name and current date, and sends it to a remote server.

Mumbai Police salary accounts hacked, Money withdrawn in Greece


Cybercriminals have reportedly targeted the salary accounts of Mumbai Police and managed to withdraw money from them.

According to an NDTV report, cybercriminals managed to withdraw money from the Axis Bank accounts of at least 14 policemen from ATMs in Greece.

It appears hackers in Greece carried out this heist by cloning the ATM cards of policemen in Mumbai.

At this time, there is no further information about how much money has been withdrawn or how many policemen have been affected by the heist.

The Mumbai police have formed a team to investigate the hack, and the bank has been asked to investigate as well.

CyberCriminals leverage CNN Open Redirect vulnerability for spreading spam

Today, I (@BreakTheSec) came across a diet spam campaign that leverages an open redirect vulnerability in one of the top news organizations, CNN.

"The diet porgram you told us about yesterday is soo good! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me" reads one of the tweets posted from the spammers' Twitter account.

The tweet shows that the cybercriminals managed to leverage the open redirect flaw on CNN's site to send Twitter users to diet spam websites.

"I love myself even more after I started your diet porgram [link]" the spam tweets read. "Yahoo made an article about how amazing your new diet program is!! You look amazing"

The technique provides several advantages to the cybercriminals, including:
  • Gaining the trust of users, who see a link to a well-known news site
  • URL filtering won't block users from accessing the URL, because the request goes to CNN; the CNN website then redirects the user to the scam website.
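As an added illustration (not code from the original post), here is a defender-side check for the pattern described above: it flags links that bounce through a redirector to an off-site host, in both the query-string form seen on cgi.cnn.com and the path form seen on us.ard.yahoo.com, and shows the allow-list check a redirector endpoint should apply instead. The sample tweets are constructed from the ones quoted in the post; the edition.cnn.com article URL and evil.example are assumed placeholders.

```python
import re
from urllib.parse import urlparse, unquote

# Any absolute http(s) link, including the defanged "hxxx://" spelling used
# in the article, up to the next whitespace or quote character.
EMBEDDED_URL = re.compile(r'h(?:xx[px]|ttp)s?://[^\s"\'<>]+', re.IGNORECASE)

def refang(url):
    """Turn a defanged hxxp:// or hxxx:// link back into http:// for parsing."""
    return re.sub(r'^hxx[px](s?)://', r'http\1://', url, flags=re.IGNORECASE)

def embedded_targets(url):
    """Off-site hosts a link would bounce the visitor to: an absolute URL
    embedded in the query (CNN form: redir?URL=http://...) or in the path
    (Yahoo form: .../*http://...) pointing at a host other than the outer one.
    """
    outer = urlparse(refang(url))
    outer_host = (outer.hostname or "").lower()
    targets = []
    # Decode percent-encoding first so URL=http%3A%2F%2F... is caught too.
    for fragment in (unquote(outer.query), unquote(outer.path)):
        for inner in EMBEDDED_URL.findall(fragment):
            inner_host = (urlparse(refang(inner)).hostname or "").lower()
            if inner_host and inner_host != outer_host \
                    and not inner_host.endswith("." + outer_host):
                targets.append(inner_host)
    return targets

def scan_tweets(tweets):
    """Return (redirector_host, destination_host) for every flagged link."""
    findings = []
    for tweet in tweets:
        for link in EMBEDDED_URL.findall(tweet):
            redirector = (urlparse(refang(link)).hostname or "").lower()
            for destination in embedded_targets(link):
                findings.append((redirector, destination))
    return findings

def safe_redirect_target(requested, allowed_hosts, fallback="/"):
    """What a redirector should do instead of forwarding anywhere: honour only
    allow-listed absolute URLs or plain same-site paths; protocol-relative
    //host and backslash variants fall back to a safe local page."""
    if "\\" in requested:
        return fallback
    parsed = urlparse(requested)
    if parsed.scheme in ("http", "https") \
            and (parsed.hostname or "").lower() in allowed_hosts:
        return requested
    if not parsed.scheme and not parsed.netloc \
            and parsed.path.startswith("/") and not parsed.path.startswith("//"):
        return requested
    return fallback

# Constructed sample tweets based on the ones quoted above; the second link
# is a made-up benign article URL and the Yahoo link is shortened.
SAMPLE_TWEETS = [
    "The diet porgram you told us about yesterday is soo good! "
    "hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me",
    "Read the story: hxxx://edition.cnn.com/2013/05/23/some-article",
    "hxxx://us.ard.yahoo.com/SIG=15ohh3h62/R=0/*hxxx://bit.ly/HealthDiet2",
]
```

Running `scan_tweets(SAMPLE_TWEETS)` flags only the two redirector links, leaving the direct CNN article link alone.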

After further research, I discovered the spammers have also managed to exploit the open redirection security flaw in Yahoo.

"hxxx://us.ard.yahoo.com/SIG=15ohh3h62/M=722732.13975606.14062129.13194555/D=regst/S=150002347:R2/Y=YAHOO/EXP=1275539597/L=hnNys0Kjqbp5Cok8Sr10cAJDTPYa3UwHFG0AANhn/B=VSDoPmKJiUs-/J=1275532397077354/K=rS6pwy3MN2NPP7SBqBCOAQ/A=6097785/R=0/SIG=11o4aqdmv/*hxxx://bit.ly/HealthDiet2"

This is not the first time the CNN website has been abused by cybercriminals. In 2010, spammers managed to exploit an open-redirect vulnerability in "ads.cnn.com".

*Update: Security researcher Janne Ahlberg discovered that @50Cent, who has 7.6M followers, fell victim to this spam campaign and retweeted the spam tweet:

The screenshot apparently shows the tweet was posted on 23rd May 2013. At the time of writing, the tweet still appears in the account.

*Update 2:
The cybercriminals' campaign, which mentions various celebrities and media organizations in its tweets, appears to be succeeding: one more celebrity has fallen victim to the spam campaign.

"“@honshadey: @ChiefKeef So happy you released a diet program! THANKS! hxxx://cgi.cnn.com/cgi-bin/redir?URL=hxxx://tumblrhealth.me …”Bitch U Know i aint Got no Diet Program 😒" Keith Cozart, better known by his stage name Chief Keef, an American rapper from Chicago, replied to the spam tweet.

Unfortunately, more than 400 followers have retweeted the post, which helps the spammers spread their campaign.

Cybercriminals hijacked Twitter accounts of Cher and Alec Baldwin

American singer and actress Cher fell victim to the Twitter account hacks. Cybercriminals hijacked her account and posted a message about a diet brand.

She came to know about the security breach after her followers told her that her account had been hijacked.

"You guys I'm really upset about this hacking thing ! What diet are you all talking about ?!" she said in one of her tweets.

She is not the only celebrity whose account was compromised by the cybercriminals. A number of celebrities fell victim to the Twitter account hijacks. The list includes Alec Baldwin, Australian model Miranda Kerr and Donald Trump.

"This fu**ing hacking weight loss shit. GOOOOOODDD!!!" tweeted Alec Baldwin. "IGNORE this weight loss trash. I mean, I'm all for weight loss. But DAMN!!!"

Scammer who stole financial info arrested by CIB


An alleged scammer responsible for stealing the personal data of more than 10,000k people through spam mail pretending to be from the Bureau of National Health Insurance has been arrested in China.

The suspect, surnamed Pan, tricked victims into downloading and opening an attachment that contained malicious software, allowing him to steal personal data from the affected computers.

According to a China Post report, he used several techniques to avoid antivirus detection and tested his malware numerous times before launching the real attack.

The Criminal Investigation Bureau (CIB) said he had stolen "vast amounts of classified financial information from location companies". He then used those details to access online banking accounts and commit credit card fraud.

Hackers stole ₹2.4 crore from Mumbai Bank in 3 hours

 
Cybercriminals hacked into the Mumbai-based current account of the RPG Group of companies and stole Rs 2.4 crore within 3 hours on May 11, the Times of India reported.

The TOI report says the money was transferred to 13 different bank accounts in Chennai, Coimbatore, Tirunelveli, Bangalore, Hyderabad and other places.

The bank blocked those accounts, but the gang had already managed to withdraw some funds.

The police have arrested three members of the crew who came to withdraw the money in Coimbatore and Hyderabad.

It appears the company fell victim when company officials opened a malware-laden email sent by the gang. The gang then probably harvested the bank login credentials using the malware.

Earlier this year, cyber criminals stole Rs 1 crore in Mulund from the current account of a cosmetics company.

PokerAgent Botnet steals more than 16k Facebook account credentials

A botnet called "PokerAgent", identified about a year ago, is designed to steal Facebook account credentials, as well as payment information linked to Facebook accounts and Zynga Poker.

According to ESET's analysis, the threat was mostly active in Israel: 800 computers were infected and over 16,000 Facebook credentials were stolen.

Once the malware infects a system, it receives commands from a remote C&C server to log into Facebook accounts and collect information, including Zynga Poker stats and the number of payment methods (i.e. credit cards) saved in the Facebook account.

The Trojan also publishes phishing links on the victims' walls in order to compromise more Facebook account credentials.

The Cybercriminals seemed to have ceased actively spreading the Trojan mid-February 2012. Israeli CERT and law enforcement have been notified and an investigation has been launched. Facebook has also been notified and has taken preventive measures to thwart future attacks on the hijacked accounts.