Search This Blog

Showing posts with label Proofpoint. Show all posts

Growing Cyber-Underground Market for Initial-Access Brokers

 

Ransomware groups are increasingly purchasing access to corporate networks from "vendors" who have previously placed backdoors on targets. 

Email is a well-known entry point for fraudsters attempting to breach a corporate network. According to researchers instead of doing the heavy lifting themselves, ransomware groups are teaming with other criminal groups who have already opened the path for access using first-stage software. 

As per the report released Wednesday by Proofpoint, researchers discovered a "lucrative criminal ecosystem" that works together to launch effective ransomware attacks, such as the ones that have lately made headlines (Colonial Pipeline) and caused substantial damage around the world. 

According to the analysis, recognized ransomware gangs such as Ryuk, Egregor, and REvil first link up with threat actors who specialize in initial infection utilizing various forms of malware, such as TrickBot, BazaLoader, and IcedID, before unleashing the ultimate ransomware payload on the network. 

“Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network.” states report. 

Proofpoint has identified at least ten threat actors who utilize malicious email campaigns to spread first-stage loaders, which are then exploited by ransomware groups to deliver the final payload. Researchers discovered that the relationship between such threat actors and ransomware groups is not one-to-one, as multiple threat actors employ the same ransomware payloads. 

“Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95 percent of ransomware as a first-stage email payload between 2020 and 2021,” according to the report. 

Proofpoint has also seen ransomware spread via the SocGholish malware, which infects users with fake updates and website redirects, as well as the Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators employ to avoid detection, according to researchers. 

About Attackers and Malware of Choice: 

Proofpoint identifies 10 threat actors that researchers have been watching as initial access enablers to their malware and techniques of choice for getting network access, which they subsequently sell to various ransomware groups for more sinister objectives, according to the study. 

Researchers discovered that TA800, a prominent cybercrime actor that Proofpoint has been tracking since mid-2019, provides banking malware or malware loaders to the Ryuk ransomware gang, including TrickBot, BazaLoader, Buer Loader, and Ostap. 

Since mid-2020, Proofpoint has been tracking TA577, a cybercrime threat actor that "conducts broad targeting across numerous businesses and regions" to distribute payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike via emails with malicious Microsoft Office files. 

According to the research, the Sodinokibi or REvil ransomware organization is linked to TA577, which has had a 225 percent increase in activity in the last six months. 

Many other cybercrime groups were tracked like TA569, TA551, TA570, TA547, TA544, TA571, and TA575, which is a Dridex affiliate that has been tracked by Proofpoint since late 2020 and distributes malware via malicious URLs, Office attachments, and password-protected files, with each campaign transmitting an average of 4,000 emails to hundreds of businesses.

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff advises their customers to the BravoMovies website, where they should go to the Frequently Asked Questions page and unsubscribe using the "Subscription" page. They'll then be directed to download an Excel spreadsheet. If BazaLoader is enabled, the macros on the Excel sheet will download it. The second-stage payload in this campaign has yet to be discovered, according to Proofpoint experts. 

Proofpoint researchers first noticed the use of BazaLoader in February 2021, when a pre-Day Valentine's malware assault supplied lures to bogus flower and lingerie stores. It's also been spotted in a campaign for subscription pharmaceutical services.

CopperStealer Malware Steals Social Media Credentials

 

Researchers discovered a certain malware that was so far unidentified which silently hijacked Facebook, Apple, Amazon, Google, and other web giants' online accounts and then used them for nefarious activities. 

Cybercriminals have launched a new campaign to rob Facebook login credentials from Chrome, Edge, Yandex, Opera, and Firefox using malware 'CopperStealer.' 

The threat actors have used unauthorized access to Facebook and Instagram business accounts to run nefarious commercials and provide further malware in subsequent malware advertising campaigns as per the blog post published by the researchers at cyber safety company Proofpoint. In late January, researchers were first notified of the malware sample. The first samples found dated back from July 2019. 

Furthermore, CopperStealer versions targeting other major service providers such as Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter have been discovered in the proven analytic evaluation. The malware aims to steal login credentials for some of the most famous internet services from large technological platforms and service providers. 

Researchers suspect that CopperStealer is a family that has originally been undocumented in the same malware class as SilentFade and StressPaint. Facebook attributed the invention of SilentFade to ILikeAD Media International Ltd, a Hong Kong-based company, and reported over $4 million in damages during the 2020 virus bulletin conference. 

Researchers found dubious websites, which include keygenninja[.]com, piratewares[.]com, startcrack[.]com and crackheap[.]net, that was advertised as 'KeyGen' or 'Crack' sites, which included samples from several families of malware, including CopperStealer. 

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software. However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers. 

Malware also helps to find and send the saved passwords on one’s browser and uses stored cookies in order to extract a Facebook User Access Token. Once the User Access token has been collected, the malware will request multiple Facebook and Instagram API endpoints to gain additional contexts including the list of friends, any user's pay-out, and research listing the user's pages. "CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks," says Sherrod DeGrippo, senior director of threat research at Proofpoint. "These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers."