Darcula Device Phishing, KuCoin AML Charges, Finland APT31 Culprits - Cybersecurity News [March 25, 2024]

by Duocircle


Here we are again with the latest in cybersecurity to help you keep up and stay a step ahead of threat actors and new scams. This week, we’ll share information about the Darcula phishing scheme targeting mobile devices, KuCoin’s failure to comply with US AML requirements, the Finnish Police’s latest update on the parliament breach, the advanced PhaaS tool that bypasses MFA, and also how Google’s AI-powered search is promoting scam websites and malware. Let’s get into it.


New Darcula Phishing Scheme Targeting Apple and Android Devices

There’s a new PhaaS (Phishing as a Service) platform that is using over 20,000 domains to steal credentials from mobile users in over 100 countries. 

The PhaaS tool is named Darcula and has nearly 200 templates from which threat actors can choose. Threat actors have been using the tool to target organizations in multiple sectors, and it has also been noticed in high-profile cases. Analysts at Netcraft have been closely researching the tool and highlighting how it has been used in multiple phishing attacks since last year on both Apple and Android devices.

Unlike legacy phishing kits, Darcula is built on JavaScript, React, Docker, and Harbor, and its clients do not need to reinstall a different phishing kit for each campaign. Threat actors simply select a brand to impersonate and run a script that generates a phishing site for that brand.

Apart from this, Darcula does not rely on traditional SMS messages; it uses RCS on Android devices and iMessage on iOS to deliver phishing links to victims. Since both protocols are E2EE (end-to-end encrypted), carriers and network-level filters cannot inspect these messages or block them based on their content.

It’s best to avoid all unsolicited links and keep an eye out for the tell-tale signs of phishing, such as grammatical errors and offers that are too good to be true.


[Image: what to do after you click on a phishing link. Image sourced from sdi.ai]


KuCoin Faces Charges Over Anti-Money Laundering Failures Allowing Cybercriminals to Cleanse Billions

In other news, the US DoJ (Department of Justice) charged KuCoin and its founders for allowing threat actors to launder money on the platform. 

KuCoin, one of the largest crypto market players, was founded in 2017 by Chun Gan and Ke Tang. The US DoJ released an indictment stating that KuCoin knowingly allowed US citizens to trade on the KuCoin exchange even though it had not fulfilled any AML (Anti-Money Laundering) obligations. According to the government, crypto exchanges need to implement a KYC (Know Your Customer) program so they can verify customer identities and report suspicious activity to the authorities.

However, KuCoin did not comply with the rules, attempted to conceal its US customer base, and posed as an entity exempt from US AML and KYC requirements. At the same time, it advertised that US users could trade on the platform without completing KYC. Since KuCoin was founded, it has received a whopping $5 billion and sent $4 billion in suspicious transfers.

The founders are facing significant jail time for conspiracy to operate an unlicensed money-transmitting business and violating the Bank Secrecy Act.


Finland Identifies APT31 as Culprits in 2021 Parliament Cyberattack

Finland’s Police confirmed that the parliament breach the country suffered in March 2021 was the work of the APT31 hacking group.

The hacking group APT31 has been linked to China’s Ministry of State Security (MSS). The Finnish Security and Intelligence Service has launched a joint criminal investigation with international partners into the threat actor group, which committed multiple cybercrimes against the government between 2020 and 2021.

In the 2021 cyberattack, the threat actors were able to access multiple email accounts belonging to members of parliament. Several members of the group have been exposed in recent arrests and sanctions.




The OFAC (Office of Foreign Assets Control), which falls under the US Treasury, sanctioned two operatives of the group who had been working as contractors for Wuhan XRZ (an enterprise that the Chinese MSS used as a front to breach US critical infrastructure). Known members that have been sanctioned include Zhao Guangzong, Ni Gaobi, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, and Xiong Wang.


Advanced Phishing Tool Circumvents MFA to Target Microsoft 365 and Gmail Users

Threat actors have also been using another PhaaS platform to target Gmail and Microsoft 365 accounts and bypass 2FA (Two-Factor Authentication).

The tool is called Tycoon 2FA and was analyzed by Sekoia last October. Their findings showed that the tool has been active since August 2023 and is sold via Telegram channels. The kit shared many tactics with other AitM (Adversary-in-the-Middle) platforms, hinting at code reuse, but Tycoon 2FA has recently received a new upgrade.

The attack starts with the threat actors hosting a phishing page on a reverse proxy server in order to steal session cookies. The credentials and MFA codes the victim enters are intercepted and relayed to the authentic login page, so the authentication succeeds for the victim, while the threat actor captures the resulting session cookie and thereby bypasses MFA alongside them.

Sekoia also shared how the latest kit has introduced better phishing and evasion tactics. There’s a broad user base of malicious actors using the tool, and the Bitcoin wallet linked to the tool has received over 1800 transactions since the end of 2019.

To stay safe against this kit, it’s best to use security keys (FIDO2/WebAuthn) for stronger protection instead of traditional 2FA such as SMS codes or app-based OTPs (One-Time Passwords), since an OTP can be relayed through the proxy just like the password.
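The following added example (not code from Sekoia or from the Tycoon 2FA kit) shows why the reverse-proxy relay described above defeats OTP-based 2FA but not a FIDO2/WebAuthn security key. It models the relying-party checks on the two origin-binding fields of a WebAuthn assertion, the `origin` inside `clientDataJSON` and the `rpIdHash` at the start of `authenticatorData`, and contrasts them with an OTP check, which has nothing to bind. The relying-party ID `login.example.com`, the lookalike domain `login-example.com.phish.invalid`, the challenge and the OTP value are all constructed for the demo; a real verifier would additionally check the authenticator's signature over `authenticatorData || SHA-256(clientDataJSON)`, which is what prevents a proxy from rewriting the origin field.

```python
import hashlib
import hmac
import json

# Assumed relying-party (RP) configuration for a hypothetical login service.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def verify_webauthn_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: str) -> tuple[bool, str]:
    """Check the origin-binding fields of a WebAuthn assertion.

    Only the binding checks are modelled here; a real RP also verifies the
    authenticator's signature over authenticator_data || SHA-256(client_data_json),
    so an attacker cannot forge a clientDataJSON with a different origin.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "client data is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    # The browser fills in the origin of the page that called the WebAuthn API.
    # On a reverse-proxy phishing page that is the attacker's domain, not ours.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin mismatch: {origin}"
    # authenticator_data starts with SHA-256(rpId). The browser scopes the
    # credential to the effective domain of the current page, so a lookalike
    # domain produces a different hash (or no usable credential at all).
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def verify_totp_code(submitted_code: str, expected_code: str) -> bool:
    """An OTP carries no origin information: whether the victim typed it on the
    real site or on the proxy page, the same six digits reach the RP."""
    return hmac.compare_digest(submitted_code, expected_code)


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build the clientDataJSON a browser would produce on a page at `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte, UP|UV) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + counter.to_bytes(4, "big")


CHALLENGE = "c3RhdGljLWRlbW8tY2hhbGxlbmdl"  # constructed sample challenge
PHISH_ORIGIN = "https://login-example.com.phish.invalid"  # constructed lookalike


def legitimate_login() -> tuple[bool, str]:
    """Scenario 1: the user signs in directly on the real site."""
    return verify_webauthn_binding(make_client_data("https://login.example.com", CHALLENGE),
                                   make_authenticator_data(RP_ID), CHALLENGE)


def proxied_login() -> tuple[bool, str]:
    """Scenario 2: the same user on a reverse-proxy phishing page. The browser
    reports the phishing origin and scopes the credential to the phishing domain."""
    return verify_webauthn_binding(make_client_data(PHISH_ORIGIN, CHALLENGE),
                                   make_authenticator_data("login-example.com.phish.invalid"),
                                   CHALLENGE)


def proxied_totp() -> bool:
    """Scenario 3: a TOTP relayed through the same proxy is indistinguishable
    from one typed on the real site (constructed code value)."""
    return verify_totp_code("492817", "492817")


if __name__ == "__main__":
    print("direct WebAuthn :", legitimate_login())   # (True, 'ok')
    print("proxied WebAuthn:", proxied_login())      # (False, 'origin mismatch: ...')
    print("proxied TOTP    :", proxied_totp())       # True
```

The relay succeeds for the OTP because the code is just a string the RP compares; it fails for the security key because the browser, not the user, reports where the ceremony ran, and that report is covered by the authenticator's signature.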


Google’s Latest AI Search Feature Unintentionally Highlights Websites Distributing Malware and Scams

The new AI-powered SGE (Search Generative Experience) by Google recommends scam sites that lead you to spam browser-notification subscriptions, fake iPhone giveaways, and unwanted extensions.


[Image: Google’s latest AI search]


Google began rolling out its SGE at the beginning of March 2024 to provide AI-generated quick summaries and better recommendations. However, SEO consultant Lily Ray found that it also promotes malicious websites and spam, exposing users who trust its recommendations to these sites.

Most of these websites use the .online top-level domain and take you through multiple redirects, ending at a scam site with fake CAPTCHAs or fake YouTube pages that ask you to subscribe to browser notifications. Through these notifications, the threat actors push unwanted ads, the most common ones being fake McAfee license alerts. It is still not clear why these spam sites are being promoted by the new AI-powered platform, but you should keep an eye out for such pop-ups and scams.

All of these incidents highlight the necessity for top-notch phishing protection solutions and phishing awareness training. Additionally, it’s crucial to stay informed about new phishing scams to ensure ongoing security.
