The best defence against cybercriminals is understanding how they operate and carry out their attacks. This weekly cybersecurity bulletin rounds up the top cybersecurity news worldwide: ransomware attacks against Ukraine and Poland, Black Axe syndicate members behind bars, the Alchemist attack framework, a crypto-stealing fake "Phantom update" campaign, a massive credit card dump, and an unofficial WhatsApp build that steals accounts. Let us see how threat actors are running these attacks so you can stay safe.

Prestige Ransomware Targets Ukraine and Poland

Microsoft identified a new ransomware strain, the “Prestige Ransomware,” that has been observed attacking the transportation and logistics sectors in Ukraine and Poland.

Prestige was first observed in October 2022, with the threat actors deploying the payload across enterprise networks. The campaign aligns with Russian state activity: many of its victims overlap with those of HermeticWiper (tracked by Microsoft as "FoxBlade"), the destructive malware deployed against Ukraine shortly before the Russian invasion.

Microsoft reported that Prestige is new malware with no connection to any of the more than 90 active ransomware activity groups it tracks. The activity is currently attributed to a threat activity cluster Microsoft tracks as DEV-0960. In every observed intrusion the actor had already obtained highly privileged credentials, such as Domain Admin, before deploying the ransomware, which it does in three ways:

  • Copying the payload to the ADMIN$ share (the %SystemRoot% directory) of remote systems and using Impacket to remotely invoke an encoded PowerShell command that executes it.
  • Copying the payload to the ADMIN$ share of remote systems and using Impacket to remotely create a Windows scheduled task that executes it.
  • Copying the payload to an Active Directory domain controller and pushing it to every domain member through the Default Domain Group Policy Object.
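
Each of the three deployment paths leaves a footprint in standard Windows Security auditing: a write into the ADMIN$ share (event 5145), a scheduled-task creation (4698), a PowerShell launch with an encoded command from the process Impacket executes through (4688), or a write into the Default Domain Policy folder on SYSVOL (5145 on a domain controller). The script below is an added example of correlating those events per host; it is not Microsoft's detection logic, and the event records, hostnames, IP addresses and file names are constructed for the illustration. It assumes that file-share and process-creation auditing (with command-line logging) is enabled, and that Impacket's wmiexec, smbexec and atexec spawn their commands under WmiPrvSE.exe, services.exe or svchost.exe respectively.

```python
import re
from collections import defaultdict

# The Default Domain Policy GPO has this GUID in every Active Directory forest.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
# Parents that Impacket's wmiexec / smbexec / atexec execute commands under
# (assumption based on how those tools work; the bulletin does not list them).
IMPACKET_PARENTS = ("wmiprvse.exe", "services.exe", "svchost.exe")
WRITE_DATA = 0x2  # FILE_WRITE_DATA bit of the AccessMask in event 5145

# Constructed Windows Security events in a flattened export. The field names are
# the real 5145/4698/4688 names; hosts, addresses and paths are made up.
EVENTS = [
    # WS01: payload written into ADMIN$ over SMB, then a scheduled task runs it
    {"EventID": 5145, "Computer": "WS01", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "prestige.exe", "AccessMask": "0x2"},
    {"EventID": 4698, "Computer": "WS01", "TaskName": r"\update",
     "TaskContent": r"<Command>C:\Windows\prestige.exe</Command>"},
    # WS02: same drop, executed through WMI with an encoded PowerShell command
    {"EventID": 5145, "Computer": "WS02", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "prestige.exe", "AccessMask": "0x2"},
    {"EventID": 4688, "Computer": "WS02",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # DC01: payload staged as a startup script of the Default Domain Policy
    {"EventID": 5145, "Computer": "DC01", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\SYSVOL", "AccessMask": "0x2",
     "RelativeTargetName": r"corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\prestige.exe"},
    # WS03: benign noise that must not fire
    {"EventID": 4688, "Computer": "WS03", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"EventID": 5145, "Computer": "WS03", "IpAddress": "10.0.0.9",
     "ShareName": r"\\*\NETLOGON", "RelativeTargetName": "logon.bat", "AccessMask": "0x1"},
]

def _mask(ev):
    return int(ev.get("AccessMask", "0x0"), 16)

def admin_share_drop(ev):
    """5145: an executable written into ADMIN$ (i.e. into %SystemRoot%) over SMB."""
    if ev.get("EventID") != 5145:
        return False
    share = ev.get("ShareName", "").upper()
    name = ev.get("RelativeTargetName", "").lower()
    return share.endswith("ADMIN$") and name.endswith((".exe", ".dll")) and bool(_mask(ev) & WRITE_DATA)

def task_runs_from_systemroot(ev):
    """4698: a new scheduled task whose action is a binary under C:\\Windows."""
    if ev.get("EventID") != 4698:
        return False
    m = re.search(r"<Command>([^<]+)</Command>", ev.get("TaskContent", ""), re.I)
    return bool(m) and m.group(1).lower().startswith("c:\\windows\\")

def encoded_powershell_via_impacket(ev):
    """4688: powershell.exe with -enc/-EncodedCommand, parented by an Impacket execution path."""
    if ev.get("EventID") != 4688:
        return False
    parent = ev.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
    child = ev.get("NewProcessName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return (child.endswith("powershell.exe") and parent in IMPACKET_PARENTS
            and bool(re.search(r"\s-(e|ec|enc|encodedcommand)\s", cmd)))

def default_gpo_written(ev):
    """5145: a write into the Default Domain Policy folder on the SYSVOL share."""
    if ev.get("EventID") != 5145:
        return False
    path = ev.get("RelativeTargetName", "").upper()
    return ("SYSVOL" in ev.get("ShareName", "").upper() and DEFAULT_DOMAIN_POLICY in path
            and bool(_mask(ev) & WRITE_DATA))

def correlate(events):
    """Bucket the stages seen per host, then report the combinations that matter."""
    stages = defaultdict(set)
    for ev in events:
        host = ev.get("Computer", "?")
        if admin_share_drop(ev):
            stages[host].add("admin$_drop")
        if task_runs_from_systemroot(ev):
            stages[host].add("scheduled_task")
        if encoded_powershell_via_impacket(ev):
            stages[host].add("encoded_powershell")
        if default_gpo_written(ev):
            stages[host].add("default_gpo_write")
    alerts = {}
    for host, seen in stages.items():
        found = []
        if "admin$_drop" in seen and seen & {"scheduled_task", "encoded_powershell"}:
            found.append("lateral_execution")   # drop plus an execution primitive: high confidence
        if "default_gpo_write" in seen:
            found.append("gpo_deployment")      # payload staged for every domain member
        alerts[host] = found or sorted(seen)    # a single stage is a low-confidence lead
    return alerts

if __name__ == "__main__":
    for host, findings in correlate(EVENTS).items():
        print(f"{host}: {', '.join(findings)}")
```

The single-stage leads matter too: an ADMIN$ write on its own is how the payload arrives minutes before anything executes, and a write into the Default Domain Policy on a domain controller should page someone regardless of what else has happened yet.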

Prestige drops a ransom note named "README.txt" and appends the .enc extension to the files it encrypts. Microsoft's report lists indicators of compromise (IOCs) that defenders can use to check whether their systems are affected.

Black Axe Syndicate Members Behind Bars

An Interpol-coordinated operation led to the arrest of members of the "Black Axe" cybercrime syndicate, linked to nearly $1.8 million in financial fraud.

Interpol's "Operation Jackal," centred on South Africa, identified over 70 suspected members of the syndicate.

Black Axe, one of the world's most dangerous crime syndicates, has existed since 1977 and has made headlines worldwide for romance scams, cyber-enabled financial fraud, and other crimes.

Investigators seized luxury cars and goods and some 12,000 SIM cards, collected evidence, arrested 75 individuals, searched targeted properties, and froze the stolen $1.8 million.

The operation also produced seven Purple Notices (which describe a syndicate's methods) and six Red Notices, marking those six individuals as international fugitives. Interpol's Financial Crime and Anti-Corruption Centre (IFCACC) shared details of the operation, which spanned four continents and 14 countries, at the first roundtable engagement between Interpol and the Financial Action Task Force (FATF).

The operation is a reminder that cross-border law enforcement cooperation does reach online fraud networks, however long they have been running.

Alchemist Framework Attacking All Major OS

Cisco Talos researchers have identified a new command-and-control (C2) framework that targets Windows, Linux, and macOS systems. The framework, "Alchemist," is written in Go and ships as 64-bit executables for each platform, which makes building cross-platform tooling from one code base straightforward.

Alchemist has a web interface written in Simplified Chinese, similar to Manjusaka, a post-exploitation framework popular among Chinese-speaking cybercriminals. Alchemist lets threat actors generate and configure payloads and, from the same interface, capture screenshots, run shell commands, and execute arbitrary code on the implant host.

Its implant is a remote access trojan named "Insekt," generated with the C2 address and a self-signed certificate hard-coded at build time. Once running, it retries the C2 ten times a second, every hour, until a connection is established.

Alchemist is dangerous because it lets less experienced cybercriminals assemble the components of a sophisticated intrusion without writing them. It also covers macOS with a Mach-O dropper that exploits a privilege escalation flaw affecting both macOS and Linux hosts.

As a ready-made framework with a rich feature set and built-in evasion, Alchemist can equally serve advanced threat actors looking to cut operational costs, making it a significant threat to organizations and individuals worldwide.
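
An implant that retries its C2 on a fixed schedule, as Insekt is described doing, is easiest to spot in network flow data by the regularity of its connection attempts rather than by any signature. The following is an added example (not Talos tooling) that groups outbound flows by source, destination and port, collapses each burst of attempts into one timestamp, and flags pairs whose burst-to-burst interval barely varies. The flow records, the addresses and the five-second burst gap are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def constructed_flows():
    """Constructed flow records as (epoch_seconds, src, dst, dst_port).
    10.0.0.23 plays the implant: ten attempts within one second, repeated hourly.
    10.0.0.7 is an ordinary host with irregular connections."""
    flows = []
    t0 = 1_665_700_000
    for hour in range(4):
        for i in range(10):
            flows.append((t0 + hour * 3600 + i * 0.1, "10.0.0.23", "203.0.113.10", 443))
    for offset in (5, 140, 900, 2230, 4000, 6100, 9500, 12000):
        flows.append((t0 + offset, "10.0.0.7", "198.51.100.5", 443))
    return flows

def bursts(times, gap=5.0):
    """Collapse timestamps into burst start times; a silence longer than `gap`
    seconds opens a new burst, so the ten rapid retries count once."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts

def find_beacons(flows, min_bursts=3, max_cv=0.1):
    """Return {(src, dst, port): period_seconds} for pairs whose bursts recur at
    a near-constant interval (coefficient of variation of the gaps <= max_cv)."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst, port)].append(t)
    found = {}
    for key, times in by_pair.items():
        starts = bursts(times)
        if len(starts) < min_bursts:
            continue  # too little history to call anything periodic
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            found[key] = round(mean(gaps), 1)
    return found

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(constructed_flows()).items():
        print(f"{src} -> {dst}:{port} beacons every {period}s")
```

Real implants usually add jitter to the sleep interval, so in production the threshold is loosened (a 20 percent jitter pushes the coefficient of variation well above 0.1) and the check is run only on flows that leave the network, where a handful of false positives (NTP, update checks) are easy to whitelist.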


Crypto-Stealing "Security Updates" for Solana's Phantom Wallet

Cybercriminals launched a campaign that airdrops NFTs to Solana cryptocurrency holders. The NFTs carry alerts about a supposed Phantom wallet security update, leading victims to malware that steals credentials and drains cryptocurrency wallets.

The NFTs were titled "PHANTOMUPDATE.COM" or "UPDATEPHANTOM.COM" and contained warnings from threat actors posing as Phantom developers. Once victims opened the NFTs, they were prompted to download a new security update from the enclosed link or to visit the site and install it there.

The NFT warned that failing to install the update could result in lost crypto funds, citing hackers exploiting Solana's network as the reason. The links delivered a Windows batch file, "Phantom_Update_2022-10-08.bat," which asks for administrator privileges at runtime and then launches PowerShell to decode further commands and download executables from GitHub.

The downloaded file, windll32.exe, is credential-stealing malware that harvests browser data, including cookies and history, as well as SSH keys, to steal crypto funds and take over the victim's accounts.

Victims of the fake Phantom update should scan their systems and move all assets to new wallets created with a fresh seed phrase, since the old seed may already be in the attacker's hands. Changing all passwords and enabling multi-factor authentication (MFA) on every account is also recommended.

1.2 Million Credit Cards Exposed on BidenCash

A dark web carding market known as "BidenCash" released the details of 1,221,551 payment cards for free to promote the marketplace, handing anyone who downloads the data what they need to commit financial fraud.

BidenCash opened in June 2022 and has dumped thousands of cards before as a promotional move. This dump is far larger, and the threat actors announced the 1.2 million card release on multiple URLs. For a broader reach they also distributed the collection through a clearnet domain and on other carding forums.

Carding forums trade in stolen card data, much of it harvested by information-stealing and point-of-sale malware. The cards in this dump expire between 2023 and 2026, and most of the victims are in the United States. The records go well beyond card numbers: they include expiration dates, CVVs, holder names, bank names, card types and classes, the holder's residential and email addresses, social security numbers, and phone numbers.

From the examined data, about half of the cards have already been blocked by their banks, but roughly 30% appear to be fresh, meaning around 350,000 cards are still valid, and around 10% of the cards could be used for online purchases.
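
A fraud or threat-intelligence team that obtains such a dump wants to know how much of it is plausible and which issuers it hits, without keeping full card numbers or CVVs on its own systems. The following added example (not code from any of the parties above) parses a constructed pipe-separated layout, validates each number with the Luhn check, counts expired versus live cards by expiry year, and retains only the BIN, the last four digits and a keyed hash for matching against an issuer's own ranges. The layout, the reference date and the records, which use the payment networks' published test numbers, are assumptions.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed dump lines in an assumed layout:
# PAN|expiry month|expiry year|CVV|holder name|country
# The PANs are the card networks' public test numbers, not leaked data.
DUMP = """4111111111111111|12|2025|123|ALICE EXAMPLE|US
5555555555554444|06|2024|456|BOB EXAMPLE|US
378282246310005|01|2026|7890|CAROL EXAMPLE|US
4111111111111112|03|2023|321|BROKEN RECORD|US
4012888888881881|09|2022|999|DAN EXAMPLE|US"""

def luhn_ok(pan):
    """Luhn mod-10 check: weeds out typos and fabricated filler in a dump."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def triage(dump_text, today=date(2022, 10, 15), secret=b"constructed-hmac-key"):
    """Classify each record and keep only minimised fields for the live ones.
    `today` is the reference date and `secret` the matching key; both are assumptions."""
    result = {"invalid_luhn": 0, "expired": 0, "by_year": Counter(), "live": []}
    for line in dump_text.splitlines():
        pan, mm, yyyy, _cvv, _name, country = line.strip().split("|")
        if not luhn_ok(pan):
            result["invalid_luhn"] += 1
            continue
        exp_year, exp_month = int(yyyy), int(mm)
        # a card stays valid through the last day of its expiry month
        if (exp_year, exp_month) < (today.year, today.month):
            result["expired"] += 1
            continue
        result["by_year"][exp_year] += 1
        # keyed hash lets the issuer match against its own PANs without us storing them
        token = hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()[:16]
        result["live"].append({"bin": pan[:6], "last4": pan[-4:],
                               "exp": f"{exp_month:02d}/{exp_year}",
                               "country": country, "token": token})
    return result

if __name__ == "__main__":
    r = triage(DUMP)
    print(f"invalid: {r['invalid_luhn']}, expired: {r['expired']}, live: {len(r['live'])}")
    print(dict(r["by_year"]))
    for card in r["live"]:
        print(card)
```

The CVV and holder details are dropped on read and never reach the output; an issuer that receives the BIN/last4/token list can recompute the HMAC over its own card file with the shared key and block exactly the cards that appear, which is the practical response to a dump like this one.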


Fake WhatsApp Stealing User Accounts

An unofficial WhatsApp build for Android, "YoWhatsApp," has been found stealing the access keys of the accounts it is installed on. The app requests the same permissions as the official client, so nothing looks out of place to the user.

The fake WhatsApp is advertised on Snaptube and Vidmate and lures victims with extra features such as interface customization. Under the hood, however, it harvests the WhatsApp keys, which allow the threat actor behind the app to take control of the victim's WhatsApp account. Kaspersky discovered it while investigating the Triada Trojan, which has been hidden in modified WhatsApp builds before.

The unofficial client sends the stolen keys to the developer's remote server. Kaspersky has not said whether the keys have been abused yet, but notes that they can be used for account takeover, reading the victim's communications, and impersonation.

Snaptube has been informed of the malicious ad campaign, and Kaspersky identified "WhatsApp Plus," another clone with the same capabilities. Not every WhatsApp mod is malicious, but the safe course is to avoid unofficial builds altogether, as they are a common delivery route for malware and account theft.
