Created On: 9 May 2022 17:31:17 UTC
Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies
An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.
Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.
Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.
"The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers said.
"In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company's business units, network architecture, user accounts and credentials, employee emails, and customer data."
Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, has been active since at least 2007.
"The group's intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors," Secureworks notes in a threat profile of the actor.
The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell with the goal of conducting reconnaissance, lateral movement, and data exfiltration activities.
It's both complex and intricate, following a "house of cards" approach in which each component of the kill chain depends on the other modules in order to function, which makes analysis exceedingly difficult.
"This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order," the researchers explained.
The data harvesting is facilitated by means of a modular loader called Spyder, which is used to decrypt and load additional payloads.
Also used are four different payloads — STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG — that are sequentially deployed to drop the WINNKIT, a kernel-level rootkit.
Crucial to the stealthiness of the campaign is the use of "rarely seen" techniques, such as abusing the Windows Common Log File System (CLFS) mechanism to stash the payloads, which let the group conceal its payloads and evade detection by traditional security products.
Interestingly, parts of the attack sequence were previously detailed by Mandiant in September 2021, in a report that pointed out the misuse of CLFS to hide second-stage payloads in an attempt to circumvent detection.
The cybersecurity firm attributed the malware to an unknown actor, but cautioned that it could have been deployed as part of a highly targeted activity.
"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant said at the time.
"This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."
WINNKIT, for its part, has a compilation timestamp of May 2019 and an almost zero detection rate on VirusTotal, highlighting the evasive nature of the malware that enabled the authors to stay undiscovered for years.
The ultimate goal of the intrusions, the researchers assessed, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.
"Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests," Cybereason said.
"The threat [actor] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long."
AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection
Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.
"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArPot.sys)," Trend Micro researchers Christopher Ordonez and Alvin Nieto said in a Monday analysis.
"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using an Nmap NSE script."
AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.
A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.
Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.
Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.
The attackers are believed to have gained initial access by exploiting a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.
"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands," the researchers explained.
This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.
Some of the components copied to the infected endpoint are an Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.
The batch script, for its part, is equipped with a wide range of capabilities that allow it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe-boot execution of security products, creating a new admin account, and launching the ransomware binary.
Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a vulnerability in the driver that the Czech company fixed in June 2021.
"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege)," the researchers pointed out.
"This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice."
Fake crypto giveaways steal millions reusing Elon Musk, Dorsey videos
Fake cryptocurrency giveaways are stealing millions of dollars simply by replaying old Elon Musk and Jack Dorsey Ark Invest videos on YouTube.
The scheme is the old “double your investment” ruse that promises to pay back twice the cryptocurrency amount the victim sends the scammer.
The fraudsters made more than $1.3 million after re-streaming an edited version of an old live panel discussion on cryptocurrency with Elon Musk, Jack Dorsey, and Cathie Wood at Ark Invest’s “The ₿ Word” conference.
Simple operation
At a quick search, BleepingComputer found that close to 10 YouTube channels have published the discussion, albeit in a shorter version edited to include additional elements that promoted the scam, including the link to the fraudulent crypto giveaway website.
Our findings are just a glimpse of the entire scheme, which we observed unfold since March.
However, there are reports of it going as far back as January and bringing scammers $400,000 in just seven hours.
Security researchers at cybersecurity firm McAfee were also monitoring the scam and published a report on Thursday in which they identified 11 fraudulent websites.
source: McAfee
McAfee updated the post the next day, saying that the number of these websites had increased to 26 in just 24 hours.
“The YouTube streams advertised several sites which shared a similar theme. They claim to send cryptocurrency worth double the value which they’ve received. For example, if you send 1BTC you will receive 2BTC in return,” McAfee said.
However, these websites appear every day, and scammers generate new wallets to receive funds from gullible cryptocurrency users.
BleepingComputer and McAfee compiled a table of the scam domains they found (the list of defanged domains is not reproduced here). Some of those sites are still up and running.
The list is far from being complete as scammers continue to set up new websites promoted in new streams playing a modified version of cryptocurrency talks.
The researchers said that the sites promoted in the videos tricked the visitors into thinking that others were sending cryptocurrency and had received double their “investment,” showing a table with recent transactions as proof.
To create the fake table, the scammers used JavaScript code that generated a list of random cryptocurrency wallets and paid amounts.
source: McAfee
The money
The researchers also compiled the Ethereum and Bitcoin wallet addresses the scammers used for their Ark Invest cryptocurrency fraud, together with the value each address received (the address table is not reproduced here). The amounts received may not look like much, but it's good money considering that the entire operation requires little effort and few technical skills.
Once the video is edited and the site up and running, the fraudster just needs to wait for victims to transfer the digital coins.
McAfee says that the wallets listed on the malicious sites they found recorded a high number of transactions that amounted on May 5th to $280,000 worth of c