US and UK Authorities Uncover 11 More Russian Hackers Related to Conti And TrickBot

Notice regarding joint operations between American and British authorities appeared on several sites simultaneously. As in the previous case of sanctions towards russian hackers, US Treasury and UK National Crime Agency released statements regarding it. They successfully managed to uncover the personalities of 11 individuals that are related to the Trickbot/Conti cybercriminal gang.

Authorities have found and proven the relation of the accused individuals to attacks on UK and US government and educational organisations, hospitals and companies. This in total led to a net loss of £27 million in the UK only, and over $800 million around the world. Despite the formal Conti group dissolution in June 2022, members remained active under the rule of other cybercriminal groups.

Authorities Published Hackers’ Personal Data

What may be the best revenge to someone fond of compromising identities than compromising their own identity? Authorities involved in the investigation and judgement probably think the same, as they have published detailed information about each of 11 sanctioned hackers.

What is the Conti/TrickBot group?

As cybercrime gangs are commonly named by their “mainstream” malware, the Conti gang was mostly known for their eponymous ransomware. But obviously, that was not the only payload they were using in their attacks. Throughout its lifetime, Conti was working with, or even directly using several stealer families. Among them is an infamous QakBot, whose botnet was hacked and dismantled at the edge of summer 2023, and TrickBot. They were mostly known as stand-alone names, besides being actively used in collaboration with different ransomware gangs, including Conti.

QakBot is an old-timer of the malware scene. Emerged in 2007 as Pinkslipbot, it quickly became successful as infostealer malware. With time, it was updated with new capabilities, particularly ones that make it possible to use it as an initial access tool/malware delivery utility. This predetermined the fate of this malware – it is now more known as a loader, than a stealer or spyware. Although it may be appropriate to speak of QBot in the past tense, as its fate after the recent botnet shutdown is unclear.

Trickbot’s story is not much different. The only thing in difference is its appearance date – it was first noticed in 2016. Rest of the story repeats – once an infostealer, then a modular malware that can serve as initial access tool and loader. Some cybercriminals who stand after Trickbot were already sanctioned – actually, they are the first sanctioned hackers ever.

Are sanctions seriously threatening hackers?

Actually, not much. Sanctions are not a detainment, thus the only thing they lose is property in the US and the UK. Though, I highly doubt that any of those 11 guys had any valuable property kept in the countries they were involved in attacks on. All this action is mostly a message to other hackers – “you are not as anonymous as you think you are, and not impunable.”. The very next step there may be their arrest – upon the fact of their arrival to the US/UK, or countries that assist them in questions of cybercrime investigation. But once again – I doubt they’re reckless enough to show up in the country where each police station has their mugshot pinned to the wanted deck.

The post NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers appeared first on Gridinsoft Blog.

TrickBot Members Sanctioned

On February 9, 2023, the US Department of the Treasury reported about sanctions laid upon 7 Russian citizens, allegedly related to the activity TrickBot malware. This advanced trojan consistently targeted numerous companies and government organisations around the world, leading to disruptions and money losses. This honourless gang is known for attacking hospitals and healthcare centres during the first COVID-19 outbreaks back in 2020. Despite Russia utterly ignoring internationally-wanted cybercriminals under her jurisdiction, it is still feasible to strike back.

Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime. — Under Secretary Brian E. Nelson.

List of sanctioned persons:

U.S. law enforcements claimed the confiscation of any property that belongs to the designated individuals and is located under US control. Additionally, these sanctions suppose secondary sanctions to any financial organisation that will knowingly provide services to mentioned persons. Paying money to these threat actors is considered sponsoring the crime, and thus is outlaw. It is both about bank and cryptocurrency transfers, willingly or after the ransomware attack.¹

What is TrickBot malware?

TrickBot is a banking trojan, that carries capabilities of injecting other malware into the system, i.e. acting as a malware dropper. Appearing back in 2016, it started as a banking stealer – a malware type that aims precisely at banking credentials. With time, it evolved into a modular malware that acts mostly as a delivery infrastructure for other malware, particularly Conti and Ryuk ransomware. Nonetheless, it did not lose its original functionality, thus being able to both wreak havoc with ransomware and pickpocket in its own, stealer’s fashion.

Massive attacks scale, together with targeting critical infrastructure and government organisations, expectedly brought an ill-fame halo around this gang. They became wanted by law enforcements in numerous countries around the world, but as we mentioned above, Russia never hastened with giving up their hackers, excepting rare cases. Meanwhile, feeling their impunity, the TrickBot group together with their “partners” turned even more aggressive. Obviously, sanctions will not stop these crooks from doing dirty deeds but will create a lot of problems with money laundering and overall transactions with the dirty money they have.

The post TrickBot Members Sanctioned By U.S. and UK appeared first on Gridinsoft Blog.

So far, Emotet is not delivering additional payloads to the infected devices of victims, so it is not yet possible to say exactly what this malicious campaign will lead to.

Let me remind you that we also wrote that Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware.

One of the first to notice the resumption of Emotet activity was experts from the Cryptolaemus group, which includes more than 20 information security specialists from around the world, who in 2018 united for a common goal – to fight Emotet. According to them, the malware, which had been idle since June 13, 2022, suddenly resumed its work in the early morning of November 2 and began sending spam around the world.

Proofpoint expert and Cryptolaemus contributor Tommy Madjar report that a new spam campaign is using previously stolen email threads to spread malicious Excel attachments. Among the samples already uploaded to VirusTotal, you can find attachments aimed at users from all over the world, written in different languages and with different file names. Malicious documents are disguised as various invoices, scans, electronic forms, etc.

Bleeping Computer journalists list the names of some of the malicious honeypot files:

1. Scan_20220211_77219.xls
2. fattura novembre 2022.xls
3. BFE-011122 XNIZ-021122.xls
4. FH-1612 report.xls
5. 2022-11-02_1739.xls
6. Fattura 2022 – IT 00225.xls
7. RHU-011122 OOON-021122.xls
8. Electronic form.xls
9. Rechnungs-Details.xls
10. Gmail_2022-02-11_1621.xls
11. gescanntes-Document 2022.02.11_1028.xls

The researchers note that this Emotet campaign features a new template for Excel attachments, which contains revised instructions for users to bypass Microsoft Protected View.

A malicious Excel file tells the user how to proceed

The fact is that Microsoft adds a special Mark-of-the-Web (MoTW) flag to files downloaded from the Internet (including email attachments). And when a user opens a Microsoft Office document containing the MoTW flag, it opens in Protected View mode, which prevents the execution of macros that install malware.

Therefore, Emotet operators now instruct users to copy the file to the trusted Templates folders, as this will bypass Protected View restrictions (even for a file marked MoTW).

If a malicious attachment is launched from the Templates folder, it immediately executes macros that download the Emotet malware to the victim’s system. The malware is loaded as a DLL into several folders with random names in %UserProfile%\AppData\Local, and then the macros run the DLL using regsvr32.exe.

The malware will then run in the background, connecting to the attackers’ control server to receive further instructions or install additional payloads. Let me remind you that earlier Emotet distributed the TrickBot Trojan, and was also caught installing Cobalt Strike beacons.

History of Emotet:

Emotet appeared in 2014, but only in the 2020s did it become one of the most active threats among malware.

The malware was distributed mainly through email spam, malicious Word, and Excel documents, etc. Such emails could be disguised as invoices, waybills, account security warnings, invitations to a party, or information about the spread of the coronavirus. In a word, hackers will carefully follow global trends and constantly improve their bait emails.

Although Emotet once started as a classic banking Trojan, the threat has since evolved into a powerful downloader with many modules. Its operators have begun to cooperate with other criminal groups actively.

Having penetrated the victim’s system, Emotet used the infected machine to send spam further and installed various additional malware on the device. Often these were bankers such as TrickBot, miners, infostealers, as well as cryptographers like Ryuk, Conti, ProLock.

Europol called Emotet “the most dangerous malware in the world” and also “one of the most prominent botnets of the last decade.”

An attempt to eliminate the botnet, undertaken by law enforcement officers in 2021, was unsuccessful. At the end of the year, the malware returned to service, teaming up with Trickbot to “get back on its feet.”

However, experts warned about the active growth of Emotet, and last summer, it was noticed that the malware acquired its own module for stealing bank cards.

The post Emotet Botnet Resumed Activity after Five Months of Inactivity appeared first on Gridinsoft Blog.

It is believed that from mid-April to June 2022, hackers have already organized at least six such phishing campaigns.

Let me remind you that the TrickBot hack group (aka ITG23, Gold Blackburn and Wizard Spider) is considered a financially motivated group, which is known mainly due to the development of the TrickBot banking Trojan of the same name. Over the years, TrickBot has evolved from a classic banker designed to steal funds from bank accounts to a multifunctional dropper that spreads other threats (from miners and ransomware to infostealers).

Let me also remind you that we wrote that TrickBot causes crashes on the machines when cybersecurity experts studying it.

The report notes that, according to researchers, the group recently came under the control of Conti, and Conti operators expressed full agreement with the policy of the Russian authorities at the beginning of Russia’s aggression against Ukraine.

According to IBM Security X-Force, TrickBot has recently turned its attention to Ukraine, and tools such as IcedID, CobaltStrike, AnchorMail and Meterpreter have been used in targeted attacks. It is emphasized that earlier Ukraine was not of interest to hackers, and most of the group’s malware is now configured in such a way that it does not run on systems where the Ukrainian language is not detected.

The company report states that the group often used the threat of a nuclear conflict as bait, distributing the malicious Nuclear.xls file, through which the new AnchorMail malware was already spreading.

The researchers also note the use by hackers of the new Forest cryptor, which is used to avoid detection and protect the CobaltStrike and IcedID payloads. It is assumed that its developer, distributor or operator may be part of the group itself, or have a partnership with TrickBot.

The post TrickBot Hack Group Systematically Attacks Ukraine appeared first on Gridinsoft Blog.

TrickBot is one of the most famous and “successful” malware to date. The malware was first noticed back in 2015, shortly after a series of high-profile arrests that significantly changed the composition of the Dyre hack group.

Over the years, TrickBot has evolved from a classic banking trojan designed to steal funds from bank accounts to a multifunctional dropper that spreads other threats (from miners and ransomware to infostealers).

In the fall of 2020, a large-scale operation was carried out aimed at eliminating TrickBot. It was attended by law enforcement agencies, specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, as well as ESET, Lumen, NTT and Symantec.

At that time, many experts wrote that although Microsoft managed to disable the TrickBot infrastructure, most likely the botnet would “survive”, and eventually its operators would put new control servers into operation, continuing their activity. Unfortunately, that is exactly what happened. Recently, TrickBot has been linked to the resurgence of the Emotet botnet, Diavol ransomware operations, and Conti ransomware.

IBM Trusteer analysts report that TrickBot now has several new layers of protection designed to bypass antivirus products and protect against scrutiny.

The researchers write that TrickBot developers use several levels of obfuscation and base64 for scripts, including minification, string extraction and replacement, dead code injection, and so-called monkey patching. Currently, TrickBot even has too many levels of obfuscation, which makes its analysis slow and often gives unreliable results.

In addition, during the injection of malicious scripts into web pages (to steal credentials), the injections do not use local resources on the victim’s machine, but rely solely on the servers of the attackers themselves. As a result, analysts cannot extract malware samples from the memory of infected machines. At the same time, TrickBot interacts with its control servers via HTTPS, which also makes it difficult to learn.

In addition, injection requests contain parameters that mark unknown sources, i.e. researchers cannot simply get malware samples from the attackers’ control server from any endpoint.

If earlier TrickBot tried to determine if it was being investigated by checking the host’s screen resolution, it now looks for signs of code beautify. This term usually refers to the transformation of obfuscated and other code into content that is easier to read by the human eye and, therefore, it is easier to find what you need in it. So, in the latest versions of TrickBot, regular expressions are used, which allow you to notice if one of the scripts has been “embellished”, because it usually indicates that the information security researcher is analyzing malware. To prevent disclosure TrickBot provokes a crash in the browser.

Let me remind you that we also reported that Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware.

The post TrickBot causes crashes on the machines when cybersecurity experts studying it appeared first on Gridinsoft Blog.

Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.

Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.

One of the major fixes this month is the patch for CVE-2021-43890 (7.1 CVSS). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.

Bleeping and Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF. While Microsoft does not directly link CVE-2021-4389 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.

Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:

• CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
• CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
• CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
• CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
• CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

The post Microsoft patches Windows AppX Installer vulnerability that spreads Emotet malware appeared first on Gridinsoft Blog.

Let me remind you that usually Emotet installs TrickBot or Qbot malware on the victim’s machines, and that one already deploys Cobalt Strike and performs other malicious actions. Now, the Cryptolaemus research group has warned that Emotet skips the installation of TrickBot or Qbot and directly installs Cobalt Strike beacons on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world, who united back in 2018 for a common goal – to fight against Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

While Cobalt Strike was trying to contact the lartmana[.]сom domain, and shortly thereafter, Emotet was deleting the Cobalt Strike executable.”

In fact, this means that attackers now have immediate access to the network for lateral movement, data theft, and rapid ransomware deployment. The rapid deployment of Cobalt Strike is expected to speed up the deployment of ransomware on compromised networks as well.

Cofense experts, in turn, report that it is not yet clear whether what is happening is a test of the Emotet operators themselves, or if it is part of a chain of attacks by another malware that cooperates with the botnet.

Let me remind you that I also reported that Trojan Emotet is trying to spread through available Wi-Fi networks.

The post Emotet now installs Cobalt Strike beacons appeared first on Gridinsoft Blog.

Let me remind you that Microsoft has been implementing a systematic refusal to use the outdated SMBv1 for a long time. So, since 2016, the company has advised administrators to withdraw from SMBv1 support since this version of the protocol is almost 30 years old and does not contain the security improvements that were added in later versions.

Security enhancements include encryption, integrity checks before authentication to prevent man-in-the-middle (MiTM) attacks, blocking insecure guest authentication, and more.

Now the Exchange Team has once again reminded administrators of the insecurity of using SMBv1 because various malware still actively abuses them. Some vulnerabilities in SMB are exploited by EternalBlue and EternalRomance, as well as by TrickBot, Emotet, WannaCry, Retefe, NotPetya, Olympic Destroyer, and so on. In addition, known SMB problems can be used to spread the infection to other machines, perform destructive operations, and steal credentials.

In this regard, Microsoft experts strongly recommend disabling the obsolete version of SMB on Exchange 2013/2016/2019 servers.

The company says they did not check if the Exchange 2010 server was working correctly with SMBv1 disabled. And they are advised to upgrade from Exchange 2010 to Office 365 or a newer version of Exchange Server.

On this week, as part of the “Tuesday of updates” Microsoft fixed 99 bugs in its relatively products, including the sensational 0-day in Internet Explorer, but at the same time, the discontinuation of support for old products causes a very mixed reaction from users.

The post Microsoft recommends Exchange administrators to disable SMBv1 appeared first on Gridinsoft Blog.

For already three months, the Emotet Trojan has occupied one of the leading positions among malware: in December, Emotet affected 13% of organizations worldwide, comparing with 9% in November.

Basically, the trojan is distributed through spam mailings, which exploit the most relevant topics in the headings today. In December, for example, among them were: “Support Greta Thunberg – Time Person of the Year 2019” and “Christmas Party!”.

“The emails in both campaigns contained a malicious Microsoft Word document. When it is opened, it tried to download Emotet on the victim’s computer. Ransomware and other malware can spread through Emotet”, – reported Check Point specialists.

In December also significantly increased use of remote command injection via HTTP: 33% of organizations worldwide suffered this. If the criminals managed to exploit the vulnerability, the DDoS botnet payload entered the victims’ machines. The malicious file used in the attacks also contained a number of links to payloads, exploiting vulnerabilities in different IoT devices.

Devices of manufacturers such as D-Link, Huawei and RealTek were potentially vulnerable to these attacks.

“Over the past three months, the main threats have been universal multipurpose malware, such as Emotet and xHelper. They give cybercriminals many opportunities to monetize attacks, as they can be used to distribute ransomware or spread new spam campaigns. The goal of criminals is to penetrate and gain a foothold in the largest possible number of organizations and devices, so that subsequent attacks are more profitable and destructive. Therefore, it is very important that organizations inform their employees about the risks of opening and downloading email attachments or clicking on links that do not come from a reliable source”, – say experts at Check Point Software Technologies.

The most active threats of December 2019:

• Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
• XMRig – XMRig is an open-source CPU mining software used for mining Monero cryptocurrency, first seen in-the-wild on May 2017.
• Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.

The most active mobile threats in December 2019:

• xHelper – active since March 2019, and was used to download other malicious applications and display ads. The application is able to hide from the user and antivirus programs, and reinstall itself if the user uninstalls it.
• Guerilla – a clicker that can interact with the management server, download additional malicious plugins and aggressively boost clicks on ads without the consent or knowledge of the user.
• Hiddad is a modular backdoor for Android, which provides superuser rights to various malware, and also helps to introduce it into system processes. It can access key security mechanisms built into the OS, which allows it to receive confidential user data.

In the report by Any.Run, an interactive service for automated malware analysis, Emotet was named the main threat for the entire 2019.

The post Greta Thunberg became the most popular character in phishing campaigns appeared first on Gridinsoft Blog.

Experts said that for the first time in three years, a mobile Trojan entered the general list of malware, and it has become the most widespread mobile threat in the last month.

The XHelper Mobile Trojan has been active since March 2019. A multi-purpose trojan designed for Android users is able to download other malicious applications and display malicious ads.

“The application is able to hide itself from user and mobile anti-virus programs and reinstall itself if the user uninstalls it. Over the past six months, the malware code has been constantly updated, which helped him bypass mobile anti-virus solutions and continue to infect new devices”, – say the researchers.

As a result, he took 8th place in the top 10 malware.

XHelper is a versatile, multi-purpose malware that can be adapted to the needs of criminals, such as ransomware, spam campaigns, or malicious ads.

Researchers also note the activity of the Formbook infostiller – it affected almost 12% of organizations. The main danger of Formbook and other similar programs is that for a long time they can go unnoticed in order to collect as much information as possible from the victim’s device. Info-dealers can steal information about bank account, credit card number, phone number and more.

“Now criminals are trying to use several different tactics to monetize their operations, instead of following a single trend, such as crypto mining, which dominated in 2018. Therefore, it is important that organizations implement the latest generation of anti-virus solutions not only in their networks, but also on employees’ mobile devices, in order to protect all enterprise endpoints. It is necessary regularly remind employees of the dangers of opening attachments from emails or clicking on links that come from unknown sources”, – tell representatives of Check Point Software Technologies.

The most active malware in November 2019 in the world was:

Emotet maintained its position in the top of the list of malware, affecting 9% of organizations in the world. XMRig (7%) and Trickbot (6%) are in the second and third place respectively.

1. Emotet is an advanced self-propagating modular trojan. Emotet was once an ordinary banking trojan, and has recently been used to further spread malware and campaigns. The new functionality allows sending phishing emails containing malicious attachments or links.
2. XMRig is open source software first discovered in May 2017. Used to mine Monero cryptocurrency.
3. Trickbot – one of the dominant banking trojans, which is constantly updated with new features, functions and distribution vectors. Trickbot is a flexible and customizable malware that can spread through multi-purpose campaigns.

The most active mobile threats in November 2019:

xHelper, the new program on the list, has become the most common malware for mobile devices. It is followed by Guerilla and Lotoor.

1. xHelper is a malicious Android application, active since March 2019, it was used to download other malicious applications and display ads. The application is able to hide itself from user and mobile anti-virus programs and reinstall itself if the user uninstalls it.
2. Guerilla – clicker for Android, which can interact with the remote control server, download additional malicious plugins and aggressively clicks on ads without the consent of the user.
3. Lotoor – a program that uses vulnerabilities in the Android operating system to obtain privileged root access on hacked mobile devices.

The most common vulnerabilities in November 2019:

1. SQL injection – inserting SQL code into the input from the client to the page using a vulnerability in the application software.
2. HeartBleed error in OpenSSL TLS DTLS software (CVE-2014-0160; CVE-2014-0346) – a vulnerability exists in OpenSSL that could reveal the contents of memory on a server or on a connected client. The vulnerability related to an error when processing Heartbeat TLS/DTLS packets.
3. Remote code execution MVPower DVR. An MVPower DVR device has a remote code execution vulnerability. An attacker could use this vulnerability to execute arbitrary code on a vulnerable router using a specially crafted request.

A complete list of the top 10 malware families for November can be found on the Check Point blog.

Do not forget about the dangers of various ransomware programs, as, for example, the international software company Altran, the Norwegian aluminum producer Norsk Hydro, as well as the American chemical companies Hexion and Momentive suffered from LockerGoga during the outgoing year. Now LockerGoga creators and distributorS, at the request of the French authorities, are looked for in Ukraine.

The post Check Point named the most dangerous malware of November 2019 appeared first on Gridinsoft Blog.