Researchers believe that malicious actors associated with Evil Corp. are behind these incidents.

Let me remind you that we also said that Cisco Won’t Fix an RCE Vulnerability in Old RV Routers.

Let me remind you that in August 2022, Cisco representatives confirmed that in May, the company’s corporate network was hacked by the Yanluowang extortionist group. Later, the attackers tried to extort money from Cisco, otherwise threatening to publish the data stolen during the attack in the public domain. Then the company emphasized that the hackers managed to steal only non-confidential data from the Box folder associated with the hacked employee account.

eSentire analysts now say that the attack could have been the work of a criminal known as mx1r. It is believed that he is a member of one of the “branches” of the well-known Russian-speaking group Evil Corp (aka UNC2165).

The researchers write that the victim’s network was initially accessed using stolen VPN credentials, and then the attackers used ready-made tools for lateral movement.

Researchers suspect mx1r’s connection with Evil Corp due to the coincidence of a number of attackers’ tactics, Including due to the organization of a kerberoasting attack on the Active Directory service and the use of RDP for promotion in the company’s network.

At the same time, despite these connections, the HiveStrike infrastructure used to organize the attack generally corresponds to the infrastructure of one of the “partners” of the Conti group, which had previously distributed the Hive and Yanluowang ransomware. These hackers eventually published the data stolen from Cisco on their dark web site.

Cisco representatives themselves wrote that the attack was most likely “carried out by an attacker who was previously an initial access broker and had connections with the UNC2447 cybercrime group, the Lapsus$ group, and the Yanluowang ransomware operators.”

These discrepancies don’t seem to bother eSentire analysts in the least:

The post Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that The Austrian Company DSIRF Was Linked to the Knotweed Hack Group and the Subzero Malware, and also that Experts Find Similarities Between LockBit and BlackMatter.

Let me remind you that last month, researchers discovered the presence of the Raspberry Robin worm in the networks of hundreds of organizations from various industries, some of which worked in the technology and manufacturing sectors. Although Microsoft observed how the malware binds to addresses on the Tor network, the attackers’ targets remained unknown, as they did not yet have access to their victims’ networks.

Raspberry Robin malware was first found by analysts from Red Canary. In the spring of this year, it became known that the malware has the capabilities of a worm, spreads using USB drives, and has been active since at least September 2021. Security company Sekoia even observed how malware used Qnap NAS devices as control servers back in November last year.

While the hackers did nothing, Microsoft labelled the campaign as high-risk, given that attackers could download and deploy additional malware on victims’ networks at any time and elevate their privileges.

Now, researchers have finally seen the first signs of how the hackers intend to exploit the access they have gained to their victims’ networks with the Raspberry Robin.

The aforementioned DEV-0206 is the code name for an access broker that deploys the FakeUpdates malware on victim machines, forcing the victim to download fake browser updates as ZIP archives. This malware essentially works as a conduit for other malicious campaigns and attackers who use access acquired from DEV-0206 to spread their payloads. So, the noticed Cobalt Strike loaders, apparently, are associated with the DEV-0243 group, better known as Evil Corp.

In June 2022, cybersecurity experts noticed that Evil Corp switched to using the LockBit ransomware to avoid sanctions previously imposed by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). It was assumed that the use of other people’s resources and this new tactic would allow hackers to spend the time saved on developing their own malware to expand their operations.

The post Microsoft Links Raspberry Robin Worm to Evil Corp appeared first on Gridinsoft Blog.

Let me remind you that Evil Corp has existed since at least 2007, but at first hackers more often acted as partners for other groups. It was only later that Evil Corp began to focus on its own attacks, creating the well-known banking Trojan Dridex. Over time, when it became a ransomware, attacks became more profitable, and Evil Corp launched its own BitPaymer ransomware, delivering it to victims’ machines via Dridex. The latter gradually evolved from an ordinary banker into a complex and multifunctional tool.

All this led to the fact that in 2019 the US authorities filed charges against two Russians who, according to law enforcement officers, were behind the development of the Dridex malware and other malicious operations. Also, the US authorities imposed sanctions on 24 organizations and individuals associated with Evil Corp and the mentioned suspects. As a result, the negotiating companies, which usually negotiate with extortionists to pay a ransom and decrypt the data, refused to “work” with Evil Corp in order to avoid fines and lawsuits from the US Department of the Treasury. And it became much more difficult for the victims themselves to pay the ransom.

After that, in June 2020, Evil Corp switched to using the WastedLocker malware, in 2021 the Hades ransomware appeared (a 64-bit version of WastedLocker, updated with additional code obfuscation and a number of functions), and then the group has already carried out several “rebrands” and impersonated for the PayloadBin grouping and used other ransomware: Macaw and Phoenix.

Now, Mandiant analysts noticed that criminals have made a new attempt to distance themselves from hacking tools known to experts so that their victims can pay ransoms without violating OFAC rules.

The activity cluster, which Mandiant tracks as UNC2165, previously deploying the Hades ransomware and associated with Evil Corp, is now “partnering” with the developers of the LockBit ransomware.

It is assumed that the new tactics will allow hackers to spend the time saved on developing their own malware to expand operations.

Experts also offer another theory: it is likely that the transition to other people’s malicious tools will help Evil Corp free up enough of its own resources to develop a new ransomware from scratch, which can subsequently seriously complicate tracking the new operations of the hack group.

The post Evil Corp Switched to Using LockBit Malware to Avoid Sanctions appeared first on Gridinsoft Blog.

Members of Evil Corp (also known as Indrik Spider and Dridex) started out as partners with the ZeuS botnet operators. Over time, Evil Corp formed its own group that focused on distributing a banking Trojan called Dridex via phishing emails.

When the gangs began to move towards high-yield ransomware attacks, Evil Corp used BitPaymer ransomware, which was spread by the Dridex malware to compromised corporate networks.

Following sanctions by the U.S. government in 2019, firms negotiating with ransomware operators refused to pay ransoms for Evil Corp’s attacks to avoid fines or lawsuits from the U.S. Treasury Department. Evil Corp has begun renaming its ransomware campaigns to Hades and Phoenix in an effort to bypass these sanctions.

Recall that at the end of April this year, Babuk operators announced the termination of their activities. However, two weeks later, the hackers reminded about themselves, presenting a new project, Payload Bin.

BleepingComputer discovered a new sample of ransomware called PayloadBIN on VirusTotal and initially suggested that the malware was related to the Babuk Locker rebranding. Once installed, the ransomware adds the .PAYLOADBIN extension to the encrypted files. In addition, the ransom note is called PAYLOADBIN-README.txt and informs the victim that “the networks have been BLOCKED using the PAYLOADBIN ransomware.”

Babuk allegedly lied about its intentions to refuse from the ransomware. However, after analyzing the new ransomware, experts Fabian Wosar from Emsisoft and Michael Gillespie from ID Ransomware confirmed that the program actually belongs to Evil Corp.

Let me remind you that I also wrote that Evil Corp returns to criminal activity with WastedLocker ransomware.

The post Evil Corp Ransomware Posing As PayloadBin Group To Avoid US Sanctions appeared first on Gridinsoft Blog.

At the same time, the incident affected not only wearable gadgets and related services, but also flyGarmin and Garmin Pilot – solutions that support the company’s line of aviation navigation equipment.

The outage also affected call centers, making the company unable to answer calls, emails, and online chats.

“We are currently experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down at this time. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience”, — said official Garmin statement.

From the very beginning, cybersecurity specialists believed that Garmin suffered from the WastedLocker ransomware attack, and as a result, the manufacturer issued an official statement confirming that the incident linked with a ransomware attack. However, the company representatives have not yet revealed what kind of malware was used for this attack.

Now Bleeping Computer journalists have confirmed that Garmin, which started restoring its services last week, received a key to decrypt files, affected by WastedLocker malware.

Representatives of the publication checked the work of the decryptor using the example of the WastedLocker sample, which previously had at their disposal and which was clearly used to attack the company.

“The decryptor worked as expected and decrypted the files”, – reported Bleeping Computer journalists.

The journalists are sure that for this the company paid a ransom to the attackers. Exact amount is unknown, but earlier it was reported that the attackers demanded $10 million from Garmin.

Decryptor work:

Let me remind you that WastedLocker activity began in May 2020, and the authorship of this malware is attributed to the Evil Corp group, which is often associated with the Russian special services.

Previously, the ransomware was used exclusively against American companies, and the ransom amounts that Evil Corp demanded from the victims are estimated at millions of dollars. For example, cybersecurity researchers know of a case when hackers asked a company for $10,000,000. In June 2020, analysts wrote that at least 31 American organizations and companies were affected by WastedLocker attacks.

The post Media Reports that Garmin Paid Ransom to WastedLocker Malware Operators appeared first on Gridinsoft Blog.

Let me remind you that the Evil Corp group is called one of the most active and arrogant among cybercriminals. For information about its members, the US government has established a reward of $5 million, and the media often discuss rumors about their luxurious lifestyle and possible connections with Russian special services.

Evil Corp, also known as Dridex, has been active since about 2007, when several hackers previously associated with the ZeuS banking trojan decided to try their luck at spreading malware.

“At first, the group focused on distributing the Cridex banking trojan, which later turned into the Dridex banker, and even later into the multi-purpose malicious Dridex toolkit”, – said Fox-IT experts.

Thanks to Dridex, one of the largest botnets for distributing malware and spam was at the disposal of the group. This way Evil Corp distributed both its own malware and malware for other criminal groups, as well as custom spam messages.

In 2016, the group also began distributing ransomware, starting with Locky. However, as the ransomware’s focus began to shift from home consumers to corporate goals, Evil Corp also turned to situation and created a new extortionist BitPaymer ransomware.

“Evil Corp used its gigantic botnet from Dridex-infected devices to search for corporate networks, and then deployed BitPaymer to the networks of the largest enterprises that they could find”, — Fox-IT researchers tell the story of Evil Corp.

BitPaymer was actively used between 2017 and 2019, but then the attacks gradually began to stop. The reasons for this decline are still unclear, but it could be due to the fact that the Dridex botnet also “slowed down” between 2017 and 2019.

Fox-IT writes that this decline in group activity ended after U.S. Department of Justice allegations in absentia against Evil Corp members in December 2019. After that, the hackers were silent for almost a month, until January 2020, but then they resumed activity and conducted several malicious campaigns, mainly for other scammers.

In the spring of 2020, Evil Corp again “came back to life” and this time with new tools. According to researchers, the group developed a new WastedLocker ransomware to replace the obsolete BitPaymer, which has been used since the beginning of 2017.

According to the researchers, this malware was written from scratch, and the analysis of the new ransomware showed almost no signs of code reuse and other similarities between BitPaymer and WastedLocker. Some parallels can be seen only in the text of the ransom note.

Fox-IT experts track the use of WastedLocker since May 2020. According to them, so far the ransomware has been used exclusively against American companies, and the amount of ransoms that Evil Corp requires from the victims now amounts to millions of dollars. For example, researchers know a case where hackers requested $10,000,000 from a company. Based on data from VirusTotal, analysts say that WastedLocker has been used as intended at least five times.

“Evil Corp’s operators are very aggressive in deploying the new WastedLocker ransomware: they typically attack file servers, database services, virtual machines, and cloud environments. The group also seeks to disrupt the operation of backup applications and related infrastructure, that is, in every way makes it difficult to recover information for affected companies”, – said Fox-IT experts.

At the same time, Evil Corp is not doing what is now in trend among other extortion groups: WastedLocker is not able to steal data before encrypting it. Let me remind you that currently 10 of 15 hacker groups infect company networks, steal confidential data, and only after that encrypt files, and also threaten to publish stolen data in the public domain (on their own sites or file sharing sites).

Similar tactics, for example, use the Sodinokibi group (REvil).

So far, Evil Corp has not done anything like this, and Fox-IT experts believe this is a well-informed decision. The fact is that the “damp” of stolen data usually attracts a lot of media attention, which Evil Corp members would probably like to avoid, because some members of the group are already on the list of the most wanted FBI criminals.

The post Evil Corp returns to criminal activity with WastedLocker ransomware appeared first on Gridinsoft Blog.