The Pig Butchering scam, a scam operation that specializes in fake investments in allegedly promising cryptocurrency projects, stocks, bonds, futures and options, was found in the Apple and Google app stores.

Such attacks are called “pig slaughter”, and scammers use social engineering against their victims (“pigs”), finding contact with them on social networks and dating applications.

You might also be interested in our article: 12 Instagram Scams to Know and Avoid in 2023.

Pig Butchering is a relatively new phenomenon. For example, the FBI first warned users against such fraud last fall. Then law enforcement officers explained that this is a very profitable scheme used by scammers around the world.

We also wrote that Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Pig Butchering.

Law enforcers reported that scammers use social engineering and get in touch with people (“pigs”) on social networks and dating apps. Over time, perpetrators gain the trust of their victims by feigning friendship or romantic interest, and sometimes even posing as the target’s real friends.

When the “contact” is established, the criminals at some point offer the victim to invest in cryptocurrency, for which the target is directed to a fake site. Alas, it will be impossible to return your funds and receive fake “income” from such a resource.

These scams can go on for months, and the victim sometimes gives the scammers huge sums (thousands to millions of dollars) before realizing they have been scammed. For example, last fall, Forbes reported on a 52-year-old man from San Francisco who lost about a million dollars due to “slaughtering pigs”. In this case, the scammers pretended to be an old colleague of the victim.

According to experts from Sophos, “Pig Butchering” has already penetrated the official app stores. Now scammers are targeting victims on Facebook or Tinder using fake profiles of women with photos stolen from other accounts. At the same time, fake profiles showcase a deliberately luxurious lifestyle with photos from high-end restaurants, expensive shops and exotic places.

After gaining the victim’s trust, the scammers reveal that they have an uncle who works for a financial analysis firm that is currently launching an app on the Play Store or App Store that allows you to trade cryptocurrencies. That is, in the end, the victim is persuaded not to go to a fake site, but to download a special application and “invest” in non-existent assets masquerading as real ones.

The malicious apps that the analysts found were called Ace Pro and MBM_BitScan in the Apple App Store and BitScan in the Google Play Store. All of them have now been removed.

After launching the application, the victim sees a very convincing interface for trading cryptocurrency, however, everything except the user’s deposit here is a fake.

It is noted that at first, in order to decline the vigilance of the target, scammers allow victims to withdraw small amounts in cryptocurrency from their accounts, but then, when there is already a lot of money, they block accounts and take everything.

To bypass App Store security checks, ShaZhuPan operators submit an app to the store that is signed with a valid certificate. Until approval is received, such an application connects to a regular server and pretends to be absolutely harmless. After passing the verification, the developers change the domain, and the application is already connecting to the malicious server.

According to experts, the BitScan apps for Android and iOS were allegedly provided by different vendors, but communicated with the same control server, which was hosted on a domain masquerading as bitFlyer (a real cryptocurrency exchange company from Japan).

Sophos reports that the Chinese group ShaZhuPan is behind one of these campaigns, divided into separate teams, each of which is engaged in one thing: interaction with victims, finance, franchise or money laundering.

The researchers conclude that since such applications are downloaded by a small number of users, manually selected by scammers, there are no massive complaints about them, which makes them difficult to detect and remove from stores. Sophos also notes that with the advent of fintech in our lives, people’s trust in such software tools has increased, and when applications are taken from the official Apple and Google stores, the victims have a false sense of legitimacy.

The media also wrote that Two Cryptocurrency Scammers from Estonia Made $575 Million from a “Ponzi scheme”.

The post Cryptocurrency Scam “Pig Butchering” Penetrated the Apple App Store and Google Play Store appeared first on Gridinsoft Blog.

In the past 12 months hackers have scammed more than $2.5 million from other cybercriminals on three separate hack forums alone (Exploit, XSS and BreachForums), according to Sophos researchers.

You might also be interested in reading All About Hacker Motivation: Why Do Hackers Hack?

Experts spoke about the results of studying darknet forums during a report at the Black Hat Europe conference, and then the study was published on the company’s blog.

Fraud on the three hack forums that were studied turned out to be so widespread that there are special “arbitrage rooms” on all resources.

For example, the Exploit forum has 2,500 scam messages and has a separate section for filing complaints, as well as a blacklist where cases of confirmed fraudulent activities are recorded.

In turn, 760 cases of fraud are reported on XSS, and the forum maintains a “list of rippers” with fraudulent sites.

Thus, Exploit’s “arbitration room” contains 211 complaints totaling $1,021,998, while the blacklist includes 236 incidents that cost other criminals $863,324. For example, in one case, an Exploit user filed a complaint trying to negotiate with the operators of the Conti ransomware to decrypt company data. However, forum administrators have closed this statement as ransomware is not allowed on Exploit.

The media also wrote that Neutrino Botnet Seizes Web Shells of Other Hackers.

Meanwhile, XSS, by comparison, has 120 complaints totaling $509,901, while BreachForums, which has only been in existence since April this year, already has 21 complaints worth $143,722.

Read also: 6 Popular Types of Hackers: Protection Tips in 2022.

While most of the scams that criminals complain about involve five- and six-figure amounts, some victims open claims for much smaller losses (there are cases where the amount of damage is as low as $2).

The report notes that such proceedings on hack forums often end in mutual insults and complete chaos, when the accuser accuses the defendant of fraud. In some cases, the intended victims themselves are blocked altogether.

While a ban is the most common punishment for cheating, BreachForums also practices doxing, posting the banned users’ email address, registration details, and the last IP address from which they accessed the forum.

Despite this, Sophos lists several cases “involving serial scammers” who were blocked from hack forums, but then simply created new profiles, paid a registration fee and continued to deceive their “colleagues”.

The post Hackers Stole over $2.5 million from Hackers appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers, and also that Hackers Launched LockBit 3.0 and Bug Bounty Ransomware.

Hackers from the LockBit, Hive and ALPHV (BlackCat) groups gained access to the victim’s network on April 20, May 1 and May 15 this year.

The researchers write that it all started back in December 2021, when the company’s network was compromised by a hacker, apparently an initial access broker. An attacker used a misconfigured firewall to hack into a domain controller server using RDP.

Apparently, after that, the hacker sold access to the victim’s network to other attackers, since three attacks in a row hit the company in the spring.

On May 1, 2022, LockBit and Hive ransomware payloads almost simultaneously spread across the victim’s network using legitimate PsExec and PDQ Deploy tools, and more than a dozen systems were encrypted as a result of each of the attacks. Previously, back in April, LockBit operators managed to steal the company’s data and uploaded it to the Mega cloud storage.

Just two weeks later, on May 15, 2022, while the IT team of the affected company was restoring encrypted systems, hackers from the BlackCat (aka ALPHV) group also connected to the server, previously compromised by their “colleagues” from LockBit and Hive.

Using a legitimate remote access tool (Atera Agent), they gained a foothold in the network and stole data from the company. Half an hour later, BlackCat operators delivered a ransomware payload to the victim’s network using PsExec and encrypted six machines after traversing the network sideways using compromised credentials.

In addition, in the end, BlackCat attackers deleted all shadow copies and cleared event logs on compromised systems, which significantly complicated recovery attempts and incident investigations conducted by Sophos experts.

And although the latest hackers destroyed a lot of evidence, Sophos specialists eventually found files on the affected systems that were encrypted three times with Lockbit, Hive and BlackCat, as well as three different ransom notes.

The post Auto Parts Manufacturer Attacked by Three Different Ransomware in Two weeks appeared first on Gridinsoft Blog.

Experts write that the malware is based on many different scripts, and Epsilon Red operators use a commercial remote access utility in attacks.

Epsilon Red was discovered last week while investigating an attack on an unnamed US hospitality company. Attackers entered the corporate network using vulnerabilities in the local Microsoft Exchange server. The talk is about, of course, about the sensational ProxyLogon problems discovered in early 2021.

It is reported that Epsilon Red is written in the Golang (Go) language, and the launch of the malware itself precedes the work of a whole set of PowerShell scripts that set the stage for encryption. Most of the scripts are numbered from 1 to 12, but there are several that are named with the same letter. One of them, c.ps1, appears to be a clone of the Copy-VSS pentester tool.

Scripts have specific purposes:

• eliminate the processes and services of security mechanisms, databases, backup programs, Office applications, mail clients;
• remove shadow copies;
• steal the Security Account Manager (SAM) file containing password hashes;
• delete Windows event logs;
• disable Windows Defender;
• suspend processes;
• remove security products (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot);
  extend privileges in the system.

Once on the network, hackers reach other machines using RDP and Windows Management Instrumentation (WMI), and then install software and PowerShell scripts on them, which ultimately leads to the launch of the Epsilon Red executable.

Analysts point out that attackers are installing a copy of Remote Utilities, a commercial remote desktop tool, and the Tor browser on compromised machines. This is done to maintain a stable presence in the system.

The Epsilon Red attack can provoke real chaos in the company, since the ransomware has no restrictions on encrypting certain types of files and folders. The malware encrypts any files by adding the .epsilonred extension to them, and makes no exceptions even for executable files and DLLs, which can disrupt the operation of important programs and the OS itself.

The malware generally uses the godirwalk open source library to browse the directory tree.

In this way, Epsilon Red scans the hard drive and adds directory paths to the list of destinations for child processes that encrypt subfolders individually. As a result, many copies of the ransomware process are launched on the infected machines.

The ransom note is an updated version of the ransom note used by the ransomware REvil. However, the authors of Epsilon Red have tried to correct grammatical and spelling errors in the text.

According to Sophos, at least one victim of the ransomware has already paid the attackers a ransom of 4.28 BTC (about $210,000).

Although experts have not yet written anything about the attribution of malware, it is worth noting that Epsilon Red is a character in the Marvel Universe, a Russian super-soldier with tentacles who can breathe in space.

Let me remind you that I also wrote that Prometei botnet attacks vulnerable Microsoft Exchange servers.

The post Epsilon Red ransomware threatens Microsoft Exchange servers appeared first on Gridinsoft Blog.

HawkEye is a credential theft program that is usually distributed through fraudulent emails and malicious Microsoft Word, Excel, PowerPoint, and RTF files.

“After installing on the victim’s computer, the malware attempts to steal the email and browser credentials, including those used by Internet Explorer, Google Chrome, Apple Safari, and Mozilla Firefox”, – report IBM X-Force experts.

While in previous campaigns, HawkEye was distributed via phishing messages on airline tickets and banking operations, now cybercriminals have exploited the panic around the coronavirus pandemic.

Emails contain an archive with the file “Coronavirus Disease (Covid-19) CURE.exe“. Inside it is a .NET executable that acts as a HawkEye loader, hidden using the ConfuserEx and Cassandra Protector tools. After execution, the loader launches the Interfaces2.dll library and loads the bitmap with the built-in assembly code.

The program ReZer0V2.exe, designed to disable Windows Defender, is extracted from the image file. The sample, which also contains sandbox and virtual machine (VM) protection features, then embeds HawkEye in certain running processes.

And also, according to a report by Chester Wisniewski from Sophos, the criminals impersonate the World Health Organization (WHO) to steal cryptocurrency donations to fight the COVID-19 pandemic.

“Fraudsters are tricking and stealing funds intended for the COVID-19 Solidarity Response Fund”, – said Chester Wisniewski.

WHO created this fund in collaboration with the UN Foundation after the agency officially classified coronavirus as a pandemic on March 11. Its main goal is to prepare the countries of the world for the fight against the virus, and especially those states in which the healthcare system is poorly developed.

Criminals ask users to make a donation by sending bitcoins directly to the address indicated in the email. Copycats also use the fake address donate@who[.]Int for greater credibility.

Although WHO provides detailed information about its Solidarity and Response Fund to Combat COVID-19, it remains unclear whether it accepts cryptocurrency donations.

Cybercriminals, of course, use the global news agenda to enrich themselves: it’s interesting that at the beginning of the year the most popular character in phishing attacks was Greta Tunberg, and now the coronavirus has practically fulfilled the activist’s wishes: less transport, less production and CO emissions. Are you satisfied, Greta?

However, according to How to Fix, some malware operators decided to show nobility, for example, Maze and DoppelPaymer ransomware suspended attacks on medical organizations.

The post Cybercriminals fake letters from WHO to distribute HawkEye and trick money into fight with COVID-19 appeared first on Gridinsoft Blog.