Zebeth Media Solutions

Crime group hijacks hundreds of US news websites to push malware • ZebethMedia

A cybercriminal group has compromised a media content provider to deploy malware on the websites of hundreds of news outlets in the U.S., according to cybersecurity company Proofpoint. The threat actors, tracked by Proofpoint as “TA569,” compromised the media organization to spread SocGholish, a custom malware active since at least 2018. The media company in question is not named, but was notified and is said to be investigating.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, tells ZebethMedia that the organization provides “both video content and advertising to major news outlets.” DeGrippo added that 250 U.S. national newspaper sites and regional websites are affected, including media organizations serving Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, D.C. It is unclear how the unnamed media company was compromised, but DeGrippo added that TA569 “has a demonstrated history of compromising content management systems and hosting accounts.”

The SocGholish malware is injected into a benign JavaScript file that is loaded by the news outlets’ websites, so the malicious code reaches visitors of every site that loads that file. The injected code prompts the visitor to download a fake software update; in this campaign, the prompt takes the form of a browser update for Chrome, Firefox, Internet Explorer, Edge, or Opera. “If the victim downloads and executes this ‘fakeupdate’ they will be infected by the SocGholish payload,” said DeGrippo. “This attack chain requires interaction from the end user at two points: accepting the download and executing the payload.”

SocGholish serves as an “initial access threat,” which, if successfully planted, has historically served as a precursor to ransomware, according to Proofpoint. The threat actors’ end goal, the company says, is financial gain. Proofpoint tells ZebethMedia that it “assesses with high confidence” that TA569 is associated with WastedLocker, a ransomware variant developed by the U.S.-sanctioned Evil Corp group.
The company added that it does not believe TA569 is Evil Corp, but rather that it acts as a broker of already-compromised devices for the hacking group. It was revealed earlier this year that Evil Corp uses a ransomware-as-a-service model in an effort to skirt U.S. sanctions. The gang was sanctioned in December 2019 for its extensive development of Dridex malware, which it used to steal more than $100 million from hundreds of banks and financial institutions.

US charges Ukrainian national over alleged role in Raccoon Infostealer malware operation • ZebethMedia

U.S. officials have charged a Ukrainian national over his alleged role in the Raccoon Infostealer malware-as-a-service operation that infected millions of computers worldwide. Mark Sokolovsky, also known online as “raccoonstealer” according to an indictment unsealed on Tuesday, is currently being held in the Netherlands while waiting to be extradited to the United States.

The U.S. Department of Justice accused Sokolovsky of being one of the “key administrators” of Raccoon Infostealer, a form of Windows malware that steals passwords, credit card numbers, saved username and password combinations, and granular location data. Raccoon Infostealer was leased to individuals for approximately $200 per month, the DOJ said, paid to the malware’s operators in cryptocurrency, typically Bitcoin. These individuals used various tactics, such as COVID-19-themed phishing emails and malicious web pages, to install the malware on the computers of unsuspecting victims. The malware then stole personal data from those computers, including login credentials, bank account details, cryptocurrency addresses, and other personal information, which was used to commit financial crimes or sold to others on cybercrime forums.

[Image: an example of one of the phishing emails sent by the crime group. Image credits: U.S. Justice Department.]

According to U.S. officials, the malware stole more than 50 million unique credentials and forms of identification from victims around the world since February 2019. These victims include a financial technology company based in Texas and an individual who had access to U.S. Army information systems, according to the unsealed indictment. Cybersecurity firm Group-IB said the malware may have been used to steal employee credentials during the recent Uber breach.
But the DOJ said it “does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.”

The Justice Department said it worked with European law enforcement to dismantle the IT infrastructure powering Raccoon Infostealer in March 2022, when Dutch authorities arrested Sokolovsky. According to one report, the malware operation claimed it was suspending its operations after one of its lead developers was allegedly killed during Russia’s invasion of Ukraine. A new version of Raccoon Infostealer was reportedly launched in June this year.

The FBI also announced on Tuesday that it has created a website that allows anyone to check if their data is contained in the U.S. government’s archive of information stolen by Raccoon Infostealer.

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats,” said Deputy Attorney General Lisa O. Monaco. “As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with computer fraud, wire fraud, money laundering, and identity theft and faces up to 20 years in prison if found guilty. The DOJ said Sokolovsky is appealing a September 2022 decision by the Amsterdam District Court granting his extradition to the United States.
