uTalk

Following a two-month hiatus, the threat actors behind the Monti ransomware have returned to attack targets in the legal and government sectors using a new Linux version of the encryptor.

In June 2022, weeks after the Conti ransomware group stopped operating, Monti appeared and purposefully imitated the strategies, tools, and leaked source code used by the latter. no longer.

Compared to its other Linux-based predecessors, the new version, according to Trend Micro, represents something of a departure.

According to Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio, "unlike the earlier variant, which is mainly based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors.".

A BinDiff analysis has shown that while earlier iterations had a 99 percent similarity rate with Conti, the most recent version only has a 29 percent similarity rate, indicating a redesign.

The removal of the command-line arguments --size, --log, and --vmlist, as well as the addition of the "--whitelist" parameter, which instructs the locker to skip a list of virtual machines, are some of the most significant changes.

The Linux variant uses AES-256-CTR encryption rather than Salsa20 and solely relies on the file size for its encryption process. It is also designed to modify the motd (also known as message of the day) file to display the ransom note.

Malware called Monti.

The first 100,000 (0xFFFFF) bytes of files larger than 1.048 MB but smaller than 4.19 MB will only be encrypted, whereas files larger than 4.19 MB may have some of their content locked depending on the results of a Shift Right operation.

The entire content of files with a size less than 1.048 MB will be encrypted.

As evidenced by some similar functions, the threat actors who created Monti "likely employed portions of the Conti source code as a base for the new variant, but implemented significant changes to the code, especially to the encryption algorithm," the researchers wrote.

Additionally, by changing the code, Monti's operators are making it more difficult to detect and stop their malicious activities. ".

An ongoing campaign that has been going on since at least January 2023 is aimed at e-commerce websites that use Adobe's Magento 2 platform.

The attacks, code-named "Xurum" by Akamai, take advantage of a critical security hole that has since been patched (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source, which, if exploited, could result in arbitrary code execution.

Researchers from Akamai said in an analysis released last week that the campaign was carried out by actors with Russian ancestry.
"The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days," they wrote.

Simple JavaScript-based skimmers that are intended to gather credit card information and send it to a distant server have also been found to be infected on some of the websites. Uncertainty exists regarding the campaign's precise scope.

In the attack chains that the company has seen, CVE-2022-24086 is weaponized for initial access, and after exploiting the foothold, malicious PHP code that gathers host information and drops a web shell named wso-ng that poses as a Google Shopping Ads component is executed.

In addition to running in memory, the web shell backdoor is only activated when an attacker sends the cookie "magemojo000" in an HTTP request. At that point, data regarding sales order payment methods from the previous 10 days is accessed and exfiltrated.

The attacks culminate with the creation of a rogue admin user named "mageworx" (or "mageplaza") in what appears to be an intentional effort to conceal their actions as benign, as the two names refer to well-known Magento 2 extension stores.

The WSO web shell is said to have evolved into wso-ng, which includes a new covert login page that allows hackers to steal victims' credentials. To learn more about other domains hosted on the same server and to gather information about the IP reputation of the infected machine, it further integrates with trustworthy tools like VirusTotal and SecurityTrails.

A class of attacks known as Magecart have been targeting online shopping sites for years with the aim of collecting payment information from victims by inserting skimmer code into checkout pages.

Instead of randomly dispersing their exploits across the internet, the attackers "have shown a meticulous approach, targeting specific Magento 2 instances," the researchers said.

They exhibit a high level of Magento expertise and devote a lot of time to learning about its internal workings, putting together an attack infrastructure, and testing their exploits on actual targets. ".

Versioning is a tactic used by threat actors to target Android users and avoid being detected as malware by the Google Play Store.

The Google Cybersecurity Action Team (GCAT) stated in its August 2023 Threat Horizons Report, which was shared with The Hacker News, that "campaigns using versioning commonly target users' credentials, data, and finances.".

Although versioning is not a recent occurrence, it can be subtle and challenging to identify. By using this technique, an app developer publishes an initial version of the app on the Play Store, which later gets updated with malware and passes Google's pre-publication checks.

This is done by using a technique known as dynamic code loading (DCL) to push an update from an attacker-controlled server that serves malicious code on the end user device, essentially converting the app into a backdoor.

An application called "iRecorder - Screen Recorder" was found by ESET earlier this May. It was safe to use for almost a year after it was first added to the Play Store before malicious modifications were surreptitiously added to spy on its users.

SharkBot, which has displayed up on the Play Store several times under the guise of security and utility apps, is another instance of malware that uses the DCL technique.

Utilizing the Automated Transfer Service (ATS) protocol, SharkBot is a financial trojan that starts unapproved money transfers from infected devices.

Shop Google Play.

In an attempt to draw less attention, dropper applications that show up on the storefront have limited functionality and, once installed by the victims, download the full version of the malware.

"Defense-in-depth principles, such as restricting application installation sources to reliable sources like Google Play or using a mobile device management (MDM) platform to manage corporate devices, are necessary in an enterprise setting, as versioning demonstrates," the enterprise said.

The findings coincide with ThreatFabric's disclosure, as KrebsOnSecurity reports, that malware distributors have been using an Android bug to disguise malicious apps as benign by "corrupting components of an app," leaving the app intact.

"Perpetrators may simultaneously have multiple apps published in the store under distinct developer accounts; only one of these apps is malicious; the other serves as a backup to be utilized following removal," the June report from the Dutch cybersecurity firm stated.

"This strategy reduces the amount of time required for actors to launch another dropper and carry on the distribution campaign, enabling them to sustain extremely lengthy campaigns. ".

It is advised that Android users download apps only from reliable sources and turn on Google Play Protect to get alerts whenever a potentially harmful app (PHA) is discovered on the device in order to reduce any potential risks.