uTalk

The stealer malware NodeStealer has a Python variant that can completely take over Facebook business accounts and siphon cryptocurrency, according to cybersecurity researchers.

As part of a campaign that started in December 2022, Palo Alto Network Unit 42 claimed to have discovered the previously unidentified strain.

NodeStealer was first identified by Meta in May 2023, who described it as a stealer that could compromise Facebook, Gmail, and Outlook accounts by gathering cookies and passwords from web browsers. The most recent samples were created in Python as opposed to the earlier ones, which were created in JavaScript.

According to Unit 42 researcher Lior Rochberger, "NodeStealer poses great risk for both individuals and organizations.". In addition to having a direct financial impact on Facebook business accounts, the malware also steals browser login information that can be used in future attacks. ".

The attacks begin with fake Facebook messages that allegedly offer free "professional" budget tracking Microsoft Excel and Google Sheets templates, tricking victims into downloading a ZIP archive file hosted on Google Drive.

The stealer executable is embedded in the ZIP file and is intended to download additional malware like BitRAT and XWorm as ZIP files, disable Microsoft Defender Antivirus, and steal cryptocurrency using MetaMask credentials from the Google Chrome, Cc Cc, and Brave web browsers, in addition to capturing Facebook business account information.

The downloads are carried out using a User Account Control (UAC) bypass method that makes use of the fodhelper. exe to run PowerShell scripts that download ZIP files from a distant server.

It's important to note that the threat actors behind the Casbaneiro banking malware have also used the FodHelper UAC bypass technique to gain elevated privileges on infected hosts.

The upgraded Python version of NodeStealer, according to Unit 42, goes beyond credential and cryptocurrency theft by implementing anti-analysis features, parsing emails from Microsoft Outlook, and even attempting to hijack the associated Facebook account.

The files are exfiltrated through the Telegram API after the necessary data has been gathered, and then they are removed from the computer to remove the trail.

NodeStealer is another piece of malware that joins the likes of Ducktail in the growing trend of Vietnamese threat actors trying to hack Facebook business accounts in order to commit advertising fraud and spread malware to other users of the social media platform.

NodeStealer.

As part of a multi-stage phishing attack, threat actors have been seen using WebDAV servers to deploy BATLOADER, which is then used to disseminate XWorm.

Rochberger advised Facebook business account owners to enable multi-factor authentication and use strong passwords. "Spend the time to educate your company on phishing techniques, particularly modern, targeted strategies that capitalize on business requirements, current events, and other alluring topics. ".

A Russa-nexus adversary has links to 94 new domains, which suggests that the organization is actively changing its infrastructure in response to information being made public about its operations.

The new infrastructure was linked by the cybersecurity company Recorded Future to a threat actor it monitors under the name BlueCharlie, a hacking group also known as Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. Threat Activity Group 53 (TAG-53), a provisional name for BlueCharlie, was previously assigned.

The company stated in a recent technical report shared with The Hacker News that "these shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers.".

According to assessments, BlueCharlie is connected to Russia's Federal Security Service (FSB). The threat actor has been involved in phishing campaigns that target credential theft by using domains that impersonate the login pages of private sector businesses, nuclear research facilities, and non-governmental organizations (NGOs) working to alleviate the Ukraine crisis. It's reportedly been operational since at least 2017.

Sekoia noted earlier this year that "calisto collection activities probably contribute to Russian efforts to disrupt Kiev's supply-chain for military reinforcements.". Furthermore, Russian intelligence gathering on evidence related to war crimes is probably done to prepare a defense against potential accusations. ".

BlueCharlie.

NISOS released another report in January 2023 that suggested there might be ties between the group's attack infrastructure and a Russian firm that works with the country's government.

Recorded Future stated that "BlueCharlie has carried out persistent phishing and credential theft campaigns that further enable intrusions and data theft," adding that the actor conducts thorough reconnaissance to increase the likelihood of its attacks' success.

The most recent discoveries demonstrate that BlueCharlie has adopted a new naming pattern for its domains that include terms associated with cryptocurrencies and information technology, such as cloudrootstorage[.
DirectExpressGateway, ]com.
]com, storagecryptogate [.
[pdfsecxcloudroute] and [com. ]com.

One source claims that NameCheap was used to register 78 of the 94 new domains. Porkbun and Regway are a few of the additional domain registrars used.

It is advised that organizations implement phishing-resistant multi-factor authentication (MFA), disable macros by default in Microsoft Office, and enforce a frequent password reset policy to reduce threats posed by state-sponsored advanced persistent threat (APT) groups.

"The group uses relatively common attack methods (such as the use of phishing and a historical reliance on open-source offensive security tools), but its likely continued use of these methods, determined posture, and progressive evolution of tactics suggests the group remains formidable and capable," the company said.

An Eastern European industrial organization was the target of several attacks last year to steal data from air-gapped systems, all of which are thought to have been carried out by a nation-state actor with ties to China.

APT31, a hacker group also known as Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), was the group responsible for the intrusions, according to cybersecurity firm Kaspersky, who put their confidence in their conclusion with a medium to high level of certainty.

Based on their capacity to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure, the attacks involved the use of more than 15 different implants and their variants. These implants were divided into three major categories.

One of the implant types "appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe," Kaspersky said.

"The other implant type is intended to steal data from a local computer and send it to Dropbox with the aid of the subsequent implant types. ".

One collection of backdoors consists of various iterations of the FourteenHi malware family, which has been in circulation since at least mid-March 2021 and has a wide range of capabilities, including the ability to upload and download arbitrary files, execute commands, launch a reverse shell, and remove its own presence from the compromised hosts.

MeatBall is a second first-stage backdoor used for remote access and initial data collection. It has the ability to list active processes, enumerate connected devices, operate on files, take screenshots, and self-update.

A third type of first-stage implant that uses Yandex Cloud for command-and-control has also been found, echoing findings from Positive Technologies in August 2022 outlining APT31 attacks on Russian media and energy companies.

"The propensity to misuse cloud-based services (e.
g.
as well as Google, Yandex, and Dropbox. (which is not a new problem, but it keeps growing because it is difficult to contain or mitigate when an organization's business operations rely on the use of such services, according to Kaspersky researchers.

Threat actors continue to make it more challenging to identify and analyze threats by concealing payloads in encrypted form in separate binary data files and by putting malicious code into the memory of trusted applications using DLL hijacking and a series of memory injections. ".

Dedicated implants have also been seen being used by APT31 to steal data from air-gapped systems by infecting removable drives and gathering local files.

The latter malware strain consists of at least three modules, each of which performs a different function, such as handling and profiling removable drives, capturing keystrokes and screenshots, and installing subsequent malware on newly connected drives.

According to Kirill Kruglov, senior security researcher at Kaspersky ICS CERT, the threat actor made conscious efforts to obscure their actions using encrypted payloads, memory injections, and DLL hijacking.

While data exfiltration from air-gapped networks is a common tactic used by many APTs and targeted cyberespionage campaigns, the actor this time around has designed and carried out the operation specifically. ".

The aforementioned attack chains were specifically designed for the Windows environment, but there is evidence that APT31 has also targeted Linux systems.

The AhnLab Security Emergency Response Center (ASEC) discovered attacks earlier this month against South Korean businesses with the intention of infecting the machines with a backdoor referred to as Rekoobe.

According to ASEC, Rekoobe is a backdoor that can take instructions from a [command-and-control] server to carry out a number of tasks, including downloading malicious files, stealing internal files from a system, and executing reverse shell.

Although its structure may be straightforward, it uses encryption to avoid network packet detection and is capable of a wide range of malicious actions when given orders by the threat actor. ".

More information has become available about the AVRecon botnet, which has been seen using compromised SOHO routers as part of a multi-year campaign that has been going on since at least May 2021.

The malware known as AVRecon was first made public by Lumen Black Lotus Labs earlier this month. It is capable of running additional commands and stealing victims' bandwidth for what appears to be an illicit proxy service used by other actors. Additionally, it has outperformed QakBot in terms of scope, having compromised over 41,000 nodes spread across 20 different nations.

The malware has been used to build residential proxy services to hide illegal activity like password spraying, web traffic proxies, and ad fraud, according to the researchers' report.

This has been confirmed by recent research from KrebsOnSecurity and Spur . us, which last week revealed that "AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to conceal their true location online. ".

Direct similarities between SocksEscort and the command-and-control (C2) servers of AVRecon serve as the foundation for the connection. According to reports, SocksEscort and Server Management LLC, a Moldovan firm, both offer mobile VPN services under the brand name HideIPVPN on the Apple Store.

The new infrastructure Black Lotus Labs discovered in connection with the malware exhibited the same traits as the previous AVrecon C2s, the company told The Hacker News.

Botnet called AVRecon.
The newly relocated SocksEscort nodes (Source: Lumen Black Lotus Labs), which took place during the second week of July.
The threat actors, according to the company's assessment, were attempting to maintain control over the botnet by null-routing their infrastructure in response to the publication. "This suggests the actors want to continue monetizing the botnet by maintaining some access and signing up users for the SocksEscort 'proxy as a service. '".

Due to the fact that routers and other edge appliances are frequently vulnerable to security flaws, they may not support endpoint detection and response (EDR) solutions, and they are built to handle higher bandwidths, they have recently become lucrative attack vectors.

Additionally, AVRecon poses a greater risk because of its capacity to launch a shell on a compromised system, giving threat actors the opportunity to obfuscate their own malicious traffic or collect additional malware for further post-exploitation.

The ability to spawn a remote shell was embedded in the file, the researchers said, even though the SocksEscort proxy service is where the majority of these bots are added.

"This could give the threat actor the ability to deploy additional modules, so we suggest that managed security providers try to look into these devices in their networks, while home users should power-cycle their devices. ".