uTalk

The Portuguese Judiciary Police (Policia Judiciária Portuguesa) conducted a number of operations against a large-scale criminal network on July 17 with the assistance of Europol on the ground. By using forged documents, this criminal organization assisted Asian irregular migrants in obtaining Portuguese residence permits illegally from other parts of Europe.

Following an operation involving 110 officers from the Judiciary Police (Policia Judiciária) and 12 officers from the Portuguese Immigration and Borders Service (Serviço de Estrangeiros e Fronteiras), six suspects have been detained in total, and searches have been carried out at twelve homes and six hostels. This action is the end result of a joint investigation that France and Portugal launched one and a half years ago with the assistance of Spain and Germany, as well as Europol and Eurojust.

Rental car from France to Portugal.
The smugglers employed a distinctive method of operation to carry out their illegal activity: they would take advantage of a Portuguese residence permit's online application process by helping migrants submit false applications. By disclosing false permanent addresses and immigrant workers' jobs in Portugal, they were able to accomplish this.

With the exception of an in-person interview, most of this process would be conducted online. In this instance, the criminal organization would rent various vehicles in Portugal to pick up the migrants, who were residing in various EU countries, from a prearranged meeting point in France. In order to avoid being discovered by law enforcement, the criminals then transferred the migrants back to France via narrow mountain passes after bringing them to Portugal for the interview. With their recently obtained documentation, the migrants would then proceed on their journey within the EU.

As of this writing, France has reported the arrest of 18 of this network's smugglers as they attempted to enter Spain from France with a total of 150 undocumented immigrants. However, the joint investigation revealed that the network rented at least 337 vehicles over the previous 1.5 years, enabling the transportation of up to 6000 unauthorized migrants. The organizers requested up to EUR 10,000 per immigrant for carrying out the irregular application process, and they assessed EUR 200 to EUR 400 for the cost of transportation from France to Portugal.

European collaboration that is successful.
The information exchange between the participating nations was facilitated by Europol, which also organized 7 operational meetings and provided more than 10 analytical products. Additionally, Eurojust sponsored the formation of a Joint Operational Team between France and Portugal and coordinated three meetings for coordination.

Europol assisted in the deployment of officers from France, Spain, and Germany on the action day by sending European Migrant Smuggling Centre (EMSC) experts to Lisbon, Portugal, to facilitate real-time communication exchanges. The European Multidisciplinary Platform Against Criminal Threats (EMPACT) was the framework in which this investigation was conducted.

The BlackCat ransomware has been seen being delivered by the financially motivated threat actor known as FIN8 using a "revamped" variation of a backdoor known as Sardonic.

The development, according to the Symantec Threat Hunter Team, a division of Broadcom, is an effort on the part of the e-crime organization to diversify its focus and maximize profits from infected entities. Dec.
20, 2022 saw the attempted intrusion.

The cybersecurity firm is monitoring FIN8 using Syssphinx. Initially linked to attacks on point-of-sale (PoS) systems using malware like PUNCHTRACK and BADHATCH, the adversary has been active at least since 2016.

The group reappeared in March 2021 with an updated version of BADHATCH, and in August 2021, Bitdefender revealed that the group had developed a brand-new custom implant called Sardonic.

Symantec stated in a report shared with The Hacker News that the C++-based Sardonic backdoor "has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs.".

The most recent iteration contains significant changes compared to the previous one, which was created in C++. The majority of the source code was written in C and modified to purposefully avoid similarity.

In the incident that Symantec investigated, Sardonic was incorporated into a PowerShell script that was then executed on the targeted system after initial access was granted. The script's goal is to start a .NET loader, which will then decrypt and run an injector module to run the implant.

Injecting the backdoor into a freshly created WmiPrvSE is what the injector is used for.
exe process," explained Symantec.
"When constructing the WmiPrvSE.
using a token obtained from the lsass, the injector makes a best effort to start the exe process in session-0.
The exe process.
".

Sardonic supports three different plugin formats to run additional DLL and shellcode in addition to supporting up to 10 interactive sessions on the infected host for the threat actor to execute malicious commands.

Other capabilities of the backdoor include the capacity to exfiltrate the contents of files from the compromised machine to an infrastructure under the control of an actor and to drop arbitrary files.

This is not the first instance that FIN8 has been linked to a ransomware attack using Sardonic. Lodestone and Trend Micro discovered FIN8's use of the White Rabbit ransomware, which is based on Sardonic, in January 2022.

Symantec stated that Syssphinx "continues to develop and improve its capabilities and malware delivery infrastructure, periodically modifying its tools and tactics to avoid detection.".

"The group's decision to switch from point-of-sale attacks to the distribution of ransomware shows the threat actors' commitment to maximizing profits from victim organizations. ".

Threat actors are using Android's WebAPK technology to deceive gullible users into installing malicious web apps on their phones that are intended to collect sensitive personal data.

Researchers from CSIRT KNF wrote in a report published last week that "the attack began with victims receiving SMS messages suggesting the need to update a mobile banking application.". The message's link took the recipient to a page where a malicious app was installed on their device using WebAPK technology. ".

The program poses as PKO Bank Polski, a global provider of banking and financial services with its headquarters in Warsaw. Polish cybersecurity company RIFFSEC was the first to disclose information about the campaign.

Android users can install Progressive Web Apps (PWAs) directly to their home screen using WebAPK, bypassing the Google Play Store.

According to Google's documentation, "when a user installs a PWA from Google Chrome and a WebAPK is used, the minting server "mints" (packages) and signs an APK for the PWA.".

Although it takes some time, the browser silently installs the APK on the user's device once it is complete. The phone installs the APK without disabling security, just like with any app downloaded from the store, because trusted providers (Play Services or Samsung) signed it. No sideloading of the app is required. ".

malicious applications.

When installed, the phony banking application ("org .
chromium.
webapk.
Users are prompted to enter their login information and two-factor authentication (2FA) tokens by the URL ("a798467883c056fed_v2"), which effectively makes them vulnerable to theft.

According to CSIRT KNF, "one of the challenges in countering such attacks is that WebAPK applications generate different package names and checksums on each device.". They are dynamically constructed by the Chrome engine, which makes it challenging to use this data as Indicators of Compromise (IoC). ".

Blocking websites that use the WebAPK mechanism to conduct phishing attacks is advised to counter such threats.

The development follows Resecurity's disclosure that cybercriminals are increasingly using specialized Android device spoofing tools that are sold on the dark web in an effort to pass off as compromised account holders and avoid anti-fraud measures.

Threat actors can take advantage of lax fraud controls to carry out unauthorized transactions via smartphones using banking malware like TimpDoor and Clientor by using antidetect tools like Enclave Service and MacFly, which are able to spoof mobile device fingerprints and other software and network parameters that are analyzed by anti-fraud systems.

The cybersecurity firm claimed that "cybercriminals use these tools to access compromised accounts and impersonate legitimate customers by exploiting stolen cookie files, faking hyper-granular device identifiers, and utilizing fraud victims' unique network settings.".