uTalk

Between June 2022 and May 2023, more than 101,100 compromised OpenAI ChatGPT account credentials were sold on illegal dark web marketplaces, with 12,632 of those credentials coming from India.

In a report shared with The Hacker News, Group-IB claimed that the credentials were found in information thief logs that had been made available for purchase on the dark web.

The company with its headquarters in Singapore reported that "the number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023.". "Over the past year, the highest concentration of ChatGPT credentials for sale have been seen in the Asia-Pacific region. ".

Pakistan, Brazil, Vietnam, Egypt, and the U.S. are the other nations with the greatest number of compromised ChatGPT credentials. S. France, Morocco, Indonesia, and Bangladesh.

More research has shown that the notorious Raccoon information thief (78,348), Vidar (12,984), and RedLine (6,773) are responsible for the majority of logs containing ChatGPT accounts that have been compromised.

Due to their capacity to steal passwords, cookies, credit card information, and other data from browsers and cryptocurrency wallet extensions, information stealers have grown in popularity among online criminals.

"Logs containing compromised information harvested by info thieves are actively traded on dark web marketplaces," Group-IB claimed.

The lists of domains found in the log and the information regarding the IP address of the compromised host are additional details about logs that are available on such markets. ".

They have not only lowered the bar for cybercrime but also act as a conduit for launching follow-up attacks using the siphoned credentials. They are typically offered based on a subscription-based pricing model.

Dmitry Shestakov, head of threat intelligence at Group-IB, stated that "many enterprises are integrating ChatGPT into their operational flow.".

ChatGPT.

"Workers use the bot to optimize proprietary code or enter classified correspondences. Given that ChatGPT's default configuration saves all conversations, threat actors could unintentionally gain access to a wealth of sensitive information if they manage to get hold of account credentials. ".

Users are advised to follow recommended password hygiene procedures and secure their accounts with two-factor authentication (2FA) to reduce the risk of account takeover attacks.

The development coincides with an ongoing malware campaign that uses adult content lures and phony OnlyFans pages to spread the DCRat (or DarkCrystal RAT), a modified version of AsyncRAT, a remote access trojan, and an information stealer.

According to eSentire researchers, the activity has been occurring since January 2023.
"In observed instances, victims were lured into downloading ZIP files containing a VBScript loader which is executed manually," they said.

The victims may have been drawn in by explicit images or OnlyFans content for different adult film actresses, according to the file naming convention. ".

It also comes in response to the discovery of a brand-new VBScript variant of the malware GuLoader (also known as CloudEyE), which uses decoys with tax-related themes to launch PowerShell scripts capable of retrieving and injecting Remcos RAT into a legitimate Windows process.

The Canadian cybersecurity firm stated in a report released earlier this month that "GuLoader is a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs)".

GuLoader uses user-initiated scripts or shortcut files to run numerous rounds of highly obscured commands and encrypted shellcode. As a result, a legitimate Windows process contains a memory-resident malware payload. ".

Microsoft said on Friday that an unclassified cluster it monitors by the name Storm-1359 was to blame for a series of service outages earlier this month that affected Azure, Outlook, and OneDrive.

The tech giant wrote in a post on Friday that the attacks "likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.".

The Windows manufacturer gives unidentified, emerging, or developing groups whose identity or affiliation haven't been conclusively established yet the temporary moniker Storm.

The company stated the attacks "temporarily impacted availability" of some services, despite the fact that there is no proof that any customer data was accessed or compromised. Redmond claimed to have seen the threat actor launch layer 7 DDoS attacks from various open proxy infrastructures and cloud services.

This includes Slowloris attacks, CDN bypass attacks, and HTTP(S) flood attacks, which overload the origin servers by flooding them with HTTP(S) requests.

"In this attack, the client connects to a web server, requests a resource (such as a file), and then closes the connection.
g.
, an image), and then refuses to acknowledge the download (or accepts it slowly)," according to the Microsoft Security Response Center (MSRC). By doing this, the web server is compelled to maintain the connection open and the requested resource in memory. ".

At the beginning of the month, Microsoft 365 services including Outlook, Teams, SharePoint Online, and OneDrive for Business went down. The company later reported that it had discovered an "anomaly with increased request rates.". ".

"Traffic analysis revealed an anomalous spike in HTTP requests being issued against Azure portal origins, bypassing existing automatic preventive measures," it said. This resulted in the service unavailable response.

The "murky upstart" is primarily focused on disruption and publicity, according to Microsoft's further description. The attacks were carried out, according to the hacktivist collective Anonymous Sudan. Nevertheless, it's important to note that the company hasn't made a clear connection between Storm-1359 and Anonymous Sudan.

Anonym Sudan: Who is He?
Since the beginning of the year, DDoS attacks by Anonymous Sudan against Swedish, Dutch, Australian, and German organizations have caused a stir in the threat landscape.

The adversary is most likely an offshoot of the pro-Russian threat actor group KillNet, which first gained notoriety during the Russian-Ukrainian conflict last year, according to an analysis from Trustwave SpiderLabs in late March 2023.

"It has publicly allied itself with the Russian group KillNet, but for reasons only its operators know, prefers to use the story of defending Islam as the reason behind its attacks," Trustwave said.

In addition, KillNet has come under fire for its DDoS attacks on healthcare organizations running on Microsoft Azure, which increased from 10 to 20 attacks per day in November 2022 to 40 to 60 attacks per day in February 2023.

The Kremlin-connected group, which first surfaced in October 2021, has also founded a "private military hacking company" called Black Skills in an effort to give its cyber mercenary activities a professional air.

Given its cooperation with KillNet and REvil to create a "DARKNET parliament" and plan cyberattacks against European and U.S. targets, Anonymous Sudan's connections to Russia have also come to light.
S.
institutions of finance. A message published on June 14, 2023 stated that "Task Number One is to Paralyze the Work of SWIFT.".

Despite its nationalistic agenda, KillNet has been primarily motivated by financial goals, using the eager support of the Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services, according to a profile of the adversary published by Flashpoint last week.

In order to target darknet markets that specialize in selling drugs, KillNet has also teamed up with a number of botnet providers and the Deanon Club, a partner threat group with which KillNet co-created Infinity Forum. ".

Over 70 web browser extensions and 40 different web browsers have been found to be targets of the new data-stealing malware known as Mystic Stealer.

The malware, which was initially advertised on April 25, 2023, for $150 a month, targets Steam, Telegram, cryptocurrency wallets, and other services.
It also has a number of sophisticated defense mechanisms.

In an analysis released last week, researchers from InQuest and Zscaler noted that the code was heavily obfuscated using polymorphic string obfuscation, hash-based import resolution, and runtime constant calculation.

Mystic Stealer, like many other crimeware products for sale, focuses on data theft and is created using the C programming language. Python was used in the creation of the control panel.

The malware will receive updates in May 2023 that include a loader component that enables it to fetch and execute next-stage payloads from a command-and-control (C2) server, making it a more dangerous threat.

An individual binary protocol over TCP is utilized for C2 communications. The number of C2 servers that are currently in operation may reach 50. Customers of the stealer can access data logs and other configurations through the control panel, which acts as an interface.

Cybersecurity company Cyfirma, which published a concurrent analysis of Mystic, stated that "the author of the product openly invites suggestions for additional improvements in the stealer" through a dedicated Telegram channel, indicating active efforts to court the cybercriminal community.

The developers of Mystic Stealer "seem to be looking to produce a stealer on par with the current trends of the malware space while trying to focus on anti-analysis and defense evasion," according to the researchers.

The findings come as infostealers have become a sought-after item in the black market, frequently acting as the precursor by making it easier to gather credentials to grant initial access into target environments.

To put it another way, thieves serve as a base for other cybercriminals to launch financially driven campaigns that include ransomware and data extortion components.

Despite their increased popularity, commercially available stealer malware is becoming more lethal and incorporates cutting-edge tactics to evade detection in addition to being marketed at low prices to appeal to a wider audience.

mystical thief.

The steady introduction of new strains like Album Stealer, Bandit Stealer, Devopt, Fractureiser, and Rhadamanthys in recent months best exemplifies the stealer world's dynamic and ever-evolving nature.

Information thieves and remote access trojans have been seen concealed inside crypters like AceCryptor, ScrubCrypt (also known as BatCloak), and Snip3, which is another indication of threat actors' efforts to avoid detection.

The development also comes after HP Wolf Security revealed a March 2023 ChromeLoader campaign code-named Shampoo that is designed to install a malicious extension in Google Chrome and steal sensitive data, redirect searches, and inject ads into a victim's browser session.

Users primarily came into contact with the malware through the download of illegal media, such as Cocaine Bear movies. video game software (vbs), or something else," security expert Jack Royer said. These websites con people into running malicious VBScripts on their computers, which starts the infection chain. ".

The PowerShell code that the VBScript launches next uses the "--load-extension" command line argument to open a new Chrome session with the unpacked malicious extension while also closing any open Chrome windows that were previously running.

Additionally, it comes after the identification of the Pikabot malware trojan, a new type of modular malware that can inject payloads from C2 servers like Cobalt Strike and execute arbitrary commands.

Although there is no concrete evidence linking the two families, the implant, which has been active since the beginning of 2023, has been found to resemble QBot in terms of distribution strategies, marketing efforts, and malware behaviors.

According to Zscaler, "Pikabot is a new malware family that employs a broad range of anti-analysis techniques and offers common backdoor capabilities to load shellcode and execute arbitrary second-stage binaries.".