uTalk

The threat actors who created the Vidar malware have altered their backend infrastructure, showing efforts to retool and hide their online footprint in response to public revelations about their method of operation.

Cybersecurity firm Team Cymru stated in a recent analysis that "Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia.".

A known information thief operating since late 2018 is called Vidar. Additionally, it is a fork of another stealthy malware program called Arkei, and prices range from $130 to $750 depending on the subscription level.

The malware comes with a wide range of capabilities to harvest sensitive information from infected hosts and is frequently distributed through phishing campaigns and websites promoting cracked software. Vidar has also been seen to be spread by malicious Google Ads and the Bumblebee malware loader.

In a report released earlier in January by Team Cymru, it was stated that "Vidar operators have split their infrastructure into two parts; one dedicated to their regular customers and the other for the management team and possibly premium / important users. ".

My-odin[ is a significant domain that the Vidar actors use. ]com, a one-stop shop for controlling the panel, verifying affiliates, and exchanging files.

malicious software called Vidar.

Previously, downloading files from the website was possible without requiring any authentication; however, doing so now directs the user to a login page. Updates to the IP address that hosts the domain itself represent another change.

This includes shifting from 186.2. 166[. [15 to 5.252]. 179[.(201 to 5252).176[.
Threat actors will access the latter using VPN servers around the same time, reaching ]49 by the end of March 2023.

Team Cymru stated: "It is apparent that the Vidar threat actors may be taking steps to anonymize their management activities by hiding in general Internet noise by using VPN infrastructure, which in at least part was also utilized by numerous other benign users.".

The cybersecurity firm reported finding outgoing connections from 5.252 as well. 176[.49 to the website blonk[, a legitimate website. ]co as well as a host based in Russia (185.173.93[.]98:443).

The addition of a new IP address, 185.229, has been discovered to give the Vidar infrastructure yet another facelift beginning on May 3, 2023. 64[. hosting the my-odin on line 137. ]com domain in addition to the use of TOR relays by the operators to get access to their accounts and malware storage locations.

The information "provides further insight into the 'behind-the-scenes' operation of Vidar, demonstrating the evolution of its management infrastructure as well as evidence of steps taken by the threat actors to potentially cover their tracks," the company said.

Following hundreds of attacks against numerous US targets, the threat actors responsible for the LockBit ransomware-as-a-service (RaaS) scheme have demanded $91 million since 2020.
According to a joint bulletin released by the US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the UK.

The agencies claimed that the LockBit ransomware-as-a-service (RaaS) draws affiliates to use LockBit for ransomware attacks, resulting in a vast network of unconnected threat actors carrying out wildly different attacks.

According to statistics released by Malwarebytes last week, LockBit, which first appeared on the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone. At least 1,653 ransomware assaults have been blamed on the cartel with ties to Russia so far.

A wide range of crucial infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation, have been targeted by the cybercrime operation.

LockBit has so far undergone three significant upgrades: LockBit Red (June 2021), LockBit Black (March 2022), and LockBit Green (January 2023), the latter of which is based on leaked source code from the now-disbanded Conti gang.

Since then, the ransomware variant has been modified to attack Linux, VMware ESXi, and Apple macOS systems, making it a constantly evolving threat. The RaaS operation is also notable for starting the first-ever bug bounty program and paying people to get tattoos of its insignia.

The main actors in the business model rent out their warez to affiliates who carry out the actual ransomware distribution and extortion. In a surprising move, the group sends a cut to the main crew before allowing the affiliates to receive ransom payments.

Virus known as LockBit.

Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers, as well as other well-known bugs in Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices, have recently been exposed to security vulnerabilities that attack chains involving LockBit have taken advantage of to gain initial access.

Over 30 freeware and open-source tools that enable network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration are also used by the affiliates. Metasploit and Cobalt Strike, two legitimate red team tools, have been found to be further abused by the intrusions.

"LockBit's inventiveness and ongoing improvement of the organization's administrative panel (i.e), a streamlined point-and-click interface that enables ransomware deployment for users with lower levels of technical skill), affiliate supporting functions, and continuous TTP revision, the agencies said.

The change coincides with CISA's publication of Binding Operational Directive 23-02, which directs federal agencies to secure network devices like firewalls, routers, and switches that are exposed to the public internet within 14 days of their discovery and to take actions to reduce the attack surface.

"Too frequently, threat actors are able to use network devices to gain unrestricted access to organizational networks, which ultimately results in full-scale compromise," said Jen Easterly, director of CISA. "Requiring suitable controls and mitigations [. [] is a critical action in lowering risk to the federal civilian enterprise. ".

Additionally, the developments come in response to a fresh advisory that highlights dangers to Baseboard Management Controller (BMC) implementations that may allow threat actors to set up a "beachhead with pre-boot execution potential.". ".

According to CISA and the US government, "hardened credentials, firmware updates, and network segmentation options are frequently disregarded, resulting in a vulnerable BMC.
S.
In a joint alert, the National Security Agency (NSA) made a note.

A malicious actor could also disable security tools like the trusted platform module (TPM) or UEFI secure boot, alter data on any attached storage media, or spread malicious software or disruptive instructions throughout a network infrastructure. ".

A cutting-edge attack targeting users in Europe and the U.S. has been seen to deliver GreetingGhoul, a cryptocurrency stealer, using a novel multi-stage loader known as DoubleFinger. US, as well as Latin America. According to a report released on Monday by Kaspersky researcher Sergey Lozhkin, "DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages.".

A modified version of espexe serves as the foundation for the attacks. exe, or Microsoft Windows Economical Service Provider application, is designed to run shellcode responsible for obtaining a PNG image file from the image hosting service Imgur.

An encrypted payload that starts a four-stage compromise chain and ultimately causes the execution of the GreetingGhoul stealer on the infected host is hidden by the image's use of steganographic deception.

GreetingGhoul is notable for its use of Microsoft Edge WebView2 to build fake overlays on top of legitimate cryptocurrency wallets in order to steal credentials entered by unwary users.

In addition to dropping GreetingGhoul, DoubleFinger has also been seen delivering Remcos RAT, a commercial trojan that threat actors have frequently used to attack European and Ukrainian targets in recent months.

According to Lozhkin, the analysis "discloses a high level of sophistication and skill in crimeware development, comparable to advanced persistent threats (APTs)".

"The implementation of process doppelgänging for injection into remote processes, the multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and these all point to well-crafted and complex crimeware. ".