uTalk

132 members of one of the most powerful criminal networks in the world were apprehended during an action day carried out by ten nations. Authorities from Belgium, Germany, Italy, France, Portugal, Slovenia, Spain, Romania, Brazil, and Panama conducted raids at various locations and seized a number of businesses early on May 3. On the ground, during the action day, over 2,770 officers were involved.

This global operation against the 'Ndrangheta, which is now the biggest hit against the Italian poly-criminal syndicate to date, was supported by Eurojust and Europol. Along with routine money laundering, bribery, and violence, the mafia-style organization is in charge of a large portion of the cocaine trade in Europe.
The criminal network under investigation was led by several powerful ‘Ndrangheta families based mainly in the town of San Luca, which is in the Italian province of Reggio Calabria. Some of these families have been involved in decades-long clan violence known as the San Luca feud, culminating in massive shootings in Italy and abroad, such as the Duisburg massacre in Germany in 2007.

Members of the criminal network were engaged in a criminal conspiracy not only by being part of a mafia-style organization, but also by being responsible for drug trafficking, firearms trafficking, illegal firearms possession, money laundering, fraudulent asset registration, tax fraud, and tax evasion, as well as the aiding and abetting of fugitives (who have since been arrested). Two of these fugitives had been on the EU Most Wanted list. 

The staggering list of criminal activities
The Italian criminal network was mainly devoted to international drug trafficking from South America to Europe, as well as Australia. Authorities uncovered that the network was working in partnership with the Colombian organized crime group ‘Gulf Clan’ and an Albanian-speaking crime group operating in Ecuador and multiple European Countries. Furthermore, the ‘Ndrangheta clans were involved in international firearms trafficking from Pakistan to South America, providing weapons to the notorious criminal group PCC (Primeiro Comando da Capital) in exchange for cocaine shipments. Investigators tracked the flow of money in an extensive global money laundering system, with massive investments in Belgium, Germany, Italy, Portugal, Argentina, Uruguay, and Brazil. The criminal group was investing its profits in real estate, restaurants, hotels, car wash companies, supermarkets, and other commercial activities. In order to pay for cocaine or to transfer illicit assets, the criminals often relied on facilitators using the hawala system.

A threat actor has been seen using the method to distribute a new Windows-based financial trojan and information thief called LOBSHOT, in yet another example of how threat actors are abusing Google Ads to serve malware.

Daniel Stepanic, an analyst with Elastic Security Labs, wrote in a report published last week, "LOBSHOT continues to gather victims while remaining undetected.".

"Hidden Virtual Network Computing, or hVNC, is one of LOBSHOT's key capabilities. Direct and covert access to the machine is made possible by these types of modules. ".

Based on infrastructure that had previously been linked to the group, the American-Dutch company identified TA505 as the threat actor responsible for the malware strain. TA505 is a group of cybercriminals with a financial incentive that coexists with the Evil Corp, FIN11, and Indrik Spider activity clusters.

The most recent development is significant because it shows that TA505, which is linked to the Dridex banking trojan, is once again increasing the amount of malware it uses to commit financial fraud and data theft.

LOBSHOT, with early samples dating back to July 2022, is disseminated through fraudulent Google advertisements for trustworthy products like AnyDesk that are hosted on a network of fake landing pages kept up by the operators.

The malware includes dynamic import resolution (i. e. , resolving the names of necessary Windows APIs at runtime), anti-emulation checks, and string obfuscation to avoid detection by security software.

Once installed, it steals information from more than 50 cryptocurrency wallet extensions found in web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox, changes the Windows Registry to enable persistence, and siphons data from those extensions.

advertisements on Google.
Other noteworthy characteristics of LOBSHOT include its capacity to remotely access the compromised host via an hVNC module and perform operations on it covertly without drawing the victim's attention.

According to Stepanic, "threat groups continue to use malvertising techniques to disguise legitimate software with backdoors like LOBSHOT.".

These malware types might appear to be small, but they end up having a lot of functionality, which enables threat actors to move quickly during the initial access stages by providing fully interactive remote control capabilities. ".

The results also highlight how more adversaries are using malvertising and search engine optimization (SEO) poisoning to trick users into visiting bogus websites and downloading trojanized versions of popular software.

Data from eSentire indicates that a number of attacks in the U.S. that targeted law offices and corporate legal departments were carried out by the threat actors behind GootLoader. S. Canada and the U.S. K. Australia and also.

As an initial access-as-a-service operation for ransomware attacks, GootLoader, which has been active since 2018, uses SEO poisoning to lure victims looking for contracts and agreements to infected WordPress blogs that point to links containing the malware.

The attack chain is created so that the malware can only be downloaded from the hijacked sites once per day in order to avoid detection by incident responders, in addition to implementing geofencing to target victims in specific regions.

According to eSentire, GootLoader's use of the IP address method to screen already-hacked victims could be used against it to block the IP addresses of end users in advance and shield organizations from potential infections.

Police seized the illegal "Monopoly Market" dark web marketplace and detained 288 suspects involved in buying or selling drugs on the dark web as part of an operation coordinated by Europol and involving nine countries. 850 kg of drugs, 53 point 4 million dollars worth of virtual currency, more than 50 point 8 million euros, 117 weapons, and more were all seized. Along with more than 258 kg of amphetamines, 43 kg of cocaine, 43 kg of MDMA, and more than 10 kg of ecstasy and LSD pills were also seized.
This operation, known by the code name SpecTor, was made up of a number of independent complementary operations in Austria, France, Germany, the Netherlands, Poland, Brazil, the United Kingdom, the United States, and Switzerland.

investigations using intelligence packages as a foundation.
German law enforcement, who were successful in seizing the criminal infrastructure of the market in December 2021, provided Europol with mountains of evidence on which to base its intelligence packages. These target packages, which were developed by cross-matching and analyzing the data and evidence gathered, provided the framework for numerous national investigations. The vendors who were detained as a result of the police action against the Monopoly Market were also involved in other illegal markets, which made it harder for people to buy and sell drugs and other illegal items on the dark web. As a result, 288 sellers and purchasers involved in tens of thousands of sales of illegal goods were detained throughout Europe, the US, and Brazil. Some of these suspects were regarded by Europol as high-value targets.

United States (153), United Kingdom (55), Germany (52), Netherlands (10), Austria (9), France (5), Switzerland (2), Poland (1), and Brazil (1) all saw arrests. Numerous inquiries are still being conducted to determine who else is operating dark web accounts. Numerous customers around the world now face the possibility of prosecution as a result of law enforcement officials access to the vendors' extensive buyer lists.