Jackfarrow's Posts
REvil, the ransomware gang, has been taken down by an active multi-country law enforcement operation. This resulted in the hacking and taking offline, for a second time, of all its services and its ecosystem as a whole. Reuters has stated that multiple private-sector cyber experts worked with the U.S. government, noting that the May cyber attack on Colonial Pipeline relied on encryption software developed by REvil associates. Blockchain analytics firm Elliptic has also disclosed that over $7 million in bitcoin held by REvil was moved through a series of new wallets, with a small fraction of the amount being transferred with each transfer to make the laundered money difficult to track. It was revealed that REvil’s Tor payment portal and data leak website had been hijacked, thus leading to speculation that this could have been a result of coordinated law enforcement involvement. Profits raked in by ransomware operators have been on the rise as the ransomware economy is now characterized by a complex partnership, with ransomware-as-a-service (RaaS) syndicates like REvil and Darkside renting their file-encrypting malware to affiliates recruited through online forums and Telegram channels, who launch the attacks against corporate networks in exchange for a large share of the paid ransom. This allows ransomware operators to improve the product while affiliates focus on spreading the ransomware and infecting as many victims as possible. With an assembly line of ransom payouts, profits are split between the developer and themselves. Affiliates have also at times turned to other cybercriminal enterprises that offer initial access via persistent backdoors to orchestrate the intrusions. REvil had earlier shut down in mid-July 2021, but the crew returned in early September under the same brand name, even as the FBI stealthily planned to dismantle the threat actor’s malicious activities without their knowledge, as reported by the Washington Post last month.
However, the ransomware gang restored the infrastructure from the backups with the assumption that they had not been compromised. Funny as it sounds, the gang's own favorite tactic of compromising the backups was turned against them. Source: https://slytech.org/2021/10/24/revil-the-hacker-group-gets-hacked-by-the-feds/
A hacker group is now targeting Afghanistan and India as they exploit a now-patched, 20-year-old flaw affecting Microsoft Office to deploy remote access trojans (RATs) that allow the adversary to gain complete control over the compromised endpoints. This has been attributed to a “lone wolf” threat actor operating a Lahore-based fake IT company called Bunse Technologies as a front to carry out the malicious activities. The attacks work by taking advantage of political and government-themed lure domains that host the malware payloads, with the infection chains leveraging weaponized RTF documents and PowerShell scripts that distribute malware to victims. Specifically, the laced RTF files were found exploiting CVE-2017-11882 to execute a PowerShell command that’s responsible for deploying additional malware to conduct reconnaissance on the machine. CVE-2017-11882 is a memory corruption vulnerability capable of being abused to run arbitrary code. This flaw has been in existence since 2000 and was eventually addressed by Microsoft as part of its Patch Tuesday updates for November 2017. After the recon phase, a similar attack follows whereby the aforementioned vulnerability runs a series of instructions culminating in the installation of commodity malware such as DcRAT and QuasarRat, which come with a variety of functionalities right out of the box, including remote shells, keylogging and credential theft, thus requiring minimal effort on the part of the attacker. The cybercrime operation has been observed to possess a browser credential stealer for Brave, Mozilla Firefox, Google Chrome and Yandex Browser. “This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims,” the researchers said. “Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets.
These families also act as excellent launch pads for deploying additional malware against their victims.” Source: https://slytech.org/2021/10/24/afghanistan-and-india-are-the-new-targets-of-hacker-group-with-commodity-rats/
An extensive series of credential phishing campaigns was discovered and disclosed by Microsoft on Thursday. This campaign is taking advantage of a custom phishing kit that stitched together components from at least five different circulated ones with the aim of siphoning user login information. This discovery was first made in December 2020 and the copy-and-paste attack infrastructure was dubbed “TodayZoo”. Researchers have stated that the “availability of numerous phishing kits for sale and for rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits; they put these functionalities together in a customized kit and try to reap the benefits all to themselves. Such is the case of TodayZoo.” The TodayZoo phishing campaign impersonates Microsoft, posing as a password reset or fax and scanner notifications, to redirect victims to credential harvesting pages. A large part of TodayZoo is believed to have been lifted generously from another kit known as DanceVida, while imitation and obfuscation-related components significantly overlap with the code from at least four other phishing kits, such as Botssoft, WikiRed, Office-RD117 and Zenfo. “This research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit ‘families,’” Microsoft’s analysis read. “While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves.” TodayZoo, however, deviates from DanceVida with regard to the credential harvesting component by replacing the original functionality with its own exfiltration logic. Source: https://slytech.org/2021/10/25/microsoft-cautions-on-todayzoo-phishing-kit-used-in-credential-stealing-attacks/
More than 270 government-backed threat actors from over 50 countries have been put on a watch list by Google’s Threat Analysis Group (TAG). Approximately 50,000 alerts of state-sponsored phishing or malware attempts were sent to customers since the start of 2021. This is a 33% rise from 2020, as the spike stems from “blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear.” Google has also stated that it has disrupted a number of campaigns mounted by an Iranian state-sponsored attacker group tracked as APT35 (aka Charming Kitten, Phosphorous or Newscaster), as well as a sophisticated social engineering attack dubbed “Operation SpoofedScholars” aimed at journalists and professors with the goal of soliciting sensitive information by masquerading as scholars with the University of London’s School of Oriental and African Studies (SOAS). Past attacks have also been orchestrated through the use of a spyware-infested VPN app uploaded to the Google Play Store that, when installed, could be leveraged to siphon sensitive information such as call logs, text messages, contacts and location data from infected devices. The cyber criminals have also been said to impersonate policy officials by sending “non-malicious first contact email messages” modeled around the Munich Security and Think-20 (T20) Italy conferences as part of a phishing campaign to lure high-profile individuals into visiting rogue websites. Source: https://slytech.org/2021/10/17/google-is-currently-tracking-270-state-sponsored-hackers/