Cyware Weekly Threat Intelligence, November 21-25, 2022

The Good

• The CISA updated its Infrastructure Resilience Planning Framework (IRPF) with new tools and guidance to help state, local, tribal, and territorial (SLTT) entities counter evolving cyber threats. The framework was released last year and can be used by any organization to improve resilience planning.
• INTERPOL announced the seizure of cybercrime assets under Operation HAECHI III, a codename given to an effort to tackle a widespread campaign that caused the loss of $130 million worth of money and virtual assets. The operation was carried out over a span of five months and targeted cybercriminals involved in voice phishing, romance scams, BEC scams, and investment frauds. 
• In another successful investigation, Europol took down an online spoofing service, iSpoof, that was used by crooks to conduct social engineering, phishing, and bank helpdesk scams. The services on the website also allowed threat actors to steal money, banking account credentials, and one-time passcodes. This caused a loss of approximately $120 million in the last 16 months. 
• The U.S. government took down seven domains linked to pig butchering scams. These scams involved fraudsters duping victims into fake relationships before asking them to make investments in cryptocurrency on fake platforms. Around $10 million was lost due to these scams between May and August. 

The Bad

• A data breach at the County of Tehama, California, affected the personal information of employees, service recipients, and other affiliated individuals. The incident was identified on April 9, but the investigation stretched to August 19, when it was determined that PII was compromised. 
• Amidst the rising popularity of Mastodon, security researchers are finding several vulnerabilities and other security issues. One of these issues was associated with the Infosec-exchange instance that could be exploited to steal users’ credentials. The issues arose due to an HTML attribute only allowed by a Mastodon fork named Glitch.
• Over 50 websites impersonating the official MSI Afterburner site were used in the last three months to push XMRig miner and RedLine information-stealer. The primary targets of the campaign were Windows gamers and power users. 
• Group-IB researchers revealed a worldwide password-stealing campaign that resulted in the compromise of over 50 million passwords in the first seven months of the year. Around 34 Telegram groups were used by threat actors to infect over 890,000 devices. Each of these groups had as many as 200 active members and tricked victims by redirecting them to fake websites on the pretext of lucky draws, lotteries, and reviewing popular games on YouTube. 
• HC3 published an advisory to warn healthcare organizations about Lorenz ransomware. The advisory provided technical details, including reconnaissance and lateral movement activities by the ransomware, and urged organizations to stay vigilant.
• The newly found Donut (aka Donut Leaks) extortion group was linked with several double-extortion campaigns targeting multiple organizations. This time, the gang used its own customized ransomware and erected a site to leak stolen data.
• A callback phishing campaign associated with the LunaMoth threat actor is expanding worldwide. The campaign specifically targets organizations in the legal and retail sectors and has already cost victims thousands of dollars. The threat actors have significantly invested in call centers and infrastructure that is unique to each victim.  
• Sports betting company DraftKings suffered a credential stuffing attack that led to a loss of up to $300,000. The firm claims that the hackers accessed their customers’ accounts by using login information that was compromised on other websites. It has urged users to enable 2FA to secure their accounts, while assuring them to make up for the lost funds.
• A crypto-stealing phishing campaign is underway, impersonating different cryptocurrency exchanges and wallets. The campaign has been active since 2021 and abuses the Microsoft Azure Web Apps service to host phishing sites. Victims are targeted via phishing messages that pretend to be from Coinbase, MetaMask, Crypto.com, and KuCoin, informing them about suspicious activity detected in their accounts.  
• An ongoing Ducktail information-stealer campaign that targets Facebook ads and business platforms was disclosed by researchers. The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account. The ultimate purpose of this campaign is to run ads on hijacked Facebook accounts for monetary gain. 
• Affiliates of the Black Basta ransomware group were found piggybacking on QBot to target organizations in the U.S. Researchers found that attackers disabled DNS services to lock victims out of their networks. In the last two weeks, more than 10 organizations were impacted by these attacks.
• Security experts are investigating a dataset that appears to contain data from nearly 500 million WhatsApp users from 84 countries. The data is being sold on cybercrime forums for prices ranging from $2000 to $7000. Threat actor claims that there are over 32 million US user records included in the dataset.

New Threats

• Two malicious browser extensions under the name SearchBlox were distributed via the Google Chrome web store to steal Roblox player credentials, as well as assets on Rolimons. These extensions have been downloaded by more than 200,000 users. 
• WannaRen returned as Life ransomware to target Indian organizations. The ransomware variant uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.
• Newer versions of ViperSoftX were found dropping the VenomSoftX Chrome browser extension in an attempt to steal cryptocurrency. VenomSoftX disguised itself as various popular browser extensions, such as Google Sheets, to avoid user detection and targeted five cryptocurrency exchanges—Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin.
• RansomExx2 is a new variant of RansomExx, which is written in Rust. The variant uses AES-256 with RSA algorithms to encrypt specific files on victims’ computers. Each encrypted file is given a new file extension with random characters. 
• Several attack campaigns attributed to the SocGholish malware framework were observed this week. In one campaign, shady domains, fake plugins, and Windows themes were used to distribute the malware. In another campaign, SEO poisoning and malvertising tactics were leveraged as a part of the propagation process. 
• Cybercriminals are increasingly turning to a Golang-based information stealer named Aurora to steal sensitive information from browsers and cryptocurrency apps. At least seven notable cybercriminal gangs have significantly adopted the malware, either exclusively or along with RedLine and Raccoon. 
• Google Cloud Threat Intelligence researchers found 34 cracked versions of Cobalt Strike in the wild. These versions contained 257 unique JAR files and Beacon components, which upon execution could log keystrokes, perform code execution, escalate privileges, and conduct port scanning, among other nefarious activities. Researchers also noticed that each unauthorized version of the Cobalt Strike toolkit had attack template binaries, numbering between 10 and 100. 
• Two new RaaS families called Octocrypt and Alice were observed by the researchers. While Octocrypt is being offered at a price of $400 to target all Windows versions, Alice is being sold at $600, with fast encryption capabilities and compatibility with Asian/Arabic PCs. Additionally, a new ransomware named AXLocker was found stealing Discord tokens from victims’ systems. 
• SharkBot returned in a new attack targeting Android users. The trojan disguised itself as a fake antivirus app on Google Play Store to steal banking information from users. Other capabilities of the trojan include recording keystrokes, intercepting SMSes, and enabling attackers to gain remote access to devices. Most of the affected devices belonged to users in Italy and the U.K. 
• Fake VPN apps are being used to distribute the Bahamut spyware in a campaign that has been active since January. The campaign is conducted by a group of the same name and the main purpose is to extract sensitive user data from devices. So far, eight versions of these malicious apps have been discovered to be distributed via a VPN website.