FIN 11 , Email Campaign on the go

FIN11, a financially-motivated hacker group, has been launching successful hybrid extortion attacks across the Commonwealth of Independent States (CIS) countries. It is believed that the FIN11 operators have changed their TTPs to include a diverse set of sectors and geographic regions.

Hybrid extortion attacks

Recently, the group has switched from large-scale phishing campaigns to ransomware attacks.

  • FIN 11 has shifted its primary monetization method to ransomware deployment, along with data theft, to pressurize their victims into accepting the extortion demands.
  • The report has connected the FIN11 group with several dropper families such as SPOONBEARD, FORKBEARD, and MINEDOOR to drop a variety of associated payloads ( AndroMut, AZORult, CLOP, FlawedAmmyy, FRIENDSPEAK, Meterpreter, MIXLABEL) to target its victims.

FIN11 & TA505 Collaboration

The researchers given a variation between FIN11 and TA505 despite the significant overlap in tactics, techniques, and malware used by both hacker groups. It indicates that some earlier attacks attributed to TA505 were actually undertaken by FIN11. It is suspected that FIN11 is a smaller portion of the bigger TA505 umbrella family.

Attack strategy

The FIN11 group had lured its targets into downloading a malicious Microsoft Office attachment to start an infection chain. The chain creates multiple backdoors into compromised systems, with the capability to grab admin credentials and move laterally across networks.

Recent FIN11 lightson

The group has incorporated additional delivery techniques that are switched over almost on a monthly basis, while also continuing to use techniques from prior campaigns.

  • FIN11 had implemented new evasion techniques to selectively choose which victims (mostly Germany-based) were redirected to domains that delivered malicious Office files.
  • The threat actor continued to modify its delivery tactics during Q3 2020; the changes were relatively minor as the victims had to complete a CAPTCHA challenge before being served an Excel spreadsheet with malicious macro code.

Concluding notes

The tactics adopted by FIN11, including data-theft and extortion, aimed at increasing the pressure on victims suggest that its motivations are emblematic and exclusively financial. FIN11 is expected to continue launching hybrid extortion attacks for more effectiveness and financial

Ransom Gangs with Network Sellers collaboration. Deadly combođź‘ą

Accenture Cyber Threat Intelligence team outlined a trend of collaboration between network access sellers and ransomware gangs. Several cybercriminals are increasingly offering initial network access to already-compromised companies used by Ransomware gangs

Deadly deals

Researchers have warned that hackers are seen selling credentials for RDP connections, Citrix, and Pulse Secure VPN clients to ransomware groups such as Avaddon, Exorcist, Lockbit, Maze, NetWalker, and Sodinokibi.

  • Ransomware operators get direct access to corporate and government networks. Thus, they can concentrate on establishing persistence and moving laterally.
  • The network-access sellers have been observed using attack vectors such as remote working tools, zero-day exploits, or malware such as Cerberus Trojan to attempt corporate network access in the future.
  • The network access credentials are usually offered between $300 and $10,000, depending on the size and revenue of the victim.

The destructive relationship

Accenture has tracked more than 25 persistent network access sellers, as well as the occasional one-off seller, with more entering every week.

  • In August, four actors were seen utilizing the source code of Cerberus Trojan to gain corporate and government network access credentials, which they sold to other cybercrime groups for a handsome profit.
  • In July, the threat actor Frankknox aborted a sale of a self-developed Zero-day targeting a well-known brand of a mail server and began exploiting the vulnerability to gain corporate network access to multiple victims. Until September, Frankknox has advertised access to 36 corporations for between $2,000 and $20,000, of which at least 11 they claim to have sold.

Silent Librarian APT in to lime light

The Silent Librarian campaign has actively targeting students and faculty at universities via spear-phishing campaigns.

The threat group (also known as TA407 and Cobalt Dickens), which operates out of Iran, has been on the prowl since the start of the 2019 school year, launching low-volume, highly-targeted, socially engineered emails that eventually trick victims into handing over their login credentials.

The emails typically masquerade as messages from university library systems or other on-campus divisions.

This APT group is going back to school with a fresh campaign that seems to be targeting institutions globally, Targets stretch across a dozen countries and so far have included: The University of Adelaide in Australia; Glasgow Caledonian, University of Kent, University of York, King’s College London, Cambridge and others in the U.K.; the University of Toronto and McGill in Canada; and Stony Brook University, University of North Texas notably.

The mode of operation remains in place, with Silent Librarian hosting a series of phishing sites that are built to mimic legitimate university domains. For instance, emails purporting to be from the University of Adelaide Library directed victims to a “library.adelaide.crev[dot]me” URL, which is very close to the legitimate “library.adelaide.edu.au” domain of the school.

Many of these have been identified and taken down,though the threat actor has sophisticated and built enough of them to continue with a successful campaign against staff and students

The APT is using the Cloudflare content delivery network to host most of the phishing hostnames, in order to hide the real hosting origin.

Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology . It’s absolute nightmare for IT Admins in schools & University to keep things tight and hold.

Mac ,Linux Malwares are like Sweet Pancakes

Threat actors continuously updating their code with new threat vectors and obfuscation techniques is nothing new. A surge in malware targeting particular device groups reveals much about the shifting paradigm.

TeamTNT reinforces Black-T

TeamTNT is known to exfiltrate AWS credential files on compromised cloud systems and mine for Monero (XMR). 

  • Unit 42 researchers came with a new variant of cryptojacking malware named Black-T, the brainchild of the TeamTNT cybercrime group, boosting its capabilities against Linux systems.
  • The added potential includes memory password scraping via mimipy (works on Windows/Linux/OSX) and mimipenguin (Linux desktop)—two open-source Mimikatz equivalents targeting *NIX desktops.

IPStorm prepares for thunders

The IPStorm botnet has been targeting Windows systems until now. Its size has quadrupled from around 3,000 systems in May 2019 to more than 13,500 devices by September end.

  • IPStorm now boasts of newer versions targeting Android, Linux, and Mac devices.
  • Linux and Mac devices are infected after the gang performs a brute-force technique against SSH services.
  • However, the Android systems are infected when the malware scans the internet for devices that had left their ADB (Android Debug Bridge) port exposed online.

FinSpy’s malware spin

A new surveillance campaign was reported targeting Egyptian civil society organizations.

  • FinSpy, also known as FinFisher, used new variants that target macOS and Linux users. The spyware already had tools for Windows, iOS, and Android users.
  • Besides keylogging, call interception, and screen recording, the malware’s additional capabilities included stealing emails by installing a malicious add-on to Apple Main and Thunderbird and collecting Wi-Fi network information.

Concluding phrase

Cybercriminals unfurling tools targeting Linux and Mac devices put a dent in the broadly held opinion that those operating systems are more secure and not susceptible to malicious code, unlike others. Experts recommend checking network settings and avoiding using unnecessary online applications to ensure safety. Other useful tips include configuring the firewall, filtering traffic, and protecting locally stored SSH keys used for network services.