Malware service providers arrested

The malware encryption service run by a Romanian duo based in Craiova and Bucharest helped hackers embed malicious code in legitimate software to bypass antivirus tools.

The pair ran online malware encryption services, also known as crypting services, dubbed CyberSeal and Dataprotector. These services were offered to cybercriminals to encrypt the code of malware, including information stealers, Remote Access Trojans, and ransomware, to help them launch attacks successfully.

The pair also offered the Cyberscan service, through which their cybercriminal clients could test their malware against antivirus (AV) programs. Malware authors used these services to wrap their payloads in encryption shells to bypass most AV tools.

Over 1560 cybercriminals purchased these services and used them to improve 3000 malware strains for sophisticated attacks. For testing samples against AV scanners, the operators charged $7 to $40; for the actual crypting services, they asked for $40 to $300, depending on the requirements.

By purchasing these services, cybercriminals could embed and hide their malware in legitimate software and circulate it to unsuspecting users. Cyberscan let them test their malware strains against AV tools before release.

The duo had been offering crypting services since 2010. They launched the CyberSeal service in 2014 and Dataprotector in 2015. The Cyberscan service was comparatively new, having been launched in 2019.

Romanian police obtained search warrants to locate the suspects. Police raided four homes, including the suspects’ houses in Craiova and Bucharest, and discovered back-end servers in Romania, the USA, and Norway. The CyberSeal (cyber-seal.org) and Cyberscan (cyberscan.org) websites are now offline.

Jupyter: more than a planet. An infostealer

Researchers have discovered a new infostealer written in .NET, called Jupyter, which targets major web browsers such as Mozilla Firefox and Google Chrome, as well as Chromium itself.

The first version of the infostealer seen in the wild stole information (autocomplete data, cookies, and passwords) only from Chrome browsers.

The newer version adds Firefox information stealing (cookies, logins, certificates, and form history). It uses the same technique of copying the targeted data before accessing it, in order to evade detection.

The malware's features include downloading and running further malware as well as PowerShell scripts and commands, and injecting shellcode into various applications related to Windows configuration.

The downloaded file is a ZIP archive containing an installer that poses as a legitimate piece of software. Alarmingly, according to the researchers this file has maintained a 0% detection rate on VirusTotal for over 6 months, which makes us wonder how many systems it may have infected by now.

Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into memory. This client has a well-defined communication protocol and versioning matrix, and has recently added persistence modules.

The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter.NET module.

The origin is believed to be Russia, since the C2 server points there. A reverse image search of the admin panel image also produced a Russian match.

To conclude, this trend is nothing new in itself: researchers constantly observe new variants of existing malware types being developed and even going unnoticed. Such research reports are a relief in the face of such threats, helping the cybersecurity community mend its blind spots.

TroubleGrabber ⚙️

A new credential stealer dubbed TroubleGrabber spreads via Discord attachments and uses Discord webhooks to transfer stolen data to its operators; it shares characteristics with AnarchyGrabber.

Distributed via drive-by download, the malware is able to steal web browser tokens, Discord webhook tokens, web browser passwords, and system information. It sends this information back to the attacker via a webhook, as a chat message to the attacker's Discord server.

The malware was distributed via Discord in 97.8% of detected infections, “with small numbers distributed via anonfiles.com and anonymousfiles.io, services that allow users to upload files anonymously and free for generating a public download link.”

The TroubleGrabber kill chain uses both Discord and GitHub as repositories for next-stage payloads, which are downloaded to the C:/temp folder once a victim is infected with the malware.

TroubleGrabber payloads steal victims’ credentials, including system information, IP address, web browser passwords, and tokens.

The malware's author currently runs a Discord server with 573 members and hosts next-stage payloads and the malware generators on their public GitHub account.
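The kill chain above (payloads fetched from Discord/GitHub/anonfiles-style hosts, stolen data posted to a Discord webhook) is visible in outbound web proxy logs. The following is an added detection example, not code from the article or from any referenced research; the log format and every sample line are constructed, and the webhook id/token are placeholders.

```python
import re
from urllib.parse import urlparse

# Hosts the article names as TroubleGrabber payload sources (constructed
# allowlist-of-interest; extend it from your own telemetry).
PAYLOAD_HOSTS = {"cdn.discordapp.com", "raw.githubusercontent.com",
                 "github.com", "anonfiles.com", "anonymousfiles.io"}
# Discord webhook endpoints look like /api/webhooks/<id>/<token>.
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")
# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line):
    """Return (tag, url) for a suspicious proxy log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _client, method, url, _status = m.groups()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    # Exfiltration: a POST straight to a Discord webhook from an endpoint.
    if method == "POST" and host in {"discord.com", "discordapp.com"} \
            and WEBHOOK_RE.match(u.path):
        return ("discord_webhook_post", url)
    # Staging: executable/archive fetched from a known payload host.
    if method == "GET" and host in PAYLOAD_HOSTS \
            and u.path.lower().endswith((".exe", ".zip", ".dll")):
        return ("payload_download", url)
    return None


def scan(lines):
    """Run classify() over an iterable of log lines; keep only the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]


# Constructed sample log (not real traffic); ids and token are placeholders.
SAMPLE_LOG = """\
2020-11-12T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html 200
2020-11-12T10:01:40Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/loader.exe 200
2020-11-12T10:02:03Z 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/PLACEHOLDER_TOKEN 204
2020-11-12T10:02:10Z 10.0.0.5 GET https://anonfiles.com/abcd/stage2.zip 200
2020-11-12T10:03:00Z 10.0.0.6 GET https://discord.com/channels/@me 200
"""

if __name__ == "__main__":
    for tag, url in scan(SAMPLE_LOG.splitlines()):
        print(f"{tag}: {url}")
```

Legitimate Discord use from workstations will produce ordinary GETs to discord.com, so the rule keys on the webhook POST path and on executable downloads rather than on the domain alone.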

Caution is a must!

Buer ☠️ Malware-as-a-service

A new malware-as-a-service offering has been discovered by cybersecurity firm Sophos, providing an alternative to other well-known malware loaders like Emotet and BazarLoader. Buer, as the new malware has been dubbed, was found being used to compromise Windows PCs, acting as a gateway for further attacks to follow.

Buer was first advertised in August 2019 under the title “Modular Buer Loader”, described by its developers as ‘a new modular bot…written in pure C’ with command and control (C&C) server code written in .NET Core MVC (which can be run on Linux servers).

Buer comes with bot functionality specific to each download. The bots can be configured using a variety of filters, including whether the infected machine is 32- or 64-bit, the country where the exploit is taking place, and what specific tasks are required.

Sophos discovered Buer as the root cause of a Ryuk ransomware attack, with the malware delivered via Google Docs and requiring the victim to enable scripted content in order to work. In this respect, Buer mimics Emotet and other loader malware variants.

Buer uses a stolen certificate issued by a Polish software developer to evade detection, and checks for the presence of a debugger in order to hinder forensic analysis.

Nevertheless, there are ways for individuals to protect themselves. Remaining cautious against phishing attacks is essential, as is ensuring that an up-to-date antivirus solution is installed.