Adult sites at a risk of Malsmoked

Shady attracts shady! Lately, cybercriminals have been found manipulating adult website visitors and redirecting victims to malicious websites serving up malware.

What & Why

Researchers discovered an Malsmoke campaign that appears to have begun mid-October.

  • The threat actors, who have been active throughout 2020, are pushing adult site users to download a fake Java update in their malvertising attacks.
  • Sites such as bravoporn[.]com and xhamster[.]com with hundreds of millions of users are, reportedly, at the risk of downloading Zloader, a banking malware.
  • The reason to go after high traffic adult portals can be set straight; the more the visitors higher the number of infected systems.

How does it work?

The new campaign works across all major web browsers, including Google Chrome.

  • When a user clicks to play a video clip, a new browser containing a grainy video pops up. 
  • In the background, however, victims are redirected to malicious pages such as landingmonster[.]online until they land on a “decoy” porn site.
  • The movies play for a few seconds and suddenly an overlay message surfaces saying the Java Plug-in 8.0 was not found.
  • The fake Java update is, in fact, a digitally signed Microsoft installer, loaded with a number of libraries and executables—that final payload is Zloader.

Activity review of malsmoke actors

The name malsmoke campaign came from Smoke Loader malware that the group drops via the Fallout exploit kit.

  • Since the beginning of the year, malsmoke operators have been running successful exploit kit campaigns, until they decided to pick a new trick involving social engineering.
  • The hacker group launched attacks on the systems of porn surfers running older versions of Adobe Flash Player and Internet Explorer, infecting most of the adult networks with malware on the web.

Stay safe

Atmost care at your own risk

Trickbot turns 100 1️⃣0️⃣0️⃣

TrickBot is a malware infection commonly installed via malicious phishing emails or other malware. When installed, TrickBot will quietly run on a victim’s computer while it downloads other modules to perform different tasks. Now a new 100th version has been released.

They perform a wide range of malicious activity, including stealing a domain’s Active Directory Services database, spreading laterally on a network, screen locking, stealing cookies and browser passwords, and stealing OpenSSH keys.

TrickBot is known to finish an attack by giving access to the threat actors behind the Ryuk and Conti ransomware to make matters worse.

New features added to TrickBot v100

TrickBot is now injecting its DLL into the legitimate Windows wermgr.exe (Windows Problem Reporting) executable directly from memory using code from the ‘Memory Module’ project.

“Memory Module is a library that can be used to load a DLL completely from memory – without storing on the disk first,” .

Initially started as an executable, TrickBot will inject itself into wermgr.exe and then terminates the original TrickBot executable. They use dippelganging technique to evade detection

“This technique makes use of transactions, a feature of NTFS that allows to group together a set of actions on the file system, and if any of those actions fails, a complete rollback occurs. The injector process creates a new transaction, inside of which it creates a new file containing the malicious payload. It then maps the file inside the target process and finally rolls back the transaction. In this way it appears as if the file has never existed, even though its content is still inside the process memory

Trickbot gang has not allowed the disruption of their infrastructure to hold them back, and they continue to integrate new features to prevent the malware from being undetected.

TrickBot is here to stay for the foreseeable future, and consumers and the enterprise need to remain diligent and be smart about what email attachments they open.

Qakbot 🐎 ->Prolock ☠️-> Egregor 👹

Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.

First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock. Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe.

Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand was at $4 million worth of BTC till now.

Egregor operators in a spam of 3 months have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.

Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password.Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.

The use of CobaltStike and QakBot is to watch when hunting for Egregor. More threat hunting and detection tips from Group-IB DFIR team as well as a detailed technical analysis of Egregor operations are available in Group-IB’s blog.

APT Predictions 2020 As it happened..Predicting 2021

Trying to make predictions about the future is a tricky business. As per the researchers what they predicted and what is happened.. and what going to happen they elobrated

  • The next level of false flag attacks
    Olympic Destroyer , Death Stalker
  • From ransomware to targeted ransomware
    Attacks targetting mainly hospitals and universities
  • New online banking and payments attack vectors
    FIN7, Cobalt Groups, Silence and Magecart, as well as APT threat actors such as Lazarus.
  • More infrastructure attacks and attacks against non-PC targets
    Tunnel Snake, Mosaic Regressor
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
    Strongpity4
  • Increasing sophistication of attack methods
    Geo-fencing attacks or hosting malware and used for C2 communications).
  • A further change of focus towards mobile attacks
    TwoSail Junk
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked/stolen personal information is being used more than ever before in up-close and personal attacks.

Turning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.

APT threat actors will buy initial network access from cybercriminals

More Silicon Valley companies will take action against zero-day brokers

Increased targeting of network appliances

The emergence of 5G vulnerabilities

Demanding money “with menaces”

More disruptive attacks

Attackers will continue to exploit the COVID-19 pandemic