To lure victims into downloading the spyware implants, adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed graphic materials, setting up an effective trap for adherents of this belief. Most of these social media accounts contain a link to a Telegram channel also created by the attacker. In this channel, the actor behind SandStrike distributed a seemingly harmless VPN application to access sites banned in certain regions, for example, religious-related materials. To make this application fully functional, adversaries also set up their own VPN infrastructure. However, the VPN client contains fully functioning spyware with capabilities allowing threat actors to collect and steal sensitive data, including call logs and contact lists, and to track any further activities of persecuted individuals.
The Emotet malware operation is again spamming malicious emails after an almost five-month “vacation” that saw little activity from the notorious cybercrime operation. Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL is downloaded and loaded into memory. Once loaded, the malware searches for and steals emails to use in future spam campaigns and drops additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
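The infection chain above (Office document, macro enabled, DLL downloaded and loaded into memory) leaves a recognisable shape in endpoint telemetry: a Word or Excel process spawns a child that then maps a DLL from a directory an ordinary user can write to. The following detector is an added example written for this article, not code from any vendor or from Emotet analysis; the event records are constructed and only loosely modelled on process-creation and image-load telemetry, and the list of user-writable directories is an assumption to be tuned per environment.

```python
"""Added example: flag a Word or Excel process whose child loads a DLL from a
user-writable directory. Events are constructed, not real telemetry."""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe"}
# Directories an unprivileged user can write to (assumed list, extend as needed)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class Event:
    kind: str           # "process" (new process) or "imageload" (DLL mapped)
    pid: int            # process that was created / that loaded the image
    image: str          # executable path for "process", DLL path for "imageload"
    parent: str = ""    # parent executable path, "process" events only


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_office_dll_chains(events):
    """Return one (parent, child, dll) tuple per DLL loaded from a user-writable
    path by a process whose parent is an Office application."""
    office_children = {}   # pid -> (parent image, child image)
    hits = []
    for ev in events:
        if ev.kind == "process":
            if basename(ev.parent) in OFFICE_APPS:
                office_children[ev.pid] = (ev.parent, ev.image)
        elif ev.kind == "imageload":
            chain = office_children.get(ev.pid)
            if chain and ev.image.lower().endswith(".dll") and is_user_writable(ev.image):
                hits.append((chain[0], chain[1], ev.image))
    return hits


# Constructed sample: one suspicious chain, one benign Office child that loads
# a system library, and one non-Office process loading from its own AppData dir.
SAMPLE_EVENTS = [
    Event("process", 4412, r"C:\Windows\System32\rundll32.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("imageload", 4412, r"C:\Users\alice\AppData\Local\Temp\invoice_x.dll"),
    Event("process", 4420, r"C:\Windows\splwow64.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("imageload", 4420, r"C:\Windows\System32\winspool.drv"),
    Event("process", 5001, r"C:\Program Files\App\app.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("imageload", 5001, r"C:\Users\alice\AppData\Local\App\helper.dll"),
]

if __name__ == "__main__":
    for parent, child, dll in find_office_dll_chains(SAMPLE_EVENTS):
        print(f"ALERT: {basename(parent)} -> {basename(child)} loaded {dll}")
```

The rule keys on the parent-child relationship plus the load path rather than on any file name or hash, so it keeps working when the document lure and the DLL name change between campaigns; expect to add exclusions for legitimate add-ins that live under the user profile.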
The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. The miscreant then repeatedly tried to log into the contractor’s Uber account, triggering the two-factor login approval request that the contractor initially denied, blocking access. However, eventually the contractor accepted one of many push notifications, enabling the attacker to log into the account and get access to Uber’s corporate network, systems, and data. The app maker became the latest high-profile victim of multi-factor authentication (MFA) fatigue, an ever-growing cybersecurity problem in which attackers are able to work their way around a cornerstone of modern defenses at a time when threat groups are shifting their focus away from infecting endpoints and instead are targeting identity.
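The pattern described above, a run of denied push prompts for one account followed by an approval, is visible in the identity provider's logs before the attacker ever reaches the corporate network. The code below is an added example for this article, not Uber's tooling or any vendor's; the log lines are constructed, the `user=` / `event=` / `src=` field names are an assumed format, and the thresholds are placeholders to tune. It shows both the detection (alert on an approval that follows several recent denials) and the mitigation side (stop sending pushes once the denial threshold is hit, so the user is never worn down into approving).

```python
"""Added example: detect MFA-fatigue episodes in push-authentication logs and
gate further pushes after repeated denials. Log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one account denies four pushes then approves within
# minutes; a second account denies once and approves much later.
SAMPLE_LOG = """\
2022-09-15T20:01:12Z user=contractor01 event=push_denied src=203.0.113.7
2022-09-15T20:01:40Z user=contractor01 event=push_denied src=203.0.113.7
2022-09-15T20:02:05Z user=contractor01 event=push_denied src=203.0.113.7
2022-09-15T20:02:33Z user=contractor01 event=push_denied src=203.0.113.7
2022-09-15T20:03:10Z user=contractor01 event=push_approved src=203.0.113.7
2022-09-15T20:10:00Z user=bob event=push_denied src=198.51.100.2
2022-09-15T20:30:00Z user=bob event=push_approved src=198.51.100.2
"""


def parse_line(line: str):
    """Return (timestamp, fields) for a 'ts key=value ...' log line."""
    ts_text, *pairs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in pairs)
    return ts, fields


def detect_mfa_fatigue(log_text: str, max_denials: int = 3,
                       window: timedelta = timedelta(minutes=10)):
    """Alert when an approval follows at least max_denials denials inside
    `window`. Returns a list of dicts, one per suspicious approval."""
    denials = defaultdict(list)   # user -> timestamps of recent denials
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event = f["user"], f["event"]
        if event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in denials[user] if ts - t <= window]
            if len(recent) >= max_denials:
                alerts.append({"user": user, "denials": len(recent),
                               "approved_at": ts, "src": f.get("src", "")})
            denials[user].clear()   # an approval ends the episode either way
    return alerts


def should_suppress_push(denial_times, now: datetime,
                         max_denials: int = 3,
                         window: timedelta = timedelta(minutes=10)) -> bool:
    """Mitigation side: refuse to send another push once the account has
    denied max_denials prompts inside the window; the login should then fall
    back to a phishing-resistant factor or a helpdesk flow instead."""
    recent = sum(1 for t in denial_times if now - t <= window)
    return recent >= max_denials


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['denials']} denials then approval at "
              f"{a['approved_at']:%H:%M:%S} from {a['src']}")
```

Run stand-alone it prints a single alert for `contractor01`; `bob` is not flagged because his one denial falls outside the window by the time he approves. In practice the `src` field is worth correlating too: an approval from a device or network the account has never used is a stronger signal than the count alone.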
A French-speaking criminal group codenamed OPERA1ER has pulled off more than 30 cyber-heists against telecom organizations and banks across Africa, Asia, and Latin America, stealing upwards of $30 million over four years, according to security researchers. The robberies start with targeted emails that trick staff at these businesses into running backdoor malware, keyloggers, and password stealers, according to Group-IB’s threat intel team, working with French telecom company Orange’s CERT Coordination Center. Crooks use the stolen credentials from these software nasties to gain admin-level credentials to Windows domain controllers on the network and banks’ back-end applications such as their SWIFT messaging clients, which financial institutions use to send and receive details of transactions from one another.