TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer

A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint said. "Additionally, the actor appeared to

How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

Cybercriminals are using a network of hired money mules in India using an Android-based application to orchestrate a massive money laundering scheme. The malicious application, called XHelper, is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel said in a report. Details about the scam 

New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam

Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed VietCredCare at least since August 2022. The malware is “notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

Multiple companies operating in the cryptocurrency sector are the target of an ongoing malware campaign that involves a newly discovered Apple macOS backdoor codenamed RustDoor. RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It's

Glupteba Botnet Evades Detection with Undocumented UEFI Bootkit

The Glupteba botnet has been found to incorporate a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding another layer of sophistication and stealth to the malware. "This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to

U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators

The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT. The domains – www.warzone[.]ws and three others – were "used to sell computer malware used by cybercriminals to secretly access and steal data from victims' computers," the DoJ said. Alongside the takedown, the

DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud

The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, which is estimated to have facilitated more than $68 million in fraud. In wrapping up its investigation into the dark web portal, the agency said the transnational operation was the result of close cooperation with law enforcement authorities from Belgium

New JinxLoader Targeting Users with Formbook and XLoader Malware

A new Go-based malware loader called JinxLoader is being used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader. The disclosure comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks. "The

Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks

Microsoft on Thursday said it’s once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware. “The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence

New Rugmi Malware Loader Surges with Hundreds of Daily Detections

A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms. Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi. "This malware is a loader with three types of components: a downloader that downloads an

Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team

Cybersecurity researchers have shed light on the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national who was indicted by the U.S. government earlier this year for his alleged role in launching thousands of attacks across the world. Matveev, who resides in Saint Petersburg and is known by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar,

Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide

The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North

New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam

A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. "MrAnon Stealer steals its victims' credentials, system

U.S. Treasury Sanctions Sinbad Cryptocurrency Mixer Used by North Korean Hackers

The U.S. Treasury Department on Wednesday imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds. "Sinbad has processed millions of dollars' worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists," the department said. "Sinbad is

Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground

Discover stories about threat actors’ latest tactics, techniques, and procedures from Cybersixgill’s threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT

How the Cybercriminal Underground Has Changed in 5 Years

The cybercrime economy is one of the runaway success stories of the 21^st century — at least, for those who participate in it. Estimates claim it could be worth over $1 trillion annually, more than the GDP of many countries. Part of that success is due to its ability to evolve and shift as the threat landscape changes. Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, we’ve seen a major shift to new platforms, communications channels, products and services, as trust on the dark web erodes and new market demands emerge.

We also expect the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities.

Shifts in the underground

Our latest report, Shifts in the Cybercriminal Underground Markets, charts the fascinating progress of cybercrime over the past five years, through detailed analysis of forums, marketplaces and dark web sites around the world. It notes that in many product areas, the cost of items has dropped as they become commoditised: so where in 2015 you expected to pay $1000 per months for crypting services, today they may be as little as $20.

In other areas, such as IoT botnets, cyber-propaganda and stolen gaming account credentials, prices are high as new products spark surging demand. Fortnite logins can sell for around $1,000 on average, for example.

The good news is that law enforcement action appears to be working. Trend Micro has long partnered with Interpol, Europol, national crime agencies and local police to provide assistance in investigations. So it’s good to see that these efforts are having an impact. Many dark web forums and marketplaces have been infiltrated and taken down over the past five years, and our researchers note that current users complain of DDoS-ing and log-in issues.

Cybercriminals have been forced to take extreme measures as trust erodes among the community, for example, by using gaming communications service Discord to arrange trades, and e-commerce platform Shoppy.gg to sell items. A new site called DarkNet Trust was even created to tackle this specific challenge: it aims to verify cybercrime vendors’ reputations by analysing their usernames and PGP fingerprints.

What does the future hold?

However, things rarely stay still on the cybercrime underground. Going forward, we expect to see a range of new tools and techniques flood dark web stores and forums. AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals.

Some emerging trends are less hi-tech but no less damaging. Log-ins for wearable devices could be stolen and used to request replacements under warranty, defrauding the customer and costing the manufacturers dear. In fact, access to devices, systems and accounts is so common today that we’re already seeing it spun out in “as-a-service” cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.

Post-pandemic threats

Then there’s COVID-19. We’re already seeing fraudsters targeted government stimulus money with fake applications, sometimes using phished information from legitimate businesses. And healthcare organisations are being targeted with ransomware as they battle to save lives.

Even as the pandemic recedes, remote working practices are likely to stay in many organisations. What does this mean for cybercrime? It means more targeting of VPN vulnerabilities with malware and DDoS services. And it means more opportunities to compromise corporate networks via connected home devices. Think of it like a kind of Reverse BYOD scenario – instead of bringing devices into work to connect, the corporate network is now merged with home networks.

Tackling such challenges will demand a multi-layered strategy predicated around that familiar trio: people, process and technology. It will require more training, better security for home workers, improved patch management and password security, and much more besides. But most of all it will demand continued insight into global cybercriminals and the platforms they inhabit, to anticipate where the next threats are coming from.

Fortunately, this is where Trend Micro’s expert team of researchers come in. We won’t let them out of our sight.

The post How the Cybercriminal Underground Has Changed in 5 Years appeared first on .