Cryptocurrency  2024  2023  2022  2021 2020


Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign
28.9.24 
Cryptocurrency  The Hacker News

Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.

The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.

"Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results," the cybersecurity company said in an analysis, adding it's the first time a cryptocurrency drainer has exclusively targeted mobile device users.

Over 150 users are estimated to have fallen victim to the scam, although it's believed that not all users who downloaded the app were impacted by the cryptocurrency drainer.

The campaign involved distributing a deceptive app that went by several names such as "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb).

While the app is no longer available for download from the official app marketplace, data from SensorTower shows that it was popular in Nigeria, Portugal, and Ukraine, and linked to a developer named UNS LIS.

The developer has also been associated with another Android app called "Uniswap DeFI" (com.lis.uniswapconverter) that remained active on the Play Store for about a month between May and June 2023. It's currently not known if the app had any malicious functionality.


However, both apps can be downloaded from third-party app store sources, once again highlighting the risks posed by downloading APK files from other marketplaces.

Once installed, the fake WallConnect app is designed to redirect users to a bogus website based on their IP address and User-Agent string, and if so, redirect them a second time to another site that mimics Web3Inbox.

Users who don't meet the required criteria, including those who visit the URL from a desktop web browser, are taken to a legitimate website to evade detection, effectively allowing the threat actors to bypass the app review process in the Play Store.

Besides taking steps to prevent analysis and debugging, the core component of the malware is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallet and sign several transactions to verify their wallet.


The information entered by the victim in each step is transmitted to a command-and-control server (cakeserver[.]online) that, in turn, sends back a response containing instructions to trigger malicious transactions on the device and transfer the funds to a wallet address belonging to the attackers.

"Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet," Check Point researchers said.

"Through this transaction, the victim grants permission for the attacker's address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the 'Address' field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract)."

In the next step, the tokens from the victim's wallet are transferred to a different wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.

This also means that if the victim does not revoke the permission to withdraw tokens from their wallet, the attackers can keep withdrawing the digital assets as soon as they appear without requiring any further action.

Check Point said it also identified another malicious app exhibiting similar features "Walletconnect | Web3Inbox" (co.median.android.kaebpq) that was previously available on Google Play Store in February 2024. It attracted more than 5,000 downloads.

"This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets," the company noted.

"The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app."


U.S. Sanctions Two Crypto Exchanges for Facilitating Cybercrime and Money Laundering
27.9.24 
Cryptocurrency  The Hacker News
The U.S. government on Thursday sanctioned two cryptocurrency exchanges and unsealed an indictment against a Russian national for his alleged involvement in the operation of several money laundering services that were offered to cybercriminals.

The virtual currency exchanges, Cryptex and PM2BTC, have been alleged to facilitate the laundering of cryptocurrencies possibly obtained through cybercrime.

The coordinated action was carried out in collaboration with the Netherlands Police and the Dutch Fiscal Intelligence and Investigation Service (FIOD) as part of an ongoing law enforcement crackdown called Operation Endgame.

Pursuant to the exercise, the websites associated with both the exchanges have been confiscated and replaced with a law enforcement seizure banner. Furthermore, it has led to the seizure of cryptocurrency worth €7 million ($7.8 million).

"The United States and our international partners remain resolute in our commitment to prevent cybercrime facilitators like PM2BTC and Cryptex from operating with impunity," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.

"Treasury, in close coordination with our allies and partners, will continue to use all tools and authorities to disrupt the networks that seek to leverage the virtual assets ecosystem to facilitate their illicit activities."

PM2BTC ("btc2pm[.]me"), the Treasury said, facilitated the laundering of convertible virtual currency (CVC) associated with ransomware and other illicit actors operating in Russia. It has been operational since 2014.

It's also said to have provided direct CVC-to-ruble exchange services, while failing to implement effective anti-money laundering (AML) and Know Your Customer (KYC) programs as required by U.S. federal law.

"PM2BTC facilitates a substantially greater proportion of transactions with apparent links to money laundering activity in connection with Russian illicit finance as compared to 99 percent of other virtual asset service providers," it said. "PM2BTC employs an unusual obfuscation that inhibits attribution of transactions to illicit activity and actors."

Cryptex ("Cryptex[.]net"), in a similar vein, has been accused of advertising virtual currency services directly to cybercriminals, receiving over $51.2 million in illicit proceeds derived from ransomware attacks. It further claimed "complete anonymity" when registering for an account.

It is also estimated to have received no less than $720 million in transactions linked to illegal services used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and the now-sanctioned virtual currency exchange Garantex.

A 44-year-old Russian national, Sergey Sergeevich Ivanov (aka UAPS or TALEON), has been charged for his role as a professional cyber money launderer for nearly two decades, and for providing his services, counting Cryptex and PM2BTC, to other e-crime groups and drug traffickers.

Ivanov's other charges include payment processing support to the carding website Rescator and laundering the illegal funds originating from Joker's Stash, another popular carding forum that voluntarily shut down its operations in February 2021.

Two such payment processing services are PinPays and UAPS ("uaps[.]so"), which stands for Universal Anonymous Payment System and has facilitated payments for several fraud shops like Genesis Market, BriansClub/Brian Dumps, and Faceless, per Chainalysis.

"UAPS and Cryptex have processed over $7.5 billion worth of transactions since their inception in 2013 and 2018, respectively," the blockchain analytics company noted.

Elliptic, another blockchain intelligence firm, said it's aware of "thousands of additional addresses" connected to Cryptex, PM2BTC, PinPays, and Joker's Stash, outside of the four cryptoasset addresses listed by the Treasury as tied to Cryptex.

A second Russian national, Timur Shakhmametov, 38, has also been charged with operating Joker's Stash and laundering its proceeds. The carding marketplace, which offered for sale data from nearly 40 million payment cards annually. It's believed that the service netted the threat actors anywhere between $280 million to more than $1 billion in profits.

Concurrent with the actions, the U.S. Department of State has announced rewards of up to $10 million each for information leading to the arrests and/or convictions of Timur Shakhmametov and Sergey Ivanov.

An additional $1 million is also up for grabs for providing information leading to the identification of other key members linked to UAPS, PM2BTC, PinPays, and Joker's Stash.

"One of the most critical tactics in disrupting illicit actors is to disrupt the infrastructure they abuse to facilitate money laundering and other transnational cybercrime," Chainalysis said.

"Today's actions represent [Office of Foreign Assets Control's] continued efforts to work with key international partners to make the internet a safer place by shutting down fraudulent services and the infrastructure that hosts them."


New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit
19.9.24 
Cryptocurrency  The Hacker News
The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.

"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le Phuong said in a Wednesday report.

The malicious script, the Singaporean cybersecurity company noted, is responsible for disabling security features, deleting logs, terminating cryptocurrency mining processes, and inhibiting recovery efforts.

The attack chains ultimately pave the way for the deployment of the Diamorphine rootkit to conceal malicious processes, while also setting up persistent remote access to the compromised host.

The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in the tactics, techniques, and procedures (TTPs) observed.

TeamTNT was first discovered in the wild in 2019, undertaking illicit cryptocurrency mining activities by infiltrating cloud and container environments. While the threat actor bid farewell in November 2021 by announcing a "clean quit," public reporting has uncovered several campaigns undertaken by the hacking crew since September 2022.

The latest activity linked to the group manifests in the form of a shell script that first checks if it was previously infected by other cryptojacking operations, after which it precedes to impair device security by disabling SELinux, AppArmor, and the firewall.


"The script searches for a daemon related to the cloud provider Alibaba, named aliyun.service," the researchers said. "If it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to uninstall the service."

Besides killing all competing cryptocurrency mining processes, the script takes steps to execute a series of commands to remove traces left by other miners, terminate containerized processes, and remove images deployed in connection with any coin miners.

Furthermore, it establishes persistence by configuring cron jobs that download the shell script every 30 minutes from a remote server (65.108.48[.]150) and modifying the "/root/.ssh/authorized_keys" file to add a backdoor account.

"It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities," the researchers noted. "The threat actor leaves nothing to chance; indeed, the script implements various changes within the SSH and firewall service configuration."


Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users
17.9.24 
Cryptocurrency  The Hacker News
Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud.

Clipper malware, also called ClipBankers, is a type of malware that Microsoft calls cryware, which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including replacing cryptocurrency addresses with those under an attacker's control.

In doing so, digital asset transfers initiated on a compromised system are routed to a rogue wallet instead of the intended destination address.

"In clipping and switching, a cryware monitors the contents of a user's clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address," the tech giant noted way back in 2022. "If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipboard with the attacker's address."

Binance, in an advisory issued on September 13, 2024, said it has been tracking a widespread malware threat that intercepts data stored in the clipboard with an aim to swap out cryptocurrency wallet addresses.

"The issue has seen a notable spike in activity, particularly on August 27, 2024, leading to significant financial losses for affected users," the exchange said. "The malware is often distributed through unofficial apps and plugins, especially on Android and web apps, but iOS users should also remain vigilant."

There is evidence to suggest that these malicious apps are inadvertently installed by users when searching for software in their native languages or through unofficial channels, primarily due to restrictions in their countries.

The company also said it's taking steps to blocklist the attacker addresses to prevent further fraudulent transactions, and that it has notified affected users, advising them to check for signs of suspicious software or plugins.

Besides urging users to refrain from downloading software from unofficial sources, Binance is calling for exercising caution when it comes to installing apps and plugins and ensuring they are authentic.

Blockchain analytics firm Chainalysis revealed last month that aggregate illicit activity on-chain has dropped by nearly 20% year-to-date, although stolen funds inflows nearly doubled from $857 million to $1.58 billion.

"Scammers for the most part continue to pivot away from broad-based ponzi schemes to more targeted campaigns like pig butchering, work from home scams, drainers, or address poisoning," it said, adding it observed a "rise in the use of Chinese language marketplaces and laundering networks."

According to the U.S. Federal Bureau of Investigation (FBI), 2023 was a record year for cryptocurrency fraud, with total losses exceeding $5.6 billion, a 45% increase compared to the previous year.

"The exploitation of cryptocurrency was most pervasive in investment scams, where losses accounted for almost 71% of all losses related to cryptocurrency. Call center frauds, including tech/customer support scams and government impersonation scams, accounted for about 10% of losses associated to cryptocurrency," the FBI Internet Crime Complaint Center (IC3) said.

A vast majority of the losses with a cryptocurrency nexus originated from the U.S., followed by Cayman Islands, Mexico, Canada, the U.K., India, Australia, Israel, Germany, and Nigeria.


New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency
14.9.24 
Cryptocurrency  The Hacker News
Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining and deliver botnet malware.

The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver a malware strain dubbed Hadooken, according to cloud security firm Aqua.

"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Moran said.

The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server ("89.185.85[.]102" or "185.174.136[.]204").

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag said.

"It then moves laterally across the organization or connected environments to further spread the Hadooken malware. "


Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.

Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.

Hadooken's defense evasion capabilities are realized through a combination of tactics that involve the use of Base64-encoded payloads, dropping the miner payloads under innocuous names like "bash" and "java" to blend in with legitimate processes, and artifact deletion after execution to hide any signs of malicious activity.

Aqua noted that the IP address 89.185.85[.]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign that abused flaws in Apache Log4j and Atlassian Confluence Server and Data Center.

The second IP address 185.174.136[.]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.

"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers said in the report.


Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking
13.9.24 
Cryptocurrency  The Hacker News
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.

"Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today.

"However, Selenium Grid's default configuration lacks authentication, making it vulnerable to exploitation by threat actors."

The abuse of publicly-accessible Selenium Grid instances for deploying crypto miners was previously highlighted by cloud security firm Wiz in late July 2024 as part of an activity cluster dubbed SeleniumGreed.

Cado, which observed two different campaigns against its honeypot server, said the threat actors are exploiting the lack of authentication protections to carry out a diverse set of malicious actions.

The first of them leverages the "goog:chromeOptions" dictionary to inject a Base64-encoded Python script that, in turn, retrieves a script named "y," which is the open-source GSocket reverse shell.


The reverse shell subsequently serves as a medium for introducing the next-stage payload, a bash script named "pl" that retrieves IPRoyal Pawn and EarnFM from a remote server via curl and wget commands.

"IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money," Cado said.

"The user's internet connection is shared with the IPRoyal network with the service using the bandwidth as a residential proxy, making it available for various purposes, including for malicious purposes."

EarnFM is also a proxyware solution that's advertised as a "ground-breaking" way to "generate passive income online by simply sharing your internet connection."

The second attack, like the proxyjacking campaign, follows the same route to deliver a bash script via a Python script that checks if it's running on a 64-bit machine and then proceeds to drop a Golang-based ELF binary.

The ELF file subsequently attempts to escalate to root by leveraging the PwnKit flaw (CVE-2021-4043) and drops an XMRig cryptocurrency miner called perfcc.

"As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors," the researchers said. "Users should ensure authentication is configured, as it is not enabled by default."


Rogue PyPI Library Solana Users, Steals Blockchain Wallet Keys
13.8.24 
Cryptocurrency  The Hacker News
Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that masquerades as a library from the Solana blockchain platform but is actually designed to steal victims' secrets.

"The legitimate Solana Python API project is known as 'solana-py' on GitHub, but simply 'solana' on the Python software registry, PyPI," Sonatype researcher Ax Sharma said in a report published last week. "This slight naming discrepancy has been leveraged by a threat actor who published a 'solana-py' project on PyPI."

The malicious "solana-py" package attracted a total of 1,122 downloads since it was published on August 4, 2024. It's no longer available for download from PyPI.

The most striking aspect of the library is that it carried the version numbers 0.34.3, 0.34.4, and 0.34.5. The latest version of the legitimate "solana" package is 0.34.3. This clearly indicates an attempt on the part of the threat actor to trick users looking for "solana" into inadvertently downloading "solana-py" instead.

What's more, the rogue package borrows the real code from its counterpart, but injects additional code in the "__init__.py" script that's responsible for harvesting Solana blockchain wallet keys from the system.

This information is then exfiltrated to a Hugging Face Spaces domain operated by the threat actor ("treeprime-gen.hf[.]space"), once again underscoring how threat actors are abusing legitimate services for malicious purposes.

The attack campaign poses a supply chain risk in that Sonatype's investigation found that legitimate libraries like "solders" make references to "solana-py" in their PyPI documentation, leading to a scenario where developers could have mistakenly downloaded "solana-py" from PyPI and broadened the attack surface.

"In other words, if a developer using the legitimate 'solders' PyPI package in their application is mislead (by solders' documentation) to fall for the typosquatted 'solana-py' project, they'd inadvertently introduce a crypto stealer into their application," Sharma explained.

"This would not only steal their secrets, but those of any user running the developer's application."

The disclosure comes as Phylum said it identified hundreds of thousands of spam npm packages on the registry containing markers of Tea protocol abuse, a campaign that first came to light in April 2024.

"The Tea protocol project is taking steps to remediate this problem," the supply chain security firm said. "It would be unfair to legitimate participants in the Tea protocol to have their remuneration reduced because others are scamming the system. Also, npm has begun to take down some of these spammers, but the takedown rate does not match the new publication rate."


Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining
27.7.24 
Cryptocurrency  The Hacker News

Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.

Cloud security firm Wiz is tracking the activity under the name SeleniumGreed. The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023.

"Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands," Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said.

"By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes."

Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different browsers, and various browser versions.


"Selenium Grid must be protected from external access using appropriate firewall permissions," the project maintainers warn in a support documentation, stating that failing to do so could allow third-parties to run arbitrary binaries and access internal web applications and files.

Exactly who is behind the attack campaign is currently not known. However, it involves the threat actor targeting publicly exposed instances of Selenium Grid and making use of the WebDriver API to run Python code responsible for downloading and running an XMRig miner.

It starts with the adversary sending a request to the vulnerable Selenium Grid hub with an aim to execute a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server ("164.90.149[.]104") in order to fetch the final payload, a modified version of the open-source XMRig miner.

"Instead of hardcoding the pool IP in the miner configuration, they dynamically generate it at runtime," the researchers explained. "They also set XMRig's TLS-fingerprint feature within the added code (and within the configuration), ensuring the miner will only communicate with servers controlled by the threat actor."

The IP address in question is said to belong to a legitimate service that has been compromised by the threat actor, as it has also been found to host a publicly exposed Selenium Grid instance.

Wiz said it's possible to execute remote commands on newer versions of Selenium and that it identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to close the misconfiguration.

"Selenium Grid is not designed to be exposed to the internet and its default configuration has no authentication enabled, so any user that has network access to the hub can interact with the nodes via API," the researchers said.

"This poses a significant security risk if the service is deployed on a machine with a public IP that has inadequate firewall policy."


WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach
19.7.24 
Cryptocurrency  The Hacker News
Indian cryptocurrency exchange WazirX has confirmed that it was the target of a security breach that led to the theft of $230 million in cryptocurrency assets.

"A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million," the company said in a statement. "This wallet was operated utilizing the services of Liminal's digital asset custody and wallet infrastructure from February 2023."

The Mumbai-based company said the attack stemmed from a mismatch between the information that was displayed on Liminal's interface and what was actually signed. It said the payload was replaced to transfer wallet control to an attacker.

Crypto custody firm Liminal is one of the six signatories on the wallet and is responsible for transaction verifications.

"Our preliminary investigations show that one of the self custody multi-sig smart contract wallets created outside of the Liminal ecosystem has been compromised," Liminal said in a series of posts shared on X.

"It is also pertinent to note that all WazirX wallets created on the Liminal platform continue to remain secure and protected. Meanwhile, all the malicious transactions to the attacker's addresses have occurred from outside of the Liminal platform."

Blockchain analytics firm Elliptic said the attack has all the hallmarks of North Korean threat actors, and that the attackers have taken the step of swapping the crypto assets for Ether using various decentralized services.

This was also reiterated by crypto researcher ZachXBT on X, who said "the WazirX hack has the potential markings of a Lazarus Group attack (yet again)."


Threat actors affiliated with North Korea have a track record of staging cyber attacks targeting the cryptocurrency sector since at least 2017 as a way to get around international sanctions imposed against the country.

Earlier this year, the United Nations said it was probing 58 suspected intrusions carried out by the nation-state actors between 2017 and 2023 that netted $3 billion in illegal revenues to help it advance its nuclear weapons program.

The disclosure comes against the backdrop of a coordinated law enforcement operation codenamed Spincaster that shut down scam networks making illicit profits off approval phishing, a popular tactic in which funds are stolen through fake crypto apps and romance scams (aka pig butchering). As much as $2.7 billion is estimated to have been stolen using this method since May 2021.

"With the approval phishing technique, the scammer tricks the user into signing a malicious blockchain transaction that gives the scammer's address approval to spend specific tokens inside the victim's wallet, allowing the scammer to then drain the victim's address of those tokens at will," Chainalysis said.


HuiOne Guarantee: The $11 Billion Cybercrime Hub of Southeast Asia
10.7.24 
Cryptocurrency  The Hacker News
Cryptocurrency analysts have shed light on an online marketplace called HuiOne Guarantee that's widely used by cybercriminals in Southeast Asia, particularly those linked to pig butchering scams.

"Merchants on the platform offer technology, data, and money laundering services, and have engaged in transactions totaling at least $11 billion," Elliptic said in a report shared with The Hacker News.

The British blockchain analytics firm said that the marketplace is part of HuiOne Group, a Cambodian conglomerate with links to Cambodia's ruling Hun family and that another HuiOne business, HuiOne International Payments, is actively involved in laundering scam proceeds globally.
According to its website, HuiOne's financial services arm is said to have 500,000 registered users. It also touts Alipay, Huawei, PayGo Wallet, UnionPay, and Yes Seatel as its customers.

Southeast Asian countries like Burma, Cambodia, Laos, Malaysia, Myanmar, and the Philippines have become a breeding ground for pig butchering scams in recent years.


In these schemes, unwitting people from Asia and Africa are enticed with high-paying jobs in the region, only for them to be trapped inside "scam compounds" run by transnational organized crime groups originating from China and coerced into participating in fraudulent activities.

These entail creating fake accounts on social media and dating platforms, and using them to develop romantic relationships with victims and eventually persuade them to invest in non-existent crypto businesses with an aim to siphon their funds.

HuiOne Guarantee, established in 2021, comprises a network of thousands of instant messaging app channels on Telegram that are run by different merchants. While it claims to serve as a marketplace for real estate and cars, Elliptic said that a majority of the goods and services offered are aimed at cyber scam operators.

"The largest category of merchants operating on HuiOne Guarantee are those offering to move and exchange money," the company explained.
"Many of the merchants explicitly offer money laundering services, including accepting payments from victims around the world, transferring it across borders and converting it to other assets including cash, stablecoins, and to Chinese payment apps."

Merchants have also been found advertising software and web development services that facilitate the creation of scam crypto investment websites used in pig butchering scams, as well as marketing tear gas, electric batons and electronic shackles for use by scam compound operators to imprison and torture their workers.

According to data shared by SlowMist earlier this January, merchants associated with HuiOne Guarantee – which is also referred to as Huiwang Guarantee – are said to have further engaged in cryptocurrency transactions with a wallet that received more than 4.6 million USDT from another wallet linked to the Myanmar Alliance Army.

"The value of cryptocurrency received by HuiOne Guarantee and its merchants, and the type of goods and services offered, suggest that it is a key enabler of cyber scam operators in Southeast Asia," Elliptic said.


Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks
9.7.24 
Cryptocurrency  The Hacker News

Cybersecurity researchers have found that it's possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining.

"Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. "This can lead to remote code execution (RCE) and misuse by malicious actors."

Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.

The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., "/etc/passwd"), decrypt credentials configured within Jenkins, and even reconfigure security settings.

The console "offers no administrative controls to stop a user (or admin) once they are able to execute the Script Console from affecting all parts of the Jenkins infrastructure," reads the documentation. "Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins."

While access to Script Console is typically limited only to authenticated users with administrative permissions, misconfigured Jenkins instances could inadvertently make the "/script" (or "/scriptText") endpoint accessible over the internet, making it ripe for exploitation by attackers looking to run dangerous commands.

Trend Micro said it found instances of threat actors exploiting the Jenkins Groovy plugin misconfiguration to execute a Base64-encoded string containing a malicious script that's designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and setting up persistence.

"The script ensures it has enough system resources to perform the mining effectively," the researchers said. "To do this, the script checks for processes that consume more than 90% of the CPU's resources, then proceeds to kill these processes. Furthermore, it will terminate all stopped processes."

To safeguard against such exploitation attempts, it's advised to ensure proper configuration, implement robust authentication and authorization, conduct regular audits, and restrict Jenkins servers from being publicly exposed on the internet.

The development comes as cryptocurrency thefts arising from hacks and exploits have surged in the first half of 2024, allowing threat actors to plunder $1.38 billion, up from $657 million year-over-year.

"The top five hacks and exploits accounted for 70% of the total amount stolen so far this year," blockchain intelligence platform TRM Labs said. "Private key and seed phrase compromises remain a top attack vector in 2024, alongside smart contract exploits and flash loan attacks."


DOJ Arrests Founders of Crypto Mixer Samourai for $2 Billion in Illegal Transactions
27.4.24  Cryptocurrency  The Hacker News
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds.

To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business from 2015 through February 2024. Rodriguez and Hill face a maximum sentence of 25 years in prison each.

Rodriguez, the CEO of the company, and CTO Hill intentionally designed Samourai to help "criminals to engage in large-scale money laundering and sanctions evasion," while ostensibly marketing as a privacy-oriented service, the DoJ said.

Samourai laundered money from illegal dark web marketplaces, including Silk Road and Hydra, as well as spear-phishing schemes and scams aimed at defrauding multiple decentralized finance protocols.

The operation, which also involved law enforcement agencies from Iceland and Portugal, along with Europol, saw its digital infrastructure confiscated and its Android app pulled from the Google Play Store in the U.S. Hill, who was apprehended in Portugal, is awaiting his extradition to the U.S. Rodriguez was taken into custody in Pennsylvania.

Samourai offered a cryptocurrency mixing service known as Whirlpool to help users conceal the cryptocurrency transaction trail, in addition to incorporating an "exclusive transaction type" called Ricochet Send that made it possible to add intermediate hops when sending cryptocurrency from one address to another.

Whirlpool was advertised as a way to "mathematically disassociate the ownership of inputs to outputs in a given bitcoin transaction," which they claimed increases the privacy of the users involved, protects against financial surveillance, and improves the fungibility of the Bitcoin network.

"Ricochet defends against bitcoin blacklists by adding additional decoy transactions between the initial send and eventual recipient," according to the official documentation. "You should consider using Ricochet when sending to Bitcoin Exchanges, and companies that are known to close accounts for flimsy reasons."

The feature is engineered to prevent law enforcement and/or cryptocurrency exchanges from recognizing that a particular batch of cryptocurrency originated from criminal activity, the DoJ alleged.

Besides openly courting users (e.g., Russian oligarchs) to circumvent sanctions and launder criminal proceeds through Samourai on their X (formerly Twitter) account, the defendants have also been found transmitting to investors marketing materials that described how its user base was intended to include online gamblers and criminals who need the anonymity to conduct their illegal activities.

"Rodriguez and Hill acknowledge that its revenues will be derived from 'Dark/Grey Market participants' seeking to 'swap their bitcoins with multiple parties' to avoid detection," the DoJ said.

The arrests come weeks after a former security engineer named Shakeeb Ahmed was sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million, which were then laundered using Samourai Whirlpool.


Google Sues App Developers Over Fake Crypto Investment App Scam
8.4.24  Cryptocurrency  The Hacker News
Google has filed a lawsuit against two app developers for engaging in an "international online consumer investment fraud scheme" that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns.

The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively.

The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses.

"The gains conveyed by the apps were illusory," the tech giant said in its complaint. "And the scheme did not end there."

"Instead, when individual victims attempted to withdraw their balances, defendants and their confederates would double down on the scheme by requesting various fees and other payments from victims that were supposedly necessary for the victims to recover their principal investments and purported gains."

While this kind of scam is typically referred to as pig butchering (aka shā zhū pán), Google said it "neither adopts nor endorses the use of this term." It's derived from the idea that victims are fattened up like hogs with the promise of lucrative returns before "slaughtering" them for their assets.

In September 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) said these scams are perpetrated by criminal enterprises based in Southeast Asia that employ hundreds of thousands of people who are trafficked to the region by promising them high-paying jobs.

The fraudulent scheme entails the scammers using elaborate fictitious personas to target unsuspecting individuals via social media or dating platforms, enticing them with the prospect of a romantic relationship to build trust and convince them to invest in cryptocurrency portfolios that purport to offer high profits within a short span of time with an aim to steal their funds.

To create the appearance of legitimacy, the financially motivated actors are known to fabricate websites and mobile apps to display a bogus investment portfolio with large returns.

Sun and Cheung, said Google, lured victim investors to download their fraudulent apps through text messages using Google Voice to target victims in the U.S. and Canada. Other distribution methods include affiliate marketing campaigns that offer commissions for "signing up additional users" and YouTube videos promoting the fake investment platforms.

The company described the malicious activity as persistent and continuing, with the defendants "using varying computer network infrastructure and accounts to obfuscate their identities, and making material misrepresentations to Google in the process."

It also accused them of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play App Signing Terms of Service, Developer Program Policies, YouTube's Community Guidelines, as well as the Google Voice Acceptable Use Policy.

"Google Play can continue to be an app-distribution platform that users want to use only if users feel confident in the integrity of the apps," Google added. "By using Google Play to conduct their fraud scheme, defendants have threatened the integrity of Google Play and the user experience."

It's worth noting that the problem is not limited to the Android ecosystem alone, as prior reports show that such bogus apps have also repeatedly made their way to the Apple App Store.

The development is the latest in a series of legal actions that Google has taken to avoid the misuse of its products. In November 2023, the company sued multiple individuals in India and Vietnam for distributing fake versions of its Bard AI chatbot (now rebranded as Gemini) to propagate malware via Facebook.


Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining
28.3.24  Cryptocurrency  The Hacker News
Cybersecurity researchers are warning that threat actors are actively exploiting a "disputed" and unpatched vulnerability in an open-source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illicit cryptocurrency mining.

"This vulnerability allows attackers to take over the companies' computing power and leak sensitive data," Oligo Security researchers Avi Lumelsky, Guy Kaplan, and Gal Elbaz said in a Tuesday disclosure.

"This flaw has been under active exploitation for the last seven months, affecting sectors like education, cryptocurrency, biopharma, and more."

The campaign, ongoing since September 2023, has been codenamed ShadowRay by the Israeli application security firm. It also marks the first time AI workloads have been targeted in the wild through shortcomings underpinning the AI infrastructure.

Ray is an open-source, fully-managed compute framework that allows organizations to build, train, and scale AI and Python workloads. It consists of a core distributed runtime and a set of AI libraries for simplifying the ML platform.

It's used by some of the biggest companies, including OpenAI, Uber, Spotify, Netflix, LinkedIn, Niantic, and Pinterest, among others.

The security vulnerability in question is CVE-2023-48022 (CVSS score: 9.8), a critical missing authentication bug that allows remote attackers to execute arbitrary code via the job submission API. It was reported by Bishop Fox alongside two other flaws in August 2023.

The cybersecurity company said the lack of authentication controls in two Ray components, Dashboard, and Client, could be exploited by "unauthorized actors to freely submit jobs, delete existing jobs, retrieve sensitive information, and achieve remote command execution."

This makes it possible to obtain operating system access to all nodes in the Ray cluster or attempt to retrieve Ray EC2 instance credentials. Anyscale, in an advisory published in November 2023, said it does not plan to fix the issue at this point in time.

"That Ray does not have authentication built in – is a long-standing design decision based on how Ray's security boundaries are drawn and consistent with Ray deployment best practices, though we intend to offer authentication in a future version as part of a defense-in-depth strategy," the company noted.

It also cautions in its documentation that it's the platform provider's responsibility to ensure that Ray runs in "sufficiently controlled network environments" and that developers can access Ray Dashboard in a secure fashion.

Oligo said it observed the shadow vulnerability being exploited to breach hundreds of Ray GPU clusters, potentially enabling the threat actors to get hold of a trove of sensitive credentials and other information from compromised servers.

This includes production database passwords, private SSH keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments from Amazon Web Services, Google Cloud, and Microsoft Azure.

In many of the instances, the infected instances have been found to be hacked with cryptocurrency miners (e.g., XMRig, NBMiner, and Zephyr) and reverse shells for persistent remote access.

The unknown attackers behind ShadowRay have also utilized an open-source tool named Interactsh to fly under the radar.

"When attackers get their hands on a Ray production cluster, it is a jackpot," the researchers said. "Valuable company data plus remote code execution makes it easy to monetize attacks — all while remaining in the shadows, totally undetected (and, with static security tools, undetectable)."


U.S. Sanctions 3 Cryptocurrency Exchanges for Helping Russia Evade Sanctions
27.3.24  Cryptocurrency  The Hacker News
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned three cryptocurrency exchanges for offering services used to evade economic restrictions imposed on Russia following its invasion of Ukraine in early 2022.

This includes Bitpapa IC FZC LLC, Crypto Explorer DMCC (AWEX), and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP).

In all, the designations cover thirteen entities and two individuals operating in the Russian financial services and technology sectors.

"Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions," the Treasury said, adding the action seeks to "target companies servicing Russia's core financial infrastructure and curtail Russia's use of the international financial system to further its war against Ukraine."

Bitpapa, which offers virtual currency exchange to Russian nationals, has been accused of facilitating transactions worth millions of dollars with sanctioned Russian entities Hydra Market and Garantex.

Crypto Explorer, the Treasury said, offers currency conversion services between virtual currencies, rubles, and UAE dirhams.

"AWEX offers cash services at its offices in Moscow and Dubai and also loads funds onto credit cards associated with OFAC-designated Russian banks such as Sberbank and Alfa-Bank," it added.

Also sanctioned is another virtual currency exchange run by TOEP that's alleged to have enabled digital payments in rubles and virtual currencies to sanctioned entities such as Sberbank, Alfa-Bank, and Hydra Market.

The penalty list also features Moscow-based fintech companies such as B-Crypto, Masterchain and Laitkhaus, which have partnered with sanctioned Russian banks to issue, exchange, and transfer cryptocurrency assets.

Pursuant to the sanctions, all properties and interests in the U.S. connected to designated individuals and entities will be frozen. Furthermore, entities at least 50% owned directly or indirectly by one or more blocked persons will also be subject to the blockade.

"Russia is increasingly turning to alternative payment mechanisms to circumvent U.S. sanctions and continue to fund its war against Ukraine," said Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.

"As the Kremlin seeks to leverage entities in the financial technology space, Treasury will continue to expose and disrupt the companies that seek to help sanctioned Russian financial institutions reconnect to the global financial system."


Watch Out: These PyPI Python Packages Can Drain Your Crypto Wallets
12.3.24  Cryptocurrency  The Hacker News
Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet.

The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows -

jsBIP39-decrypt (126 downloads)
bip39-mnemonic-decrypt (689 downloads)
mnemonic_to_address (771 downloads)
erc20-scanner (343 downloads)
public-address-generator (1,005 downloads)
hashdecrypt (4,292 downloads)
hashdecrypts (225 downloads)
BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to be active since at least December 4, 2022, when hashdecrypt was first published to the registry.

"This is just the latest software supply chain campaign to target crypto assets," security researcher Karlo Zanki said in a report shared with The Hacker News. "It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors."

In a sign that the threat actors behind the campaign were careful to avoid detection, one of the packages in question -- mnemonic_to_address -- was devoid of any malicious functionality, barring listing bip39-mnemonic-decrypt as its dependency, which contained the malicious component.

"Even if they did opt to look at the package's dependencies, the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations," Zanki explained.

The package, for its part, is designed to steal mnemonic phrases and exfiltrate the information to an actor-controlled server.

Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – operate in an analogous fashion, with the former acting as a lure to transmit the mnemonic phrases to the same command-and-control (C2) server.

On the other hand, hashdecrypts functions a little differently in that it's not conceived to work as a pair and contains within itself near-identical code to harvest the data.

The package, per the software supply chain security firm, includes references to a GitHub profile named "HashSnake," which features a repository called hCrypto that's advertised as a way to extract mnemonic phrases from crypto wallets using the package hashdecrypts.

A closer examination of the repository's commit history reveals that the campaign has been underway for over a year based on the fact that one of the Python scripts previously imported the hashdecrypt (without the "s") package instead of hashdecrypts until March 1, 2024, the same date hashdecrypts was uploaded to PyPI.

It's worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube to advertise their warez. This includes releasing a video on September 7, 2022, showcasing a crypto logs checker tool dubbed xMultiChecker 2.0.

"The content of each of the discovered packages was carefully crafted to make them look less suspicious," Zanki said.

"They were laser focused on compromising crypto wallets and stealing the crypto currencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations."

The findings once again underscore the security threats that lurk within open-source package repositories, which is exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.

Furthermore, abandoned projects are becoming an attractive vector for threat actors to seize control of the developer accounts and publish trojanized versions that could then pave the way for large-scale supply chain attacks.


"Abandoned digital assets are not relics of the past; they are ticking time bombs and attackers have been increasingly taking advantage of them, transforming them into trojan horses within the open-source ecosystems," Checkmarx noted last month.

"MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to mislead users and spread malicious intent."


New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users
2.3.24  Cryptocurrency  The Hacker News
A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster codenamed CryptoChameleon that's designed to primarily target mobile devices.

"This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States," Lookout said in a report.

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.

The phishing pages are designed such that the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing automated analysis tools from flagging the sites.

In some cases, these pages are distributed via unsolicited phone calls and text messages by spoofing a company's customer support team under the pretext of securing their account after a purported hack.

Once the user enters their credentials, they are either asked to provide a two-factor authentication (2FA) code or asked to "wait" while it claims to verify the provided information.

"The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access," Lookout said.

The phishing kit also attempts to give an illusion of credibility by allowing the operator to customize the phishing page in real-time by providing the last two digits of the victim's actual phone number and selecting whether the victim should be asked for a six or seven digit token.

The one-time password (OTP) entered by the user is then captured by the threat actor, who uses it to sign in to the desired online service using the provided token. In the next step, the victim can be directed to any page of the attacker's choosing, including the legitimate Okta login page or a page that displays customized messages.

Lookout said CryptoChameleon's modus operandi resembles techniques used by Scattered Spider, specifically in its impersonation of Okta and the use of domains that have been previously identified as affiliated with the group.


"Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit," the company said. "This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success."

It's currently also not clear if this is the work of a single threat actor or a common tool being used by different groups.

"The combination of high quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high quality data," Lookout noted.

The development comes as Fortra revealed that financial institutions in Canada have come under the target of a new phishing-as-service (PhaaS) group called LabHost, overtaking its rival Frappo in popularity in 2023.

LabHost's phishing attacks are pulled off by means of a real-time campaign management tool named LabRat that makes it possible to stage an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes.

Also developed by the threat actor is an SMS spamming tool dubbed LabSend that provides an automated method for sending links to LabHost phishing pages, thereby allowing its customers to mount smishing campaigns at scale.

"LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures," the company said.


New Migo Malware Targeting Redis Servers for Cryptocurrency Mining
21.2.24  Cryptocurrency  The Hacker News
A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts.

"This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir said in a technical report.

The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines.

The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots that are engineered to lower security defenses by disabling the following configuration options -

protected-mode
replica-read-only
aof-rewrite-incremental-fsync, and
rdb-save-incremental-fsync
It's suspected that these options are turned off in order to send additional commands to the Redis server from external networks and facilitate future exploitation without attracting much attention.

This step is then followed by threat actors setting up two Redis keys, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from a file transfer service named Transfer.sh, a technique previously spotted in early 2023.

The shell script to fetch Migo using Transfer.sh is embedded within a Pastebin file that's, in turn, obtained using a curl or wget command.

Redis Servers for Cryptocurrency Mining

The Go-based ELF binary, besides incorporating mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on GitHub. It's also responsible for performing a series of steps to establish persistence, terminate competing miners, and launch the miner.

On top of that, Migo disables Security-Enhanced Linux (SELinux) and searches for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud. It further deploys a modified version ("libsystemd.so") of a popular user-mode rootkit named libprocesshider to hide processes and on-disk artifacts.

It's worth pointing out that these actions overlap with tactics adopted by known cryptojacking groups like TeamTNT, WatchDog, Rocke, and threat actors associated with the SkidMap malware.

"Interestingly, Migo appears to recursively iterate through files and directories under /etc," Muir noted. "The malware will simply read files in these locations and not do anything with the contents."

"One theory is this could be a (weak) attempt to confuse sandbox and dynamic analysis solutions by performing a large number of benign actions, resulting in a non-malicious classification."

Another hypothesis is that the malware is looking for an artifact that's specific to a target environment, although Cado said it found no evidence to support this line of reasoning.

"Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services," Muir said.

"Although libprocesshider is frequently used by cryptojacking campaigns, this particular variant includes the ability to hide on-disk artifacts in addition to the malicious processes themselves."


RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers
17.2.24  Cryptocurrency  The Hacker News
Multiple companies operating in the cryptocurrency sector are the target of an ongoing malware campaign that involves a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It's distributed by masquerading itself as a Visual Studio update.

While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.

"Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement," Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain – i.e., the archive files ("Jobinfo.app.zip" or "Jobinfo.zip") – contains a basic shell script that's responsible for fetching the implant from a website named turkishfurniture[.]blog. It's also engineered to preview a harmless decoy PDF file ("job.pdf") hosted on the same site as a distraction.


Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain ("sarkerrentacars[.]com"), whose purpose is to "collect information about the victim's machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.

In addition, the binaries are capable of extracting details about the disk via "diskutil list" as well as retrieving a wide list of kernel parameters and configuration values using the "sysctl -a" command.

A closer investigation of the command-and-control (C2) infrastructure has also revealed a leaky endpoint ("/client/bots") that makes it possible to glean details about the currently infected victims, including the timestamps when the infected host was registered and the last activity was observed.

"We know there are at least three victim companies until now," Botezatu said. "The attackers seem to target senior engineering staff – and this explains why the malware is disguised as a Visual Studio update. We don't know if there are any other companies compromised at this point, but we are still investigating this."

"It looks that the victims are indeed geographically linked – two of the victims are in Hong Kong, while the other one is in Lagos, Nigeria."

The development comes as South Korea's National Intelligence Service (NIS) revealed that an IT organization affiliated with the Workers' Party of North Korea's Office No. 39 is generating illicit revenue by selling thousands of malware-laced gambling websites to other cybercriminals for stealing sensitive data from unsuspecting gamblers.

The company behind the malware-as-a-service (MaaS) scheme is Gyeongheung (also spelled Gyonghung), a 15-member entity based in Dandong that has allegedly received $5,000 from an unidentified South Korean criminal organization in exchange for creating a single website and $3,000 per month for maintaining the website, Yonhap News Agency reported.


Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion Crypto Money Laundering
6.2.24  Cryptocurrency  The Hacker News
A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business.

Aliaksandr Klimenka, who was arrested in Latvia on December 21, 2023, was extradited to the U.S. and is currently being held in custody. If convicted, he faces a maximum penalty of 25 years in prison.

BTC-e, which had been operating since 2011, was seized by law enforcement authorities in late July 2017 following the arrest of another key member Alexander Vinnik, in Greece.

The exchange is alleged to have received deposits valued at over $4 billion, with Vinnik laundering funds received from the hack of another digital exchange, Mt. Gox, through various online exchanges, including BTC-e.

Court documents allege that the exchange was a "significant cybercrime and online money laundering entity," allowing its users to trade in bitcoin with high levels of anonymity, thereby building a customer base that engaged in criminal activity.

This included hacking incidents, ransomware scams, identity theft schemes, and narcotics distribution rings.

"BTC-e's servers, maintained in the United States, were allegedly one of the primary ways in which BTC-e and its operators effectuated their scheme," the U.S. Department of Justice (DoJ) said.

These servers were leased to and maintained by Klimenka and Soft-FX, a technology services company controlled by the defendant.

BTC-e has also been accused of failing to establish an anti-money laundering process or know-your-customer (KYC) verification in accordance with U.S. federal laws.

In June 2023, two Russian nationals – Alexey Bilyuchenko and Aleksandr Verner – were charged for their roles in masterminding the 2014 digital heist of Mt. Gox.

News of Klimenka's indictment comes as the DoJ charged Noah Michael Urban, 19, of Palm Coast, Florida, with wire fraud and aggravated identity theft for offenses that led to the theft of $800,000 from at least five different victims between August 2022 and March 2023.

Urban, who went by the aliases Sosa, Elijah, King Bob, Anthony Ramirez, and Gustavo Fring, is said to be a key member of the cybercrime group known as Scattered Spider, according to KrebsOnSecurity, as well as a "top member" of a broader cybercrime ecosystem that calls itself The Com.

It also follows the Justice Department's announcement of charges against three individuals, Robert Powell, Carter Rohn, and Emily Hernandez, in relation to a SIM swapping attack aimed at crypto exchange FTX to steal more than $400 million at the time of its collapse in 2022.

Powell (aka R, R$, and ElSwapo1), Rohn (aka Carti and Punslayer), and Hernandez (aka Em) are accused of running a massive cybercriminal theft ring dubbed the Powell SIM Swapping Crew that orchestrated SIM swapping attacks between March 2021 and April 2023 and stole hundreds of millions of dollars from victims' accounts.

Blockchain analytics firm Elliptic, in October 2023, said the plunder assets had been laundered through cross-chain crime in collaboration with Russia-nexus intermediaries in an attempt to obscure the trail.


Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign
2.2.24  Cryptocurrency  The Hacker News
Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called Commando Cat.

"The campaign deploys a benign container generated using the Commando project," Cado security researchers Nate Bill and Matt Muir said in a new report published today. "The attacker escapes this container and runs multiple payloads on the Docker host."

The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another activity cluster that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software.

Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider (CSP) credentials, and launching the miner.

The foothold obtained by breaching susceptible Docker instances is subsequently abused to deploy a harmless container using the Commando open-source tool and execute a malicious command that allows it to escape the confines of the container via the chroot command.

It also runs a series of checks to determine if services named "sys-kernel-debugger," "gsc," "c3pool_miner," and "dockercache" are active on the compromised system, and proceeds to the next stage only if this step passes.

"The purpose of the check for sys-kernel-debugger is unclear – this service is not used anywhere in the malware, nor is it part of Linux," the researchers said. "It is possible that the service is part of another campaign that the attacker does not want to compete with."

The succeeding phase entails dropping additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that's capable of adding an SSH key to the ~/.ssh/authorized_keys file and creating a rogue user named "games" with an attacker-known password and including it in the /etc/sudoers file.


Also delivered in a similar manner are three more shell scripts – tshd.sh, gsc.sh, aws.sh – which are designed to drop Tiny SHell and an improvised version of netcat called gs-netcat, and exfiltrate credentials

The threat actors "run a command on the cmd.cat/chattr container that retrieves the payload from their own C2 infrastructure," Muir told The Hacker News, noting this is achieved by using curl or wget and piping the resulting payload directly into the bash command shell.

"Instead of using /tmp, [gsc.sh] also uses /dev/shm instead, which acts as a temporary file store but memory backed instead," the researchers said. "It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp."

"This also results in the artifacts not touching the disk, making forensics somewhat harder. This technique has been used before in BPFdoor – a high profile Linux campaign."

The attack culminates in the deployment of another payload that's delivered directly as a Base64-encoded script as opposed to being retrieved from the C2 server, which, in turn, drops the XMRig cryptocurrency miner but not before eliminating competing miner processes from the infected machine.

The exact origins of the threat actor behind Commando Cat are currently unclear, although the shell scripts and the C2 IP address have been observed to overlap with those linked to cryptojacking groups like TeamTNT in the past, raising the possibility that it may be a copycat group.

"The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one," the researchers said. "This makes it versatile and able to extract as much value from infected machines as possible."


Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware
1.2.24  Cryptocurrency  The Hacker News
A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.

Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.

"UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader," the company said in a Tuesday report.

"During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain."

UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes.

It's currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat actor is also not clear, although in one instance an open-source cryptocurrency miner is said to have been deployed after months of beaconing activity.

Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023, with the former tracking the adversary under the name Nebula Broker.

The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that's responsible for downloading EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server via another intermedia PowerShell script hosted on Vimeo.


Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python, which subsequently acts as a conduit for fetching next-stage payloads over HTTP from the C2 server, including a backdoor dubbed QUIETBOARD.

A notable aspect of this phase is the use of popular sites like Ars Technica, GitHub, GitLab, and Vimeo for hosting the malicious payload.

"The content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign," Mandiant researchers said. "Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised."

QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to clipboard to redirect fund transfers to wallets under their control, propagate the malware to removable drives, take screenshots, and gather system information.

Additionally, the backdoor is capable of modular expansion and running independent Python modules like coin miners as well as dynamically fetching and executing Python code from the C2 server.

"The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach in developing their toolset," Mandiant said.

"The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was taken down show a predisposition for experimentation and adaptability on the threat actors' side."


Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims
16.1.24  Cryptocurrency  The Hacker News

The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023.

The scheme “leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.

Inferno Drainer, which was active from November 2022 to November 2023, is estimated to have reaped over $87 million in illicit profits by scamming more than 137,000 victims.

The malware is part of a broader set of similar offerings that are available to affiliates under the scam-as-a-service (or drainer-as-a-service) model in exchange for a 20% cut of their earnings.

What’s more, customers of Inferno Drainer could either upload the malware to their own phishing sites, or make use of the developer’s service for creating and hosting phishing websites, either at no extra cost or charging 30% of the stolen assets in some cases.

According to Group-IB, the activity spoofed upwards of 100 cryptocurrency brands via specially crafted pages that were hosted on over 16,000 unique domains.

Further analysis of 500 of these domains has revealed that the JavaScript-based drainer was hosted initially on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before incorporating them directly on the websites. The user “kuzdaz” currently does not exist.

In a similar fashion, another set of 350 sites included a JavaScript file, “coinbase-wallet-sdk.js,” on a different GitHub repository, “kasrlorcian.github[.]io.”

These sites were then propagated on sites like Discord and X (formerly Twitter), enticing potential victims into clicking them under the guise of offering free tokens (aka airdrops) and connecting their wallets, at which point their assets are drained once the transactions are approved.

In using the names seaport.js, coinbase.js and wallet-connect.js, the idea was to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase to complete the unauthorized transactions. The earliest website containing one of these scripts dates back to May 15, 2023.

“Another typical feature of phishing websites belonging to Inferno Drainer was that users cannot open website source code by using hotkeys or right-clicking on the mouse,” Group-IB analyst Viacheslav Shevchenko said. “This means that the criminals attempted to hide their scripts and illegal activity from their victims.”

It’s worth noting that Google-owned Mandiant’s X account was compromised earlier this month to distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.

“Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further,” Andrey Kolmakov, head of Group-IB’s High-Tech Crime Investigation Department, said.


Hackers Weaponize Windows Flaw to Deploy Crypto-Siphoning Phemedrone Stealer
16.1.24  Cryptocurrency  The Hacker News
Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer called Phemedrone Stealer.

"Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.

"It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server."

The attacks leverage CVE-2023-36025 (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen, that could be exploited by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file.

The actively-exploited shortcoming was addressed by Microsoft as part of its November 2023 Patch Tuesday updates.

The infection process involves the threat actor hosting malicious Internet Shortcut files on Discord or cloud services like FileTransfer.io, with the links also masked using URL shorteners such as Short URL.

The execution of the booby-trapped .URL file allows it to connect to an actor-controlled server and execute a control panel (.CPL) file in a manner that circumvents Windows Defender SmartScreen by taking advantage of CVE-2023-36025.

"When the malicious .CPL file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL," the researchers said. "This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub."

The follow-on payload is a PowerShell loader ("DATA3.txt") that acts as a launchpad for Donut, an open-source shellcode loader that decrypts and executes Phemedrone Stealer.

Written in C#, Phemedrone Stealer is actively maintained by its developers on GitHub and Telegram, facilitating the theft of sensitive information from compromised systems.

The development is once again a sign that threat actors are getting increasingly flexible and quickly adapting their attack chains to capitalize on newly disclosed exploits and inflict maximum damage.

"Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer," the researchers said.


29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services
13.1.24  Cryptocurrency  The Hacker News

A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits.

The person was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration."

"A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol said, adding it shared the intelligence with the Ukrainian authorities.

As part of the probe, three properties were searched to unearth evidence against the suspect.

Cryptojacking refers to a type of cyber crime that entails the unauthorized use of a person's or organization's computing resources to mine cryptocurrencies.

On the cloud, such attacks are typically carried out by infiltrating the infrastructure via compromised credentials obtained through other means and installing miners that use the infected host's processing power to mine crypto without their knowledge or consent.

"If the credentials do not have the threat actors' desired permissions, privilege escalation techniques are used to obtain additional permissions," Microsoft noted in July 2023. "In some cases, threat actors hijack existing subscriptions to further obfuscate their operations."

The core idea is to avoid paying for necessary infrastructure required to mine cryptocurrencies, either by taking advantage of free trials or compromising legitimate tenants to conduct cryptojacking attacks.

In October 2023, Palo Alto Networks Unit 42 detailed a cryptojacking campaign in which threat actors were found stealing Amazon Web Services (AWS) credentials from GitHub repositories within five minutes of their public disclosure to mine Monero.


Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks
12.1.24  Cryptocurrency  The Hacker News
Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.

"This attack is particularly intriguing due to the attacker's use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. "The malware deletes contents of specific directories and modifies system configurations to evade detection."

The infection chain targeting Hadoop leverages a misconfiguration in the YARN's (Yet Another Resource Negotiator) ResourceManager, which is responsible for tracking resources in a cluster and scheduling applications.

Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code by means of a crafted HTTP request, subject to the privileges of the user on the node where the code is executed.

The attacks aimed at Apache Flink, likewise, take aim at a misconfiguration that permits a remote attacker to achieve code execution sans any authentication.

These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities.

But what makes the latest set of attacks noteworthy is the use of rootkits to hide crypto mining processes after obtaining an initial foothold into Hadoop and Flink applications.

"The attacker sends an unauthenticated request to deploy a new application," the researchers explained. "The attacker is able to run a remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker's command."

The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called "dca" from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.

The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It's worth pointing out that various adversaries, including Kinsing, have resorted to employing rootkits to conceal the presence of the mining process.

To achieve persistence, a cron job is created to download and execute a shell script that deploys the 'dca' binary. Further analysis of the threat actor's infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.

As mitigations, it's recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.


Mandiant's Twitter Account Restored After Six-Hour Crypto Scam Hack
4.1.24  Cryptocurrency  The Hacker News

American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam.

As of writing, the account has been restored on the social media platform.

It's currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to "@phantomsolw" to impersonate the Phantom crypto wallet service, according to MalwareHunterTeam and vx-underground.

Specifically, the scam posts from the account advertised an airdrop scam that urged users to click on a bogus link and earn free tokens, with follow-up messages asking Mandiant to "change password please" and "check bookmarks when you get account back."

Mandiant, a leading threat intelligence firm, was acquired by Google in March 2022 for $5.4 billion. It is now part of Google Cloud.

"The Mandiant Twitter account takeover could have happened [in] a number of ways," Rachel Tobac, CEO of SocialProof Security, said on X.

"Some folks are giving the advice to turn on MFA to prevent ATO and of course that is a good idea always *but it's also possible that someone in Support at Twitter was bribed or compromised which allowed the attacker access to Mandiant's account*."

The Hacker News has reached out to Mandiant for further comments, and we will update the story once we hear back.