CyberSecurity news

FlagThis - #infostealer

Greg Otto@CyberScoop - 72d
Mark Sokolovsky, the operator of the Raccoon Stealer malware-as-a-service (MaaS) operation, has been sentenced to five years in prison. Raccoon Stealer has been a significant malware platform since 2019, enabling cybercriminals to steal sensitive data. The sentencing highlights efforts to combat international cybercrime and bring perpetrators to justice. This should act as a deterrent to others involved in malware creation and distribution. The severity of the sentence is a clear sign that authorities take such operations very seriously.

Recommended read:
References:
  • Cybernews: An operator of the Raccoon Infostealer malware, who previously faked his own death, was sentenced to 60 months in federal prison.
  • securityonline.info: Zscaler ThreatLabz has identified a new malware family, RiseLoader, which specializes in downloading and executing second-stage payloads.
  • DataBreaches.Net: Ukrainian National Sentenced to Federal Prison in “Raccoon Infostealer” Cybercrime Case
  • malware.news: Ukrainian National Sentenced to Federal Prison in “Raccoon Infostealer” Cybercrime Case
  • www.bleepingcomputer.com: Ukrainian national Mark Sokolovsky was sentenced today to five years in prison for his involvement in the Raccoon Stealer malware cybercrime operation.
  • Threats | CyberScoop: Ukrainian sentenced to five years in jail for work on Raccoon Stealer
  • BleepingComputer: Ukrainian national Mark Sokolovsky was sentenced today to five years in prison for his involvement in the Raccoon Stealer malware cybercrime operation.
  • malware.news: Raccoon Stealer operator jailed
  • Help Net Security: Ukrainian national Mark Sokolovsky was sentenced to 60 months in federal prison for one count of conspiracy to commit computer intrusion. According to court documents, he conspired to operate the Raccoon Infostealer as a malware-as-a-service (MaaS).
  • www.justice.gov: U.S. Department of Justice : Ukrainian national Mark Sokolovsky was sentenced to 60 months in prison for administering the Raccoon Infostealer malware-as-a-service (MaaS) business.
  • securityaffairs.com: SecurityAffairs.com report on Raccoon Infostealer operator.

Amar Ćemanović@CyberInsider - 2d
Have I Been Pwned (HIBP) has recently integrated a massive dataset of 23 billion rows of stolen credentials from the ALIEN TXTBASE stealer logs. This integration has exposed 284 million unique email addresses that were compromised through infostealer malware. The data, which includes 244 million previously unseen passwords, was originally shared on the Telegram channel ALIEN TXTBASE. HIBP users who are signed up to be notified when their emails appear in a database dump will receive a notification email. All users can also check manually via the service’s website.

This staggering collection of information is a result of likely millions of people's computers being infected by one or more data-stealing malware strains. This addition of stolen credentials highlights the scale of unstoppable infostealer malware. HIBP has also added 244 million new compromised passwords to Pwned Passwords.

Recommended read:
References:
  • The Register - Security: With millions upon millions of victims, scale of unstoppable info-stealer malware laid bare
  • CyberInsider: HIBP Adds 284 Million Stolen Credentials from Infostealer Logs
  • heise online English: Data leak search website Have I Been Pwned increased by 284 million accounts Mail addresses and passwords captured by Infostealer malware were shared in the Telegram channel ALIEN TXTBASE. This data is now integrated into HIBP.
  • Help Net Security: Is your email or password among the 240+ million compromised by infostealers?
  • gbhackers.com: Have I Been Pwned Reports Huge Data Leak, Adds 284 Million Stolen Accounts
  • Blog: HIBP adds over 284 million leaked credentials to its database

SC Staff@scmagazine.com - 10d
The FakeUpdate malware campaigns are becoming increasingly complex with the emergence of new cybercrime groups, TA2726 and TA2727, now involved in pushing a new macOS infostealer called FrigidStealer. This malware is being distributed through web inject campaigns, where users are tricked into downloading fake browser updates. Proofpoint researchers have identified FrigidStealer as a new threat targeting Mac users.

This campaign also uses Windows and Android payloads, suggesting a broad targeting strategy. The malicious JavaScript used to display the fake browser update messages is being adopted by an increasing number of threat actors, making tracking and analysis more challenging. Proofpoint identified two new cybercriminal threat actors, TA2726 and TA2727, operating components of web inject campaigns.

Recommended read:
References:
  • cyberinsider.com: New macOS Malware FrigidStealer Spreads via Fake Updates
  • www.scworld.com: Novel FrigidStealer macOS malware spread via bogus browser updates
  • Virus Bulletin: Proofpoint researchers identified FrigidStealer, a new MacOS malware delivered via web inject campaigns. They also found two new threat actors, TA2726 and TA2727, operating components of web inject campaigns.
  • www.bleepingcomputer.com: FakeUpdate malware campaigns are increasingly becoming muddled, with two additional cybercrime groups tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer malware called FrigidStealer.
  • www.proofpoint.com: Proofpoint researchers identified FrigidStealer, a new MacOS malware delivered via web inject campaigns. They also found two new threat actors, TA2726 and TA2727, operating components of web inject campaigns.
  • bsky.app: The FakeUpdate malware campaigns are increasingly becoming muddled, with two additional cybercrime groups tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer malware called FrigidStealer.
  • BleepingComputer: The FakeUpdate malware campaigns are increasingly becoming muddled, with two additional cybercrime groups tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer malware called FrigidStealer.
  • Anonymous: FakeUpdate malware campaigns are increasingly becoming muddled, with two additional cybercrime groups tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer malware called FrigidStealer.

Swagta Nath@The420.in - 9h
Cybersecurity firm Prodaft reports that a cyber threat actor known as EncryptHub, also called Larva-208, has compromised at least 618 organizations globally since June 2024. The group conducts widespread spear-phishing and social engineering campaigns to infiltrate corporate networks, employing tactics like SMS phishing (smishing), voice phishing (vishing), and email phishing. These campaigns aim to steal credentials and ultimately deploy ransomware on victim systems.

EncryptHub uses sophisticated techniques, including impersonating IT personnel to trick employees into divulging VPN credentials or installing Remote Monitoring and Management (RMM) software. The group has also registered over 70 domain names mimicking VPN services to enhance the credibility of their phishing attacks. Once inside a network, EncryptHub deploys info-stealing malware and ransomware, like their proprietary Locker.ps1 which uses AES encryption to lock files and demands cryptocurrency payments.

Recommended read:
References:
  • gbhackers.com: GBHackers article about LARVA-208 Hackers Compromise 618 Organizations Stealing Logins and Deploying Ransomware
  • Talkback Resources: TalkBack describes EncryptHub Exposed: 600+ Targets Hit by LARVA-208
  • The420.in: The420 article about EncryptHub Targets 618 Organizations with Phishing and Ransomware Attacks
  • bsky.app: A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.

@securityonline.info - 10d
A new malware campaign is underway, distributing the Lumma Stealer information stealer via weaponized PDF documents. This campaign specifically targets educational institutions, exploiting compromised infrastructure to deliver malicious LNK files disguised as legitimate PDFs. These files, when executed, initiate a multi-stage infection process designed to steal sensitive data, including passwords, browser information, and cryptocurrency wallet details.

The attackers lure users into downloading these malicious files by disguising them as innocuous documents, such as school fee structures. Once executed, the LNK files trigger PowerShell commands that download and run obfuscated JavaScript code, ultimately deploying the Lumma Stealer payload. The malware employs advanced evasion techniques, including obfuscated JavaScript and encrypted payloads, to avoid detection.

This campaign highlights the urgent need for robust cybersecurity measures within educational institutions and other sectors. Lumma Stealer targets various industries beyond education, including finance, healthcare, technology, and media. The use of compromised educational infrastructure as a distribution channel underscores the vulnerabilities in organizational cybersecurity frameworks.

Recommended read:
References:
  • gbhackers.com: Weaponized PDFs Deliver Lumma InfoStealer Targeting Educational Institutions
  • securityonline.info: Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures
  • www.cloudsek.com: Lumma Stealer Chronicles: PDF-Themed Campaign Using Compromised Educational Institutions’ Infrastructure
  • Talkback Resources: Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures [mal]
  • www.silentpush.com: Silent Push recently expanded our research on the “Lumma Stealer” infostealer malware.

@www.malwarebytes.com - 62d
Lumma, an advanced information stealer, has become a dominant force in the cybercrime landscape throughout 2024. Marketed as Malware-as-a-Service (MaaS), it is readily available on Russian-speaking forums and Telegram channels. This malware targets Windows systems, aiming to exfiltrate credentials, cryptocurrency wallet data, browser information, and two-factor authentication details. Lumma employs sophisticated methods such as binary morphing and server-side data decryption to avoid detection. It operates on a subscription basis, with tiered plans offering features such as customizable log management, data filtering, and advanced stealth capabilities, making it accessible to both novice and experienced cybercriminals.

Lumma’s capabilities are extensive and include data exfiltration, regular updates, and the ability to collect detailed data logs, as well as the capability to download additional malware to compromised systems. It has been observed in multiple campaigns that use techniques like phishing, malvertising, and fake software updates. These campaigns have targeted a diverse range of sectors including manufacturing, transportation, and individuals such as gamers, users of cracked software, and cryptocurrency enthusiasts. The developers of Lumma have implemented policies to avoid targeting Russia, even as the malware's reach extends well beyond Russian-speaking regions.

Recommended read:
References:
  • malware.news: Lumma 2024: Dominating the Info-Stealer Market
  • www.infostealers.com: Lumma 2024: Dominating the Info-Stealer Market
  • www.esentire.com: The malware is managed via an easy-to-use interface, making it accessible even to less technically skilled users