<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>News - MySpyBot</title>
	<atom:link href="https://myspybot.com/news/feed/" rel="self" type="application/rss+xml" />
	<link>https://myspybot.com/news/</link>
	<description>Keep an eye on the important computer security stuff</description>
	<lastBuildDate>Sun, 30 Nov 2025 11:49:24 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.2</generator>

<image>
	<url>https://myspybot.com/wp-content/uploads/2018/06/favicon.png</url>
	<title>News - MySpyBot</title>
	<link>https://myspybot.com/news/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Chinese hackers are attacking critical infrastructure in the US and Guam</title>
		<link>https://myspybot.com/chinese-hackers-attacking-critical-infrastructure-in-us-guam/</link>
					<comments>https://myspybot.com/chinese-hackers-attacking-critical-infrastructure-in-us-guam/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Tue, 30 May 2023 10:04:05 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=4791</guid>

					<description><![CDATA[<p>Recent investigations conducted by Microsoft, alongside the US government and four other nations, have shed light on the activities of a cybercrime group known as Volt Typhoon. According to the available data, Volt Typhoon has been operating stealthily for a minimum of two years, engaging in extensive espionage and gathering sensitive information on behalf of …</p>
<p>The post <a href="https://myspybot.com/chinese-hackers-attacking-critical-infrastructure-in-us-guam/">Chinese hackers are attacking critical infrastructure in the US and Guam</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote class="bdaia-blockquotes bdaia-bqpo-right">According to the findings of Microsoft, as well as the US government and four other countries, the cyberattacks are attributed to the Volt Typhoon group.</blockquote>
<p>Recent investigations conducted by <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" rel="noopener" target="_blank">Microsoft</a>, alongside the US government and four other nations, have shed light on the activities of a cybercrime group known as <strong>Volt Typhoon</strong>. According to the available data, Volt Typhoon has been operating stealthily for a minimum of two years, engaging in extensive espionage and gathering sensitive information on behalf of the People&#8217;s Republic of China.</p>
<p>To ensure their actions go unnoticed, these cybercriminals employ pre-existing tools and exploit compromised devices, manually controlling their operations to evade detection by automated security measures. A notable tactic employed by the group involves utilizing home and small office routers as intermediaries, establishing a covert infrastructure that allows them to communicate with infected systems through local internet service providers. By exploiting the compromised Small Office/Home Office (SOHO) networking peripherals, including routers from prominent manufacturers such as <strong>ASUS</strong>, <strong>Cisco</strong>, <strong>D-Link</strong>, <strong>NETGEAR</strong>, and <strong>Zyxel</strong>, Volt Typhoon redirects its network traffic to its designated targets. Alarming discoveries have revealed that many of these devices have exposed their HTTP or SSH management interfaces, which further facilitates the illicit activities. Hackers target various industries, including government, manufacturing, communication, transportation, maritime and IT. This diverse array of targets suggests a comprehensive strategy aimed at acquiring valuable data and disrupting critical systems across various sectors.</p>
<p>Researchers and analysts strongly suspect that the primary objective of Volt Typhoon is to undermine communication channels between the United States and the Pacific region. The increasing tensions between the US and China have created an environment where these cybercriminals focus their efforts on Guam, a strategic location that houses a significant US military base. By compromising networks and systems in Guam, they seek to disrupt vital communication links, potentially hampering military operations and causing significant disruption in the region.</p>
<p>The activities of Volt Typhoon underscore the growing importance of robust cybersecurity measures to safeguard sensitive information, critical infrastructure, and international communication channels. The ongoing efforts to counter these cyber threats require enhanced collaboration between governments, organizations, and technology providers to mitigate the risks posed by sophisticated cybercriminals operating on behalf of nation-states.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/chinese-hackers-attacking-critical-infrastructure-in-us-guam/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Facebook warns that hackers are disguising malware as ChatGPT</title>
		<link>https://myspybot.com/hackers-disguising-malware-as-chatgpt/</link>
					<comments>https://myspybot.com/hackers-disguising-malware-as-chatgpt/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Tue, 09 May 2023 14:42:35 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=4787</guid>

					<description><![CDATA[<p>Facebook has issued a warning about new malware that disguises itself as a program from OpenAI, specifically the popular artificial intelligence chatbot tool, ChatGPT. The social media giant’s security team has discovered that these new viruses use the interface or functionality of ChatGPT and other AI-related tools to hack user accounts. According to a new …</p>
<p>The post <a href="https://myspybot.com/hackers-disguising-malware-as-chatgpt/">Facebook warns that hackers are disguising malware as ChatGPT</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote class="bdaia-blockquotes bdaia-bqpo-right">Malware distributors have been exploiting people&#8217;s interest in ChatGPT by pushing malicious browser extensions that offer chatbot functionality.</blockquote>
<p>Facebook has issued a warning about new malware that disguises itself as a program from OpenAI, specifically the popular artificial intelligence chatbot tool, ChatGPT. The social media giant&#8217;s security team has discovered that these new viruses use the interface or functionality of ChatGPT and other AI-related tools to hack user accounts.</p>
<p>According to a new report from Meta, Facebook&#8217;s parent company, the security team has been tracking new malware threats for the past few months. They have taken action against strains of malware that exploit people&#8217;s interest in ChatGPT to deceive them into installing malicious software that pretends to provide AI functionality.</p>
<p>The security team has identified about ten new families of malicious programs that use AI chatbot tools like ChatGPT to compromise user accounts. One prevalent scheme involves distributing malicious browser extensions that claim to deliver ChatGPT features. Users download these extensions for browsers like Chrome or Firefox to use the headline-grabbing AI chatbot functions. While some of these extensions work as advertised, they also contain malicious software that can gain access to the user&#8217;s device.</p>
<p>Meta reports that over 1,000 unique URLs offering malware disguised as ChatGPT or other AI-related tools have been detected and blocked from spreading on Facebook, Instagram, and WhatsApp.</p>
<p>Meta advises users to be cautious when downloading browser extensions or other software that offers AI chatbot features. Users should only download software from reputable sources and regularly update their devices&#8217; antivirus software to detect and block malware. Additionally, if a user notices any suspicious activity on their account, they should immediately change their password and enable two-factor authentication.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/hackers-disguising-malware-as-chatgpt/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Kaspersky Lab has developed Kaspersky Antidrone Portable</title>
		<link>https://myspybot.com/kaspersky-lab-developed-kaspersky-antidrone-portable/</link>
					<comments>https://myspybot.com/kaspersky-lab-developed-kaspersky-antidrone-portable/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Wed, 26 Apr 2023 17:22:58 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=4784</guid>

					<description><![CDATA[<p>Researchers at Kaspersky Lab have created Kaspersky Antidrone Portable, a device that detects mobile radio frequencies to spot drones. The device is designed for use at mass events, protecting private property, and transport infrastructure. The main target audience is government organizations and businesses that require timely and accurate detection of drones in a specific location …</p>
<p>The post <a href="https://myspybot.com/kaspersky-lab-developed-kaspersky-antidrone-portable/">Kaspersky Lab has developed Kaspersky Antidrone Portable</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Researchers at Kaspersky Lab have created <strong>Kaspersky Antidrone Portable</strong>, a device that detects mobile radio frequencies to spot drones. The device is designed for use at mass events, protecting private property, and transport infrastructure. The main target audience is government organizations and businesses that require timely and accurate detection of drones in a specific location and within a specified timeframe.</p>
<p>&#8220;Back in 2019, we introduced the Kaspersky Antidrone software and hardware complex to the market. Its main purpose is to protect critical infrastructure, industrial facilities, as well as transport infrastructure and mass events from illegal drone use. Today, the new Kaspersky Antidrone Portable hardware sensor has been released, and this is yet another confirmation that we have long ceased to be just an antivirus company,&#8221; said Eugene Kaspersky, CEO of Kaspersky Lab.</p>
<p>The Kaspersky Antidrone Portable detector is a hardware device for detecting commercial drones by radio signal. The solution can determine the precise location of the most common drone models within a radius of up to one kilometer, as well as the position of the operator controlling it. The detector comes with a waterproof tablet based on Kaspersky Antidrone software, which receives notifications about detected drones through a graphical interface.</p>
<p>Kaspersky Antidrone Portable is more compact and mobile compared to standard radio frequency detectors. It weighs less than 5 kg and fits in a case the size of a carry-on suitcase. The device can operate autonomously for up to two hours, and the operator can independently expand the search radius while freely moving around the perimeter of the protected area.</p>
<p>Kaspersky Antidrone Portable can be used as a standalone installation or integrated into larger systems, including stationary ones. For example, the detector can work in conjunction with other types of detectors in the Kaspersky Antidrone lineup, including optical and radar systems. The solution can also be used in combination with a mobile drone jammer.</p>
<p>&#8220;Drone technologies are developing, and the risks associated with their use are increasing. Detecting drones is one of the most challenging tasks for any automated drone protection system. The smaller the drone, the harder it is to detect. A large drone (e.g. 438x451x301 mm) can be noticed by a person even without special devices. However, if a small drone (around 160x290x55 mm) moves in a crowd of people, dense urban infrastructure, or under complex weather conditions, it is almost impossible to detect it without a special device,&#8221; comments Vladimir Turov, head of Kaspersky Antidrone. &#8220;We constantly test existing hardware modules for integration into the Kaspersky Antidrone ecosystem. Based on this experience, we decided to create our own range of hardware devices. The first one was the Kaspersky Antidrone Portable for drone detection.&#8221;</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/kaspersky-lab-developed-kaspersky-antidrone-portable/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Russia staged a new phishing campaign targeting Western diplomatic institutions</title>
		<link>https://myspybot.com/russia-staged-new-phishing-campaign/</link>
					<comments>https://myspybot.com/russia-staged-new-phishing-campaign/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Fri, 21 Apr 2023 21:00:39 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=4781</guid>

					<description><![CDATA[<p>Polish military counterintelligence and cybersecurity experts have detected a massive spying cyber campaign aimed at gathering data from diplomatic institutions in various countries around the world. The relevant statement was posted on the Polish government portal. Counterintelligence and cybersecurity experts at CERT.PL associate the campaign with Russia’s main intelligence agency (GRU). The attack targets diplomatic …</p>
<p>The post <a href="https://myspybot.com/russia-staged-new-phishing-campaign/">Russia staged a new phishing campaign targeting Western diplomatic institutions</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Polish military counterintelligence and cybersecurity experts have detected a massive spying cyber campaign aimed at gathering data from diplomatic institutions in various countries around the world. The relevant statement was posted on the <a href="https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services" rel="noopener" target="_blank">Polish government portal</a>. Counterintelligence and cybersecurity experts at CERT.PL associate the campaign with Russia’s main intelligence agency (GRU). The attack targets diplomatic institutions in EU and NATO member countries and, in some episodes, in Africa.</p>
<p>As noted, many elements of this campaign fully or partially echo the activity that Microsoft documented as Nobelium and that Mandiant (a subsidiary of Google) called APT29. Those behind it are likely also associated with the SolarWinds campaign and tools such as Sunburst, EnvyScout, BoomBox, as well as a number of other spy campaigns. However, there are differences &#8211; the software used this time was not previously publicly described. This includes modified versions of SNOWYAMBER, HALFRIG, and QUATERRIG. The new tools likely replaced older ones whose effectiveness has decreased.<br />
In all cases identified, typical phishing techniques were used for the campaign: diplomatic institution employees receive emails supposedly from the embassies of another European country, inviting them to a meeting or referring to specific documents.</p>
<figure id="attachment_4782" aria-describedby="caption-attachment-4782" style="width: 780px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2023/04/phishing-email.png"><img fetchpriority="high" decoding="async" src="https://myspybot.com/wp-content/uploads/2023/04/phishing-email.png" alt="Phishing email" width="780" height="380" class="size-full wp-image-4782" srcset="https://myspybot.com/wp-content/uploads/2023/04/phishing-email.png 780w, https://myspybot.com/wp-content/uploads/2023/04/phishing-email-300x146.png 300w, https://myspybot.com/wp-content/uploads/2023/04/phishing-email-620x302.png 620w, https://myspybot.com/wp-content/uploads/2023/04/phishing-email-768x374.png 768w" sizes="(max-width: 780px) 100vw, 780px" /></a><figcaption id="caption-attachment-4782" class="wp-caption-text">Phishing email</figcaption></figure>
<p>The body of the email or attached PDF contains a link that supposedly leads to either the ambassador&#8217;s calendar or a file that needs to be downloaded. In reality, the link leads to a compromised website hosting the EnvyScout script, which uses JavaScript to decode a malicious file embedded in the page and deliver it to the user&#8217;s device. Cybersecurity experts have noticed three different versions of EnvyScout used for this campaign. The campaign is ongoing, and institutions that may be of interest to the attackers should take additional steps to ensure cybersecurity.</p>
<p>It is also noted that the disclosure of this information was made to throw a spanner in the works of the criminal gang.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/russia-staged-new-phishing-campaign/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>HermeticWiper malware: hands-on details of the Ukraine cyberattack</title>
		<link>https://myspybot.com/hermeticwiper-malware-details-of-the-ukraine-cyberattack/</link>
					<comments>https://myspybot.com/hermeticwiper-malware-details-of-the-ukraine-cyberattack/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Wed, 08 Feb 2023 13:45:25 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=4752</guid>

					<description><![CDATA[<p>Today we’ll be talking about the HermeticWiper malware that has been used by the Russians against Ukraine. Now, a piece of malware may seem like a relatively trivial matter when we’re talking about a real war with troops on the ground, rockets raining from above, but it’s actually not. Now, I do have a sample …</p>
<p>The post <a href="https://myspybot.com/hermeticwiper-malware-details-of-the-ukraine-cyberattack/">HermeticWiper malware: hands-on details of the Ukraine cyberattack</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote class="bdaia-blockquotes bdaia-bqpo-right">Gain insights into the notorious state-sponsored HermeticWiper cyberattack that hit Ukraine right before the unprovoked Russian invasion.</blockquote>
<p>Today we&#8217;ll be talking about the HermeticWiper malware that has been used by the Russians against Ukraine. Now, a piece of malware may seem like a relatively trivial matter when we&#8217;re talking about a real war with troops on the ground, rockets raining from above, but it&#8217;s actually not. Now, I do have a sample of this malware on the desktop and we&#8217;re just going to run it while we talk about some of the things it does.</p>
<p>So first of all, this is a wiper malware, meaning its main purpose is to disable or render inactive systems that it&#8217;s run on. The way it does that, of course, in traditional ransomware fashion is it&#8217;s going to destroy your MBR, your master boot record, and disable services. So if this was a system that was hosting a website, say, of the Ukrainian government, a bank, then it would just go down. And it does take a while to activate. They also kind of tried to hide this by using ransomware as a decoy.</p>
<p>So they had this little ransom note, which was actually fake, of course, to mislead people into thinking they were hit by ransomware when actually they were hit by this Russian wiper malware.</p>
<figure id="attachment_4753" aria-describedby="caption-attachment-4753" style="width: 820px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2023/02/ransom-note-dropped-by-pseudo-ransomware.jpg"><img decoding="async" src="https://myspybot.com/wp-content/uploads/2023/02/ransom-note-dropped-by-pseudo-ransomware.jpg" alt="Ransom note dropped by pseudo-ransomware to smokescreen HermeticWiper attack" width="820" height="498" class="size-full wp-image-4753" srcset="https://myspybot.com/wp-content/uploads/2023/02/ransom-note-dropped-by-pseudo-ransomware.jpg 820w, https://myspybot.com/wp-content/uploads/2023/02/ransom-note-dropped-by-pseudo-ransomware-300x182.jpg 300w, https://myspybot.com/wp-content/uploads/2023/02/ransom-note-dropped-by-pseudo-ransomware-620x377.jpg 620w, https://myspybot.com/wp-content/uploads/2023/02/ransom-note-dropped-by-pseudo-ransomware-768x466.jpg 768w" sizes="(max-width: 820px) 100vw, 820px" /></a><figcaption id="caption-attachment-4753" class="wp-caption-text">Ransom note dropped by pseudo-ransomware to smokescreen HermeticWiper attack</figcaption></figure>
<p>Given the prevalence of ransomware attacks, I can see how this would be an effective way of cloaking the intentions of the Russian cyberattacks. Now, as the sample is executing, we&#8217;re going to look at some of its capabilities. But before that, we also should consider the impact that cyber threats like this can have.</p>
<p>Here&#8217;s the thing, when we talk about something as broad as a country&#8217;s military, we reduce it down to numbers for simplicity. But it doesn&#8217;t mean that the military is a resource. A lot of things determine how the military is going to fare, including things like troops’ morale, the ability to communicate, the military command, different hierarchies being able to talk to each other and organize. And if a cyberattack takes out all of those communication capabilities, or even misleads them, it can quickly lead to the military command breaking down and individuals fleeing or giving up their positions just because there&#8217;s no clear mission for them to do. And such a tool can be highly effective.</p>
<p>But we&#8217;ll take a look at some of the things that this file does. So we&#8217;ve got some bootkit behavior and the ability to impair defenses, disable or modify tools. We can see that some of the registry activity is actually similar to the dark side, not a surprise. Got some file activity as well. We&#8217;ve got some drivers being written and there&#8217;s quite a lot of modifications happening in the registry. If we go back to the original file and take a deeper look at the capabilities of the wiper itself, it&#8217;s got abilities in execution, persistence, privilege escalation, and discovery. It does take a while to activate though.</p>
<p>So our virtual machine is still oblivious to the sample that&#8217;s running in the background. If we open the Task Manager, it&#8217;s going to be visible.</p>
<figure id="attachment_4754" aria-describedby="caption-attachment-4754" style="width: 664px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2023/02/not-much-process-activity-noticeable.jpg"><img decoding="async" src="https://myspybot.com/wp-content/uploads/2023/02/not-much-process-activity-noticeable.jpg" alt="Not much process activity noticeable" width="664" height="591" class="size-full wp-image-4754" srcset="https://myspybot.com/wp-content/uploads/2023/02/not-much-process-activity-noticeable.jpg 664w, https://myspybot.com/wp-content/uploads/2023/02/not-much-process-activity-noticeable-300x267.jpg 300w, https://myspybot.com/wp-content/uploads/2023/02/not-much-process-activity-noticeable-620x552.jpg 620w" sizes="(max-width: 664px) 100vw, 664px" /></a><figcaption id="caption-attachment-4754" class="wp-caption-text">Not much process activity noticeable</figcaption></figure>
<p>I like how it&#8217;s got this nice gift icon. It&#8217;s like it&#8217;s a gift from Russia. It&#8217;s just sitting in memory and you don&#8217;t notice a lot happening. So it&#8217;s very easy to ignore. Unlike ransomware, it does not ramp up your CPU activity to 80 or 90%, which you&#8217;d notice if you were monitoring a server. Now another interesting thing to note while this malware is running is that it&#8217;s incredibly hard to detect wiper malware. Some of these have very low detections on VirusTotal. When this came out, I think it had 14 out of 70 detections.</p>
<p>I have noticed in the past as well with wiper malware that a lot of the behavioral defenses that will pick up threats like ransomware will be totally ineffective against wipers. It&#8217;s also worth noting that these sorts of attacks are usually also accompanied by distributed denial of service (DDoS) attacks. And in combination, it can just render a lot of the services that are critical to a country&#8217;s functioning disabled.</p>
<p>Now, the good news is in this specific case, this cyberattack against Ukraine wasn&#8217;t particularly successful. I think most of the websites recovered fairly quickly. But it&#8217;s not hard to imagine the kind of impact this would have if it totally disrupted communication systems at a crucial point in time. Alright, so the sample has been running in the background for a while and it may seem like the system is normal, nothing has happened, but if we open one of our files, as you will see, the data inside is gone already. This is what the data looks like now. It has all been wiped.</p>
<figure id="attachment_4755" aria-describedby="caption-attachment-4755" style="width: 949px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2023/02/file-structure-irrevocably-modified.jpg"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2023/02/file-structure-irrevocably-modified.jpg" alt="File structure irrevocably modified" width="949" height="500" class="size-full wp-image-4755" srcset="https://myspybot.com/wp-content/uploads/2023/02/file-structure-irrevocably-modified.jpg 949w, https://myspybot.com/wp-content/uploads/2023/02/file-structure-irrevocably-modified-300x158.jpg 300w, https://myspybot.com/wp-content/uploads/2023/02/file-structure-irrevocably-modified-620x327.jpg 620w, https://myspybot.com/wp-content/uploads/2023/02/file-structure-irrevocably-modified-768x405.jpg 768w, https://myspybot.com/wp-content/uploads/2023/02/file-structure-irrevocably-modified-850x448.jpg 850w" sizes="(max-width: 949px) 100vw, 949px" /></a><figcaption id="caption-attachment-4755" class="wp-caption-text">File structure irrevocably modified</figcaption></figure>
<p>So it&#8217;s been several minutes since and we&#8217;ve just had a BSOD, and now the system is no longer going to work. This malware is particularly devastating because it doesn&#8217;t care about getting some sort of ransom or a bargaining position with the victim. It just seeks to destroy your system outright. And if something like this were to hit major businesses, government organizations, it would be disaster territory very quickly if you don&#8217;t have backup systems that are isolated and not hit. It could take down services and cause mass confusion, especially as we begin to rely more and more on digital technologies for things we do in everyday life, for our money, for our food, for our communications.</p>
<p>This could be the future of warfare. So for those of you who are still not convinced about the importance of cybersecurity, I think this is a reminder that that&#8217;s the world we live in. It&#8217;s only going to get more important from here. Defending yourself from such attacks is increasingly crucial because there might be a spillover of such incidents as there was with the NotPetya attacks. We could see the sample being used against businesses or accidentally hitting businesses. It&#8217;s really important to understand the repercussions of cyberattacks in a time like this. And as always, stay informed, stay secure, and stay safe Ukraine.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/hermeticwiper-malware-details-of-the-ukraine-cyberattack/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>GandCrab ransomware free decryption tool (up to version 5.1)</title>
		<link>https://myspybot.com/free-gandcrab-decryption-tool/</link>
					<comments>https://myspybot.com/free-gandcrab-decryption-tool/#comments</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Thu, 21 Feb 2019 07:29:44 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=3520</guid>

					<description><![CDATA[<p>[February 2019 update] On October 25, Romanian security software vendor Bitdefender sensationally spread the word about their breakthrough in combatting GandCrab, one of the nastiest and most competently designed blackmail viruses to date. This e-extortion epidemic has been running rampant since early 2018, making hundreds of thousands of victims throughout the world. The antivirus lab’s …</p>
<p>The post <a href="https://myspybot.com/free-gandcrab-decryption-tool/">GandCrab ransomware free decryption tool (up to version 5.1)</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote class="bdaia-blockquotes bdaia-bqpo-right">In light of the recent victorious move of security analysts, learn how to decrypt files locked by GandCrab v1, v4 and v5 ransomware without paying the ransom.</blockquote>
<p><strong>[February 2019 update]</strong></p>
<p>On October 25, Romanian security software vendor Bitdefender sensationally spread the word about their breakthrough in combatting GandCrab, one of the nastiest and most competently designed blackmail viruses to date. This e-extortion epidemic has been running rampant since early 2018, claiming hundreds of thousands of victims throughout the world.</p>
<p>The antivirus lab’s researchers were able to come up with a decryption tool that restores files encrypted by versions 1, 4 and 5 of said ransomware. This way, not only can the numerous infected users heave a sigh of relief over returning the most valuable data, but they can also do it for free. Compared to ransoms demanded by the GandCrab crew, which range from about $600 to $6,000 worth of Bitcoin or Dash cryptocurrency, this initiative is certainly a godsend.</p>
<figure id="attachment_3360" aria-describedby="caption-attachment-3360" style="width: 860px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2018/10/gandcrab-5-0-3-replaces-wallpaper-with-a-warning-message.png"><img loading="lazy" decoding="async" class="size-full wp-image-3360" title="One of the supported GandCrab versions in action" src="https://myspybot.com/wp-content/uploads/2018/10/gandcrab-5-0-3-replaces-wallpaper-with-a-warning-message.png" alt="One of the supported GandCrab versions in action" width="860" height="450" srcset="https://myspybot.com/wp-content/uploads/2018/10/gandcrab-5-0-3-replaces-wallpaper-with-a-warning-message.png 860w, https://myspybot.com/wp-content/uploads/2018/10/gandcrab-5-0-3-replaces-wallpaper-with-a-warning-message-300x157.png 300w, https://myspybot.com/wp-content/uploads/2018/10/gandcrab-5-0-3-replaces-wallpaper-with-a-warning-message-768x402.png 768w, https://myspybot.com/wp-content/uploads/2018/10/gandcrab-5-0-3-replaces-wallpaper-with-a-warning-message-620x324.png 620w, https://myspybot.com/wp-content/uploads/2018/10/gandcrab-5-0-3-replaces-wallpaper-with-a-warning-message-850x445.png 850w" sizes="(max-width: 860px) 100vw, 860px" /></a><figcaption id="caption-attachment-3360" class="wp-caption-text">One of the supported GandCrab versions in action</figcaption></figure>
<p>Zooming in, the tool called Bitdefender GandCrab Decryptor supports 3 editions of the ransomware in question, namely the ones that append one of the following extensions to victims’ personal files: <a href="https://myspybot.com/gandcrab-gdcb-files-ransomware/" target="_blank" rel="noopener">GDCB (version 1)</a>, <a href="https://myspybot.com/krab-file-virus-gandcrab-v4/" target="_blank" rel="noopener">KRAB (version 4)</a>, or a random character string, such as <a href="https://myspybot.com/gandcrab-v-5-0/" target="_blank" rel="noopener">“yhtsfctld” (version 5)</a>. Note that the recovery works for all sub-variants of the above-mentioned iterations, so those hit by, say, <a href="https://myspybot.com/gandcrab-v5-0-3/" target="_blank" rel="noopener">GandCrab v5.0.3</a> are among the lucky ones as well.</p>
<p>According to the AV company’s <a href="https://labs.bitdefender.com/2018/10/bitdefender-law-enforcement-solve-for-multiple-versions-of-gandcrab-with-new-decryptor/" target="_blank" rel="noopener">press release</a>, the decryptor was masterminded in close collaboration with the Romanian Police, Europol, the FBI and other law enforcement agencies from the UK, the Netherlands, France, Poland, Bulgaria, Italy, and Hungary.</p>
<p>For the record, iterations 4 and 5 of the malicious program reportedly account for the majority of the infection cases. Regarding those contaminated with GandCrab versions 2 and 4, the analysts recommend that they refrain from redeeming their files via the ransom at this point. Although the decryptor in its current state doesn’t crack these mods, the white hats working on the vendor’s research team have instilled some hope by saying, “We’re still on it”. So the victims should stay tuned for good news, which is hopefully a matter of the near future. Overall, the security firm’s telemetry states that about 500,000 users across the globe have fallen victim to GandCrab this year.</p>
<p>There are currently no official details on whether the decryptor is an outcome of seizing the malicious command &amp; control (C&amp;C) servers or takes advantage of a crypto implementation flaw in the offending code. The latter is more likely, though. Anyway, let’s move on to the decryption routine proper.</p>
<div class="bdaia-separator se-dotted" style="margin-top:15px !important;margin-bottom:30px !important;"></div>
<h3>How to decrypt GandCrab v1, v2, v5.0-5.0.3</h3>
<p>The main prerequisite to successful data recovery in this scenario is the availability of a ransom note dropped by the infection. That’s because it contains a unique user-specific key that will be used by the decryptor to restore your files. This key is a long string of hexadecimal characters that identifies each victim.</p>
<p>So, as soon as you ascertain that the ransom note is on your computer, go ahead and <a href="https://labs.bitdefender.com/2018/10/bitdefender-law-enforcement-solve-for-multiple-versions-of-gandcrab-with-new-decryptor/" target="_blank" rel="noopener"><strong>download the decryptor</strong></a>. Run the app and accept the End-User License Agreement. When done, you will see the main GUI. Before you proceed, be sure to enter a specific scanning path or enable the “<strong>Scan entire system</strong>” option. Also, consider putting a checkmark next to the self-explanatory “<strong>Backup files</strong>” feature. Then, click “<strong>Scan</strong>”.</p>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3526" title="Bitdefender GandCrab Decryptor GUI" src="https://myspybot.com/wp-content/uploads/2018/11/bitdefender-gandcrab-decryptor-gui.png" alt="Bitdefender GandCrab Decryptor GUI" width="500" height="345" srcset="https://myspybot.com/wp-content/uploads/2018/11/bitdefender-gandcrab-decryptor-gui.png 500w, https://myspybot.com/wp-content/uploads/2018/11/bitdefender-gandcrab-decryptor-gui-300x207.png 300w, https://myspybot.com/wp-content/uploads/2018/11/bitdefender-gandcrab-decryptor-gui-320x220.png 320w" sizes="(max-width: 500px) 100vw, 500px" /></p>
<p>The tool will start traversing your computer for the crypto key data and decrypt all files locked by a supported GandCrab edition.</p>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3528" title="GandCrab decryption underway" src="https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-underway.png" alt="GandCrab decryption underway" width="500" height="345" srcset="https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-underway.png 500w, https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-underway-300x207.png 300w, https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-underway-320x220.png 320w" sizes="(max-width: 500px) 100vw, 500px" /></p>
<p>Be advised that the utility first tries to recover 5 files in the defined scanning path and will not continue if the decryption fails for some reason. Otherwise, it will decrypt the hostage files and then display the scan status notification. If something went wrong and some data couldn’t be restored, the app will let you know by saying “<strong>Some files could not be decrypted!</strong>”</p>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3530" title="Decryption report" src="https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-report.png" alt="Decryption report" width="500" height="345" srcset="https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-report.png 500w, https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-report-300x207.png 300w, https://myspybot.com/wp-content/uploads/2018/11/gandcrab-decryption-report-320x220.png 320w" sizes="(max-width: 500px) 100vw, 500px" /></p>
<p>In order to find out which files haven’t been reinstated, you can peruse the tool’s logs generated inside the <strong>BDRansomDecryptor</strong> folder under the <strong>%Temp%</strong> directory. However, if the decryptor succeeds in locating all the bits and pieces of the required cryptographic information in the system, the chances that something goes wrong are quite low and it should be able to get all your files out of captivity.</p>
<div class="bdaia-separator se-dotted" style="margin-top:15px !important;margin-bottom:30px !important;"></div>
<h3>February 2019 update: support added for GandCrab variants up to v5.1</h3>
<p>Almost 4 months after the above-mentioned version of the revolutionary decryptor was out, the same security firm cooked up a new mod that’s capable of restoring files mutilated by more editions of the ransomware. Its recovery power now additionally spans GandCrab iterations up to version 5.1 inclusive. This tool is particularly game-changing in the context of the <a href="https://myspybot.com/gandcrab-5-0-4/" target="_blank" rel="noopener">GandCrab 5.0.4</a> sub-campaign, which has made the most victims over the past few months.</p>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-3697" title="New Bitdefender decryptor version supporting more GandCrab variants" src="https://myspybot.com/wp-content/uploads/2018/11/new-gandcrab-decryptor.png" alt="New Bitdefender decryptor version supporting more GandCrab variants" width="768" height="512" srcset="https://myspybot.com/wp-content/uploads/2018/11/new-gandcrab-decryptor.png 768w, https://myspybot.com/wp-content/uploads/2018/11/new-gandcrab-decryptor-300x200.png 300w, https://myspybot.com/wp-content/uploads/2018/11/new-gandcrab-decryptor-620x413.png 620w" sizes="(max-width: 768px) 100vw, 768px" /></p>
<p>Not only has the most recent build of the rescue app gotten enhanced cipher-cracking functionality, but it has also undergone an overhaul on the outside. It’s now called <a href="https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/" target="_blank" rel="noopener"><strong>Bitdefender Decryption Utility for GandCrab V1, V4, V5</strong></a>.</p>
<p style="text-align: center;"><span class='bdaia-btns bdaia-btn-large' style="background:#81d742 !important;color:#ffffff !important;"><a href="https://labs.bitdefender.com/wp-content/uploads/downloads/gandcrab-removal-tool-v1-1/" target="_blank" rel="nofollow noreferrer noopener" style="color:#ffffff !important;"><span class="btn-io fa fa fa-arrow-circle-down"></span>Download GandCrab v1-v5.1 ransomware decryptor</a></span></p>
<p>The new light-colored GUI supersedes the dark user console of the previous variant. Other than that, the features are the same. The user can select a specific encrypted folder or opt for a scan of the entire system. The “Backup files” option is still there, and it’s worth enabling just to make sure data stays in its current form if something goes wrong along the way.</p>
<p>Predictably enough, heaving a sigh of relief is a premature reaction when it comes to ransomware families as potent as this one. Mere days elapsed after the vendor announced the revamped decryptor – and the cybercriminals came up with the <a href="https://myspybot.com/gandcrab-5-2/">GandCrab 5.2</a> variant that cannot be cracked. The bad guys must have “patched” the crypto flaw discovered by the security analysts, so the undecryptable menace is back and it’s out there looking for new victims. While the researchers’ efforts are more than commendable, the crooks continue to be one step ahead.</p>
<div class="bdaia-separator se-dotted" style="margin-top:15px !important;margin-bottom:30px !important;"></div>
<h3>The bottom line</h3>
<p>GandCrab ransomware devs have architected a smooth extortion model where they get a 30% cut from all the ransoms while outsourcing the distribution job to unscrupulous affiliates. This tactic is known as RaaS (Ransomware-as-a-Service), and it’s the basis for long-lasting worldwide propagation of the culprit. This strain boasts frequent updates featuring code improvements and permanently refined AV evasion mechanisms.</p>
<p>Again, the build currently in rotation is GandCrab v5.2, and it’s uncrackable thus far. The malware operators have made a few tweaks to their infection to get around the free decryption trap. In the meantime, if you have been attacked by this virtual predator and the stars align in terms of the ransomware variant, don’t fail to give the free recovery tool a shot right away.</p>
<p>The post <a href="https://myspybot.com/free-gandcrab-decryption-tool/">GandCrab ransomware free decryption tool (up to version 5.1)</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/free-gandcrab-decryption-tool/feed/</wfw:commentRss>
			<slash:comments>8</slash:comments>
		
		
			</item>
		<item>
		<title>“Hello! My nickname in darknet is des53” – dissecting the extortion</title>
		<link>https://myspybot.com/nickname-in-darknet-email-scam/</link>
					<comments>https://myspybot.com/nickname-in-darknet-email-scam/#comments</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Fri, 02 Nov 2018 15:59:34 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=3521</guid>

					<description><![CDATA[<p>Darknet, dark web, deep web – all of these concepts have come to designate the enigmatic and elusive cybercriminal underground. The aura of secrecy, heated up by the numerous science fiction movie plots, instills fear when people encounter one of these terms in real life. The crooks out there couldn’t possibly walk by this apprehension, …</p>
<p>The post <a href="https://myspybot.com/nickname-in-darknet-email-scam/">“Hello! My nickname in darknet is des53” – dissecting the extortion</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote class="bdaia-blockquotes bdaia-bqpo-right">Online scammers have recently launched an extortion campaign through “Hello! My nickname in darknet is des53” emails – here’s what you need to know about it.</blockquote>
<p>Darknet, dark web, deep web – all of these concepts have come to designate the enigmatic and elusive cybercriminal underground. The aura of secrecy, heated up by the numerous science fiction movie plots, instills fear when people encounter one of these terms in real life. The crooks out there couldn’t possibly walk by this apprehension, coining and firing up email scams that revolve around the hacker theme and thus pressure users into following their demands. The latest large-scale fraud wave from this category involves email messages that start with the spooky phrase “<strong>Hello! My nickname in darknet is des53</strong>”. The subject of such a spoof email will state that the recipient’s account is hacked, just to scare the person further.</p>
<figure id="attachment_3522" aria-describedby="caption-attachment-3522" style="width: 850px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-des53-email-scam.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-des53-email-scam.png" alt="Hello My nickname in darknet is des53 email scam – the message body" title="Hello My nickname in darknet is des53 email scam – the message body" width="850" height="540" class="size-full wp-image-3522" srcset="https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-des53-email-scam.png 850w, https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-des53-email-scam-300x191.png 300w, https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-des53-email-scam-768x488.png 768w, https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-des53-email-scam-620x394.png 620w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption id="caption-attachment-3522" class="wp-caption-text">“Hello! My nickname in darknet is des53” email scam – the message body</figcaption></figure>
<p>The most unsettling part about the whole scheme is that the sender appears to know the victim’s real email password, a currently used one or – more likely – valid old credentials that have already been changed. This stems from the fact that the “From” field in the message header matches the receiving address. In some variations of this scam, the message body will actually include the victim’s password. One way or another, the fact of someone knowing your sensitive credentials is an element of persuasiveness, and the felons try to take advantage of it to the fullest. Below is the full text of this hoax – note that the wording may vary slightly in different sub-campaigns, but the core idea is basically the same.</p>
<blockquote class="bdaia-blockquotes bdaia-bqpo-center"><p>Hello!</p>
<p>My nickname in darknet is des53.<br />
I hacked this mailbox more than six months ago. Through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.</p>
<p>Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer<br />
and automatically saved access for me.</p>
<p>I have access to all your accounts, social networks, email, browsing history.<br />
Accordingly, I have the data of all your contacts, files from your computer, photos and videos.</p>
<p>I was most struck by the adult sites that you occasionally visit.<br />
You have a very wild imagination, I tell you!</p>
<p>During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching.<br />
Oh my god! You were so funny and excited!</p>
<p>I think that you do not want all your contacts to get these files, right?<br />
If you are of the same opinion, then I think that $880 is quite a fair price to destroy the dirt I created.</p>
<p>Send the above amount to my Bitcoin wallet: [Redacted]</p>
<p>As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.</p>
<p>Otherwise, these files and history of visiting sites will get all your contacts from your device.<br />
Also, I’ll send to everyone your contact access to your email and access logs, which I have carefully saved.</p>
<p>Since reading this letter you have 48 hours!<br />
After your reading this message, I’ll receive an automatic notification that you have seen the letter.</p>
<p>I hope I taught you a good lesson.<br />
Visit safe websites only, and don’t enter your passwords anywhere!</p>
<p>Good luck!</p></blockquote>
<p>Let’s now dissect the tactic of blackmail proper. The self-proclaimed “hacker” says he has dropped a virus (trojan) onto the target computer, and it has allegedly intercepted all caching data and saved the user’s contacts, personal files, photos and videos. Furthermore, the malicious code has presumably taken a picture of the user as they were watching adult content online, and the attacker claims to have synchronized this image with the screenshot of what exactly they were watching. Then, the swindler threatens to send these “incriminating” materials to all of the user’s contacts. In order to avoid the embarrassment, the recipient is coerced to pay a ransom in Bitcoin. Its size is $800-$900 worth of cryptocurrency, which des53 – whoever he may be – thinks is a “fair price to destroy the dirt” he has compiled.</p>
<p>By the way, there are other nicknames that can also be mentioned in these deceptive emails. The frequently reported ones include: <strong>artie71</strong>, <strong>josephus63</strong>, <strong>brion40</strong>, <strong>hort17</strong>, <strong>saunderson53</strong>, <strong>nickola53</strong>, <strong>demetre97</strong>, <strong>hansiain16</strong>, <strong>bartlet56</strong>, <strong>fransisco73</strong>, <strong>fitzgerald59</strong>, <strong>alexandr88</strong>, <strong>gray24</strong>, <strong>fred26</strong>, <strong>rockwell79</strong>, <strong>zacherie99</strong>, <strong>rafaelle76</strong>, <strong>weston87</strong>, and <strong>gordie49</strong>.</p>
<figure id="attachment_3523" aria-describedby="caption-attachment-3523" style="width: 850px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-artie71-email-scam.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-artie71-email-scam.png" alt="A slightly different variant of the Hello! My nickname in darknet is des53 scam" title="A slightly different variant of the Hello! My nickname in darknet is des53 scam" width="850" height="970" class="size-full wp-image-3523" srcset="https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-artie71-email-scam.png 850w, https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-artie71-email-scam-263x300.png 263w, https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-artie71-email-scam-768x876.png 768w, https://myspybot.com/wp-content/uploads/2018/11/hello-my-nickname-in-darknet-is-artie71-email-scam-620x708.png 620w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption id="caption-attachment-3523" class="wp-caption-text">A slightly different variant of the “Hello! My nickname in darknet is des53” scam</figcaption></figure>
<p>To top it off, the malefactor sets a deadline for payment. Unless the victim coughs up the money in 48 hours, the sensitive stuff will supposedly go to their family, friends and colleagues. All in all, this form of hoax is commonly referred to as sextortion (sex + extortion), but in this particular scenario the term is only partially relevant because the crook doesn’t actually have any ignominious information at their disposal. This is nothing but bluff – keep it in mind. The fraud in question bears a close resemblance to other recent blackmail waves, including the <strong>“<a href="https://myspybot.com/hacker-who-cracked-your-email/" target="_blank" rel="noopener noreferrer">Hacker who cracked your email</a>”</strong> and <strong>“<a href="https://myspybot.com/programmer-who-cracked-your-email/" target="_blank" rel="noopener noreferrer">I’m a programmer who cracked your email</a>”</strong> scams currently in rotation.</p>
<p>Now, at this point, it makes sense to dot the i’s and cross the t’s. The allegation about the wannabe hacker having your password is controversial. He may have actually obtained it from one of the past compromises of major Internet services. In this case, the credentials are probably old and have already been changed. Sometimes, though, the culprits employ a technique called email spoofing, which allows them to mimic one’s real email address so that it looks as if the message had been sent from the victim’s account. You can differentiate between these two scenarios by scrutinizing the message body. If it includes a password, then you’re dealing with someone who has access to a credentials dump stemming from a service breach. Otherwise, you are being manipulated by means of email spoofing. What both of these variants have in common is that the fraudster doesn’t actually have any embarrassing photos of you or screenshots of sites you have visited. This is simply a method to get you on the hook and add some intimidation to the mix.</p>
<p>So, what’s the verdict? If you have received the “<strong>Hello! My nickname in darknet is des53</strong>” email (again, the nickname may vary), refrain from submitting any funds to the sender’s BTC wallet. You can safely delete this message. However, just to make sure you’re on the safe side, consider changing your email password and have your system scanned for spyware with a trustworthy security solution.</p>
<p>The post <a href="https://myspybot.com/nickname-in-darknet-email-scam/">“Hello! My nickname in darknet is des53” – dissecting the extortion</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/nickname-in-darknet-email-scam/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
			</item>
		<item>
		<title>Netflix hack: attacker unleashes his rage over failed extortion</title>
		<link>https://myspybot.com/netflix-hack/</link>
					<comments>https://myspybot.com/netflix-hack/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Tue, 09 May 2017 09:50:13 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=2050</guid>

					<description><![CDATA[<p>A newsmaking hack incident as of late April 2017 involving Netflix and a related media company became a serious wakeup call for proprietors of popular streaming video services. A threat actor identifying himself as The Dark Overlord (TDO) ended up carrying out copyrighted materials leakage threats after the compromised organization refused to submit a ransom …</p>
<p>The post <a href="https://myspybot.com/netflix-hack/">Netflix hack: attacker unleashes his rage over failed extortion</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote class="bdaia-blockquotes bdaia-bqpo-right">Recently leaked 10 episodes of the “Orange Is the New Black” show’s season 5 have demonstrated how vulnerable entertainment companies are in the face of hacking.</blockquote>
<p>A newsmaking hack incident as of late April 2017 involving Netflix and a related media company became a serious wakeup call for proprietors of popular streaming video services. A threat actor identifying himself as The Dark Overlord (TDO) ended up carrying out his threat to leak copyrighted materials after the compromised organization refused to submit a ransom in exchange for not releasing the content. The worst part of the whole story is that the unsanctioned release occurred more than a month before the show was scheduled for official airing.</p>
<p>By the way, this particular cybercrook gained notoriety last year for hacking healthcare institutions, most of which are U.S. based, and holding their software source code and patients’ records for ransom. Following a fairly lengthy hiatus, said ill-minded individual, or group of criminals, made quite a reappearance with the latest Netflix breach story.</p>
<figure id="attachment_2054" aria-describedby="caption-attachment-2054" style="width: 580px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2017/05/dark-overlords-tweets-regarding-episodes-leak.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2017/05/dark-overlords-tweets-regarding-episodes-leak.png" alt="The Dark Overlord’s tweets regarding episodes leak" title="The Dark Overlord’s tweets regarding episodes leak" width="580" height="600" class="size-full wp-image-2054" srcset="https://myspybot.com/wp-content/uploads/2017/05/dark-overlords-tweets-regarding-episodes-leak.png 580w, https://myspybot.com/wp-content/uploads/2017/05/dark-overlords-tweets-regarding-episodes-leak-290x300.png 290w" sizes="(max-width: 580px) 100vw, 580px" /></a><figcaption id="caption-attachment-2054" class="wp-caption-text">The Dark Overlord’s tweets regarding episodes leak</figcaption></figure>
<p>Before dwelling on the details, it makes sense to first address some significant misperceptions, though. The incident in question isn’t about <a href="https://myspybot.com/wallet-file-virus/" target="_blank" rel="noopener">ransomware proper</a> in the sense that no crypto-backed malicious code was ever involved. Instead, it’s a classic doxing attack, where felons get hold of sensitive content and blackmail the owner by threatening to make it public unless a ransom is paid up. Another important fact is that it’s not Netflix that was actually breached. The original target was a partnering post-production company called Larson Studios, Inc.</p>
<p>The timeline of this defiant blackmail dates back to January 2017. The attackers most likely spotted a security flaw in the systems of the above-mentioned Larson Studios. By breaching its IT infrastructure, The Dark Overlord accessed and pilfered unreleased episodes of the “Orange Is the New Black” series, possibly along with several dozen other shows. According to information TDO provided to DataBreaches.net, the post-production company first opted for the ransom route to sort things out by the end of January. The amount was 50 Bitcoin, which is worth about $80,000 at the time of this writing. However, the target never submitted the cryptocurrency requested by the crooks, neither by the deadline nor afterwards. This turn of events made the attackers switch to negotiating with Netflix.</p>
<figure id="attachment_2052" aria-describedby="caption-attachment-2052" style="width: 680px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2017/05/orange-is-the-new-black-on-thepiratebay.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2017/05/orange-is-the-new-black-on-thepiratebay.png" alt="‘Orange Is the New Black’ 10 out of 13 episodes on ThePirateBay" title="‘Orange Is the New Black’ 10 out of 13 episodes on ThePirateBay" width="680" height="470" class="size-full wp-image-2052" srcset="https://myspybot.com/wp-content/uploads/2017/05/orange-is-the-new-black-on-thepiratebay.png 680w, https://myspybot.com/wp-content/uploads/2017/05/orange-is-the-new-black-on-thepiratebay-300x207.png 300w, https://myspybot.com/wp-content/uploads/2017/05/orange-is-the-new-black-on-thepiratebay-620x429.png 620w" sizes="(max-width: 680px) 100vw, 680px" /></a><figcaption id="caption-attachment-2052" class="wp-caption-text">‘Orange Is the New Black’ 10 out of 13 episodes on ThePirateBay</figcaption></figure>
<p>Later on, having realized that the extortion attempts were futile, The Dark Overlord decided to act. On April 28, he wrote the following on his Twitter page @tdohack3r: “Let’s try to be a bit more direct, Netflix,” also posting links to Pastebin and ThePirateBay pages hosting 10 downloadable episodes from season 5 of the ransomed “Orange Is the New Black” show. Although the episodes are in 720p and have quality issues, the leak is still a big problem for the streaming service.</p>
<p>In another tweet the same day, TDO wrote: “Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we’re all going to have. We’re not playing any games anymore.” A particularly disconcerting thing is that the hacker reportedly also stole unaired content for 36 more TV series and films. Incidents like this one should provide food for thought to these types of services. One of the nontrivial nuances is that even though Netflix’s own networks were never breached, the bad guys were still able to find a weak link along the production chain. So partnering organizations should, obviously, do a better job hardening their security.</p>
<p>Perhaps Netflix did the right thing ignoring the hackers’ demands and refusing to fuel the darknet business with thousands of dollars. But, again, the moral of the story for such companies is to safeguard all facets of their activity rather than focus on their own security posture only.</p>
<p>The post <a href="https://myspybot.com/netflix-hack/">Netflix hack: attacker unleashes his rage over failed extortion</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/netflix-hack/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Eccentric “Rensenware” infection demands Touhou game score instead of Bitcoin</title>
		<link>https://myspybot.com/rensenware-new-crypto-threat/</link>
					<comments>https://myspybot.com/rensenware-new-crypto-threat/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Tue, 18 Apr 2017 08:40:53 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=1858</guid>

					<description><![CDATA[<p>In a move that hardly anyone in the security community could possibly anticipate, a questionably judicious individual going by Twitter nickname Tvple Eraser has made quite an appearance on the e-extortion arena. He ventured into cooking up a malicious program dubbed Rensenware, which encrypts data and then instructs the victim to score more than 0.2 …</p>
<p>The post <a href="https://myspybot.com/rensenware-new-crypto-threat/">Eccentric “Rensenware” infection demands Touhou game score instead of Bitcoin</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote class="bdaia-blockquotes bdaia-bqpo-right">A new crypto threat called Rensenware is breaking new ground with its unique tactic, where it encourages victims to play a game rather than cough up money.</blockquote>
<p>In a move that hardly anyone in the security community could have anticipated, a questionably judicious individual going by the Twitter nickname Tvple Eraser has made quite an appearance on the e-extortion arena. He ventured into cooking up a malicious program dubbed Rensenware, which encrypts data and then instructs the victim to score more than 0.2 billion in the game TH12 ~ Undefined Fantastic Object. While some of those infected might heave a sigh of relief after learning that the attacker’s demands are not about money, that’s a premature impression. Scoring that much on the Lunatic level of the aforementioned anime shooter game, which is also referred to as Touhou Seirensen, is an extremely tough objective.</p>
<figure id="attachment_1863" aria-describedby="caption-attachment-1863" style="width: 550px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2017/04/rensenware-warning-screen.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2017/04/rensenware-warning-screen.png" alt="Rensenware warning screen" title="Rensenware warning screen" width="550" height="685" class="size-full wp-image-1863" srcset="https://myspybot.com/wp-content/uploads/2017/04/rensenware-warning-screen.png 550w, https://myspybot.com/wp-content/uploads/2017/04/rensenware-warning-screen-241x300.png 241w" sizes="(max-width: 550px) 100vw, 550px" /></a><figcaption id="caption-attachment-1863" class="wp-caption-text">Rensenware warning screen</figcaption></figure>
<p>The Rensenware author, possibly a Korean resident judging from some of his posts on Twitter, has already apologized to everyone affected and stated that this project was intended to be nothing but a joke. He has since also <a href="https://github.com/0x00000FF/rensenware_force/releases" target="_blank" rel="nofollow noopener"><strong>released a tool</strong></a> called Enhanced Forcer for Rensenware, which meddles with the memory of TH12 ~ Undefined Fantastic Object so that the decryption can be approved and started without the user having to actually play the game. These efforts to correct such a defiant mistake are probably commendable, but the infection is still causing tangible problems for plagued users who are at their wit’s end trying to restore their valuable data. Finding and using the above fix takes time; moreover, the efficiency of the tool has not been officially vetted as of now.</p>
<figure id="attachment_1865" aria-describedby="caption-attachment-1865" style="width: 600px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2017/04/rensenware-authors-tweets.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2017/04/rensenware-authors-tweets.png" alt="Rensenware author’s tweets regarding the outcome of his controversial work" title="Rensenware author’s tweets regarding the outcome of his controversial work" width="600" height="230" class="size-full wp-image-1865" srcset="https://myspybot.com/wp-content/uploads/2017/04/rensenware-authors-tweets.png 600w, https://myspybot.com/wp-content/uploads/2017/04/rensenware-authors-tweets-300x115.png 300w" sizes="(max-width: 600px) 100vw, 600px" /></a><figcaption id="caption-attachment-1865" class="wp-caption-text">Rensenware author’s tweets regarding the outcome of his controversial work</figcaption></figure>
<p>The Rensenware program itself is pretty crude in terms of the compromise workflow. It is configured to encrypt information stored on both fixed and non-fixed drives. Consequently, it may crash multiple times while trying to scramble data on a CD drive even though there is no optical disc in it. This nuance aside, the malware scans an infected machine for about 30 file types, including Microsoft Office documents, images, audio files and archives. Then, it encrypts every matching item with the AES-256 algorithm. A predictable byproduct of this activity is that the .RENSEWARE extension is appended to locked files. As opposed to almost <a href="https://myspybot.com/how-to-decrypt-ransomware/" target="_blank" rel="noopener">all in-the-wild ransomware samples</a>, this one does not erase Shadow Copies of one’s data entries, so it’s technically possible to restore the information via forensic mechanisms. As soon as the crypto part of the breach has been completed, Rensenware displays a warning window explaining the prerequisites for decryption.</p>
<p>Despite the fact that the wannabe hacker behind this story has admitted he was wrong and it was all just for fun, victims do suffer real-world consequences and have to waste their time and efforts to sort things out. This incident is kind of reminiscent of the open-source Hidden Tear and EDA2 projects, where crooks weaponized the originally benign educational code to create real threats. No matter how talented malware researchers are, they should definitely think twice before blowing their own trumpet just for show.</p>
<p>The post <a href="https://myspybot.com/rensenware-new-crypto-threat/">Eccentric “Rensenware” infection demands Touhou game score instead of Bitcoin</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/rensenware-new-crypto-threat/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Fancy Bear tracking Ukrainian artillery units</title>
		<link>https://myspybot.com/fancy-bear-tracking-ukrainian-artillery-units/</link>
					<comments>https://myspybot.com/fancy-bear-tracking-ukrainian-artillery-units/#respond</comments>
		
		<dc:creator><![CDATA[Will Wisser]]></dc:creator>
		<pubDate>Thu, 23 Feb 2017 15:45:15 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://myspybot.com/?p=1253</guid>

					<description><![CDATA[<p>The blood-shedding military conflict in the East Ukrainian Donbas region is assuming new hybrid characteristics. The Ukrainian army has been confronted with a deadly tandem of Russia-backed rebels and Russian regular military forces since 2014. According to a recent investigation by CrowdStrike, the theater of war here turns out to be an explosive mix of …</p>
<p>The post <a href="https://myspybot.com/fancy-bear-tracking-ukrainian-artillery-units/">Fancy Bear tracking Ukrainian artillery units</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The blood-shedding military conflict in the East Ukrainian Donbas region is assuming new hybrid characteristics. The Ukrainian army has been confronted with a deadly tandem of Russia-backed rebels and Russian regular military forces since 2014. According to a <a href="https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/" target="_blank" rel="nofollow noopener">recent investigation</a> by CrowdStrike, the theater of war here turns out to be an explosive mix of a real-world battlefield and cyber warfare. A group of threat actors referred to as Fancy Bear, which is likely affiliated with Russia’s Main Intelligence Agency (GRU), has reportedly created a trojanized Android application, subsequently contaminating Ukrainian soldiers’ smartphones with it to accurately determine the location of Ukrainian field artillery units.</p>
<figure id="attachment_1256" aria-describedby="caption-attachment-1256" style="width: 680px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2016/12/d-30-howitzer.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2016/12/d-30-howitzer.png" alt="122 mm D-30 howitzer" title="122 mm D-30 howitzer" width="680" height="450" class="size-full wp-image-1256" srcset="https://myspybot.com/wp-content/uploads/2016/12/d-30-howitzer.png 680w, https://myspybot.com/wp-content/uploads/2016/12/d-30-howitzer-300x199.png 300w, https://myspybot.com/wp-content/uploads/2016/12/d-30-howitzer-620x410.png 620w" sizes="(max-width: 680px) 100vw, 680px" /></a><figcaption id="caption-attachment-1256" class="wp-caption-text">122 mm D-30 howitzer</figcaption></figure>
<p>The Fancy Bear group has also operated under such aliases as Sofacy, Strontium, Sednit, and APT28. As per investigative reports, the cybercrime ring in question is the one that pulled off a series of attacks against the U.S. Democratic National Committee in June 2016. The breaches were carried out through the use of a cross-platform remote access toolkit called X-Agent. Originally, the X-Agent RAT could be deployed on different editions of the Windows operating system, as well as Mac OS X and iOS. However, recent evidence of its use in the conflict in Eastern Ukraine proves that the use cases have expanded to Android. The source code of X-Agent hasn’t been circulating beyond the campaigns of Fancy Bear, which proves the attribution of these attacks exclusively to the Russian intelligence and the associated cybercrime group.</p>
<figure id="attachment_1258" aria-describedby="caption-attachment-1258" style="width: 640px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2016/12/fancy-bear-group-ties-russian-intelligence.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2016/12/fancy-bear-group-ties-russian-intelligence.png" alt="The Fancy Bear group has ties to Russian intelligence" title="The Fancy Bear group has ties to Russian intelligence" width="640" height="340" class="size-full wp-image-1258" srcset="https://myspybot.com/wp-content/uploads/2016/12/fancy-bear-group-ties-russian-intelligence.png 640w, https://myspybot.com/wp-content/uploads/2016/12/fancy-bear-group-ties-russian-intelligence-300x159.png 300w, https://myspybot.com/wp-content/uploads/2016/12/fancy-bear-group-ties-russian-intelligence-620x329.png 620w" sizes="(max-width: 640px) 100vw, 640px" /></a><figcaption id="caption-attachment-1258" class="wp-caption-text">The Fancy Bear group has ties to Russian intelligence</figcaption></figure>
<p>The legitimate prototype of the malware was originally developed in 2014 by Yaroslav Sherstuk, an officer of the 55th Artillery Brigade of the Ukrainian Armed Forces. Called “Попр-Д30.apk”, this Android application was intended to facilitate the process of calibrating the 122 mm D-30 towed howitzer. According to Mr. Sherstuk, the app reduced the howitzer targeting time from minutes to less than 15 seconds. This, obviously, gave Ukrainian artillerists a significant advantage over the adversary. The application was never distributed in the open – instead, it was exchanged between officers or could be downloaded from Ukrainian military forums. The user base reached about 9,000 over the 2014-2016 time span.</p>
<p>In a stealthy move, Fancy Bear crooks were able to get a copy of Попр-Д30 and rebuild it. They injected the Android variant of X-Agent into the app and posted the booby-trapped installer on dedicated Ukrainian military forums. As some unsuspecting Ukrainian officers ended up installing the rogue application on their Android devices, Russian threat actors could obtain their geolocation data and intercept communications. It’s within the realms of possibility that this cyber espionage caused the Ukrainian Army to lose 80% of its D-30 howitzers since 2014, which significantly exceeds the number of other artillery units destroyed over the last two years of conflict.</p>
<figure id="attachment_1260" aria-describedby="caption-attachment-1260" style="width: 405px" class="wp-caption aligncenter"><a href="https://myspybot.com/wp-content/uploads/2016/12/popr-d-30-android-app.png"><img loading="lazy" decoding="async" src="https://myspybot.com/wp-content/uploads/2016/12/popr-d-30-android-app.png" alt="The original 'Попр-Д30' app for Android" title="The original 'Попр-Д30' app for Android" width="405" height="420" class="size-full wp-image-1260" srcset="https://myspybot.com/wp-content/uploads/2016/12/popr-d-30-android-app.png 405w, https://myspybot.com/wp-content/uploads/2016/12/popr-d-30-android-app-289x300.png 289w" sizes="(max-width: 405px) 100vw, 405px" /></a><figcaption id="caption-attachment-1260" class="wp-caption-text">The original &#8216;Попр-Д30&#8217; app for Android</figcaption></figure>
<p>These disconcerting statistics, however, appear to be far-fetched. CrowdStrike’s Adam Meyers, the author of the report under consideration, may have used a questionably trustworthy resource to obtain information on the whopping 80% losses of the Ukrainian artillery units due to Fancy Bear’s interference. The website being referenced is run by a pro-Russian investigative reporter who goes by the handle “Colonel Cassad”.</p>
<p>The quantitative facet of the research is based on data provided in The Military Balance annual reports for 2013 and 2016 released by the International Institute for Strategic Studies (IISS). Although the figures on Ukrainian 122 mm D-30 towed howitzers for 2013 and 2016 are accurate (369 and 75, respectively), the decrease by 80% can be attributed to an inventory as of 2014 that identified out-of-order artillery units.</p>
<p>Furthermore, we at MySpyBot were unable to spot any Ukrainian military forums distributing the malicious .apk of the Попр-Д30 app. We sent an official inquiry to Mr. Meyers for commentary on this discrepancy. In particular, we asked him to provide the specific online resource hosting the rogue .apk file. Unfortunately, we never received anything in response. So it makes sense to conclude that the above-mentioned stats are ungrounded and blown out of proportion.</p>
<p>This reconnaissance operation by the Fancy Bear group demonstrates how digital code can have real-life consequences. Obviously, the tactics of hybrid war have no limits, covering the military, political and cyber facets of warfare. Crypto ransomware is another noteworthy aspect of Russian misdemeanor on the international cyber threats arena. For instance, one of the recent ransomware strains appends the “<strong>.VOZMEZDIE_ZA_DNR</strong>” suffix to victims’ encrypted files. This string is a transliterated Russian phrase meaning “Revenge for DPR”, where DPR stands for the self-proclaimed Donetsk People’s Republic, a butcherly terrorist organization operating in East Ukraine. This indicator of compromise suggests that the threat actors behind these attacks are either Russians or tech-savvy Russia-backed terrorists. This online extortion campaign certainly doesn’t affect people’s lives as badly as Fancy Bear’s felonies. But it explicitly <a href="https://myspybot.com/how-to-decrypt-ransomware/" target="_blank" rel="noopener">demonstrates</a> the hostility of one particular country toward the rest of the world.</p>
<p>The post <a href="https://myspybot.com/fancy-bear-tracking-ukrainian-artillery-units/">Fancy Bear tracking Ukrainian artillery units</a> appeared first on <a href="https://myspybot.com">MySpyBot</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://myspybot.com/fancy-bear-tracking-ukrainian-artillery-units/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
