???? Beware of Knight Ransomware Disguised as TripAdvisor Complaints! ????

Aug 16 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s everything you need and more.

Today’s hottest cybersecurity news stories:

  • ????️ Knight ransomware distributed in fake Tripadvisor complaint emails ????

  • ???? Introducing QwixxRAT, new Telegram, Discord app Remote Access Trojan ????

  • ❌ Xurum attacks on e-commerce sites utilising Magenta 2 continue ????

Great, another white knight ????

???? Beware of Knight Ransomware Disguised as TripAdvisor Complaints! ????

Stay vigilant, as an ongoing spam campaign is circulating, using fake TripAdvisor complaints to distribute the dangerous Knight ransomware ????. This ransomware is a rebrand of Cyclop Ransomware-as-a-Service, which underwent a name change in late July 2023.

???? Who Are They?

Cyclops, now known as Knight ransomware, emerged in May 2023, recruiting hackers on the RAMP forum for their ransomware-as-a-service venture. Unique to this operation is its cross-platform compatibility, targeting Windows, macOS, Linux, and ESXi. They even offer data-stealing malware for Windows and Linux.

????️ Spreading Tactics

In a recent twist, the Knight ransomware team launched a spam campaign mimicking TripAdvisor complaints. Sophos researcher Felix discovered emails containing ZIP file attachments with names like ‘TripAdvisorComplaint.zip,’ harbouring a treacherous executable ‘TripAdvisor Complaint – Possible Suspension.exe.’ A more recent variant uses an HTML attachment, ‘TripAdvisor-Complaint-[random].PDF.htm,’ to deceive victims.

???? Don’t Fall for It!

The malicious HTML file triggers Mr.D0x’s Browser-in-the-Browser phishing technique, displaying a phoney TripAdvisor complaint. When users click ‘Read Complaint,’ they unwittingly download the ransomware disguised as an Excel XLL file named ‘TripAdvisor_Complaint-Possible-Suspension.xll.’

????️Top Tips:

  • Think Before You Click: Be cautious of unexpected emails, especially with attachments.

  • Verify Sources: Confirm the legitimacy of attachments before opening them.

  • Keep Software Updated: Regular updates can help patch vulnerabilities.

  • Backup Data: Store important files securely to prevent ransomware loss.

  • Stay informed and spread the word to safeguard your digital world! ????????️????

Remember, caution is key in the ever-evolving landscape of cybersecurity! ????????????


Join Discord


I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

Its run by Yourfriendandy and Decadeinvestor, you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group you can through the link below.

Come Qwixx you can! ????

???? New QwixxRAT: A Stealthy Threat Emerges ????

A fresh threat is on the horizon as a remote access trojan (RAT) named QwixxRAT is up for sale on Telegram and Discord platforms ????. This alarming discovery comes from cybersecurity firm Uptycs, shedding light on the trojan’s sinister capabilities.

???? Infiltration and Data Theft

QwixxRAT is designed to silently infiltrate Windows devices, covertly gathering sensitive data. This pilfered information is then dispatched to the attacker’s Telegram bot, granting unauthorised access to victim data. This malicious tool meticulously extracts web browser data, credit card info, screenshots, keystrokes, and more from apps like Steam and Telegram.

???? Pricing and Features

Available for 150 rubles weekly or 500 rubles for a lifetime, QwixxRAT boasts a free version too. Crafted in C#, it’s armed with anti-analysis mechanisms like delayed execution and evasion from sandbox environments. It can monitor processes and halt its actions if detection occurs.

???? Advanced Functions

Notably, QwixxRAT features a clipper that surreptitiously accesses clipboard data for illicit crypto wallet transfers. A Telegram bot facilitates command-and-control, enabling additional actions like audio recordings, webcam capture, and remote host control.

???? In a Larger Context

This revelation follows recent disclosures of other RAT strains like RevolutionRAT and Venom Control RAT on Telegram. A related campaign leverages compromised sites to deceive victims into installing malicious software, showcasing the persistence of these cyber threats.

????️ Staying Protected

Remember, staying vigilant is crucial. Avoid suspicious links, keep software updated, and use strong security practices to protect against evolving threats.

In the ever-evolving landscape of cybersecurity, knowledge is your best defence! ????️????????

????️ Extra, Extra! Read all about it! ????️

Each fortnite, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

???? Daily Dough: Bite-sized investing ideas, wisdom, news, and trends you need to grow your dough!

???? ProductivityGlide: A bite-sized email for your most productive day yet!

???? AI Marketing School: The latest AI Marketing tools, techniques, and news delivered biweekly.

Let us know what you think!

The beat goes Xurum, dadadumdedum ????

��️ E-commerce Alert: Xurum Targets Magento 2 Sites ????️

Attention online shoppers and e-commerce owners! ???? A persistent threat named Xurum is attacking websites running Adobe’s Magento 2 software since January 2023, posing a significant risk to digital stores.

???? Critical Flaw Exploitation

Xurum exploits a now-patched vulnerability (CVE-2022-24086) in Adobe Commerce and Magento Open Source. Successful exploitation of this flaw, with a high CVSS score of 9.8, can lead to arbitrary code execution ????.

???? Payment Data at Risk

This campaign, linked to Russian actors, is particularly interested in payment stats from orders placed within the past 10 days. The attackers aim to access this sensitive data from victim Magento stores.

????️‍♂️ Intricate Tactics

The attack chain is intricate. After leveraging the vulnerability, the threat actors execute malicious PHP code to gather information and deploy a web shell named wso-ng, posing as a Google Shopping Ads component. This shell springs to action upon receiving the “magemojo000” cookie.

???? Evolved Web Shell

The malicious wso-ng web shell has evolved, featuring a hidden login page to steal victim credentials. It even integrates with legitimate tools like VirusTotal and SecurityTrails, amplifying its potency.

???? Stay Protected

E-commerce sites, particularly Magento 2 users, must stay cautious. Update software, enhance security measures, and remain vigilant against evolving threats. Attackers are demonstrating advanced techniques, targeting specific instances with precision.

???? Growing Concern

Remember, cyber threats are advancing. Attackers are increasingly focusing on lesser-known sites, such as WordPress, for hosting phishing pages. Neglected websites can become unwitting tools for malicious activities.

As the digital landscape evolves, fortify your defences and ensure secure online shopping experiences! ????????????️

So long and thanks for reading all the phish!

Recent articles