Sep 14 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that does cybercrime dirty
Apple Mac users beware: MetaStealer's coming to a screen near you
Agent Tesla, OriginBotnet, and RedLine Clipper unleashed via MS Word doc
Shameless scammers target Save the Children with ransomware attack
Attention Mac users! There's a new information-stealing malware in town, and it's called MetaStealer. This sneaky malware is the latest addition to the growing list of threats targeting Apple's macOS, joining the ranks of MacStealer, Pureland, Atomic Stealer, and Realst.
According to security researcher Phil Stokes from SentinelOne, MetaStealer is targeting macOS-based businesses by posing as fake clients.
These cybercriminals trick victims into downloading malicious payloads disguised as rogue application bundles in DMG format. Victims are lured in by threat actors pretending to be prospective design clients who share a password-protected ZIP archive containing the malware; the password keeps the archive contents out of reach of mail-gateway scanning.
MetaStealer's main goal is to steal valuable data, including iCloud Keychain information, saved passwords, and files from compromised Macs. It's worth noting that all observed samples so far are designed for Intel-based macOS machines.
The malware first appeared in March 2023, with the most recent sample uploaded to VirusTotal on August 27, 2023.
What makes MetaStealer stand out is its focus on business users, a departure from the usual tactics of macOS malware. This emphasises the growing trend of cybercriminals targeting Mac users for their valuable data.
MetaStealer has also been spotted impersonating popular services like TradingView, indicating that the threat actors behind it are constantly evolving their tactics.
Stay vigilant and ensure your Mac's security is up to date to protect yourself from this new threat!
A new phishing campaign is targeting Windows users, delivering a triple threat of malware: Agent Tesla, OriginBotnet, and RedLine Clipper. Here's what you need to know:
The attack starts with a phishing email containing a Microsoft Word document. The document includes a blurry image and a fake reCAPTCHA to lure victims into clicking.
Clicking on the image triggers a loader from a remote server, which then deploys the malware:
OriginBotnet is used for keylogging and password recovery.
RedLine Clipper steals cryptocurrencies by altering wallet addresses.
Agent Tesla is a remote access trojan (RAT) that steals sensitive data like login credentials and keystrokes.
The loader uses evasion tricks such as appending null bytes to inflate its file size to 400 MB, because many security scanners skip files above a size limit.
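The size-inflation trick is cheap for the attacker but also cheap to spot: a genuine executable is full of scattered zero bytes, but almost never ends in a single multi-megabyte run of them. The script below is an added example written for this newsletter, not code from the original page or from any vendor analysis of the campaign. It streams a file in chunks, measures the trailing run of 0x00 bytes, and flags files above a size floor whose trailing run dominates the file. The 1 MiB floor, the 90% trailing-null threshold, and the sample byte strings are assumptions constructed for illustration.

```python
"""Flag files inflated with trailing null bytes (size-based scanner evasion).

Added example, not code from the newsletter or from any vendor report. The
1 MiB minimum size and the 90 % trailing-null threshold are assumed values
for illustration; tune them to the file types you actually scan.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator


@dataclass
class PaddingReport:
    size: int             # total bytes examined
    trailing_nulls: int   # length of the run of 0x00 bytes at the very end
    null_ratio: float     # share of all bytes that are 0x00


def trailing_null_run(data: bytes) -> int:
    """Number of consecutive 0x00 bytes at the end of `data`."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyse_stream(chunks: Iterable[bytes]) -> PaddingReport:
    """Compute a PaddingReport without holding the whole file in memory.

    A run of nulls may span chunk boundaries: if a chunk is entirely 0x00 the
    current run is extended, otherwise the run restarts from that chunk's tail.
    """
    size = 0
    nulls = 0
    trailing = 0
    for chunk in chunks:
        if not chunk:
            continue
        zero_count = chunk.count(0)
        size += len(chunk)
        nulls += zero_count
        if zero_count == len(chunk):
            trailing += len(chunk)
        else:
            trailing = trailing_null_run(chunk)
    ratio = nulls / size if size else 0.0
    return PaddingReport(size, trailing, ratio)


def _file_chunks(path: str, chunk_size: int = 1 << 20) -> Iterator[bytes]:
    """Yield a file's contents in fixed-size chunks."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return
            yield chunk


def analyse_file(path: str) -> PaddingReport:
    """Stream a file from disk and report its null-byte padding."""
    return analyse_stream(_file_chunks(path))


def is_suspiciously_padded(report: PaddingReport,
                           min_size: int = 1 << 20,
                           min_trailing_share: float = 0.9) -> bool:
    """True when a file above `min_size` is mostly one trailing block of nulls.

    Legitimate binaries contain plenty of zero bytes (alignment, relocations),
    so the overall null ratio alone is a poor signal; a single trailing run
    that dominates the file is the pattern padding produces.
    """
    if report.size < min_size:
        return False
    return report.trailing_nulls / report.size >= min_trailing_share


# --- Constructed samples (not real malware) for a stand-alone run -----------
def padded_sample() -> bytes:
    """4 KiB of varied bytes followed by 2 MiB of 0x00, mimicking an inflated loader."""
    return bytes(range(256)) * 16 + b"\x00" * (2 << 20)


def clean_sample() -> bytes:
    """The same 4 KiB of varied bytes with no padding."""
    return bytes(range(256)) * 16


if __name__ == "__main__":
    for name, data in (("padded", padded_sample()), ("clean", clean_sample())):
        report = analyse_stream([data])
        print(f"{name}: size={report.size} trailing_nulls={report.trailing_nulls} "
              f"null_ratio={report.null_ratio:.3f} "
              f"flagged={is_suspiciously_padded(report)}")
```

Run it as-is to see the constructed padded sample flagged and the clean one pass; point `analyse_file()` at a quarantined download to check a real file. The check looks only at the trailing run rather than the overall null ratio so that ordinary executables, which legitimately contain many zero bytes spread through their sections, are not flagged.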
Once activated, the loader establishes persistence on the host and deploys the final payloads. RedLine Clipper monitors the clipboard for cryptocurrency transactions, while Agent Tesla steals sensitive information and sends it to a command-and-control server.
Additionally, a new malware called OriginBotnet is delivered, which can collect data, communicate with a server, and download plugins for keylogging and password recovery.
It's possible that OriginBotnet is related to a previously identified threat called OriginLogger.
This complex attack chain demonstrates the evolving tactics of cybercriminals. Stay vigilant, and be cautious when opening email attachments. Ensure your antivirus and security software are up to date to protect your system from these threats.
The cybercrime group BianLian claims to have breached the IT systems of a major nonprofit organisation, likely Save The Children International. This NGO, with a history dating back to 1919, operates in 116 countries and focuses on helping children worldwide.
The attackers boast of stealing a whopping 6.8TB of data, including financial records, personal data, international HR files, email messages, and even medical and health data. They describe their victim as "the world's leading nonprofit" with $2.8 billion in revenues.
BianLian is known for double-extortion ransomware attacks but recently shifted to pure extortion, stealing data and threatening to leak it without encrypting anything. They have targeted healthcare and critical infrastructure sectors and are known for writing their tooling in the Go programming language to evade endpoint protection tools.
To protect against such attacks, experts recommend "strictly limiting the use of remote desktop services." The nonprofit confirmed the breach but assured that its operations continue as usual. They are working with specialists to assess the impact and take necessary steps.
Let's hope this incident serves as a reminder to bolster cybersecurity measures, especially for organisations working to make the world a better place. Stay safe online!
So long and thanks for reading all the phish!