Carbanak’s back: Ransomware returns w/ new tactics

Dec 27 2023

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s worried about Netanyahu whilst the hackers worry about netting Yahoo (accounts). Kidding… we’re worried about both.

Today’s hottest cybersecurity news stories:

  • Carbanak’s back: Ransomware returns w/ new tactics ♟️

  • Android users beware! ‘Android/Xamalicious’ is lurking

  • Cloud Atlas' phishing attacks target Russian enterprises

Carbanak’s back with hack attack

Carbanak Banking Malware Adapts in Ransomware Attacks!

Cybersecurity firm NCC Group reports a resurgence of the notorious Carbanak banking malware, now deployed in ransomware attacks with updated tactics. The malware has evolved, incorporating new distribution chains and leveraging compromised websites to impersonate business-related software like HubSpot, Veeam, and Xero.

Known since 2014, Carbanak, initially a banking malware, gained infamy with the FIN7 cybercrime syndicate for its data exfiltration and remote control capabilities. In the latest attack chain, malicious installer files on compromised websites pose as legitimate utilities, triggering Carbanak deployment.

November witnessed a surge in ransomware attacks, with 442 reported incidents, up from 341 in October. This year's total surpasses 4,000, a significant increase from 2021 and 2022 combined.

Industrials (33%), consumer cyclicals (18%), and healthcare (11%) were the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) experiencing the majority of attacks.

LockBit, BlackCat, and Play contributed to 47% of attacks, with BlackCat recently dismantled by authorities. NCC Group's Matt Hull expects to keep monitoring whether ransomware levels continue to climb next year.

Corvus, a cyber insurance firm, corroborates the spike in November, identifying 484 new ransomware victims posted to leak sites. The ransomware landscape shifts away from QBot, with attackers adopting software exploits and alternative malware families.

As cybersecurity challenges persist, stay vigilant and prioritise security measures. The evolving threat landscape demands constant awareness!

SupercalifragilisticXamalicious

Android Alert: Xamalicious Malware Strikes!

Researchers have identified a dangerous Android backdoor named Android/Xamalicious, employing Xamarin—an open-source framework using .NET and C# for Android and iOS app development.

This malware employs deceptive tactics to gain accessibility privileges, attempting to perform fraudulent actions like ad clicking and app installations without user consent.

Evolved Tactics: Carrying a second-stage payload dynamically injected at runtime, Xamalicious communicates with a command-and-control server, potentially taking full control of the device.

Widespread Infections: Approximately 25 malicious apps, including health, games, horoscope, and productivity categories, were discovered. Google Play removed the identified apps proactively.

Unique Code Implementation: Written in .NET, Xamalicious hides its malicious code by using DLLs and employs obfuscation techniques and custom encryption, making it challenging to detect.

Security Measures: Xamalicious encrypts communication using JSON Web Encryption (JWE) tokens with RSA-OAEP. Despite efforts to remain undetected, McAfee detected this active threat.

Avoidance Tips: Users are urged to be cautious of apps requesting unnecessary accessibility services. If an app prompts such requests without a valid reason, it could be a red flag.

Global Impact: Affected users, primarily in the Americas, reported infections in the USA, Brazil, and Argentina, with European countries such as the UK, Spain, and Germany also affected.

Stay Protected: This threat was detected as Android/Xamalicious. Installing security software and keeping devices updated is crucial for a safer mobile experience.

Link to Ad-Fraud: Xamalicious showed a link to the ad-fraud app "Cash Magnet," indicating a financial motivation behind these threats.

Conclusion: Users are advised to remain vigilant, install security software, and stay updated to counter evolving malware threats.

Security is paramount for a secure mobile experience!

Atlas, don’t let it Cloud your judgement…

Cyber Espionage Alert: Cloud Atlas Strikes Russian Enterprises!

The notorious threat actor, Cloud Atlas, is back with spear-phishing attacks targeting Russian enterprises, hitting an agro-industrial company and a state-owned research firm, as reported by cybersecurity company F.A.C.C.T.

Known Tactics: Operating since 2014, Cloud Atlas, aka Clean Ursa, Inception, Oxygen, and Red October, specialises in cyber espionage, often targeting Russia and neighbouring countries like Belarus, Azerbaijan, Turkey, and Slovenia.

Attack Sequence: The attack, similar to the one detailed by Check Point and Positive Technologies in December 2022, leverages a phishing message using CVE-2017-11882, an old memory corruption flaw in Microsoft Office. The multi-stage attack deploys a PowerShell-based backdoor named PowerShower and DLL payloads communicating with an actor-controlled server.

Phishing Techniques: Cloud Atlas's massive spear-phishing campaigns rely on effective methods, using lure documents exploiting known vulnerabilities to compromise targets. The recent attacks imitate popular Russian email services like Yandex Mail and VK's Mail.ru.

Stealth Tactics: Known for sophisticated tactics, Cloud Atlas maintains consistency in its toolkit, avoiding open-source implants and utilising legitimate cloud storage and well-documented software features to evade detection.

Advanced Persistent Threat: This development follows reports of at least 20 Russian organisations compromised by "Hellhounds," an advanced persistent threat actor employing Decoy Dog, a modified version of Pupy RAT, to gain remote control and transmit telemetry data.

Persistent Adversary: Cloud Atlas demonstrates a high level of sophistication, emphasising the need for robust cybersecurity measures. Stay vigilant, keep software updated, and employ security solutions to protect against evolving cyber threats!

So long and thanks for reading all the phish!
