Sep 13 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that thinks cybercrime is Kim Jong Unacceptable 🙈 He’s meeting with Putin! He’s meeting with Putin! 💀💀💀
Today’s hottest cybersecurity news stories:
👨💻 Facecrook: Vietnamese hackers unleash python-based stealer via FB 🐍
✈️ Introducing HijackLoader, the modular loader that everybody’s talking about 🗣️
🐈 This kitty’s got claws. Charming Kitten is back using ‘Sponsor’ backdoor 🚪
🚨 New Threat Alert:
A dangerous phishing attack is making waves on Facebook Messenger, using a swarm of fake and hijacked personal accounts to target your business accounts! 😱
🧐 The Details:
Researchers at Guardio Labs have uncovered this threat, originating from a Vietnam-based group known as MrTonyScam. Their tactic: tiny compressed file attachments that kick off a multi-stage, heavily obfuscated infection chain.
📂 Victims receive enticing messages with RAR and ZIP archive attachments.
Opening one runs a dropper that fetches the next stage from GitHub or GitLab. That payload hides an obfuscated Python-based stealer, which lifts login credentials and cookies from web browsers.
🍪 Here's the kicker:
The attackers delete stolen cookies, locking victims out of their own accounts. Then, they change passwords and seize control!
🌏 Global Impact:
While most attacks have hit the U.S., Australia, Canada, and more, no one is immune. Guardio Labs estimates 1 in 250 victims were infected in the last month.
💡 Why Facebook?
Cybercriminals can monetize compromised Facebook accounts easily. They use them to spread scams and ads to a broad audience.
🤝 Collaborative Threats:
This isn't the only recent Facebook threat. Experts note overlaps and connections among these threat actors, suggesting a coordinated effort or service-oriented cybercriminal ecosystem centred around social media platforms.
📢 Stay vigilant!
Educate yourself and your team to avoid falling prey to MrTonyScam and similar threats. Protect your business accounts, and report any suspicious activity.
🦠 The Threat:
A dangerous malware loader called HijackLoader is making waves in the cybercriminal world, delivering payloads like DanaBot, SystemBC, and RedLine Stealer.
🤖 What Makes It Dangerous:
Despite its lack of advanced features, HijackLoader's modular architecture allows it to use various modules for code injection and execution. This flexibility sets it apart from most loaders.
🕵️ Under the Radar:
The loader uses direct syscalls to sidestep security monitoring, watches for and blocks security-related processes, and delays its code execution by up to 40 seconds to outlast sandbox analysis.
For persistence, HijackLoader drops a shortcut file in the Windows Startup folder, so it runs again every time the compromised host logs in.
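A defender-side check for the Startup-folder persistence described above, added here as an example and not taken from the newsletter or from any HijackLoader analysis: it lists every shortcut in the per-user and all-users Startup folders, resolves each target, and flags targets that sit outside the usual program directories or no longer exist. The list of "trusted" directories is an assumption to tune per environment.

```powershell
# Added example: audit Startup-folder shortcuts (.lnk) and surface unexpected targets.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumption: legitimate auto-start targets normally live under these roots.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell

$results = foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $file   = $_
        $lnk    = $shell.CreateShortcut($file.FullName)
        $target = $lnk.TargetPath

        # Does the resolved target live under one of the trusted roots?
        $inTrusted = [bool]($trustedRoots | Where-Object { $target -like "$_*" })
        # A target that no longer exists is also unusual for a legitimate shortcut.
        $targetExists = [bool]$target -and (Test-Path -LiteralPath $target)

        [pscustomobject]@{
            Shortcut   = $file.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            Created    = $file.CreationTime
            Suspicious = (-not $inTrusted) -or (-not $targetExists)
        }
    }
}

# Suspicious entries first; review target path, arguments and creation time.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session to read the all-users folder; a flagged entry is a lead to investigate, not a verdict.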
👎 Quality Concerns:
While it's a modular loader with evasion techniques, experts note the code quality is poor.
🌐 Evolving Threat Landscape:
In addition to HijackLoader, there's a rising trend of information-stealing malware such as RisePro, which promises its operators more control over the stolen data. A new Node.js-based stealer, distributed via fake Facebook ads, is also targeting Chromium-based browsers.
These developments show how quickly the cybercrime landscape evolves, with stealers now a common initial access vector for threat actors. That makes robust defences all the more important.
🛡️ Stay Protected:
Keep your systems updated, use reputable security software, and educate your team to recognize and avoid suspicious content. Be vigilant in this constantly changing threat environment!
🔍 The Threat:
The Iranian cyber threat group Charming Kitten is back in action, targeting entities in Brazil, Israel, and the U.A.E. Their weapon of choice? A previously unknown backdoor called "Sponsor."
🦠 Code Name:
This campaign is being tracked by a Slovak cybersecurity firm under the name "Ballistic Bobcat." Its targets are primarily education, government, and healthcare organisations, as well as human rights activists and journalists.
🎯 Victims Detected:
So far, at least 34 victims have been identified, with the attacks dating back to September 2021.
💼 How It Works:
Sponsor reads its settings from innocuous-looking configuration files dropped separately on the host, so the backdoor itself appears harmless and evades detection. The attackers gain initial access by exploiting known vulnerabilities in Microsoft Exchange servers.
🌐 Global Reach:
This campaign is not limited by borders. It has affected organisations in multiple countries, echoing previous advisories by Australia, the U.K., and the U.S. in November 2021.
🛡️ Stay Safe:
Cybersecurity is crucial. Keep your systems updated, patch known vulnerabilities, and educate your team to recognize potential threats.
Charming Kitten's tactics may evolve, but with vigilance, you can protect your organisation!
So long and thanks for reading all the phish!