How the criminals launder crypto.

Jun 16 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got that Friday feeling 🎉🎉🎉

Welcome to our weekly segment. It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it. This week it’s Microsoft.

In the latest Patch Tuesday updates for June 2023, Microsoft has released fixes for its Windows operating system and other software components to address significant security vulnerabilities.

Out of the total 73 vulnerabilities addressed, six have been classified as Critical, 63 as Important, two as Moderate, and one as Low severity. This also includes three vulnerabilities resolved in the Chromium-based Edge browser, which Microsoft has incorporated into its software.

It is noteworthy that Microsoft has also closed 26 additional vulnerabilities in Edge, all of which were rooted in the Chromium framework. Among these fixes is CVE-2023-3079, a zero-day bug that Google had recently disclosed as actively exploited in the wild.

From a cybersecurity standpoint, the June 2023 updates are notable as they mark the first time in several months that no publicly known zero-day vulnerabilities in Microsoft products are included, nor are there any vulnerabilities under active attack at the time of the release.

The most critical fix in this update is CVE-2023-29357 (CVSS score: 9.8), which addresses a privilege escalation vulnerability in SharePoint Server. This flaw could potentially be leveraged by an attacker to gain administrator privileges.

Now on to today’s hottest cyber security stories:

  • Ransomware hackers use cloud mining to launder crypto ransoms

  • GravityRAT android trojan nicks WhatsApp backups and deletes files

Bit of Friday fun you can watch this 5 minute episode of Scooby do – https://www.youtube.com/watch?v=Qxm6kiHlGGw

Mine your own business!

New findings have revealed that ransomware actors and cryptocurrency scammers are now joining nation-state actors in exploiting cloud mining services to launder digital assets.

According to a report by blockchain analytics firm Chainalysis, cryptocurrency mining plays a vital role in the industry but also attracts malicious actors due to its potential for acquiring money with a clean source on the blockchain.

In March, Google Mandiant disclosed that the North Korea-based APT43 had utilized hash rental and cloud mining services to obscure the forensic trail and launder stolen cryptocurrency.

Cloud mining services enable users to rent computer systems and utilize their computing power (hash power) to mine cryptocurrencies without the need to manage the mining hardware themselves.

Chainalysis highlights that it's not only nation-state hacking groups who are leveraging such services. They provide an example where mining pools and wallets associated with ransomware actors were used to transfer funds to a highly active deposit address at an undisclosed mainstream cryptocurrency exchange.

This activity involved $19.1 million from four ransomware wallet addresses and $14.1 million from three mining pools. A significant portion of these funds were routed through a network of intermediary wallets and pools.

Chainalysis explains that in this scenario, the mining pool functions similarly to a mixer, obscuring the origin of funds and creating the illusion that the funds are derived from legitimate mining activities rather than from ransomware.

The trend of using cloud mining to launder cryptocurrency appears to be growing. The cumulative value of assets transferred from ransomware wallets to exchanges through mining pools has surged from under $10,000 in Q1 2018 to nearly $50 million in Q1 2023.

Todays AI Midjourney render above, crazy how quick it does this

I smell a GravityRAT

Since June 2022, a new version of the Android remote access trojan, GravityRAT, has emerged in a targeted campaign, disguising itself as messaging apps called BingeChat and Chatico.

In a recent report, ESET researcher Lukáš Štefanko stated that the updated GravityRAT can extract WhatsApp backups and execute commands to delete files. These malicious apps also offer legitimate chat functionality based on the OMEMO Instant Messenger app, which is an open-source platform.

Introducing SpaceCobra

GravityRAT, also known as SpaceCobra, is a cross-platform malware capable of infecting Windows, Android, and macOS devices. The activity associated with this malware, which Meta disclosed last month, suggests that the threat actor behind it is likely based in Pakistan. The attacks involving GravityRAT have primarily targeted military personnel in India and the Pakistan Air Force, with the malware being disguised as cloud storage and entertainment apps.

The use of chat apps as a method to distribute the malware was previously identified in November 2021 by Cyble. They analysed a sample named "SoSafe Chat," which was uploaded to the VirusTotal database from India.

Although the chat apps BingeChat and Chatico are not available on Google Play, they are distributed through illicit websites that promote free messaging services, namely bingechat[.]net and chatico[.]co[.]uk.

"This group used fictitious personas — posing as recruiters for both legitimate and fake defence companies and governments, military personnel, journalists, and women looking to make a romantic connection — in an attempt to build trust with the people they targeted," Meta said in its Quarterly Adversarial Threat Report.

Scary stuff. And that’s the story of GravityRAT.

Have a good weekend, folks!

So long and thanks for reading all the phish!

Cyber Dawgs top picks from the week, he's your Dawg, he got you.

MONDAY: Microsoft exposes new attack

TUESDAY: Porn lovers rejoice

WEDNESDAY: Don’t be lured with this

THURSDAY: New malware strain to watch out for

footer graphic cyber security newsletter

Recent articles