Legitimate Windows Tool Abused for Crypto-Mining Malware 🚫💻

Sep 12 2023



Welcome to Gone Phishing, your daily cybersecurity newsletter that knows it's only a matter of minutes before the first #iPhone15 gets hacked 😞

Today’s hottest cybersecurity news stories:

  • 👨‍💻 Legitimate Advanced Installer weaponized in crypto-mining attacks ⛏️

  • ✉️ Fake Telegram apps on Google Play infect MILLIONS via hidden spyware 🕵️

  • 👨‍⚖️ U.K. and U.S. penalise 11 Russia-based TrickBot cybercrime gangsters 👤

Hackers: With my mine on my money, and my money on my mine 💰💸🔪

📢 Legitimate Windows Tool Abused for Crypto-Mining Malware 🚫💻

Hey there, cyber warriors! 🔐💂‍♂️

👾 Threat actors have been misusing a legit Windows tool, Advanced Installer, since November 2021, to unleash cryptocurrency-mining malware on unsuspecting PCs! 😱

According to Cisco Talos researcher Chetan Raghuprasad, attackers sneakily bundle malicious scripts with popular software like Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro.

They use Advanced Installer's Custom Actions feature so that the trojanised installers run these nasty scripts as part of the install. 🤖💣

🎯 Victims of this scheme are mainly in the architecture, engineering, construction, manufacturing, and entertainment sectors. Most of the installers are in French, targeting French-speaking users. 🇫🇷

🖥️ These industries rely on high GPU power, making them prime targets for cryptojacking. 💰💻

🌐 The attacks have hit France and Switzerland hardest, with sporadic infections in the U.S., Canada, and more. 🌍🔒

The malware deployed includes an M3_Mini_Rat backdoor and crypto-mining nasties like PhoenixMiner and lolMiner. The initial access may involve sneaky SEO poisoning techniques. 😈🔍

🔗 The M3_Mini_Rat is a PowerShell script with remote admin capabilities, while PhoenixMiner mines Ethereum, and lolMiner tackles two virtual currencies at once! 💎💸

In a related twist, hackers are now using Google Looker Studio for phishing attacks to trick you into fake crypto sites. Beware! 📧🕵️‍♂️

Stay vigilant, update your security, and keep your crypto safe! 💪🔒

I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

It's run by Yourfriendandy and Decadeinvestor; you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group, you can do so through the link below.

The Spyware that #! @*&%ed me 💀💀💀

🔍 Beware! Spyware Disguised as Telegram Hits Google Play Store 📱🚫

Heads up, smartphone users! 📢 A sneaky spyware campaign impersonating Telegram has been lurking in the Google Play Store, aiming to snatch your data. 😱

🕵️‍♂️ Kaspersky's Igor Golovin discovered these rogue apps, dubbed "Evil Telegram" by experts, designed to swipe names, user IDs, contacts, phone numbers, and chat messages, sending them to rogue servers. 🕵️‍♀️📱

Here are the sneaky apps you should watch out for:

  • 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) – 10 million+ downloads

  • TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) – 50,000+ downloads

  • 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) – 50,000+ downloads

  • 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) – 10,000+ downloads

  • ئۇيغۇر تىلى TG – تېلېگرامما (org.telegram.messenger.wcb) – 100+ downloads

Notably, the last one seems to target the Uyghur community. 😡🎯

💡 To trick users, these imposters use package names like "org.telegram.messenger.wab," playing on typos to slip past Google's radar. They look and feel like Telegram but come with a secret module to steal your info. 😈🔒
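The package-name trick described above can be checked for on a device inventory. This is an added example (not the newsletter's or Kaspersky's code) that flags IDs which keep the genuine Telegram package name and append a suffix, or which alter a segment of it; the allowlist and the sample inventory are assumptions constructed for the demo.

```python
# Added example (not the newsletter's or Kaspersky's code): flag Android package
# IDs that impersonate Telegram the way the report describes, by bolting a
# suffix onto the genuine ID or by altering a segment of it.

LEGIT = "org.telegram.messenger"            # official Telegram package ID
ALLOWLIST = {LEGIT}                         # extend with IDs you have verified

def _levenshtein(a: str, b: str) -> int:
    """Classic DP edit distance, used to catch small typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_package(pkg: str) -> str:
    """Return 'legit', 'suffix-squat', 'near-miss' or 'unrelated'."""
    if pkg in ALLOWLIST:
        return "legit"
    # e.g. org.telegram.messenger.wab: real ID kept verbatim, suffix appended
    if pkg.startswith(LEGIT + "."):
        return "suffix-squat"
    # Compare only the first three segments so a trailing '.wob' does not hide
    # a base such as org.tgcn.messenger that still mimics the real structure.
    base = pkg.split(".")[:3]
    same = sum(x == y for x, y in zip(base, LEGIT.split(".")))
    if same >= 2 or _levenshtein(".".join(base), LEGIT) <= 3:
        return "near-miss"
    return "unrelated"

def flag_suspicious(installed: list[str]) -> dict[str, str]:
    """Map every package that is neither allowlisted nor unrelated to its verdict."""
    verdicts = {p: classify_package(p) for p in installed}
    return {p: v for p, v in verdicts.items() if v not in ("legit", "unrelated")}

if __name__ == "__main__":
    # Constructed inventory: the IDs quoted in the report plus two unrelated apps.
    INVENTORY = ["org.telegram.messenger", "org.telegram.messenger.wab",
                 "org.telegram.messenger.wob", "org.tgcn.messenger.wob",
                 "org.telegram.messenger.wcb", "com.android.chrome",
                 "com.whatsapp"]
    for pkg, verdict in flag_suspicious(INVENTORY).items():
        print(f"{verdict:13} {pkg}")
```

Anything flagged still needs a manual check against the store listing, since vendors do publish legitimate variants under related IDs; add those to the allowlist once verified.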

This isn't the first time copycat apps have caused trouble. Recently, a BadBazaar malware campaign used a fake Telegram to grab chat backups.

Back in March, fake Telegram and WhatsApp apps intercepted cryptocurrency transfers.

Be cautious out there! 🚨💳

Stay safe, double-check app names, and report anything suspicious. Your data is precious! 🤳🔐

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ✈️ ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

  • 🌐 Leadership in Tech: A weekly newsletter for CTOs, engineering managers and senior engineers to become better leaders.

  • 🧠 Big Brain: Trending AI news, jobs and tools delivered in 3 minutes per day.

Let us know what you think!

TrickBot or treat? 🎃

🚫 US & UK Sanction 11 Alleged TrickBot Cybercriminals 🕵️‍♂️🔒

The U.S. and U.K. governments have slapped sanctions on 11 individuals believed to be part of the notorious Russian TrickBot cybercrime gang. 💻

🛡️ TrickBot has long been a haven for cybercriminals, with ties to Russian intelligence services and a history of targeting U.S. government and companies, including hospitals. 😷🏥

Here are the key players hit by the sanctions:

  • Andrey Zhuykov (senior admin)

  • Maksim Sergeevich Galochkin (software dev)

  • Maksim Rudenskiy (lead coder)

  • Mikhail Tsarev (HR and finance)

  • Dmitry Putilin (infrastructure)

  • Maksim Khaliullin (HR manager)

  • Sergey Loguntsov (developer)

  • Vadym Valiakhmetov (developer)

  • Artem Kurov (developer)

  • Mikhail Chernov (utilities)

  • Alexander Mozhaev (admin)

  • Keyser Söze 😂😂😂

The sanctions aim to expose these individuals and disrupt their criminal activities, which pose a threat to U.K. security. 🚨

This marks the second time in seven months that both governments have targeted TrickBot and similar cybercrime syndicates. Additionally, indictments have been unsealed against nine defendants related to TrickBot and Conti ransomware schemes. 🕵️‍♀️💼

TrickBot, a banking trojan turned malware suite, evolved into a professional organisation with ties to Conti ransomware.

Despite efforts to dismantle them, cybercriminals adapt and persist. Stay vigilant! 🔍💪

So long and thanks for reading all the phish!
