Operation Endgame looking for Emotet Mastermind

Jun 04 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that’s cybercrime-a-phobic 🙃🙃🙃

Today’s hottest cybersecurity news stories:

  • 👨‍💻 Emotet’s got authorities running scared #shook 😰

  • 🛑 Flaws in Cox modems could impact millions 🌍

  • 😲 Gulp! RAT-Droppings found in npm package 📦

You better Emotet yourself before you wreck yourself 🔫🔪🩸😈🤵💵⛓️💀


🚨 Operation Endgame Seeks Info on Emotet Mastermind "Odd" 🧠

Law enforcement authorities involved in Operation Endgame are seeking information about an individual known as "Odd," who is allegedly the mastermind behind the infamous Emotet malware.

Who is "Odd"? 🎰

Aliases: Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, Veron

Authorities believe Odd may not be working alone and could be collaborating with others on different malware projects.

Background on Emotet 🌆

Aliases in the Cybersecurity Community: Gold Crestwood, Mealybug, Mummy Spider, TA542

Evolution: Originally a banking trojan, Emotet evolved into a multipurpose tool capable of delivering other malware such as TrickBot, IcedID, and QakBot.

Recent Activity: An updated version of Emotet was found in March 2023 using Microsoft OneNote email attachments to bypass security. No new activity has been seen since April 2023.

Operation Endgame's Efforts 🔚

Recent Actions: The operation has resulted in four arrests and the takedown of over 100 servers linked to malware operations like IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

Target: The aim is to disrupt the Initial Access Broker (IAB) ecosystem that facilitates ransomware attacks.

Germany's Federal Criminal Police Office (BKA)

Revelation: Identified eight cybercriminals involved in SmokeLoader and Trickbot operations, adding them to the E.U. Most Wanted List.

Impact on Cybercrime 👨‍💻

Affected Groups: The crackdown has impacted Russian cybercrime organisations like BlackBasta, REvil, and Conti, which have used these malware services to attack Western companies, including medical institutions.

Community Reaction 🤯

Underground Forums: Cybercriminals on forums like XSS.IS are on high alert. The forum moderator "bratva" advised members to check their virtual private servers (VPSes) for disruptions between May 27 and 29, 2024.

Speculation: Users are speculating about the possibility of an insider ("rat") working with law enforcement, especially in light of leaked Conti ransomware logs.

What to Watch For

Potential Threats: Be aware of compromised accounts and malicious emails that use stolen credentials from RATs and info stealers to gain initial access to networks.


Stay Vigilant: As authorities continue their efforts to dismantle cybercriminal networks, it’s crucial to remain vigilant against potential cyber threats. 🌐🔒

Major Cox up 🙈🙈🙈

🚨 Cox Modem Vulnerabilities Patched to Prevent Unauthorised Access 🛠️

Recently patched authorization bypass issues in Cox modems could have been exploited to gain unauthorised access and execute malicious commands on these devices.

Key Points 🔑

Research Findings: Security researcher Sam Curry discovered vulnerabilities that allowed external attackers to execute commands, modify modem settings, and access personal information of business customers.

Potential Impact: Attackers could gain permissions equivalent to an ISP support team, affecting millions of modems.

Disclosure and Response: The vulnerabilities were responsibly disclosed to Cox on March 4, 2024, and were addressed within 24 hours. There is no evidence of exploitation in the wild.

Behind the Scenes 🎬

ISP Access: ISPs like Cox have extensive access to customer devices for remote management, including changing settings and viewing connected devices.

Internal Infrastructure: ISPs use internal infrastructures, such as Xfinity, that bridge consumer devices to exposed APIs. Vulnerabilities in these systems could compromise millions of devices.

Research Details 🔬

API Endpoints: Curry's analysis found about 700 exposed API endpoints. Some could be exploited to gain administrative access and execute unauthorised commands by replaying HTTP requests.

Example Exploit: The "profilesearch" endpoint could search for a customer’s business account details using their name, retrieve hardware MAC addresses, and modify accounts.

Potential Attack Scenario ⚔️

Hypothetical Attack: An attacker could:

  • Look up a Cox customer and get complete account details.

  • Query the hardware MAC address to retrieve Wi-Fi passwords and connected devices.

  • Execute arbitrary commands to take over accounts.

Underlying Issues 👇

Complex Management: Managing a wide range of customer devices via a REST API is complex. This complexity likely contributed to the security flaws.

Authorization Mechanism: The issues arose from relying on a single internal protocol for access, highlighting the need for better authorization mechanisms.

Curry's Perspective

Insight: Curry was surprised by the level of access ISPs have to customer devices. He noted that better authorization mechanisms could prevent such vulnerabilities.

Past Research

Curry's team previously disclosed vulnerabilities in vehicles and points.com that could unlock, start, and track cars, and access and manage customer rewards points.

Conclusion 🏁

The patching of these vulnerabilities highlights the importance of secure management practices for customer devices by ISPs. It underscores the need for robust authorization mechanisms to prevent unauthorised access and potential misuse.

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Smells like RAT-Droppings 🐀🐀🐀

🚨 New Suspicious Package on npm Drops Remote Access Trojan 🐎

Cybersecurity researchers have discovered a new malicious package uploaded to the npm package registry, designed to deploy a remote access trojan (RAT) on compromised systems. Here's a breakdown of what was found:

Package Details 📦

Name: glup-debugger-log

Target: Users of the gulp toolkit, disguised as a "logger for gulp and gulp plugins."

Downloads: 175 times to date.

Malware Analysis 👾

Discovery: Software supply chain security firm Phylum identified the package.

Obfuscated Files: The package contains two obfuscated files working together to deploy the RAT.

Initial Dropper: Sets the stage for the malware campaign by compromising the target machine if it meets specific criteria, then downloads additional malware components.

Remote Access Mechanism: Provides persistent control over the compromised machine.

Technical Breakdown ⚙️

Manifest File: The library's package.json file contains a test script running a JavaScript file ("index.js") which, in turn, calls an obfuscated JavaScript file ("play.js").

Checks and Persistence: The "play.js" file functions as a dropper that:

  • Performs checks for network interfaces, specific Windows OS types (Windows NT), and the number of files in the Desktop folder (seven or more).

  • Ensures the target is an active developer machine, avoiding deployment on VMs or new installations.

  • If the criteria are met, launches another JavaScript file ("play-safe.js") to set up persistence.

Persistence and Command Execution ⚡

HTTP Server Setup: "play-safe.js" establishes an HTTP server listening on port 3004 for incoming commands.

Command Execution: Executes commands and sends the output back to the client as plaintext.

Phylum's Insights 💡

Nature of the RAT: Described as both crude and sophisticated due to its minimal functionality, self-contained nature, and heavy reliance on obfuscation.

Evolving Threats: Highlights the growing complexity and cleverness of malware in open-source ecosystems, with attackers developing compact, efficient, and stealthy malware designed to evade detection while maintaining powerful capabilities.

This discovery underscores the importance of vigilant monitoring and security practices in the software supply chain to protect against evolving threats.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
