SEKOIA Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/sekoia/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 04 Jul 2023 14:52:17 +0000

Russian Hacker Project DDoSIA Grew by Multiple Times
https://gridinsoft.com/blogs/russian-hacker-project-ddosia/
Tue, 04 Jul 2023 14:21:11 +0000

Analysts at Sekoia reported that the Russian DDoSia hacker project grew by 2400% in less than a year. The project pays volunteers to participate in attacks on Western organizations. More than 10,000 people are currently involved in the attacks.

DDoS-for-hire services have become particularly popular in recent years. We recently published a review of the most popular ones. And if you are interested in records of this kind, Cloudflare Recorded the Most Powerful DDoS Attack in the History of Observations.

What is the DDoSIA project?

The DDoSIA project first appeared in fall 2022, when Radware announced that it had been launched in August 2022 by the group NoName057(16). The group itself, however, only appeared in March 2023, as a pro-Russian hacker group. They created a DDoSia project on Telegram, where the operators posted a link to GitHub with instructions for potential “volunteers”.

These “volunteers” were invited to register via Telegram to receive a ZIP archive with the malware (dosia.exe). The archive contains a unique ID for each user. The most interesting feature of the project was that participants could link their ID to a cryptocurrency wallet and receive money for participating in DDoS attacks, with the payment proportional to the capacity contributed by the particular participant.

As Sekoia experts now report, the DDoSia platform has grown significantly over the past year and now has about 10,000 active participants who contribute to DDoS attacks. At the same time, more than 45,000 people have already subscribed to the group’s main Telegram channels (seven in total). In addition to its growing audience, the platform has improved its toolkit and now provides binaries for all major operating systems.

How does it work?

Registration of new users is fully automated through a Telegram bot, which supports only the Russian language. New participants start by providing a TON (Telegram Open Network) wallet address to receive cryptocurrency, and in response the bot generates a unique client ID and provides a help text file.

Next, new participants receive a ZIP-archive containing a tool for attacks. As of April 19, 2023, the archive included the following files:

  1. d_linux_amd64 — ELF 64-bit LSB executable, x86-64;
  2. d_linux_arm — ELF 32-bit LSB executable, ARM;
  3. d_mac_amd64 — Mach-O 64-bit x86-64 executable;
  4. d_mac_arm64 — Mach-O 64-bit arm64 executable;
  5. d_windows_amd64.exe — PE32+ (console) x86-64 executable for Microsoft Windows;
  6. d_windows_arm64.exe — PE32+ (console) Aarch64 executable for Microsoft Windows.

To run these payloads, the text file with the client ID must be placed in the same folder as the payloads themselves, which hinders unauthorized execution of the files by security researchers and other «outsiders».

Figure: Internal mechanism of the DDoSIA project

After that, the DDoSia client opens a command-line prompt, where participants receive a list of targets in encrypted form and can pick a specific target to attack. Experts studied the 64-bit Windows executable and found that it is a binary written in Go that uses AES-GCM encryption to communicate with the control server. The C&C server transmits the DDoSia target ID, host IP address, request type, port and other attack parameters to the client in encrypted form, and all of this is then decrypted locally.

Figure: DDoSIA attack code

DDoSIA Massively Attacks Lithuania, Ukraine and Poland

Sekoia researchers collected data on DDoSia targets for the period from May 8 to June 26, 2023, as communicated by the server controlling the attacks. The main targets of the group and its «volunteers» were organizations in Lithuania, Ukraine and Poland, which together accounted for 39% of the project’s total activity.

Figure: Chart of countries attacked by DDoSIA

Analysts noted that DDoSia attacked a total of 486 different sites. In May and June, the crooks focused on attacking educational platforms, possibly to disrupt end-of-school exams. In summary, the DDoSia project has already reached a size sufficient to create serious problems for its targets. Who knows what will happen when it grows even more?

Cybersecurity Experts Discovered a New Stealc Infostealer
https://gridinsoft.com/blogs/new-infostealer-stealc/
Wed, 22 Feb 2023 09:22:49 +0000


Sekoia experts report that a new infostealer, Stealc, has appeared on the darknet and is gaining popularity among criminals due to aggressive advertising and its similarities to malware such as Vidar, Raccoon, Mars, and Redline.

Let me remind you that we also wrote that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and that NetSupport and Raccoon Stealer malware spread masked as Cloudflare warnings.

Information security specialists also reported that the Raccoon malware steals data from 60 different applications.

Analysts first noticed advertisements for the new malware back in January, and in February it began to gain popularity actively.

On hacker forums and Telegram channels, Stealc is advertised by someone using the nickname Plymouth, who describes the malware as a “non-resident stealer with flexible settings and a convenient admin panel.”

Figure: Stealc advertisement

In addition to the data such malware usually targets from browsers, extensions and cryptocurrency wallets (Stealc targets 22 browsers, 75 plugins and 25 desktop wallets), it can also be configured to capture specific types of files that the malware operator wants to steal.

Figure: Configuration instructions for browser attacks

The advertisement notes that when developing Stealc, its authors relied on solutions already existing “on the market”, including Vidar, Raccoon, Mars and Redline.

Sekoia analysts observed that Stealc, Vidar, Raccoon, and Mars have in common that they all load legitimate third-party DLLs (e.g. sqlite3.dll, nss3.dll) to steal sensitive data. The researchers also note that the way one of the new stealer’s samples they analyzed communicates with its control server resembles Vidar and Raccoon.

In total, the researchers identified more than 40 Stealc C&C servers and several dozen malware samples. According to them, this indicates that the new malware has aroused considerable interest among the cybercriminal community.

Figure: Malware development

One Stealc distribution method that researchers have already discovered is YouTube videos describing how to install cracked software, with links to download sites. The stealer is embedded in such programs; it starts working and contacts the control server once the installer is launched.

Figure: Site distributing the stealer

According to the experts, customers with access to the Stealc administration panel can generate new stealer samples, which increases the chances of the malware leaking and becoming available to a wider audience in the future.

Chinese Hackers Injected a Backdoor into the MiMi Messenger
https://gridinsoft.com/blogs/backdoor-in-mimi-messenger/
Tue, 16 Aug 2022 10:12:17 +0000

SEKOIA and Trend Micro specialists have published reports on the activity of the Chinese hacker group APT27 (aka Emissary Panda, Iron Tiger, and LuckyMouse), stating that the hackers introduced a backdoor into the MiMi messenger.

The attackers have created a cross-platform malicious version of the Chinese messenger MiMi (秘密, “secret” in Chinese), and use it to attack Windows, Linux, and macOS users.

Let me remind you that we also wrote that Chinese Hackers Use Ransomware As a Cover for Espionage, and also that Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities.

SEKOIA researchers write that MiMi for macOS version 2.3.0 was compromised almost four months ago, on May 26, 2022. The compromise was discovered while analyzing the infrastructure of the HyperBro remote access trojan linked to APT27: the malware communicated with the application, which the experts found suspicious.

Trend Micro analysts also noticed this campaign (independently of their colleagues) and now report that they have identified older trojanized versions of MiMi targeting Linux (the rshell backdoor) and Windows (the HyperBro RAT).

The oldest sample of rshell for Linux is dated June 2021, and the first victim of this campaign became known back in mid-July 2021. In total, at least 13 different organizations in Taiwan and the Philippines were attacked, of which eight were affected by rshell.

Experts say that in the macOS case, the malicious JavaScript code injected into MiMi checks whether the app is running on macOS and then downloads and runs the rshell backdoor. After launch, the malware collects system information, sends it to its operators and waits for further commands.

Hackers can use the malware to list files and folders and read, write, and download files on compromised systems. In addition, the backdoor can steal data and send specific files to its control server.


According to the experts, the link between this campaign and APT27 is clear: the attackers’ infrastructure uses a range of IP addresses already known to security researchers, and similar campaigns have been observed before. For example, a backdoor was introduced into the Able Desktop messenger (Operation StealthyTrident), and the malicious code was packaged with a known tool associated with APT27.

It is worth emphasizing that this cannot be called a supply-chain attack. According to Trend Micro, the hackers control the servers hosting the MiMi installers, and the experts suggest they are dealing with the compromise of a legitimate, not very popular messenger aimed at a Chinese audience.

In turn, SEKOIA analysts say that MiMi looks very suspicious: the site associated with the messenger (www.mmimchat[.]com) contains no detailed description of the application, no terms of use and no links to social networks. An attempt to verify the legitimacy of the developer company, Xiamen Baiquan Information Technology Co. Ltd., also failed. As a result, SEKOIA experts write that the hackers may have developed the messenger themselves, as a tool that was malicious from the outset, intended for tracking specific targets.

“At this stage, SEKOIA cannot assess the goals of this campaign. Since the use of this app in China appears to be minimal, it is likely that it was developed as a targeted surveillance tool. It is also likely that after the stage of social engineering carried out by the [malware] operators, the target users were offered to download this application, ostensibly to bypass the censorship of the Chinese authorities,” the researchers conclude.
