Legitimate Tools, Sinister Exploits: Attackers Ride the Advanced Installer Wave

According to Cisco Talos researcher Chetan Raghuprasad, the attacker leverages Advanced Installer to bundle legitimate installers like Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro with malicious scripts.

At the core of this attack lies the Custom Actions feature within Advanced Installer, enabling the automation of processes during program installation. This tool triggers the PowerShell script M3_Mini_Rat, functioning as a backdoor, granting remote system access.

Following the activation of the backdoor, the victim’s computer is infiltrated by cryptocurrency miners PhoenixMiner and lolMiner. PhoenixMiner specializes in Ethereum mining, widely used in decentralized applications, while lolMiner stands out for its ability to mine two cryptocurrencies concurrently, significantly amplifying the attack’s impact.

Based on the nature of the infected applications, it appears that the victims predominantly operate within sectors such as architecture, engineering, construction, and entertainment. Additionally, these program installers are predominantly in French, suggesting a focus on French-speaking users.

Analysis of DNS queries directed to the hackers’ servers reveals that the footprint of victims primarily spans France and Switzerland, with sporadic infections in the US, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

These attacks likely employed tactics like “SEO poisoning” or manipulating search engine rankings to boost the visibility of their installers in search results.

Another illustration of exploiting legitimate tools is evident in a recent investigation by cybersecurity firm Check Point. Attackers are utilizing Google Looker Studio, a data visualization application, to craft fraudulent websites aimed at pilfering cryptocurrencies. This approach allows them to circumvent traditional defense mechanisms.

In essence, hackers capitalize on Google’s credibility to deceive email security services into believing that their messages are not phishing attempts and are genuinely from Google.

The trojan in use is designed to communicate with a remote server. However, thus far, the server has remained unresponsive, making it challenging to ascertain the precise types of malware it might be distributing.

The post Advanced Installer’s Crypto Twist appeared first on Deeplab.

These seemingly legitimate software installers conceal malicious scripts that, once executed, inject remote access trojans (RATs) and cryptocurrency miners into the systems of unsuspecting technicians.

The attackers deliberately target professionals in fields such as graphic design, animation, and video editing. These individuals often use high-performance computers with robust graphics cards capable of achieving higher hash rates for cryptocurrency mining, making their systems more enticing for crypto-mining operations.

Crypto Malware Strikes Globally: Advanced Installer Abused

According to Cisco Talos experts, this malware campaign has been active since November 2021. While the majority of victims are in France and Switzerland, notable infections have also occurred in the US, Canada, Germany, Algeria, and Singapore.

Analysts have identified two distinct attack methods within this campaign. In both scenarios, attackers exploit the legitimate Windows tool “Advanced Installer” to create Windows installation files bundled with malicious PowerShell and batch scripts.

These two attack methods diverge in terms of script complexity, the intricacy of the infection chain, and the final payloads deployed on compromised devices.

The first method employs a batch script (core.bat) to establish a recurring task that runs a PowerShell script decrypting a backdoor named “M3_Mini_Rat.” This backdoor grants attackers remote access, enabling them to conduct system reconnaissance and introduce additional payloads to the compromised system.

The second method results in the installation of either the PhoenixMiner or lolMiner cryptocurrency miner. PhoenixMiner specializes in Ethash-based cryptocurrencies, while lolMiner supports various protocols.

Both miners deliberately utilize only 75% of the GPU’s capacity and pause mining activities when the graphics card approaches a temperature of 70 degrees Celsius. This cautious approach prevents noticeable drops in system performance, overheating, and increased fan activity that might tip off the victim to the presence of a cryptominer.

To fortify defenses against such attacks, experts recommend exclusively downloading software from official or trusted sources, employing robust antivirus solutions, and regularly updating both the operating system and installed applications. Frequent updates often include patches for vulnerabilities that could be exploited by hackers.

Adhering to these guidelines can substantially reduce the risk of falling prey to such cyber threats.

The post Hackers Exploit Designers for Mining appeared first on Deeplab.

Russian users of the crypto exchange became victims of hackers shortly after Binance introduced restrictions against Russians. On August 27, clients from the Russian Federation began receiving mass phishing emails offering to download a special program. It allegedly helped bypass the restrictions imposed by the P2P trading platform.

“To download the application, the user is directed to a unique link on a file-sharing site, where a zip-archive with styler malware is located,” explained Kargalev.

He added that styler malware poses a massive threat, and incidents involving it can lead to severe consequences for companies. According to the expert, a compromised account can result not only in data leaks but also become the starting point for subsequent, more severe hacker attacks.

Restrictions in P2P Trading for Russians

In late August, Binance altered the terms of P2P trading for Russians, making rubles the only available currency for users with Russian verification. Previously, the exchange had replaced the names of “Sber” and “Tinkoff” cards on the P2P platform with “green” and “yellow.” Later, the alternative names of unsanctioned banks were also removed from the platform.

Changes in P2P trading for Russians followed accusations that the cryptocurrency exchange had helped Russians evade sanctions. The Wall Street Journal reported that despite joining the sanctions in 2022, the exchange continued to process significant volumes of ruble transactions.

Binance is Ready to Leave Russia

Amidst Binance’s extensive issues in Russia, the exchange’s representatives have expressed readiness to exit the region. A company representative informed the Wall Street Journal that all options, including a complete withdrawal, are under consideration.

Analysts foresee that such an outcome would have a substantial impact on the local crypto market. According to the analytical resource CCData, in July, the ruble trading volume on the P2P platform of the crypto exchange reached $8 billion. Many Russians used the exchange for international money transfers. If Binance departs, they will need to seek alternative exchange options.

The post Hackers Target Binance Russia appeared first on Deeplab.

Breached Borders: Attack Exposes BlockFi, FTX, and Genesis Customers

Cryptocurrency lender BlockFi and the formerly insolvent trading platform FTX disclosed a data breach stemming from an attack on a Kroll employee managing the bankruptcy process for both firms.

Kroll officially stated that the attack on August 19, 2023, targeted an employee whose T-Mobile number was commandeered by attackers without authorization. As a result, the attackers obtained files containing personal information of customers from BlockFi, FTX, and Genesis.

The SIM-swapping incident involving the Kroll employee has escalated the vulnerability of BlockFi, FTX, and Genesis customers to potential phishing attempts or similar attacks. Some users have already reported receiving suspicious emails offering assistance in withdrawing digital assets from their FTX accounts.

Despite Kroll’s primary role in cyber risk management, its employees seemed unaware of the associated risks of relying on T-Mobile for wireless communication. This incident underscores the necessity of minimizing dependence on mobile carriers for security measures.

The attack on Kroll serves as a stark reminder of the imperative to decrease reliance on mobile carriers to ensure security. Although many online services mandate a phone number during registration, the ability to remove that number from your profile is a crucial step in safeguarding personal information.

The post Kroll Leak: Crypto Data Risk appeared first on Deeplab.

According to the actor, we are talking about a sum of ₽45 million. At the same time, he demands much more from him. However, Derevyanko is not going to tell the details of his deception yet and promised that he will reveal the story a little later.

“Very soon I will make an official statement, here I will tell the whole country how it was,” he said.

How Derevyanko Was Cheated

According to the Telegram channel Baza, Derevyanko invested in crypto-business and got into ₽45 million. This money is demanded from him by a businessman with whom he carelessly entered into an agreement to make money.

To fix the profit, the Russian actor decided back in late 2021. Then an acquaintance offered him to invest in cryptobusiness and receive every month a large percentage of investment without any risks. The proposal interested Derevyanko, and he immediately invested about ₽1 million, and soon received the entire amount and 10% on top.

Having received a profit from the investment, the actor, with the help of an acquaintance, turned to a successful crypto-businessman to conclude a contract and earn already 84% per annum on the amount of investment. After the first success, Derevyanko appreciated the idea, so he immediately signed the papers and began to wait for the profit. However, in July, the actor received a lawsuit from the businessman demanding to return him ₽45 million.

It is not known where Derevyanko got such debts from, as he initially trusted a more experienced acquaintance. However, he is sure that his buddy and the crypto-businessman simply deceived him and are now trying to cheat him out of his money.

The Use of Cryptocurrency in Pyramid Schemes is Growing

Last year, the Bank of Russia reported that more than 58% of the financial pyramids identified in the first quarter of 2022 were related to cryptocurrencies. According to Valery Lyakh, Director of the Bank of Russia’s Department for Countering Unfair Practices, attackers are actively using the information agenda.

To secure their assets, Lyakh advised Russians to disable VPNs. In his opinion, disabling VPNs is useful because “most financial pyramids advertise themselves via the Internet.”

The post Russian Actor’s ₽45M Crypto Loss appeared first on Deeplab.

Details of the Heist

Stevens’ filed lawsuit paints a vivid picture of the modus operandi. The hacker, who is yet to be identified and goes by the pseudonym “Jane Doe,” employed a blend of publicly available information and data from the darknet. Armed with this data, the hacker managed to navigate past the security barriers set by Stevens’ cell phone provider and proceed to alter account passwords.

Following this, Jane Doe promptly ordered a new mobile device, transferring Stevens’ personal phone number to this new device’s SIM card. Before the actual heist, Stevens received a text message from the perpetrator, tauntingly stating their ability to hack into “any phone number in the mainland U.S.”

The climax of this cybercrime saw the thief successfully transfer a whopping $6.3 million from Stevens’ digital wallets. In a further twist, an audacious attempt to pilfer an additional $14 million in BTC and ETH from Stevens’ cold wallet was thwarted, thanks to the timely intervention of a Blockchain Capital staff member.

Reaction and Aftermath

Stevens’ cellular service provider only verified the SIM swapping incident on May 15, a day after the theft. By this juncture, the hacker had already laundered approximately half of the stolen funds via cryptomixers.

Historical Context

SIM swapping is not a novel threat. In December 2022, Nicholas Truglia of Florida was handed an 18-month prison term for conning cryptocurrency enthusiasts of over $20 million through similar means. In his case, the majority of the illicit gains were converted into Bitcoin and shared among his accomplices.

The magnitude of Stevens’ loss elevates this case, making it the most significant SIM swapping episode to date.

For cryptocurrency stakeholders and investors, this incident underscores the urgent need for heightened security measures and awareness about emerging cyber threats.

The post Top Blockchain Capital Executive Suffers $6.3 Million Loss appeared first on Deeplab.

Oracle was used to control the prices of DAI and wETH, according to cybersecurity firm PeckShield.

Magnate Finance: Base’s New Villain

At the time of writing, the total value of assets locked in the protocol (TVL) had decreased from around $6.51 million to slightly under $14,000.

Onchain investigator ZachXBT made note of the fact that the platform’s website is no longer accessible and the Telegram group has been removed. According to the analyst, there is a direct connection between the address from where the smart contract was deployed and the illegal withdrawal of $4.8 million from Solfire.

Solfire.Finance was found to have scammed consumers out of more than $3 million in January 2022. The platform removed its social media pages and website when the scam was discovered.

Magnate promoted itself as a platform for borrowing and lending money. A dynamic interest rate model and L2 revenue sharing were allegedly the foundations for its tokenization.

Base Network: Rampant Fraud

Numerous decentralized apps were spawned by Base’s L2 network, whose long-awaited release was finally made possible. The Ethereum network would become more scalable and user-friendly, according to Base. However, the network quickly turned into a haven for con artists searching for quick cash.

Encryption AI stands out among the various initiatives that have been launched. It turned into a tragic illustration of a fraud that cost $2 million.

Even before the blockchain was launched, Solidus Labs found more than 500 counterfeit tokens. Additionally, the investigation showed that roughly 300 of them contained undiscovered smart contract characteristics that permitted endless currency issuance. According to the research, an additional 70 smart contracts concealed the alteration in transaction costs.

Another significant fraud on Base that took place in late July is also described in the report. In honor of Coinbase CEO Brian Armstrong’s clean-shaven head, the cryptocurrency was given the moniker BALD.

With just a day to market its token meme, BALD saw tremendous growth on Twitter. Before riding off into the distance with a respectable $5.2 million, Solidus explains how the BALD token artificially inflated price and volume on the decentralized market LeetSwap.

The post Magnate Finance Scam Unveiled appeared first on Deeplab.

Data Heist: Threats to Pizza Hut and Beyond

The data samples posted by the hackers contained order information including names, addresses, phone numbers and encrypted customer bank card details. Verification by experts confirmed the authenticity of the stolen data.

The ShinyHunters hackers are demanding $300,000 for the removal of the stolen information. Previously, the group has already posted publicly available data of companies that refused to pay the ransom. Pizza Hut in Australia has not yet publicly commented on the incident and has not responded to the attackers’ demands.

The company’s official website and social media accounts are also so far devoid of any information about the hack or notification to customers. Questions about the data theft sent to Pizza Hut management by local media have also gone unanswered so far.

The stolen data can be used to steal money from bank cards, phishing attacks and other criminal purposes. The incident jeopardizes the security of one million customers of a pizza chain in Australia.

While colossal in scale, the incident still hasn’t overtaken another major event that occurred in Australia this year. The March attack on Australia’s Latitude Group literally devastated the company, only narrowly avoiding wiping out the entire business, thanks in large part to good management and numerous mitigation measures.

Such incidents demonstrate the vulnerability of large companies to hacker groups and emphasize the importance of ensuring strong protection of internal company data, confidential information about customers, partners and employees.

The theft of millions of people’s personal data is a serious crime that carries significant reputational and financial risks for any business.

The post Pizza Hut: 1M Data Hacked appeared first on Deeplab.

The investigation claims that $23.4 million was stolen from Web3-projects by thieves in August. The blockchain Base, which was only introduced on August 9 and has already been the target of four attacks, is also under attack.

The most attacks have been made against the Ethereum blockchain, with five incidences documented across all network protocols. With attacks on LeetSwap, SwirlLend, Magnate Finance, and RocketSwap, Base experienced four incidents in addition to the BNB network. These three networks collectively accounted for 62% of all August network outages.

Optimism suffered two occurrences, which amounted for 9.5% of total losses; in contrast, Arbitrum, Solana, Avalanche, Fantom, and Linea each had one event, which combined accounted for 28.7% of losses.

DeFi is a Top Target for Hackers

Hacker assaults made up 67.7% of occurrences in August, costing $15.8 million in losses, of which fraud was responsible for $7.6 million, or 32.3%.

Attackers mostly targeted Decentralized Finance (DeFi) systems; centralized platforms avoided being exploited at this time.

Compared to CeFi, DeFi will continue to be the most popular exploit target in August 2023. DeFi accounts for all losses in full, whereas CeFi has not had any significant hacks, the research says.

2023 Overtakes 2022 in the Number of Attacks

168 instances of hacking and hacker assaults were reported last year, according to Immunefi experts. The outcome was a $3.77 billion loss for the Web3 sector from 2022 to 2023.

The majority of that money was lost by four distinct projects: FTX, Wormhole, BNB Chain, and Ronin Network. The loss in 2022, however, was 51.2% lower than the $8.08 billion that hackers and scammers took in 2021.

The post $1.25B Heist: Web3’s Ongoing Plunder appeared first on Deeplab.

Highlighting the gravity of the situation, the team furnished a list of Terra’s legitimate communication channels across various social media platforms, emphasizing the importance of sourcing updates solely from these verified sources. Reinforcing the urgency of the matter, Kiruse, a blockchain developer associated with Terra, seconded the initial claims. While acknowledging the hacking incident, Kiruse cited the delay in his report, attributing it to fears that Terra’s Twitter might also have been compromised. On a brighter note, he reassured users that the latest version of the Terra Station app remains uncompromised. Yet, out of an abundance of caution, he urged users to keep away from it.

Interestingly, the hacking fiasco enveloping Terra’s website isn’t isolated. Mere days post its launch, the decentralized platform on the Terra Classic blockchain — Terraport Finance — had its liquidity pools drained. The malicious actor managed to abscond with assets to the tune of $2 million, subsequently shifting them to Binance and MEXC Global. Suspicions abound, as the platform’s launch on March 31 saw developers incinerate nearly 100 million LUNC tokens by April 7, in what appears to be an effort to rejuvenate Terra. Such actions have fueled speculations, with community insiders hinting at a potential security audit failure for Terraport.

Unfortunately, these aren’t isolated events. A staggering $656 million was filched from the crypto industry within the initial six months of 2023. These illicit gains resulted from an alarming 108 protocol attacks, 110 rag pools, and numerous phishing exploits. Providing a small sliver of hope, about $215 million—representing 45.5% of the assets swiped in outright attacks — were reclaimed. Still, a significant chunk, approximately $113 million, was funneled into cryptocurrency mixers like Tornado Cash, making the chances of their recovery bleak.

These relentless attacks underscore the pressing need for bolstered security measures in the crypto industry, as attackers increasingly refine their craft and intensify their onslaught.

The post Terra Blockchain Site Compromised Amidst a Surge in Crypto Hacks appeared first on Deeplab.