Browsing category


Advanced Persistent Threat (APT), Banking Trojan, Cybercrime, Cybercrime Trends, Cybercriminals, DRIDEX, Gozi, IBM X-Force Research, Malware, Malware analysis, Ramnit, Ransomware, Threat Intelligence, Trickbot, X-Force,

The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018

Banking Trojans and the gangs that operate them continue to plague banks, individuals and organizations with fraudulent transactions facilitated by malware and social engineering schemes. At last check, cybercrime cost the global economy more than $600 billion in 2017 , and forecasts for 2018 predicted $1.5 trillion in losses.

No matter how you turn these numbers, they are a burden that keeps growing and encouraging a rife, complex industry of online crime.

Going Behind the Numbers of the ‘IBM X-Force Threat Intelligence Index’

Every year, increasingly organized cybercrime gangs shuffle their tactics, techniques and procedures (TTPs) to evade security controls on the micro level and law enforcement on the macro level. Behind each malware named on the top 10 chart below, codes are distributed and operated differently and focus on different parts of the globe. The chart is populated by organized cybercrime gangs that have ties to yet other cybercrime gangs, each doing its part to feed the perpetual supply chain of a digital financial crime economy.

In cybercrime, it can be said that the more things change, the more things stay the same. In 2018, however, I must admit I was finally surprised when two malware gangs that did not appear connected at first began openly collaborating. It thus became clearer than ever that the banking Trojan arena is dominated by groups from the same part of the world, by people who know each other and collaborate to orchestrate high-volume wire fraud.

To learn more about the malware that shaped 2018, let’s begin by looking at the top constituents of the gang-owned Trojan chart and drill down on information gathered by IBM Security for the top three.

Top Trojan Chart 2018 - IBM Security Research

Figure 1: Top 10 chart of the most active banking Trojan families in 2018 (source: IBM X-Force)

1. TrickBot

TrickBot, a banking Trojan operated by a Russia-based threat group, was one of the most aggressive Trojans of 2018. It targets banks across the globe with URL-heavy configurations that often include a large number of targeted bank brands from across the globe.

TrickBot’s operators focus on business banking and high-value accounts that are held with private banking and wealth management firms, but they also diversified in 2018 to include various e-commerce and cryptocurrency exchange platforms on their target lists.

According to IBM X-Force data that was gathered since TrickBot’s rise, no other financial Trojan is as consistently active in terms of infection campaigns and deployment of redirection attacks, indicating that its operators have ample resources and connections to develop and operate the malware in different parts of the world. Despite this overall capability, X-Force saw TrickBot sharpening its focus in 2018 and targeting a handful of countries in each campaign, keeping major economies such as the U.K. and the U.S. on almost every target list.

Intergang Collaboration With IcedID

Some of the trends in TrickBot’s activity in 2018 included collaboration with another banking Trojan, IcedID, which IBM X-Force discovered in September 2017, as well as operating the Ryuk ransomware, a subset of TrickBot’s botnet monetization strategy. These highlight a larger trend of intergang collaboration among Trojan operators striving to generate larger profits in spite of growing security control sophistication.

At first, TrickBot and IcedID appeared unrelated. But about eight months into IcedID’s existence, signs of a link between the two became apparent. In May 2018, X-Force researchers observed TrickBot dropping IcedID, whereas it had previously been dropped primarily by the Emotet Trojan, the same distributor that also drops TrickBot in different campaigns.

By August 2018, our researchers noted that IcedID had been upgraded to behave in a similar way to the TrickBot Trojan in terms of its deployment. The binary file was modified to become smaller and no longer featured embedded modules. The malware’s plugins were being fetched and loaded on demand after the Trojan was installed on infected devices. These changes made IcedID stealthier, modular and more similar to TrickBot.

In addition to its increased stealth level, IcedID also started encrypting its binary file content by obfuscating file names associated with its deployment on the endpoint. Also similar to TrickBot is IcedID’s event objects, which coordinate multiple threads of execution in Windows-based operating systems. IcedID began using named events to synchronize the execution between its core binary and the plugins selected for loading. When a plugin was called upon, it was fetched by its ID number from the attacker’s server and, when loaded, assigned a unique ID.

Although malware authors do sometimes copy from one another, our research indicates these modifications were not coincidental. Even if we only looked at the fact that TrickBot and IcedID fetch one another into infected devices, that would be indication enough that these Trojans are operated by teams that work together.

Longtime Partners?

Ties between TrickBot and IcedID may have started years ago in a collaboration designed to help both groups maximize their illicit operations and profits. During the six-year activity phase of the Neverquest (aka Catch or Vawtrak) Trojan, it collaborated with the Dyre group to deliver Dyre malware to devices already infected with Neverquest.

The original Dyre group partly disbanded in late 2015, followed by the rise of TrickBot, which is believed to be the successor to Dyre. Neverquest halted operations following the arrest of one of its key members in 2016, after which the IcedID Trojan appeared. With the two featuring advanced capabilities and evident cybercrime connections with other gangs, their current-day collaboration likely started years ago.

The TrickBot-Ryuk Connection

Another TrickBot trend that started in 2018 is a connection with ransomware. Reminiscent of the Dridex Trojan’s links to the Locky and then BitPaymer ransomware, TrickBot began dropping ransomware called Ryuk. Unlike wide-cast nets that spread ransomware to as many email recipients as possible, Ryuk, like BitPaymer, is spread in targeted campaigns where attackers go through the typical advanced persistent threat (APT) kill chain and manually breach the network.

Ryuk attackers often go through reconnaissance stages, looking for valuable data to hijack. The goal: Infect established organizations with Ryuk and then demand large sums in ransom payments that average hundreds of thousands of dollars each.

Malware drop killchain

Figure 2: Ryuk campaigns — a four-step routine to drop three different Trojans to target devices (source: IBM X-Force)

Upon investigating Ryuk’s code, it quickly became apparent that this ransomware was not entirely new. Ryuk closely resembles the Hermes ransomware that was linked with malicious activity by a nation-state-sponsored group called Lazarus (aka Hidden Cobra).

Is Ryuk connected to Hermes? That’s one possibility. It could also be that some Lazarus members collaborate with banking Trojan operators through cross-border partnerships to steal and launder large amounts of cybercrime money via Eastern Europe and Asia, or that someone with access to the Hermes code reused it to create Ryuk.

Whatever the source of Ryuk, it shows that TrickBot’s operators are diversifying their nefarious activity, continuing to focus heavily on the business sector and launching targeted attacks that press organizations to pay.

Major Trojans collaborate

Figure 3: Collaboration between major malware gangs (source: IBM X-Force)

TrickBot TTPs and Evolution

In terms of its TTPs, TrickBot’s operators focus their efforts on businesses and, therefore, opt for distribution through booby-trapped productivity files and fake bank websites. After infection, TrickBot modules allow it to spread laterally in compromised networks and infect additional users.

TrickBot continues to use both server-side injections deployed on the fly from its attack server and redirection attacks hosted on its servers to hijack users and present them with a fake replica of their bank’s website.

In 2018, TrickBot’s developers added three new functions to the malware, facilitating the theft of Remote Desktop Protocol (RDP) credentials, Virtual Network Computing (VNC) credentials and PuTTY open-source terminal emulator credentials. It steals Windows system reliability and performance data and features a new mechanism for storing its configuration and elliptic curve cryptography (ECC) public keys.

The TrickBot botnet is supported by what’s considered a mature infrastructure, where some campaigns featured 2,458 unique command-and-control (C&C) IP addresses used in 493 main configuration releases across 276 versions — all in one week.

X-Force expects to see TrickBot maintain its position on the global malware chart unless it is interrupted by law enforcement in 2019.

2. Gozi

Gozi (aka Ursnif) has been highly active in the wild for more than a decade now, a rare occurrence in the cybercrime arena. The malware was first discovered in 2007, when it was operated by a closed group of developers and cybercriminals. At the time, it was used to target online banking users mostly in English-speaking countries.

Throughout the years, Gozi has gone through almost every phase a banking Trojan can go through. Its code was leaked in 2010, giving rise to other Trojans, such as Neverquest, that also dominated the cybercrime charts for years after. It was used in the Gozi-Prinimalka ordeal in 2012 and, in 2013, was fitted with a master boot record (MBR) rootkit to create high persistence through a computer’s MBR.

In 2016, X-Force reported about the rise of the GozNym hybrid, a two-headed beast spawned from the Nymaim malware and embedded with the Gozi financial fraud module. Starting in 2017, X-Force researchers reported that a new variation of Gozi was being tested in Australia: Gozi v3. The malware was based on the same code of the original Gozi ISFB but featured some modifications on the code injection level and attack tactics.

In 2018, Gozi v2 was the second-most active Trojan in the wild, working across the globe and in Japan. V2 is operated separately from the v3 version that continues to target banks in the Australia-New Zealand region. The malware is operated in a cybercrime-as-a-service model that allows different cybercriminals to use the botnet to conduct fraud.

To reach new victims, Gozi is distributed in document and spreadsheet attachments that prompt the user to enable macros. In recent campaigns, when the user complies, the macro runs the WMI Provider Host process (wmiprvse) to execute a malicious PowerShell script. The script is designed to fetch the payload and uses string concatenation to evade detection.

Recently, in the case of attack schemes against banks in Europe, Gozi delivered custom-tailored client-side code for each targeted bank brand users accessed, likening its tactics to redirection attacks in which each brand is targeted in a specific way.

Gozi’s distributors use malicious websites to host their resources but check the target device’s Geo IP to reduce the potential of exposure. If either Russian or Chinese keyboard settings are detected during its installation, the deployment ends.

This malware has been part of the top-most constituents of the global malware chart for the past five years, and X-Force expects to see this longtime staple of the organized cybercrime arena maintain its position on the chart in 2019.

3. Ramnit

Ramnit is a prolific banking Trojan that has been active in the wild since 2010. Ramnit started out as a self-replicating worm, leveraging removable drives and network shares to spread to new endpoints. As the project evolved, Ramnit morphed into a modular banking Trojan and started spreading via popular exploit kits such as Angler and RIG.

Although it was one of the most prominent Trojans between 2011 and 2014, Ramnit was targeted by law enforcement in 2015. While it was one of the only botnets to ever survive a coordinated disruption, its operators have not returned to the same level of activity since. In recent years, Ramnit has been an on-again-off-again operation, seeing long lulls in its cybercrime activity and narrowing its attack turf over time to focus mostly on the U.K., Canada and Japan.

2018: Reemergence and Intergang Collaboration

In 2018, the Ramnit Trojan returned to the cybercrime arena with revamped code and a new partner, a proxy malware known as Ngioweb. Ramnit’s developer modified its financial module to enhance its capabilities and changed the internal module’s name from “Demetra” to “Camellia.”

Ramnit’s 2018 comeback resulted in a reported infection of more than 100,000 devices within the span of two months, as part of an operation code-named “Black.” In this campaign, Ramnit went back to its worm roots and was used as a first-stage infection in a kill chain designed to amass a large proxy botnet for Ngioweb.

How good was this new partnership for Ramnit? We can only assume that it was used to create a massive proxy botnet that would resemble the Gameover Zeus botnet in its architecture. The Black campaign was short-lived, and by the end of 2018, Ramnit was linked with Emotet, Dridex and BitPaymer for using the same dropper as those Trojans and being used itself as a dropper for Dridex.


Configuration and code comments show that Ramnit is probably being developed by new team members. Configuration injects were modified to Lua programming and, in many cases, came bugged or unsophisticated. This was not the case for this malware in past years.

For its deployment routine, Ramnit began leveraging code that relies on PowerShell scripts in what’s known as reflective PE injection. Its modules are not pulled from a remote server but come packed with the core malware, and its reliance on a domain generation algorithm (DGA) has been modified to include hardcoded domains.

Will we continue to see Ramnit in 2019? X-Force researchers expect to see the same activity pattern for this malware with its come-and-go nature in Japan and Europe. Ramnit will likely drop from its current rank on the global Trojan chart and be overtaken by IcedID and newcomers like BackSwap and DanaBot.

Threat Landscape Staples

Banking Trojans have been a burdensome part of the cybercrime threat landscape for more than a decade now. The past five years have shown us that this breed of attackers is only becoming more sophisticated over time, incorporating technical knowledge with advance social engineering to focus schemes on victims that can yield the biggest profits: businesses, cryptocurrency and high-value individuals.

While previous years saw gangs operate as adversaries, occupy different turfs and even attack each other’s malware, our research from 2018 connected the major cybercrime gangs together in explicit collaboration. This trend is a negative sign that highlights how botnet operators join forces, revealing the resilience factor in these nefarious operations.

While it can be hard to detect this type of evolving malware, it’s possible to stop banking Trojans before they make it into your device or your organization. Proper security controls and user education, as well as planned incident response, can help keep this threat at bay and contain its detrimental effects if ever an account is taken over and robbed by highly experienced criminals.

To learn more about the top security threats of 2018 and what 2019 may have in store, download the “IBM X-Force Threat Intelligence Index.” Check out page 30 in the report for our expert team’s tips on mitigating threats and increasing preparedness for a possible breach.

Read the full “IBM X-Force Threat Intelligence Index”

The post The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018 appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Limor Kessem

Computer Security, Cyber Security News, Extensive Ransomware Attack, Malware, Ransomware,

Extensive Ransomware Attack Hits Worldwide Operation at Aluminum Manufacturing Gaint Norsk Hydro

Extensive Ransomware Attack

Extensive Ransomware Attack forced to shut down operations at, Norsk Hydro, one of the world’s largest aluminum producers. The company suffered production outages across Europe and the U.S. The cyberattack shut down operations in the number of metal extrusion and rolled products plants, which transform the aluminum into finished products for car makers and for […]

The post Extensive Ransomware Attack Hits Worldwide Operation at Aluminum Manufacturing Gaint Norsk Hydro appeared first on GBHackers On Security.

Computer Security, Cyber Attack, Exploit, Malware, Ransomware, Vulnerability, Windows, WinRAR,

Alert !! Hackers Launching New JNEC.a Ransomware via WinRAR Exploits – Do not Pay

JNEC.a Ransomware

A brand new JNEC.a ransomware spreading via recently discovered WinRAR vulnerability exploit to compromise windows computer & demand the ransom amount. This exploits leverage the recently discovered WinRAR ACE code injection vulnerability, since then attackers continuously exploiting to intrude the targeted system in various ways. WinRAR is the worlds most popular Compression tool that used […]

The post Alert !! Hackers Launching New JNEC.a Ransomware via WinRAR Exploits – Do not Pay appeared first on GBHackers On Security.

Chinese Government, Computer Security, Cyber Security News, Gandcarb, Ransomware,

Gandcrab Ransomware Attack on Chinese Government Internal Network

Chinese Government

Hackers launched ransomware attacks on Chinese Government department and infected their internal computer network to lock the file and demand the ransom. The Gandcrab Ransomware is a widespread Ransomware, nowadays it evolves with newly updated features under constant development, to target various countries. Cybercriminals initiated this attack from outside of the country to target the […]

The post Gandcrab Ransomware Attack on Chinese Government Internal Network appeared first on GBHackers On Security.

bitcoin, Government Network, Ransomware, ransomware attack, Ryuk,

Massive Ryuk Ransomware Attack on Entire Computers of Jackson County, Georgia – $400,000 Ransom Paid

Jackson County

Rural Jackson County, Georgia computer systems are infected with Massive Ryuk ransomware attack that leads to shut down all the operations. Since there is no way to recover the files back without the decryption key, officials paid $400,000 as a ransom amount to cybercriminals in order to recover the infected system. Authorities Confirmed that the […]

The post Massive Ryuk Ransomware Attack on Entire Computers of Jackson County, Georgia – $400,000 Ransom Paid appeared first on GBHackers On Security.

Computer Security, Cyber Crime, Hacked Websites, Internet, jcry, Ransomware, Windows,

Hackers Spreading JCry Ransomware that Infecting Windows users via Compromised Websites


Cyber criminals spreading new ransomware called Jcry which is written in Go language via #OpJerusalem2019 campaign that attack Windows users to encrypt the file and demand the ransom. #OpJerusalem2019 is recently launched a cyber attack against the Israeli Government and the private websites including Coca-Cola, ToysRUs, McDonald ’s. In result, An anonymous hacker group compromised […]

The post Hackers Spreading JCry Ransomware that Infecting Windows users via Compromised Websites appeared first on GBHackers On Security.

"Edge", browser, chrome, Fake Browser Update, Firefox, Malware, Ransomware,

Beware!! Fake Browser Update Drops a Ransomware & Banking Malware into Your Computer

Fake Browser Update

Researcher recently discovered a malicious Fake Browser Update campaign that being delivered a ransomware and banking malware into target computer via fake browser update. Threat actors are spreading this fake browser mostly via compromised websites that are powered by WordPress and also attackers used other hacked CMS websites. Thousands of hacked sites are used for […]

The post Beware!! Fake Browser Update Drops a Ransomware & Banking Malware into Your Computer appeared first on GBHackers On Security.

cryptocurrency, cryptocurrency miner, IBM Security, IBM X-Force Incident Response and Intelligence Services (IRIS), IBM X-Force Research, Incident Response (IR), Ransomware, Skills Gap, threat hunting, Threat Intelligence, X-Force,

Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks

Cybercriminals made a lot of noise in 2017 with ransomware attacks like WannaCry and NotPetya, using an in-your-face approach to cyberattacks that netted them millions of dollars from victims. But new research from IBM X-Force, the threat intelligence, research and incident response arm of IBM Security, revealed that 2018 saw a rapid decline in ransomware attacks as cybercrime gangs shifted tactics to remain under the radar.

Ransomware attacks declined by 45 percent between Q1 2018 and Q4 2018, according to the research. That doesn’t mean cybercrime is on the decline, however. Instead, cybercriminals employed cryptojacking, the stealthy theft of computing power to generate cryptocurrency, at a much higher rate. Cryptojacking surged by 450 percent over the course of 2018, according to the newly released “IBM X-Force Threat Intelligence Index 2019.”

Wendi Whitmore, global lead of the IBM X-Force Incident Response and Intelligence Services (IRIS) team, said in an interview that ransomware was highly successful for several years, but the payoff was starting to decline.

“It appears, for a variety of reasons, cybercriminals are getting less money from ransomware attacks and potentially getting a better return on their investment and their time from cryptojacking,” Whitmore said.

IBM X-Force observed a 45 percent decline in ransomware attacks and a 450 percent increase in cryptojacking over the course of 2018, as shown by the trend lines in this chart.

Cryptojacking and Other Stealth Attacks

The term cryptojacking refers to the illicit use of computing resources to generate cryptocurrency such as bitcoin, which peaked in value at nearly $20,000 in late 2017, and Monero, which has generated millions of dollars for cybercriminals over the past decade.

Cryptojacking involves infecting a victim’s computer with malware or through browser-based injection attacks. The malware uses the processing power of the hijacked computer to mine (generate) cryptocurrency. The spike in central processing unit (CPU) usage may cause systems to slow, and enterprises may be affected by the presence of the malware on their network servers and employee devices.

While less destructive than ransomware, the presence of cryptomining malware in enterprise environments is concerning because it indicates a vulnerability that may be exploited in other attacks.

“The victim doesn’t usually know their computer has taken over for that purpose,” Whitmore said.

Yet an even stealthier form of attack doesn’t use malware at all. More than half of cyberattacks (57 percent) seen by X-Force IRIS in 2018 did not leverage malware, and many involved the use of nonmalicious tools, including PowerShell, PsExec and other legitimate administrative solutions, allowing attackers to “live off the land” and potentially remain in IT environments longer. These attacks could allow cybercriminals to harvest credentials, run queries, search databases, access user directories and connect to systems of interest.

Attacks that don’t use malware are much more challenging for defense teams to detect, Whitmore said, because they are leveraging tools built into the environment and can’t be identified through signatures or typical malware detection techniques. Instead, defense teams need to detect malicious commands, communications and other actions that might look like legitimate business processes.

“Attackers are identifying that it’s a lot easier to stay in an organization longer-term if they don’t install anything funny that might get detected by a wide variety of technologies, or by really smart defenders who are constantly looking in the environment to identify something that’s new or different,” Whitmore said.

Attackers are infiltrating IT environments with stealthy techniques that target misconfigurations and other system vulnerabilities, Whitmore said, and using tried-and-true methods that are still very difficult to prevent at a wide scale, such as phishing. Publicly disclosed security incidents involving misconfiguration increased by 20 percent between 2017 and 2018, according to X-Force research. Meanwhile, IBM X-Force Red, an autonomous team of veteran hackers within IBM Security who conduct various types of hardware and software vulnerability testing, finds an average 1,440 unique vulnerabilities per organization.

Still, humans represent one of the largest security weaknesses, with 29 percent of attacks analyzed by IBM X-Force involving compromises via phishing emails. Nearly half (45 percent) of those phishing attempts were business email compromise (BEC) scams, also known as CEO fraud or whaling attacks.

These highly targeted attacks are aimed at individuals responsible for making payments from business accounts, claiming to come from someone inside the organization such as the CEO or chief financial officer (CFO). The FBI reported that between October 2013 and May 2018, BEC fraud had cost organizations $12.5 billion.

Read the complete X-Force Threat Intelligence Index Report

Transportation in the Crosshairs

Among the more surprising findings in this year’s X-Force Threat Intelligence Index report is the level of attacks on the transportation industry, which was the second-most attacked industry in 2018, behind only financial services. In 2017, transportation was the 10th most targeted industry, but in 2018 it was targeted in 13 percent of attacks, behind financial services, which was targeted in 19 percent of attacks.

“That was a pretty surprising finding for us,” Whitmore said. “To see the transportation industry emerge as the second-most impacted industry really means that we’re seeing a lot more activity overall in that industry.”

A few factors changed the game this year, Whitmore noted, including the industry’s growing reliance on data, website applications and mobile apps, and the increasing amount of information consumers are sharing. Transportation companies hold valuable customer data such as payment card information, personally identifiable information (PII) and loyalty rewards accounts. Cybercriminals are interested in targeting that information to monetize it.

Additionally, Whitmore said, there’s “a widespread attack surface in the transportation industry, leveraging things like third-party providers with legacy systems and a lot of communications systems that are out of their direct management.”

Proactive Defenses and Agile Response

There are signs that organizations are increasing their security hygiene by applying best practices such as access controls, patching vulnerabilities in software and hardware, and training employees to spot phishing attempts, Whitmore said.

Yet cybersecurity is a daily fight, and the security skills gap means security teams have to be agile and collaborative while augmenting their capabilities with supporting security technologies and services.

The IBM X-Force Threat Intelligence report offers recommendations for organizations to increase preparedness through preventive measures such as threat hunting — proactively searching networks and endpoints for advanced threats that evade prevention and detection tools.

Additionally, risk management models need to consider likely threat actors, infection methods and potential impact to critical business processes. Organizations need to be aware of risks arising from third parties, such as cloud service providers, suppliers and acquisitions.

Finally, the IBM X-Force Threat Intelligence Index emphasizes remediation and incident response. Even organizations with a mature security posture may not know how to respond to a security incident. Effective incident response is not only a technical matter; leadership and crisis communications are key to rapid response and quickly resuming business operations.

Read the complete X-Force Threat Intelligence Index Report

The post Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Zorabedian

CrackNow, Kickass Torrents, Malware, Ransomware, Torrents, Torrents Sites,

Torrents Sites Banned A Famous “CrackNow” Torrent Uploader that sharing GandCrab Ransomware


Many of the torrent sites strictly banned the popular torrent uploader CrackNow that caught for upload malicious files including GandCrab Ransomware. A lot more malicious torrents files are uploading in the torrent site which is very common nowadays but this kind of malicious activities from trusted torrent uploader is a rare case scenario. Torrents sites […]

The post Torrents Sites Banned A Famous “CrackNow” Torrent Uploader that sharing GandCrab Ransomware appeared first on GBHackers On Security.