IT NEWS

Cybercriminals are targeting Mac users interested in cryptocurrency opportunities with fake calendar invites. During the attacks the criminals will send a link supposedly to add a meeting to the target’s calendar. In reality the link runs a script to install Mac malware on the target’s machine.

Cybersecurity expert Brian Krebs investigated and flagged the issue.

Scammers, impersonating cryptocurrency investors, are active on Telegram channels to get interested people to attend a meeting about a future partnership.

One of those investors called Signum Capital tweeted a warning on X in January that one of their team members was being impersonated on Telegram and sending out invites by direct message (DM).

The criminals reach out to targets by DM on Telegram and ask if they have an interest in hearing more about the opportunity in a call or meeting. If they show interest they will be sent a fabricated invitation for a meeting. When the times comes to join the meeting the invitation link doesn’t work. The scammers tell the victim it’s a known issue, caused by a regional access restriction, which can be solved by running a script.

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed to look at this method. This isn’t the first time criminals have used scripts to compromise users, he told us.

“AppleScript has been used against Mac users with moderate frequency by malware creators over the years. It has the advantage of being very easy to write, and if compiled, is also extremely difficult to reverse engineer.”

According to Reed, AppleScripts can be provided in a few different forms. One is a simple .scpt file that opens in Apple’s Script Editor app. This has a few drawbacks for criminals: A victim would need to click something within Script Editor to run the script, and they would able to see the code, which might be a problem because AppleScript tends to be more human readable than most other scripts. However, there are ways to obfuscate what the code is doing, and many users won’t bother to read it anyway.

Another option is an AppleScript applet. This is something that acts like a normal Mac app. It contains a basic AppleScript executable and the script to be run. In this form, the script can be code signed, notarized, given an icon, and otherwise made to appear more trustworthy. The code could be pretty bland, and unlikely to trigger any kind of detection from Apple’s notarization process, but could download and execute something less trustworthy.

Scripts have another advantage for criminals, Reed warned.

“AppleScripts also have the advantage of being able to very easily get administrator permissions.”

A script that attempts to run a command with administrator privileges will ask users to authenticate, triggering a password dialog.

If the user enters their password, the script doesn’t actually get to see it, but everything else the script attempts to do “with administrator privileges” will successfully run as root without further authentication. This makes it very easy for the script to show a standard authentication request dialog and trick the user into giving root permissions.

“So, in summary, AppleScript can be quite effective for writing malware. In fact, some malware has been written exclusively – or almost exclusively – in AppleScript, such as OSX.DubRobber or OSX.OSAMiner.”

In this case, the script was a simple Apple Script that downloaded and executed a macOS-oriented Trojan. The nature of the Trojan is unknown, but it certainly won’t surprise anyone if it turns out it was a banking Trojan that specializes in stealing cryptocurrencies.

Recognizing the scam

To avoid falling victim to these scammers, it’s good to know a few of their tactics.

• Targets are approached by DM on Telegram.
• Topics are cryptocurrency investment opportunities.
• The scammers have a preference for the Calendly scheduling platform.
• A fake “regional access restriction” creates a sense of last minute urgency.
• The script had the .scpt (Apple script) extension.
• The script was hosted on a domain that pretended to be a meeting support site.

The presence of Mac malware is unfortunately still underestimated, but you can find protection by Malwarebytes for Mac and protect Mac endpoints in your environment by ThreatDown solutions.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Pig butchering scams are big business. There are hundreds of millions of dollars involved every year. The numbers are not very precise because some see them as a special kind of romance scam, while others classify them as investment fraud.

The victims in Pig Butchering schemes are referred to as pigs by the scammers, who use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the butchering–meaning they’ll be bled dry of their money.

And they usually start by someone sending you a message that looks like it’s intended for someone else.

The accounts sending the messages often use stock photographs of models for their profile pictures. But even though you won’t know these people, a simple reply of “I’m not Steve, but…” is almost exactly what the scammers want—an initial foothold to talk to you a bit more.

After some small talk, the scammer will ask if you’re familiar with investments, or cryptocurrency. They’ll then do one of two things:

• Direct you to a genuine cryptocurrency investment portal, and send you some money to invest or have you do it on your own dime. Eventually you’re asked to transfer all funds and/or profit to a separate account which belongs to the scammer. At that point, your money has gone and the proverbial pig has been butchered after a period of so-called “fattening up” (in other words, gaining your trust and convincing you to go all out where investing is concerned).
• Direct you to a fake cryptocurrency site, often imitating a real portal. The site may well have its numbers tweaked or otherwise deliberately altered to make it look as though your suggested investments are sound bets. The reality is that they are not, and by the time you realize it, your money has gone.

Once you are satisfied with the profit on your investment and decide to cash out, the problems come at you from different directions. A hefty withdrawal fee, a huge tax to be paid, will need to be paid to get your money back. Which you won’t, but this is the last drop the scammers will try to wring out of you.

John Oliver talked at length about Pig Butchering scams in the latest episode of Last Week Tonight with John Oliver (HBO), lifting the lid on some shocking examples of people who got scammed, and the role that organized crime plays behind the scenes. (Note that you’ll need to be in the USA to watch it, or have a good VPN

As John Oliver put it:

“You may have an image of a person who might fall for pig butchering, but unless you are looking in a mirror, you might be wrong.”

So here are some pointers.

How to avoid becoming the pig

The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:

• Stray messages for “someone else” appear out of the blue.
• The profile pic of the person you’re talking to looks like someone who is a model.
• Common scam opening lines may involve: Sports, golfing, travel, fitness.
• At some point they will ask you about investments and/or cryptocurrency.
• They will ask you to invest, or take some of their money and use that instead.

As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).

Digital Footprint scan

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers.

Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the description the owner asked interested parties to contact them by email.

“The property is listed on several websites so contact me directly by mail to check for availability.”

So Stefan emailed the owner. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.

“My name is Carla Taddei, I am a co-host of this property, your dates are available.

The nightly rate is €250, also a €500 security deposit is required which will be fully refunded at the check out date (in case of no damages to the property). Cleaning and disinfection are included in the price. FREE CANCELLATION, FULL REFUND WITHIN 48 HOURS PRIOR THE CHECK IN.

Currently , we are encountering technical difficulties with the Airbnb calendar system, so we decided to use tripadvisor.com as our main platform. Because the Airbnb platform has very high fees, I choose to use only tripadvisor.com

If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. I will then make all the arrangements and I will send a tripadvisor invitation through tripadvisor.com in order to complete the reservation.”

Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.

However, the link didn’t point to the real Tripadvisor site, but instead a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue.

Stefan received a mail that claimed to be from Tripadvisor, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com — not exactly the email address you’d expect from Tripadvisor itself.

The owner sent a follow up email, saying the booking request had been sent out and insisting that Stefan had to pay and send confirmation before the booking could be validated.

“Everything was arranged from my side and you should have the booking request by now. My device routed it to my promotion folders so just check all your email folders because you must have it.

Please note, the full payment including the security deposit is required on the same time. The deposit is required for the security of the property, if there are any damages or something else is missing from the property and it is fully refundable on the day when you leave the property.

Please forward and the payment confirmation once done so I can validate your booking.”

The scammer hoped Stefan would click on the booking button on the fake Tripadvisor site. If he had done, he would have seen a prompt to register with ‘Tripadvisor’.

One step further and he’d have been asked to enter his credit card details, at which point he would have been likely to pay a lot more than the agreed €2000 for an apartment he would never see from the inside.

Further research based on the URL to the fake Tripadvisor website showed us that these scammers have probably been active for quite some time.

We found 220 websites related to this particular scam campaign. 26 of them were structured similar to tripadvisor-pre-approved-cdc0-4188-b6e5-0e742976f964.nerioni.cfd, and related sites. And 194 were structured similar to airbnb-pre-approved-0e03cd9c-7f5e.mucolg.buzz, and related sites.

How to recognize and avoid scams

There are several ways in which this procedure should have set your scam spidey senses in action, even if you’re not a professional like Stefan.

• When it’s too good to be true, it’s probably not true. Don’t fall for a ‘good deal’ that turns out to be just the opposite.
• Book directly via the platform you are on. If someone tries to get you to do something that’s not typical behaviour for that service, then they may well be up to no good.
• Check the links in the emails are going to where you expect. Even though the links in the email say tripadvisor.com, in reality they pointed to tinyurl.com. The use of URL shorteners where there is no actual need to shorten a URL is often done to obfuscate the link.
• In the same vein, check the address in your browser’s address bar to check if it is going to where you would expect. The fake Tripadvisor site was hosted at https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde which has been taken offline now.
• Don’t get rushed into making decisions. Scammers are always trying to create a sense of urgency so you click before you can think.
• Double check the website again before entering personal details or financial information.
• Keep your software updated and use a web filter that will alert you to suspicious sites.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.

The bug was found by a bounty hunter from Nepal called Samip Aryal and has now been fixed by Facebook.

In his search for an account takeover vulnerability, the four times Meta Whitehat award receiver started by looking at the uninstall and reinstall process on Android. By using several different user agents he encountered an interesting response in the password reset flow.

After investigation, a few characteristics of the login code made it an interesting attack vector:

• The code was valid for two hours
• It did not change during that period when requesting it
• There was no validation if you attempted a wrong login code

Combined with the fact that these codes are only 6 digits, Samip saw opportunities for a brute force attack, where an attacker repeatedly tries to access login credentials in the hope of eventually getting into an account.

After uncovering all this information, and with his extensive knowledge about the Facebook authentication process, Samip found the method to take over an account was relatively simple:

• Pick any Facebook account.
• Try to login as that user and request a password reset (Forgot password).
• From the available reset options choose “Send code via Facebook notification”.
• This creates a POST request. As part of a POST request, an arbitrary amount of data of any type can be sent to the server in the body of the request message.
• Copy that POST request and use a method to try all the 100,000 possibilities. Note, 100,000 possibilities may sound like a lot, but given the two hour time-frame there are plenty of options to do that.
• The matching code responds with a 302 status code, a redirect that confirms the search was successful.
• Use the correct code to reset the password of the account and the attacker can now take over the account.

There was one caveat. The owner of the account will see the notification on the device they are logged in with. And strangely enough the notifications came in two flavors.

The difference in notification which makes it a zero-click or not

The first one works as described above, but the second one does require the account owner to tap that notification before Facebook generates a login code. That makes it a lot harder to take over the account.

A detailed report of how Samip found the vulnerability is available on his Medium page.

Facebook has awarded Samip a bounty and fixed the issue. Together with other bounty hunters, Samip submitted hundreds of reports to Meta which they resolved, making Facebook and other platforms a safer place along the way.

Paying attention pays off

There are a few takeaways from this method that Facebook users, and users of other platforms for that matter, might use to their advantage.

• Pay attention to the signs that a password request has been initiated (email, notifications, texts, etc.) Somebody could be trying to take over your account. Follow the instructions on the password reset notification if it’s not you doing the reset.
• Don’t use the Facebook login option on other platforms, and certainly not on ones that have personal or financial information about you.
• Turn on 2FA for Facebook to make it harder for criminals to hijack your account.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

In late January 2024, the ThreatDown Managed Detection and Response (MDR) team found and stopped a three-month long malware campaign against a Managed Service Provider (MSP) based in Europe. In line with our observations of attackers increasingly relying on legitimate software in their attackers, the attacker employed various Living Off the Land (LOTL) techniques to avoid detection.

MSPs are a prime target of cyberattacks for two main reasons. One, they provide services to multiple clients, giving attackers access to a broader network of targets through a single breach. Two, MSPs often operate on tight security budgets, making them more vulnerable to attacks.

Almost immediately after onboarding the MSP in mid-January, the ThreatDown MDR team found extensive evidence of an ongoing malware campaign. The attackers, who targeted the MSP’s network from October 2023 to January 2024, silently monitored and manipulated the network for months, leveraging legitimate remote access tools like AnyDesk and TeamViewer and attempting to install malware like Remcos RAT and AsyncRAT.

Let’s dive into the details of this incident and how ThreatDown MDR neutralized the threat.

Initial discovery and evidence of compromise

In late October 2023, ThreatDown Endpoint Detection and Response (EDR) flagged multiple suspicious outbound connections on the MSP’s network. These were attempts to communicate with known malicious external sites and IPs, involving several endpoints within the network.

This activity was immediately blocked by ThreatDown, marking the first documented evidence of a security breach. The nature of these attempts—targeting sites associated with RDP-based attacks and other malicious activities—indicated a possible compromise.

List of malicious sites automatically blocked by ThreatDown MDR.

Expanding presence and evasion

Following the initial detections in October, the attacker quietly expanded their presence within the network. On December 8th, network scanning activity was detected from an endpoint, indicative of the attacker’s efforts to map out the network for further exploitation. This activity went beyond mere exploration, suggesting a systematic approach to identify additional targets or vulnerabilities within the MSP’s digital environment.

Escalation and discovery of malware

The situation escalated in January 2024 with the discovery of malware on several endpoints, linked to unauthorized remote access tools like ScreenConnect and AnyDesk.

This pointed towards a more aggressive phase of the attack, with the attackers deploying malware to maintain and expand their access. An attempt to uninstall McAfee via PowerShell, observed on an endpoint, further underscored the attackers’ intentions to weaken the network’s defenses.

Detection of malware leveraging RMM tools.

Ongoing surveillance and response

The implementation of ThreatDown MDR services on January 18th, 2024, was a strategic move by the MSP to gain deeper insights into the attackers’ movements. By this time, the attackers had already established a significant presence within the network, as evidenced by the attempted communications with a known AsyncRAT botnet C2 server and the discovery of additional remote management and monitoring (RMM) tools on the network.

Connections to AsyncRAT were detected and automatically blocked by ThreatDown MDR

Fortunately, the ThreatDown MDR team caught the attack in action and made several immediate recommendations for the MSP, including:

• Isolating the compromised endpoints to halt the infection spread and re-imaging them for a clean slate.
• Changing all administrative and local passwords three times to fortify security.
• Restoring all infected endpoints from secure backups, eliminating the use of local administrator accounts, and implementing application and DNS filtering to control software usage and web access.

Threat hunting with ThreatDown MDR

How ThreatDown MDR works

MSPs continue to be a prime target in cyber attacks—and as we’ve seen in this case study, attackers are in it for the long-haul, able to remain undetected for several months after compromising a network.

The attacker’s use of legitimate tools such as TeamViewer, ScreenConnect, and PowerShell, in their months-long attack on the MSP underscores a key theme we’ve been writing about on the blog recently: attackers are increasingly relying on LOTL techniques in their attacks to avoid detection.

In this example, if the attack had been allowed to continue, the MSP could have suffered a ransomware attack, data breach, or both. Fortunately, however, by hunting down LOTL techniques for the MSP based on suspicious activity and past indicators of compromise (IOCs), the ThreatDown MDR team successfully stopped the threat.

Protecting your MSP from stealthy LOTL threats takes an elite team of security professionals scouring your systems 24×7 for IOCs and suspicious activity observed on endpoints. Learn more about ThreatDown today.

In an updated #StopRansomware security advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) has warned the healthcare industry about the danger of the ALPHV ransomware group, also known as Blackcat. According to the advisory:

Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized.

We have reported in the past that ransomware groups show absolutely no respect to previous promises to leave the healthcare sector alone. This is not a new phenomenon, but ALPHV focusing on healthcare specifically is a relatively new one.

On the grapevine you can hear that ALPHV asked their affiliates to focus on this industry as a kind of payback for the disruptions to their infrastructure in December last year by law enforcement.

The recent attack on Change Healthcare has been reportedly caused by ALPHV, but we don’t feel it’s right to say that they didn’t attack healthcare way before the said disruption.

And unfortunately ALPHV is not the only one. In a new low, the attack on Lurie Children’s Hospital has been claimed by the Rhysida ransomware group.

ALPHV is a Ransomware-as-a-Service (RaaS) group, meaning that its ransomware is made available to criminal affiliates using a software-as-a-service (SaaS) business model. ALPHV was ranked second in the list of most active big game ransomware groups of 2023.

According to the advisory, ALPHV’s affiliates use advanced social engineering techniques and open source research on a company to gain initial access. They pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. After the initial breach they deploy remote access software such as AnyDesk, Mega sync, and Splashtop to prepare the theft of data from the network.

From the initial access they use various other legitimate, living off the land (LOTL), tools to further their access. Once the data has been safely moved to their Dropbox or Mega accounts, the ransomware is deployed to encrypt machines in the network. The latest ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, as well as VMWare instances.

It is unclear how ALPHV would stimulate attacks on healthcare institutions among its affiliates. We do understand that some of the data found during these attacks is very valuable on the underground market.

Having seen how devastating attacks on healthcare can be, we would encourage every cybercriminal involved to waive their right to be treated in any healthcare facility. Or, at least, try and realize the damage they are doing and the potential impact on people’s health.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads.

Fast forward to 2024 and the same malvertising campaigns are still going on. After a lull last summer, we noticed an increase since the fall which so far has been sustained. The most recent targeted searches are for Parsec and FreeCad, followed by WinSCP, Advanced IP Scanner, Slack and Notion.

Threat actors are targeting business users with payloads such as FakeBat, Nitrogen or Hijackloader. One other malware family we have seen here and there is Rhadamanthys. In this blog post, we detail the latest distribution chain related to this malware.

Key points

• Rhadamanthys is an infostealer distributed via malspam and malvertising.
• Google searches for popular software such as Notion return malicious ads.
• Threat actors are using decoy websites to trick users into downloading malware.
• The initial payload is a dropper that retrieves Rhadamanthys via a URL pasted online.
• The TexBin paste site shows the URL was seen/accessed 8.5K times.

Malicious ad

Threat actors continue to impersonate well-known brands via sponsored search results. As can be seen below in a search for Notion (productivity software), an extremely deceiving ad is shown. Because it includes the official logo and website for Notion, most users will not think twice and click on the link.

While the ad looks real on the surface, the Google Ads Transparency Center page (which can be accessed by clicking on the menu right next to the ad’s URL) shows this ad was created by a certain ‘BUDNIK PAWEŁ’ from Poland. According to the same report, the first ad first appeared on January 23, 2024.

As a matter of fact, we have been tracking this fraudulent advertiser for a few weeks and had reported it to Google in early February, when we first ran into it. At the time, victims who clicked the ad and visited the site were tricked with a download for NetSupport RAT.

In this more recent campaign, the threat actor is pushing Rhadamanthys as the final payload, after an initial dropper. In the web traffic seen below, we can see that the threat actor uses a number of redirects to evade detection. URL shorteners and redirectors are quite common for the initial ad click, often followed by an attacker-controlled domain responsible for cloaking traffic.

There is one more check within the browser via JavaScript to detect virtual machines before the actual landing page is displayed to the victim.

Landing page and payload

The landing page is the decoy site that victims will see after they click on the ad. Apart from the URL in the address bar, it looks very similar to the official web site for Notion, although somewhat simplified. There are two download buttons, one for Mac and the other for Windows.

The Mac payload (Notion.dmg) is a new variant of Atomic Stealer. Thanks to Luis Castellanos from Block for sharing a sample with us.

The Windows binary is a signed file but its digital signature is not valid. The name of the signer that shows here is from the inventor of PuTTY, a popular admin tool. This digital certificate is likely fake or was revoked, but it may evade detection in some cases.

This dropper contacts the paste site TextBin where it retrieves a URL for the followup payload, Rhadamanthys. If the numbers are correct this unlisted paste was viewed 8.5k times already.

Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs (screenshot from Joe Sandbox):

Upon execution, Rhadamanthys reports to its command and control server, sends and receives data.

Conclusion

Not a lot has changed with malvertising campaigns focused on software downloads as we enter the second year of actively tracking them. Sponsored search results continue to be highly misleading due to the fact that any verified individual is able to impersonate popular brands by using their logo and official site within the ad itself.

We are aware of reports shared within private circles, that businesses were compromised after an employee clicked on a malicious ad. Follow-up activities post infection include the usual ‘pentesting tools’ that precede a company-wide breach or ransomware deployment.

The infrastructure used in this particular attack was reported to the relevant parties. Malwarebytes and ThreatDown customers are protected against the payloads and distribution sites.

Additionally, EDR customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

Endpoint users will see a customizable message when they click on an ad such as those that appear on a search engine results page:

Indicators of Compromise

Malvertising chain

pantovawy.page[.]link
cerisico[.]net
notione.my-apk[.]com
alternativebehavioralconcepts[.]org

Dropper

6f4a0cc0fa22b66f75f5798d3b259d470beb776d79de2264c2affc0b5fa924a2

Dropper IP

185[.]172[.]128[.]169

Rhadamanthys download URL

yogapets[.]xyz/@abcmse1.exe
birdarid[.]org/@abcnp.exe

Rhadamanthys

e179a9e5d75d56140d11cbd29d92d8137b0a73f964dd3cfd46564ada572a3109
679fad2fd86d2fd9e1ec38fa15280c1186f35343583c7e83ab382b8c255f9e18

Rhadamanthys C2

185[.]172[.]128[.]170

On Wednesday February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group—experienced serious system outages due to a cyberattack.

In a Form 8-K filing the company said it:

“identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”

Change Healthcare is one of the largest healthcare technology companies in the United States. Its subsidiary, Optum Solutions, operates the Change Healthcare platform. This platform is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.

The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States.

According to Reuters, the group behind the attack is the ALPHV/BlackCat ransomware group. ALPHV is currently one of the most active groups, and generally associated with Russia. They are certainly no strangers to attacking healthcare providers. In our monthly ransomware reviews you will typically find them in the top five of ransomware groups. Even after a disruption in December 2023 they returned and maintained a high level of activity.

BleepingComputer confirmed Reuters assertion, saying it had received information from forensic experts involved in the incident response that linked the attack to the ALPHV ransomware gang.

It would certainly make more sense to us that the attacker was a ransomware group than a nation-state associated group, but both ALPHV and UnitedHealth have not commented on this. That’s no surprise since the investigation is probably still ongoing and solving the security issue is a higher priority.

What the ramifications of any stolen data are, remains to be seen, but they could be very serious given the size of the company and the nationwide application of their electronic health record (EHR) systems, payment processing, care coordination, and data analytics.

In a February 26 update the company says it took immediate action to disconnect Change Healthcare’s systems in order to prevent further impact. You can follow updates about the issue on the dedicated incident report site.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals.

These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

What are Android banking trojans?

The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.  

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play.

These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure.

Still, the tricks behind “RecoverFiles” aren’t yet over.

Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a hidden wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity.

But in the world of Android banking trojan development, cybercrminals have devised far more devious schemes than simple camouflage.

Slipping under the radar

The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts.

The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become the go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed.

So, what’s a cybercriminal to do?

In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from somewhere else on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan.

What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware.

These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.  

What does it all mean for me?

There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money.

All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money.

As we wrote in the 2024 ThreatDown State of Malware report:

“Once it has accessibility permissions, the malware initializes its Automated TransferSystem (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.”

Staying safe from Android banking trojans

Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop.

Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The German Federal Office for Information Security (BSI) has published a report on The State of IT Security in Germany in 2023, and the number one threat for consumers is… identity theft.

The thing is, you can protect your devices and your online privacy as much as possible, but what happens when some organization which you have trusted with your personal information gets breached?

The report states:

“For consumers, the issue of data leaks was prominent in the reporting period (2023). In many cases, these were related to ransomware attacks, in which cybercriminals exfiltrated large amounts of data from organizations in order to later threaten to publish it unless a ransom or hush money was paid.“

In addition to data breaches, there is the danger of information stealers that allow cybercriminals to obtain various types of personal data, such as login details for various online services, and financial information. The stolen data may also include website cookies and biometric data that can be used by criminals to defraud the victim.

Cybercriminals are also getting better at using these data. For example, the report mentions that on one of the largest underground marketplaces for identity data, cybercriminals offered interested parties a browser plug-in that made it possible to import stolen credentials directly into the web browser, allowing criminals to assume the victim’s digital identity with just a few clicks.

We’ve previously talked about the dangers of data brokers that, by trading and buying, are accumulating massive troves of personal data. Now, with the mass availability of Artificial Intelligence tools, it becomes so much easier to correlate all these data sets and piece together a complete profile of everyone affected.

As you can see, it’s usually not the victim’s fault that their data become available to cybercriminals. In many cases, there isn’t even that much that they could have done about it. Some services simply are not available in the offline world anymore, and we have no choice than to trust an organization with our information.

So, all we can do is make sure we come prepared to act when a data breach affects us, and keep an eye on how much we share and how much others will be able to find out about us.

What to do in the event of a data breach

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Digital Footprint scan

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.