AI-Driven Phishing Kit

Researchers track the activity using a small but unusual clue: four mushroom emojis hidden inside the text “OUTL.” So far, this marker has been linked to more than 75 separate attack setups.

The attackers collect stolen email usernames and passwords, along with the victim’s IP address and location. This information is then sent to the attackers using Telegram and Discord.

To trick users, the phishing page copies the Outlook login screen and displays prompts in Spanish, making it look legitimate to victims.

After a victim enters their login details, the phishing tool quickly adds extra context to the stolen data. It checks the user’s IP address using api.ipify.org and pulls location details from ipapi.co.

This data collection happens instantly, before the stolen credentials are sent to the attackers.

The campaign shows careful planning. Even though the attackers change how the code is hidden, the way the operation runs stays mostly the same.

Sage Hollow researchers first spotted the activity by noticing the repeated mushroom emoji marker, which helped them trace more related attacks.

Over time, the phishing kit has appeared in multiple versions. Some use heavy obfuscation and anti-analysis tricks, while others are left completely open and resemble AI-generated code. The latest version, disBLOCK.js, uses clean formatting, clear function names, and Spanish comments explaining each step — signs that the code was likely generated with AI rather than written fully by hand.

How the Phishing Kit Works

The phishing tool is designed with separate pieces, keeping its settings away from the main logic. In earlier versions, a file called xjsx.js was used to store Telegram bot details with only basic hiding techniques.

When someone enters their login details on the fake page, the tool runs through a set process. It checks whether the email address is valid, then reaches out to external services to collect IP and location information.

All stolen data is bundled into a standard message format and sent over regular HTTPS connections. The attackers use either Telegram bots or Discord webhooks to receive this information.

Newer samples rely more on Discord webhooks because they work as one-way channels. Even if the link is discovered, past data cannot be viewed.

This setup points to a shared phishing platform, where multiple attackers reuse the same toolkit across different campaigns.

Security Recommendations

• Organizations should enable phishing-resistant MFA on Microsoft accounts to reduce the impact of stolen passwords.
• Email gateways should be tuned to detect look-alike Outlook login pages and block messages that redirect users to external authentication sites.
• Security teams should monitor outbound traffic for suspicious connections to Telegram bot APIs and Discord webhooks, especially from user workstations.
• User awareness remains critical. Employees should be reminded to verify login pages and avoid entering credentials through email links.
• Incident response teams should reset affected credentials immediately and review sign-in logs for abnormal locations and IP addresses.

The post AI-Driven Phishing Kit Targets Microsoft Accounts appeared first on First Hackers News.

How the iCloud Calendar Phishing Scam Works

Attackers use iCloud Calendar invites to send fake emails. These emails come from Apple’s servers, so they seem real. Here’s how the scam operates:

• Fake Alerts: The emails pretend to be purchase or account notifications. Thus, users think they’re from Apple.
• Bypassing Filters: Since they use Apple’s servers, spam filters often miss them. As a result, they reach your inbox.
• Dangerous Links: The invites have links to phishing websites. These sites steal your login details or install malware like Agent Tesla.

For example, similar scams have targeted Google Calendar and Microsoft 365, showing a growing trend.

This iCloud Calendar phishing scam is risky for several reasons:

• Trusted Source: Emails from Apple’s servers look genuine. Hence, users trust them more.
• Wide Reach: Millions use iCloud. Therefore, attackers can target many people.
• Sneaky Methods: Attackers use SVG attachments to dodge email filters. This helps them spread malware or steal data.

In short, this scam exploits trust in Apple, making it very dangerous.

How to Stay Safe from Phishing Scams

• Check the Sender: Look closely at the email address. Even if it seems like Apple’s, check for odd details.
• Avoid Strange Links: Don’t click links in unexpected calendar invites. Instead, delete them.
• Use Two-Factor Authentication: Turn on 2FA for your Apple ID. This adds extra security.
• Update Security Tools: Keep your antivirus software current to catch malware.
• Report Suspicious Emails: If an invite looks fishy, report it to Apple and delete it.

By following these steps, you can stay safe from phishing attacks.

The post iCloud Calendar Phishing Scam: Cybercriminals Use Apple’s Servers appeared first on First Hackers News.

WHAT IS SMTP SMUGGLING?

SMTP (Simple Mail Transfer Protocol) Smuggling is a technique used by attackers to manipulate the behavior of mail servers during the email transmission process. It involves exploiting inconsistencies or variations in the way different servers interpret and implement the SMTP protocol.

In a typical SMTP transaction, there are two phases: the client’s request to the server (DATA phase) and the server’s response. SMTP Smuggling takes advantage of discrepancies in how proxy servers and mail servers interpret the length of the message content during these phases.

By carefully crafting the headers and body of an email, attackers can deceive the servers into misinterpreting the message length, leading to discrepancies between the front-end proxy server and the back-end mail server. This can result in various security issues, such as bypassing security filters, evading detection, and enabling malicious activities like spoofing or injecting arbitrary content into emails.

SMTP Smuggling attacks are a type of protocol-level manipulation, exploiting the intricacies of communication between different components in the email delivery process. Defending against SMTP Smuggling often involves implementing secure and consistent configurations across all involved mail servers and proxies to prevent the exploitation of these protocol variations.

SMTP smuggling centers around inconsistencies in how distinct servers process the end-of-data sequence (<CR><LF>.<CR><LF>). Through exploiting these variations, attackers can escape the standard message data, introducing unauthorized commands.

This method relies on the inbound server’s ability to accept multiple SMTP commands in a batch, a functionality widely supported by most servers today.

Thorough investigation into this vulnerability has uncovered that SMTP servers belonging to major email providers such as Microsoft, GMX, and Cisco are susceptible to this exploit. Although Microsoft and GMX have taken steps to address these issues, Cisco has categorized the findings as a feature rather than a vulnerability and has opted not to modify the default configuration.

WHAT IS THE DANGER OF SMTP VULNERABILITY?

SMTP smuggling poses alarming implications as attackers can send deceptive emails from seemingly credible sources, evading authentication checks like DKIM, DMARC, and SPF.

In essence, employing this technique could allow fraudsters to infiltrate corporate emails previously immune to spam. While companies implementing this security method are likely cognizant of the risks and employ additional protective measures, the exposure itself increases the overall vulnerability to potential cyberattacks.

MITIGATING THE EFFECTS OF VULNERABILITY

To mitigate the effects of SMTP vulnerability:

1. Implement Security Updates: Regularly update and patch SMTP servers to address known vulnerabilities and ensure they are equipped with the latest security measures.
2. Enable Encryption: Utilize encryption mechanisms, such as STARTTLS, to secure the communication channels between SMTP servers and prevent eavesdropping or unauthorized access.
3. Protocol Compliance: Ensure that SMTP servers adhere to standardized protocols and follow best practices to minimize the risk of exploitation through protocol-level vulnerabilities.
4. Network Monitoring: Implement robust network monitoring tools to detect unusual SMTP traffic patterns, which may indicate potential exploitation or malicious activities.
5. Authentication Mechanisms: Strengthen authentication mechanisms, including enforcing strong passwords and implementing multi-factor authentication, to prevent unauthorized access to SMTP servers.
6. Implement Access Controls: Configure access controls to restrict access to SMTP servers only to authorized personnel, reducing the risk of unauthorized manipulation or exploitation.
7. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in the SMTP infrastructure.
8. User Awareness Training: Educate users about phishing attacks and social engineering tactics that may exploit SMTP vulnerabilities, emphasizing vigilance in email interactions.
9. Intrusion Detection and Prevention: Deploy intrusion detection and prevention systems to monitor and block suspicious activities or unauthorized access attempts targeting SMTP servers.
10. Collaborate with Vendors: Stay informed about vendor advisories, security updates, and patches related to SMTP vulnerabilities, and promptly apply recommended mitigations.
11. Incident Response Plan: Develop and maintain an incident response plan specific to SMTP vulnerabilities, outlining procedures for detecting, responding to, and recovering from potential security incidents.
12. Backup and Recovery: Regularly back up critical email data and ensure the availability of efficient recovery mechanisms to minimize data loss in the event of a security breach.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post SMTP Smuggling Emerges as a Fresh Email Security Concern appeared first on First Hackers News.

Cybercriminals are exploiting Google Search Ads to promote phishing websites, with a focus on pilfering user credentials—especially those associated with Kinsta’s crucial service, MyKinsta, used for managing WordPress and other cloud-based applications.

KINSTA PHISHING: HACKERS EXPLOIT GOOGLE ADS

In an email notification, Kinsta reveals that cybercriminals are employing Google Ads as their primary method for phishing attacks.

These malicious actors intentionally focus on individuals who have previously visited Kinsta’s official websites. They create deceptive websites closely resembling Kinsta’s own, skillfully luring users to click on them.

The email from Kinsta states:

The main goal was to entice users to input their Kinsta login credentials on the fraudulent website. Once obtained, attackers could leverage these credentials to access users’ WordPress websites, potentially leading to severe consequences. This may involve:

• Compromised websites may expose sensitive information, including customer data, financial details, and intellectual property.
• Attackers could inject malicious code into compromised websites, redirecting visitors to phishing sites or facilitating the spread of malware. The website’s content may be defaced or substituted with malicious messages.
• Access to payment gateways or sensitive financial information could result in financial losses for users or their clients.
• A successful phishing attack might tarnish Kinsta’s reputation, raising concerns about its security measures and eroding user trust.

Google Ads, a widely-used advertising platform, is regrettably gaining popularity among hackers and cybercriminals, who exploit its broad reach and visibility for various malicious activities.

Google Ads were used to promote counterfeit downloads for popular software such as Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave on several websites.

PROTECTING AGAINST PHISHING THREATS

To safeguard against phishing threats:

1. Stay Informed: Stay updated on the latest phishing tactics and techniques.
2. Verify Emails: Verify the legitimacy of emails, especially those requesting sensitive information or containing unexpected links.
3. Use Security Software: Employ reliable antivirus and anti-phishing tools to detect and prevent phishing attempts.
4. Check URLs: Hover over links to preview the destination URL before clicking. Be cautious of misspellings or slight variations in web addresses.
5. Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling 2FA on your accounts.
6. Educate Users: Provide training and awareness programs to educate individuals about recognizing and avoiding phishing attempts.
7. Report Suspicious Emails: Encourage users to report any suspicious emails promptly.
8. Regularly Update Software: Keep software, browsers, and security tools up to date to patch vulnerabilities.
9. Use Secure Connections: Ensure that websites use HTTPS, and avoid entering sensitive information on unsecured sites.
10. Implement Email Filtering: Utilize advanced email filtering systems to identify and block phishing emails before they reach users.
11. Employ DMARC Protection: Implement DMARC (Domain-based Message Authentication, Reporting, and Conformance) to prevent email spoofing.
12. Conduct Simulated Phishing Tests: Regularly conduct simulated phishing tests to evaluate users’ susceptibility and reinforce security awareness.

The post Kinsta Alerts About Phishing Campaign on Google Ads appeared first on First Hackers News.

According to the project’s GitHub description, RETVec undergoes training to exhibit resilience against character-level manipulations, encompassing insertion, deletion, typos, homoglyphs, LEET substitution, and other variations.

The RETVec model undergoes training using an innovative character encoder that efficiently encodes all UTF-8 characters and words.

While major platforms such as Gmail and YouTube depend on text classification models to detect phishing attacks, inappropriate comments, and scams, threat actors are known to develop counter-strategies to evade these defense measures.

They have been observed employing adversarial text manipulations, ranging from homoglyph usage to keyword stuffing and even incorporating invisible characters.

RETVec, with its out-of-the-box compatibility for over 100 languages, strives to contribute to the development of more resilient and efficient server-side and on-device text classifiers, emphasizing robustness and efficiency.

Vectorization, a methodology in natural language processing (NLP), involves mapping words or phrases from vocabulary to corresponding numerical representations. This process facilitates further analysis, including sentiment analysis, text classification, and named entity recognition.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Google Introduces RETVec: Gmail’s Latest Safeguard Against Spam and Malicious Emails appeared first on First Hackers News.

Anticipated to surpass 2022 sales, Black Friday and Cyber Monday on November 24 and November 27, 2023, are projected to outperform previous records. In 2022, consumer spending peaked at $9.12 billion on Black Friday and $11.3 billion on Cyber Monday, with global online sales reaching $40 billion by 5 PM ET, as per Salesforce analytics.

Yet, the shopping frenzy also presents a significant opportunity for financially-motivated cybercriminals to exploit unsuspecting shoppers, capitalizing on their ignorance.

Here are the key points consumers and enterprises should be aware of for a secure and prosperous shopping season:

Watch Out for Malicious Emails

Phishing stands out as a prevalent method through which cybercriminals aim to lure their targets into malicious activities. Whether through phishing and spear phishing emails, smishing messages, or vishing calls disguised as promotional offers, the real intent is often to deliver malware or pilfer credentials and financial information.

“The key advice for employees is to remain cautious of email promotions advertising products at prices that seem too good to be true. It’s crucial to enhance staff awareness and education on phishing emails, including the tactics criminals use, such as spoofing websites to steal credit card data and passwords,” emphasized Boyd.

Recognizable signs of phishing encompass unsolicited communication, grammatical errors, content inducing a sense of urgency, unexpected attachments, unfamiliar sender addresses, and communications at unusual hours.

Boyd suggests employees avoid using the same password across multiple online accounts, opting instead for multifactor authentication and employing email security tools.

Adopt Email Marketing Policy Change

In October 2023, Google and Yahoo unveiled a marketing email policy change focused on authenticating messages to enhance spam and scam prevention. The policy mandates that companies sending over 5,000 emails on either platform must implement the following three authentication methods:

1. Sender Policy Framework (SPF)
2. Domain Keys Identified Mail (DKIM)
3. Domain-based Message Authentication Reporting and Conformance (DMARC)

“Recent announcements by Google and Yahoo are reshaping the intersection of marketing and cybersecurity, transforming email authentication standards from recommended best practices to mandatory marketing requirements. Unauthenticated messages will be rejected, shifting SPF, DKIM, and DMARC from the SOC to the boardroom, redefining the email marketing baseline,” said Seth Blank, CTO at Valimail, to Spiceworks.

The new policy is set to take effect in February 2023 for Google and Q1 2024 for Yahoo. Blank emphasized that 2023 is notably distinct, as marketers seek to swiftly distinguish themselves from scammers.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Ensuring Your Security During Black Friday and Cyber Monday 2023 appeared first on First Hackers News.

All about Email Marketing:

Email marketing represents a form of direct communication, specifically tailored to users displaying interest in a company’s products or services. This approach enables messages to directly reach customers, facilitating personalized communication.

However, it’s important to note that this can occasionally result in higher bounce rates, while also fostering greater customer engagement.

Email marketing places human contact at the core of promotional strategies. Rather than depending solely on impersonal methods, it seeks to establish a personal channel of communication with customers, rendering the communication more direct and authentic.

Via an email address, messages are crafted and promptly delivered to the recipient, fostering interaction by enabling customers to respond. Most importantly, this approach allows for the personalization of communication, as messages can be customized to align with the unique needs and interests of individual clients.

Emails should be carefully crafted to convey vital information regarding the products or services offered by the company.

Types of Email Marketing 

To harness the full potential of email marketing, it is crucial to familiarize yourself with the various types of marketing emails at your disposal. Strategies and approaches may differ depending on the email type, and each of them can confer specific advantages for your business.

1. Informational Emails: Informational emails serve as a valuable tool in email marketing. They are designed to deliver essential information to your customers, such as announcing new products or upcoming offers.
2. Transactional Emails: Transactional emails are dispatched following a successful transaction. These emails can also be utilized to promote additional products or services to customers.
3. Regular Newsletters: Regular newsletters represent a highly effective technique for maintaining engagement with your audience. They provide a consistent means of communicating important updates, promotions, and valuable content to your subscribers.

The benefits of email marketing for your business growth

Email marketing offers numerous benefits for your business growth. Here are some of the key advantages:

1. Cost-Effective: Email marketing is one of the most cost-effective forms of marketing. It doesn’t require the same advertising expenses as traditional media or paid social media campaigns. You can reach a large audience with a relatively small budget.
2. Targeted Audience: With email marketing, you can segment your audience based on various factors such as demographics, purchase history, or engagement level. This allows you to send highly targeted and relevant content to different groups, increasing the likelihood of conversions.
3. High ROI: Email marketing consistently delivers a high return on investment (ROI). When done effectively, it can generate significant revenue for your business. The low cost and ability to reach a receptive audience contribute to its high ROI.
4. Personalization: Email marketing allows for personalization, which enhances the customer experience. You can address recipients by their names and tailor content to their preferences, increasing engagement and conversion rates.
5. Automation: Email marketing platforms offer automation features that enable you to send automated messages based on triggers, such as welcome emails, abandoned cart reminders, and follow-up emails. Automation saves time and ensures timely communication with customers.
6. Measurable Results: Email marketing provides detailed metrics and analytics, allowing you to track open rates, click-through rates, conversion rates, and more. This data helps you refine your strategies and make data-driven decisions.
7. Increased Traffic: Email marketing can drive traffic to your website, blog, or social media profiles. You can include links in your emails to direct recipients to specific landing pages, increasing website visits and engagement.
8. Builds Customer Loyalty: Consistent and valuable email communication can strengthen your relationship with customers. It keeps your brand top-of-mind and encourages repeat purchases, fostering customer loyalty.
9. Global Reach: Email marketing enables you to reach a global audience. You can send emails to subscribers and customers anywhere in the world, expanding your business’s reach beyond geographical boundaries.
10. Easily Shareable: Recipients can easily forward your emails to others who might be interested in your products or services, helping to expand your customer base through word-of-mouth referrals.
11. A/B Testing: You can conduct A/B tests on different elements of your emails, such as subject lines, content, and CTAs. This helps you refine your email marketing strategy for better results.
12. Compliance and Privacy: Adhering to email marketing regulations and respecting subscribers’ privacy is essential. Following best practices and obtaining consent builds trust and maintains a positive reputation.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post The importance of email marketing for businesses appeared first on First Hackers News.

The attacker may use social engineering techniques to make their email look genuine and include a request to click on a link, open an attachment, or provide other sensitive information, such as login credentials.

How to Spot Phishing emails?

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. You might get an unexpected email or text message that looks like it’s from a company you know or trust, like a bank or credit card or utility company. Or maybe it’s from an online payment website or app. 

1. Emails Demanding Urgent Action

2. Emails with Bad Grammar and Spelling Mistakes

3. Emails with an Unfamiliar Greeting or Salutation

4. Inconsistencies in Email Addresses, Links & Domain Names

5. Suspicious Attachments

6. Emails Requesting Login Credentials, Payment Information or Sensitive Data

How to Avoid scams:

1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes on news about new phishing scams.

2. Think Before You Click!  –A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information, but the email may not contain your name. Most phishing emails will start with “Dear Customer” so you should be alert when you come across these emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.

3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it.

4. Verify a Site’s Security –  Make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well.  Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products.

5. Check Your Online Accounts Regularly –To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

6. Keep Your Browser Up to Date –  Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit.

7. Use Firewalls –Firewalls are an effective way to prevent external attacks, acting as a shield between your computer and an attacker. Both desktop firewalls and network firewalls, when used together, can bolster your security and reduce the chances of a hacker infiltrating your environment. 

8. Be Wary of Pop-Ups –Pop-up phishing involves fraudulent messages that “pop up” for users when they are surfing the web. In many cases cyber criminals infect otherwise legitimate websites with malicious code that causes these pop-up messages to appear when people visit them.

9. Use Antivirus Software – Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date.

10.Eliminate the Obvious – Some fake websites are just too poorly implemented to convince anyone who’s paying attention. If you link to a site and it just looks like garbage, press Ctrl+F5 to totally reload the page, in case the bad appearance was a fluke. But if it still doesn’t look right, stay away.

The post The rise of phishing scams and how to avoid them. appeared first on First Hackers News.

What is IPFS ?

The InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data. It is designed to enable decentralized storage of resources on the internet. It was built to be resilient against content censorship, meaning that it is not possible to effectively remove content from within the IPFS network once it’s stored there.

This includes Dark Utilities, a command-and-control (C2) framework that’s advertised as a way for adversaries to avail remote system access, DDoS capabilities, and cryptocurrency mining, with the payload binaries provided by the platform hosted in IPFS.

Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.

However, researchers with Cisco Talos said that this legitimate use also makes it harder for security teams to sniff out malicious IPFS activity. This has been a driving factor behind a growing volume of malware samples – including Hannabi Grabber and Agent Tesla – in attacks this year that leverage IPFS.

Resources stored within IPFS can be accessed using an IPFS client or by building an IPFS “gateway” using publicly available tools. Any computer can download the IPFS software in order to start hosting and serving files, and because of this ease of use, coupled with challenges around the moderation of IPFS hosted content, IPFS is lucrative for attackers, said researchers.

In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim’s system.

Brumaghin said that attackers will continue to close in on new technologies that are related to the emerging concept of the distributed web, also referred to as Web3.

IOCS

3607ad99e031e5f5cfc93fc0886f0b79d6bcec5b8ed341beb9aadf1433fe8877
422ef98bf095435e5875a22607cd949b7befbee6cd800604145dd00ca44748d2
4e2d0315759262210266e77b3adff7ea3bf02e24f3a585c177d648d4ab20e0cf
7abeb65b5ca90bb2963d1eddb2c1ca3663aa0c8eb4401be375a429e98c36b1c9
9231bc7c1c33e51e0794e5f2364edc54be39160d48235bc74edac3b34a6cb41a
9eed6f3d692496d1bc0cfde4632a069585cd3dfa20af05ade322326a17c6eda9
a6ead3b89944a4f8b1a2c28d669c4e0029101c2f15600b8071bb6cc30a29e698
b0cb0be1dd30b6de83b2d5c7b91b21a0cb98f95ac4b2eebcc80b8efc688b2295
bf35e7ee59cf81f74be092d43acbb711377f115426db8e9f6f45fa1bbb3086b7
c092c2a4bc5f4587b4631b773aedaae59048002e59280e8c3448c8073f14a37e
c1beb3da95b1d28e3dbc2a192cbef0737e32fd75023da55d4dfa8d80d4f11463
c2f66871aeed4da97fb75a3d753bf3349257a5028a7c7a27ce043301d1bbc9a4
c35ddc08b1708ce739bbb96d5ace6bdec5bb0bc51533ac83fc88499bfe24b585
c7778e2be8b71fb75b9e53b651d17d7cdf3e25b6128fdd23224c582f08e5f72e
d8e16aa541f4c978f49126b25b8dd1efe19d51f9e92613e56dad1580036c2b0e
e311e522fc0a361a3f04e6594b1199f8fc1ccb01a390d0dd67f260969ca026cf
e7c3b0ad59ca932e4c293d3e76bd0c18a9d8b96b6bff5c88d917169b5f00b673
f844fee4de0dc8c0aa88c06a287db928aa307d804a1b630acf504f2192a7007f
138.201.103.170

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Several Cyber Attacks Observed Leveraging IPFS Decentralized Network appeared first on First Hackers News.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

Black Basta was observed deploying a custom EDR evasion tool used to displays a fake Windows Security GUI and tray icon which leaves users with the fake impression that Windows Defender is working properly, while in fact it has been disabled, along with EDR and antivirus tools.

The Sentinel Labs’s analysis revealed that Black Basta ransomware operators develop and maintain their own toolkit, they documented only collaboration with a limited and trusted set of affiliates.

The threat actors were disabling Windows Defender executing the following scripts:

\Windows\ILUg69ql1.bat
\Windows\ILUg69ql2.bat
\Windows\ILUg69ql3.bat

The attackers also used the same naming convention (ILUg69ql followed by a digit) for batch scripts found in different intrusions.

powershell -ExecutionPolicy Bypass -command “New-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender’ -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force” powershell -ExecutionPolicy Bypass -command “Set-MpPreference -DisableRealtimeMonitoring 1” powershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defende

One sample was packed with a backdoor — called BIRDDOG — that has been used in multiple past FIN7 operations and that beacons to a command-and-control server using the same bulletproof hosting services that FIN7 deploys. Code samples found on public malware repositories using the same packer pre-dated the creation of BIRDDOG by two months and revealed a Cobalt Strike DNS beacon. After further analysis, the researchers concluded that the packer used to compress BIRDDOG is an updated version.

“At this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new operations from the old,” researchers Antonio Cocomazzi and Antonio Pirozzi said. “It is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7.”

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers appeared first on First Hackers News.