OPWNAI : Cybercriminals Starting to Use ChatGPT

(published: January 6, 2023)

Background:

Check Point researchers have detected multiple underground forum threads describing experiments with, and abuse of, ChatGPT (Generative Pre-trained Transformer), the artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to make the model write malicious code while evading the ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool.

Takeaway:

ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, they can be dangerous tools, enabling even low-skill threat actors to create convincing social-engineering lures and even new malware.

Turla: A Galaxy of Opportunity

(published: January 5, 2023)

Background:

Russia-sponsored group Turla re-registered expired domains of the old Andromeda malware to select a Ukrainian target from among the existing victims. An Andromeda sample known since 2013 infected the Ukrainian organization in December 2021 via a user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance; two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022.

Takeaway:

Advanced groups often use commodity malware to blend their traffic with less sophisticated threats. Turla’s tactic of re-registering old but still active C2 domains gives the group a way in to the pool of existing targets. Organizations should be vigilant about all kinds of existing infections and clean them up, even those assessed as “less dangerous.”


SpyNote: Spyware with RAT Capabilities Targeting Financial Institutions

(published: January 5, 2023)

Background:

In the last quarter of 2022, ThreatFabric researchers detected a significant increase in volume for the SpyNote (SpyMax) Android spyware. The latest version, SpyNote.C, was marketed by its developer under the Cypher Rat alias. It received additional capabilities to target mobile banking applications. In October 2022, the developer made the SpyNote.C (Cypher Rat) source code public and moved on to work on a newer private spyware dubbed CraxsRat.

Takeaway:

It is paramount that users use the official Google Play store and review all available information regarding an application prior to downloading, even if the application is located on an official app store. This review can include a look at the comments (while keeping in mind that some comments could be fake) and examining the permissions an application will request upon installation.

BlindEagle Targeting Ecuador With Sharpened Tools

(published: January 5, 2023)

Background:

Financially-motivated threat group APT-C-36 (Blind Eagle) has been active in South America since 2018. Its new campaign targets Ecuador and Colombia with phishing emails impersonating government agencies. APT-C-36 relies on target IP geolocation to limit targeting to one or two countries. The group continues to refine its tools and experiment with new infection chains. APT-C-36 has been adding features to the leaked QuasarRAT code base and abusing the living-off-the-land tool mshta.

Takeaway:

When receiving a purported government email, determine whether email is a proper channel of communication for the alleged agency. Double-check the sender information and the domain names of the links that the email prompts you to click.

Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe

(published: January 3, 2023)

Background:

An upgraded version of the Raspberry Robin automated framework has been detected targeting Spanish- and Portuguese-speaking financial organizations in Europe. The latest version of Raspberry Robin received a modified execution mechanism, more extensive code obfuscation, and an added encryption layer. The malware employs multiple anti-analysis techniques and collects a larger number of information points for victim fingerprinting.

Takeaway:

These new Raspberry Robin samples seem to share the C2 IP address with the previous iteration. Block known Raspberry Robin indicators and adhere to basic anti-phishing measures.

Ransomware Gang Cloned Victim’s Website to Leak Stolen Data

(published: January 1, 2023)

Background:

On December 26, 2022, the ALPHV (BlackCat) ransomware group added a new channel for exposing stolen information. After a compromised company in the financial services industry refused to pay the ransom, ALPHV released the exfiltrated data on its .onion website, while also releasing it via a clearnet domain typosquatting the company’s name.

Takeaway:

The ALPHV ransomware group is continuously innovating (previously it was the first to enable a search function for the stolen data). Ransomware is an evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allow recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.
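Two takeaways in this digest come down to the same check: the BlindEagle entry advises double-checking sender and link domains in a purported government email, and the ALPHV entry shows a leak site hosted on a domain typosquatting the victim’s own name. The script below is an added example written for this digest, not code from Check Point, Mandiant, or any of the vendors cited; it applies one lookalike-domain classifier to both situations. The trusted domain list, the sample email, and the substitution table are constructed for illustration, and the “registrable domain” logic is a deliberate simplification (last two labels, no public-suffix list) that a production tool would replace.

```python
"""Lookalike-domain triage: email sender/link checks and brand monitoring.

Added example (not from the original digest). All domains and the sample
email are constructed; the homoglyph table is illustrative, not exhaustive.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed: the organisation's legitimate registrable domains.
TRUSTED = {"agency.example", "acme.example"}

# Constructed: visually similar substitutions commonly seen in lookalike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold look-alike substitutions so 'acrne' compares as 'acme'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances flag near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: registrable domain = last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_domain(host: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    dom = registrable(host)
    if dom in trusted:
        return "trusted"
    name = normalize(dom.split(".")[0])
    for t in trusted:
        # Trusted name embedded as a subdomain of an attacker-controlled domain.
        if t in host:
            return "lookalike"
        tname = normalize(t.split(".")[0])
        # Same name after homoglyph folding, trusted name used as a prefix/infix,
        # or within a small edit distance of the trusted name.
        if name == tname or tname in name or \
                levenshtein(name, tname) <= max(1, len(tname) // 5):
            return "lookalike"
    return "unrelated"


def check_email(raw: str, trusted: set) -> dict:
    """Classify the From and Reply-To domains and every link host in the body."""
    msg = message_from_string(raw)
    result = {}
    for field, key in (("From", "sender"), ("Reply-To", "reply_to")):
        m = re.search(r"@([\w.-]+)", msg.get(field, ""))
        dom = m.group(1) if m else ""
        result[key] = (dom, classify_domain(dom, trusted) if dom else "missing")
    body = msg.get_payload()  # plain-text body in the constructed sample
    result["links"] = [
        (urlparse(u).hostname or "", classify_domain(urlparse(u).hostname or "", trusted))
        for u in re.findall(r"https?://[^\s\"'<>]+", body)
    ]
    return result


# Constructed sample: sender is a one-letter variant, Reply-To a prefixed
# variant, one link is genuine, one hides the trusted name in a subdomain.
SAMPLE_EMAIL = """From: "Agency Notices" <noreply@agencv.example>
Reply-To: help@agency-support.example
Subject: Notice 42
Content-Type: text/plain; charset=utf-8

Download your notice: https://docs.agency.example/notice/42
Or sign in at https://agency.example.login-portal.example/login
"""

if __name__ == "__main__":
    for key, value in check_email(SAMPLE_EMAIL, TRUSTED).items():
        print(key, value)
    # Brand monitoring: newly observed domains checked against our own names.
    for candidate in ("acrne.example", "acme-leaks.example", "news.example"):
        print(candidate, classify_domain(candidate, TRUSTED))
```

The same `classify_domain` call serves both uses: run it over the sender, Reply-To, and link hosts of a suspicious email, or over newly registered domains from a certificate-transparency or passive-DNS feed to catch a typosquat of your own name before it is used as a lure or a leak site. The edit-distance threshold scales with name length so that short names are not flagged on every one-character difference.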
