  • BluStealer malware steals cryptocurrency and spreads through phishing emails

    Avast analysts talked about a malicious spam campaign spreading BluStealer malware that steals cryptocurrency.

    This info-stealer is designed to “pull” Bitcoin, Ethereum, Monero and Litecoin from popular wallets: ArmoryDB, Bytecoin, Jaxx Liberty, Exodus, Electrum, Atomic, Guarda and Coinomi.

    In total, experts tracked more than 12,000 phishing emails around the world.


    In mid-September, the Avast Threat Intelligence team recorded a surge in malicious activity – phishing emails using the names of the shipping company DHL and the Mexican metallurgical company General de Perfiles, and distributing the BluStealer malware.

    An example of a phishing email

    As a rule, such messages say that a parcel was delivered to the company’s head office because the recipient was not on site. The recipient is then asked to fill out the attached document so that the delivery can be forwarded. When the user tries to open it, the BluStealer installation starts.

    In phishing campaigns associated with General de Perfiles, recipients receive emails stating that they have overpaid their bills and that some credit has been saved for them, which will be included in the invoice of the next purchase. As in the campaign imitating DHL, the General de Perfiles message contains BluStealer as an attachment.

    The countries most affected by BluStealer are Russia, Turkey, USA, Argentina, UK, Italy, Greece, Spain, France, Japan, India, Czech Republic, Brazil and Romania. Russian users alone received 139 such emails.

    A large number of the malware samples studied by Avast belonged to one specific campaign, which was identified by its unique .NET downloader. For example, the spam messages contained .iso attachments and download URLs; these attachments contain executable malware files packaged with the mentioned .NET loader.

    “BluStealer combines the functionality of a keylogger and document downloader, and also steals cryptocurrency: it can steal data from cryptocurrency wallets, such as private keys and credentials, as a result of which the victim can lose access to their assets,” Avast researchers say.

    BluStealer is also able to detect cryptocurrency addresses copied to the clipboard and replace them with addresses previously set by the cybercriminals. As a result, the cryptocurrency ends up in the hands of the cybercriminals rather than at the address the transfer was actually meant for.

    Let me remind you that I also wrote about how BulletProofLink Cybercrime Offers Phishing as a Service.

  • The new version of the Jupyter malware is distributed through the MSI installer

    Security researchers have described a new version of the Jupyter malware, an info-stealer written in .NET that is known for attacking only medical and educational organizations.

    The new chain of infection, discovered by the specialists of the information security company Morphisec on September 8, 2021, not only confirms the ongoing activity of the malware, but also demonstrates “how cybercriminals continue to develop their attacks to make them more effective and elusive.”

    First documented in November 2020, the Jupyter (also known as Solarmarker) malware was allegedly created by Russian developers and is designed to steal data from Firefox, Chrome and Chromium-based browsers.

    “Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality,” Morphisec researchers wrote.

    In addition, the malware is a full-fledged backdoor: it can steal data and upload it to a remote server, and download and execute payloads. According to Morphisec, new versions of Jupyter have been appearing since May 2020.

    “The Jupyter developer is constantly modifying and supplementing the original Jupyter in an effort to collect as much information as possible about the compromised machines. It is not yet clear what the ultimate goal of this campaign is, but in theory, stolen data can be used for sale, and hackers can use compromised machines as entry points into companies’ networks for further attacks,” the researchers write.

    In August 2021, Cisco Talos experts attributed the attacks to “a truly highly skilled attacker, primarily aimed at stealing credentials and other data.”

    In February of this year, cybersecurity company CrowdStrike described the malware as being packaged in a multi-stage, heavily obfuscated PowerShell loader that leads to the execution of a .NET backdoor.

    Although previous attacks used legitimate files of well-known software such as Docx2Rtf and Expert PDF, the recently discovered chain of infections began to use the Nitro Pro PDF application.

    The attack begins with an MSI installer that is over 100 MB in size, a bulk that helps the attackers bypass anti-virus solutions. The installer is obfuscated with the third-party Advanced Installer application packer.

    Once the MSI is launched, a PowerShell loader embedded in a legitimate Nitro Pro 13 file is executed; two versions of that file are signed with authentic digital certificates belonging to a real company in Poland. Finally, the loader decodes and runs the .NET Jupyter module in memory.

    Let me remind you that I also wrote about how the Swarez Trojan and Dropper Distributed under the Disguise of 15 Popular Games.

  • BulletProofLink Cybercrime Offers Phishing as a Service

    Microsoft experts argue that BulletProofLink (aka BulletProftLink or Anthrax), a phishing-as-a-service (PHaaS) cybercriminal operation, is responsible for many of the phishing campaigns that have targeted companies and organizations in recent years.

    It should be noted that BulletProofLink was first discovered back in October 2020 by OSINT Fans researchers, who published a series of articles (1, 2, 3) describing some of the mechanisms of the PHaaS platform.

    Researchers now report that BulletProofLink’s attackers provide cybercriminals with a variety of subscription services, from selling phishing kits (collections of phishing pages and templates that mimic the login forms of well-known companies) and email templates, to hosting and automated services.


    Basically, customers simply sign up to BulletProofLink for an $800 fee and the BulletProofLink operators do the rest for them. Their services include: setting up a web page to host a phishing site, installing the phishing template itself, configuring a domain (URL) for the phishing sites, sending phishing emails to victims, collecting the credentials obtained during these attacks, and then delivering the stolen logins and passwords to their paying (“solvent”) clients at the end of the week.

    If a customer wants to change their phishing templates, the BulletProofLink operators run a separate store where attackers can buy new attack templates for between $80 and $100 each. There are currently about 120 different templates available in the BulletProofLink store, and the site offers tutorials to help customers use the service.


    Microsoft researchers also report that the BulletProofLink operators are not above cheating their own customers: the service keeps copies of all collected credentials, which are then sold on the darknet for additional profit.

    Microsoft describes BulletProofLink as a technically sophisticated operation, and notes that the service operators often use hacked sites to host their phishing pages. In some cases BulletProofLink also tampers with the DNS records of hacked sites in order to create subdomains for hosting phishing pages.


    “When we investigated phishing attacks, we found a campaign that used a large number of newly created and unique subdomains – more than 300,000 at a time,” say the experts, describing the scale of BulletProofLink’s work.

    Microsoft calls this tactic “infinite subdomain abuse.” It allows attackers to create a unique URL for each phishing victim using only one domain, bought or compromised specifically to carry out the attacks. Even worse, unique URLs make such attacks harder to prevent and detect, because security solutions usually rely on exact matching of domains and URLs.
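    The detection gap described above comes from matching exact hostnames. The following added example (my own code, not Microsoft’s and not from the article) shows one defensive counter: normalise every URL to its registrable domain (eTLD+1) and flag a domain that fronts an unusually large number of distinct subdomains. The URL sample and the tiny suffix table are constructed assumptions; a real deployment would use the full Public Suffix List.

```python
"""Flag registrable domains fronting an unusual number of distinct subdomains.

Added example, not code from the article or from Microsoft. The URL sample and
the suffix table below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a minimal stand-in for the Public Suffix List (PSL). Use the real
# PSL in production, otherwise 'co.uk'-style hosts are grouped wrongly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def subdomain_cardinality(urls):
    """Map each registrable domain to the set of distinct hostnames seen under it."""
    seen = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            seen[registrable_domain(host)].add(host)
    return seen


def flag_subdomain_abuse(urls, threshold=5):
    """Return {registrable_domain: distinct_host_count} for domains at or over threshold."""
    return {
        base: len(hosts)
        for base, hosts in subdomain_cardinality(urls).items()
        if len(hosts) >= threshold
    }


def exact_host_blocked(url, blocked_hosts):
    """Naive blocklist check: exact hostname match only (what per-victim subdomains defeat)."""
    return urlsplit(url).hostname in blocked_hosts


def base_domain_blocked(url, blocked_bases):
    """Blocklist check on the registrable domain, which survives per-victim subdomains."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in blocked_bases


# Constructed sample: six per-victim hostnames under one phishing domain, plus
# two ordinary hostnames under a legitimate multi-label suffix.
VICTIM_TOKENS = ["k3x9a2", "p7q1m4", "z8r5n0", "d2w6y7", "h4t0c3", "v9j3e8"]
SAMPLE_URLS = [
    f"https://{tok}.secure-login.example/sign-in?id={i}"
    for i, tok in enumerate(VICTIM_TOKENS)
] + [
    "https://www.shop.co.uk/",
    "https://mail.shop.co.uk/inbox",
]

if __name__ == "__main__":
    print(flag_subdomain_abuse(SAMPLE_URLS))          # {'secure-login.example': 6}
    first = SAMPLE_URLS[0]
    print(exact_host_blocked(first, {"p7q1m4.secure-login.example"}))  # False
    print(base_domain_blocked(first, {"secure-login.example"}))         # True
```

    The threshold is deliberately a parameter: a legitimate SaaS provider with per-tenant subdomains will also show high cardinality, so this signal is best combined with domain age, certificate issuance data and the URL path pattern rather than used alone.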

    Let me remind you that we also wrote about how The Capoae malware installs a backdoor plugin on WordPress sites.

  • Cring ransomware operators exploit 11-year-old Adobe ColdFusion vulnerability

    An unknown cybercriminal group remotely hacked into a server running an outdated version of Adobe ColdFusion 9 and seized control of it in a matter of minutes; 79 hours later they deployed the Cring ransomware on the server.

    The server, owned by an unnamed service provider, was used to collect timesheets and accounting data for payroll, as well as to host a number of virtual machines.

    According to the experts of the information security company Sophos, the attacks were carried out from an Internet address belonging to the Ukrainian Internet provider Green Floid.

    “In an attack recently investigated by Sophos, an unknown threat actor exploited an ancient-in-internet-years vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take control of the ColdFusion server remotely, then to execute ransomware known as Cring on the server, and against other machines on the target’s network,” Sophos specialists write.

    Sophos senior researcher Andrew Brandt says devices running outdated, vulnerable software are a tempting target for hackers.

    The big surprise, however, is that the server with 11-year-old software attacked by the ransomware was in active daily use. As a rule, the most vulnerable systems are unused devices or forgotten “ghost machines”.

    After gaining initial access to the server, the attackers used various sophisticated methods of hiding malicious files, injecting code into memory, and covering their tracks by overwriting files with garbage data. In addition, the attackers disabled security solutions, taking advantage of the fact that tamper protection was turned off.

    In particular, the attackers exploited directory traversal vulnerabilities (CVE-2010-2861) in the administration console of Adobe ColdFusion 9.0.1 and earlier. The vulnerabilities allowed remote reading of arbitrary files, including the file containing administrator password hashes (password.properties).

    In the next stage of the attack, the hackers exploited an even older ColdFusion vulnerability (CVE-2009-3960) to upload a malicious Cascading Style Sheet (CSS) file to the server, which in turn downloaded the Cobalt Strike Beacon executable.

    This file served as a conduit for downloading additional payloads, creating accounts with administrator privileges, and even disabling endpoint protection and anti-virus engines like Windows Defender before starting the encryption process.

    Let me remind you that we also wrote about how Strange malware prevents victims from visiting pirate sites.

  • The Capoae malware installs a backdoor plugin on WordPress sites

    Akamai experts write that Capoae malware infiltrates WordPress sites, installs a plugin with a backdoor on them, and then uses the system to mine cryptocurrency.

    Expert Larry Cashdollar warns that the main tactic of this malware is spreading through vulnerable systems and cracking weak administrator credentials. Cashdollar named the sample he studied Capoae.


    The malware is delivered to hosts running WordPress via a backdoored version of the download-monitor plugin, which the cybercriminals install on sites after successfully brute-forcing credentials.

    The attack also involves deploying a Golang binary: the obfuscated payload is retrieved via a GET request that the malicious plugin makes to the attacker’s domain.

    The malware can also decrypt and execute other payloads. In essence, the Golang binary exploits several RCE vulnerabilities in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062) and Jenkins (CVE-2019-1003029 and CVE-2019-1003030), alongside credential brute-forcing, to work its way into systems and ultimately launch the XMRig miner.

    The attackers do not forget that they need to stay unnoticed. To do this, they pick the least suspicious-looking paths on disk, directories where real system files live, and create a file with a random six-digit name, which is then copied to another location (the malware deletes itself after execution).

    “The use of multiple vulnerabilities and tactics in the Capoae campaign underscores how seriously the operators [of this malware] intend to gain a foothold in as many systems as possible. The good news is that the same security methods that we recommend for most organizations still work here. Do not use weak or default credentials for servers or applications deployed there. Make sure to keep your applications up to date with the latest security fixes and check them from time to time,” the expert sums up.
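    Two of the intrusions above leave the same kind of evidence in web server access logs: the Cring attackers read password.properties through a directory traversal request, and Capoae gets in by brute-forcing WordPress credentials. The following added example (my own code, not from Akamai, Sophos or the article) triages a batch of Apache combined-format log lines for both patterns. The log lines are constructed; the request paths in them are placeholders, not the real exploit strings; and the assumption that a failed WordPress login is logged as a POST to /wp-login.php with status 200 (success redirects with 302) reflects default WordPress behaviour.

```python
"""Triage web access logs for traversal reads and login brute-forcing.

Added example, not code from the article or the vendors it cites. The log
lines are constructed; request paths are placeholders, not real exploit URLs.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fully_decode(s, max_rounds=4):
    """Percent-decode repeatedly until stable, so %252e%252e%2f becomes '../'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target):
    """True if the decoded request contains a '..' path segment or names password.properties."""
    decoded = fully_decode(target)
    segments = re.split(r"[/\\]", decoded)
    return ".." in segments or "password.properties" in decoded.lower()


def traversal_hits(lines):
    """Return [(ip, decoded_target)] for every request that looks like a traversal read."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_traversal(rec["target"]):
            hits.append((rec["ip"], fully_decode(rec["target"])))
    return hits


def login_bruteforce(lines, threshold=5):
    """Return {ip: failed_attempts} for sources with >= threshold failed wp-login POSTs.

    Assumption: a failed WordPress login re-renders the form (HTTP 200); a
    successful one redirects (HTTP 302), so only 200s are counted as failures.
    """
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["target"].split("?", 1)[0]
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == "200":
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Constructed sample log (RFC 5737 documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Sep/2021:10:01:02 +0000] "GET /app/view?file=%2E%2E%2F%2E%2E%2Fconf%2Fpassword.properties HTTP/1.1" 200 1234 "-" "curl/7.68"',
    '203.0.113.7 - - [20/Sep/2021:10:01:09 +0000] "GET /app/view?file=%252e%252e%2f%252e%252e%2fetc%2fhosts HTTP/1.1" 200 512 "-" "curl/7.68"',
    '192.0.2.44 - - [20/Sep/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [20/Sep/2021:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [20/Sep/2021:10:05:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.25"'
    for i in range(6)
] + ["this line is not in combined format"]

if __name__ == "__main__":
    for ip, target in traversal_hits(SAMPLE_LOG):
        print("traversal:", ip, target)
    print("brute force:", login_bruteforce(SAMPLE_LOG))  # {'198.51.100.9': 6}
```

    Decoding until the string stops changing is what catches the double-encoded second line; a single decode would leave `%2e%2e/` in place and the segment check would miss it. The brute-force counter is intentionally a plain count per source; in production you would bucket it by time window and exclude known-good sources, but the 200-versus-302 distinction is what turns a noisy POST count into a failed-login count.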

    Let me remind you that I also wrote about how Researchers warned of new DarkRadiation ransomware.
