Security News
"This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns," Mandiant said in a new report. Some of the core features offered by the platform comprise the ability to craft customized phishing kits, manage redirect pages, dynamically generate URLs that host the payloads, and track the success of the campaigns.
It said the Eternity group - also known as EternityTeam and Eternity Project - is offering the multifunction LilithBot malware through a dedicated Telegram group and a Tor link where cybercriminals can acquire various payloads via subscriptions. The malware-as-a-service group has been active since at least January, distributing a range of modules under the Eternity brand that - along with the stealer and miner malware - include ransomware, a distributed denial-of-service bot, a worm and dropper, and a clipper that spoofs crypto addresses in wallets, the researchers wrote in a report.
A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan. Sold on the dark web for €189 a month, Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case Agent Tesla.
Hornetsecurity released an Email Threat Review, which cited a decline in Excel attacks, but reported a sharp increase in Intuit phishing attacks. This Help Net Security video reveals how criminals impersonate company brands and organizations to steal information.
NATO officials are investigating after criminals put up some data for sale on dark forums that they claim is "classified" information stolen from European missile maker MBDA. MBDA has denied any sensitive material has been compromised and said it had refused to pay the gang a ransom, claiming the data for sale was obtained from an "external hard drive" rather than its systems. According to the BBC, which saw samples of the files and has reportedly spoken to the miscreants, 80GB of data - which it was unable to verify - is being offered up for 15 Bitcoins, or approximately $297,000, and the extortionists claim to have made at least one sale.
Several new marketplaces have appeared on the dark web, claiming to be the dedicated online portals for notorious criminal cartels from Mexico. The emergence of these markets was spotted by DarkOwl analysts, who identified a trend, shifting from large markets that drew law enforcement attention to smaller, less publicized sites.
Called Dark Utilities, the service provides a full range of C2 capabilities to give attackers an easier and inexpensive platform for launching remote access, command execution, cryptocurrency mining, and distributed denial-of-service attacks. Dark Utilities is the latest example of malware-as-a-service and ransomware-as-a-service offerings that diversify cyber criminals' revenue by letting them profit from less-skilled operators on top of their own exploits.
A 24-year-old Australian national has been charged for his purported role in the creation and sale of spyware for use by domestic violence perpetrators and child sex offenders. "The Frankston man engaged with a network of individuals and sold the spyware, named Imminent Monitor, to more than 14,500 individuals across 128 countries," the Australian Federal Police alleged in a press release over the weekend.
Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a "durable persistence mechanism." Attack chains taking this approach begin by exploiting a critical vulnerability in the hosted application for initial access, then use this foothold to drop a script web shell as the first-stage payload. This web shell then becomes the conduit for installing a rogue IIS module that provides highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests and running remote commands.
An emerging and fast-growing threat group is using a unique business model to offer cybercriminals a broad range of services that span from leaked databases and distributed denial-of-service attacks to hacking scripts and, in the future, potentially ransomware. As a clearer picture of AIG emerged, it became obvious that the group's operations were anything but business as usual.