Blog entry by Les Bell

by Les Bell - Tuesday, 30 August 2022, 8:21 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


AI-generated Deepfake Used to Scam Crypto Project Teams

An unidentified cybercrime group has run an extremely sophisticated operation against crypto asset developers. The group contacted multiple development teams, offering an online meeting with the Chief Communications Officer of Binance, Patrick Hillman, to discuss opportunities to list their crypto assets on the crypto trading platform.

Hillman discovered the scam when he started to receive messages thanking him for taking the time to participate in the meetings. It seems that the scammers had used recordings of TV appearances and interviews to create a deepfake which was able to interact convincingly during the online meetings. For the record, Hillman has no role related to the listing of crypto assets on Binance. The lesson for anyone fielding partnership or listing approaches is that a video call is not an authenticated channel: an unsolicited invitation, however senior the apparent host, should be confirmed through the company's published contact points before anything is shared.

Constantinescu, Vlad, Crypto Projects Scammed with Deepfake AI Video of Binance Executive, Bitdefender Hot for Security blog, 29 August 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/crypto-projects-scammed-with-deepfake-ai-video-of-binance-executive/.

RCE 0Day Sells for €8 Million

Three screenshots posted to Twitter suggest that an Israeli spyware company called Intellexa has sold an iOS and Android zero-day exploit toolkit to an unnamed customer for the sum of €8 million. The price includes a complete turnkey suite for data analysis, a project plan for delivery to the customer, and a one-year warranty. The key exploit offers remote code execution, triggered by a single click on a web link.

vx-underground, Leaked documents online show the purchase (and documentation of) an $8,000,000 iOS Remote Code Execution 0day exploit, Twitter thread, 26 August 2022. Available online at https://twitter.com/vxunderground/status/1562550443712352256.

Turkish Coin Miner Hides in Free Software

A cryptocurrency miner called Nitrokod has infected over 100,000 users around the world by hiding itself in what appears to be a desktop application front end for Google Translate, downloaded from popular sites like Softpedia. The program installer, a file called GoogleTranslateDesktop2.5.exe, checks for the existence of a file called C:\ProgramData\Nitrokod\update.exe, and if it does not exist or is an old version, puts that program in place.

The dropped program then waits for at least four reboots on four different days before contacting a C2 server to download and install the next stage of the infection, a delay intended to outlast sandbox analysis, which rarely runs a sample for that long. Subsequent stages are fetched and installed by a chain of scheduled tasks, each deleting the evidence of the stage before it, until stage 6 finally downloads and installs the XMRig crypto miner. The process is so long, stealthy and involved that a victim is unlikely to detect it, and even if they do, unlikely to be able to trace the infection back to the original download.

Check Point has written up a case study on the malware as a showcase for their upcoming Infinity XDR (Extended Detection and Response) product.

Marelus, Moshe, Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications, Check Point Research blog, 29 August 2022. Available online at https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/.
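One practical check prompted by this story, written as an added example for this briefing rather than code from Check Point's report: export the machine's scheduled tasks with `schtasks /query /v /fo CSV > tasks.csv` and triage them for tasks that launch executables from under C:\ProgramData, flagging the exact Nitrokod dropper path named in the report as a known indicator and anything else in that tree for review. The CSV embedded below is constructed and abbreviated; the example assumes the real export uses the column headings "TaskName", "Task To Run" and "Run As User" (it parses by header name, so the many extra columns in a real export do not matter), and the environment-variable expansions assume default Windows install locations. The task names and the "Vendor" updater are made up; only the Nitrokod path comes from the report.

```python
"""Triage a `schtasks /query /v /fo CSV` export for scheduled tasks that run
executables out of C:\\ProgramData, the tree the Nitrokod dropper stages in.

Added example for this briefing (not Check Point's code). The sample CSV is
constructed and keeps only a few of the many columns the real export has;
rows are looked up by header name, so extra columns do not matter.
"""
import csv
import io
import ntpath

# Indicator quoted in the Check Point write-up, normalised to lower case.
NITROKOD_PATH = r"c:\programdata\nitrokod\update.exe"

# Minimal expansion of the variables schtasks commonly shows in 'Task To Run'.
# Assumption: default Windows install locations.
_ENV = {
    "%programdata%": r"C:\ProgramData",
    "%systemroot%": r"C:\Windows",
    "%windir%": r"C:\Windows",
    "%systemdrive%": "C:",
}

# Constructed sample in schtasks CSV format (every field quoted, embedded
# quotes doubled). Task names and the 'Vendor' updater are made up; only the
# Nitrokod path is taken from the report.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Time Synchronization\SynchronizeTime","Microsoft Corporation","%windir%\system32\sc.exe start w32time task_started","LOCAL SERVICE","Daily"
"WS01","\TranslateDesktopUpdate","WS01\alice","C:\ProgramData\Nitrokod\update.exe","alice","At system start up"
"WS01","\VendorUpdateTask","Vendor","""C:\Program Files\Vendor\Updater.exe"" /check","SYSTEM","Daily"
"WS01","\UpdateCheck","WS01\alice","%ProgramData%\Updater\stage2.exe --silent","alice","Daily"
'''


def command_executable(task_to_run: str) -> str:
    """Return just the executable from a 'Task To Run' value: drop the
    surrounding quotes and any arguments, then expand the variables in _ENV.
    Unquoted paths containing spaces are not handled (schtasks quotes them)."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
    else:
        exe = cmd.split(None, 1)[0] if cmd else ""
    lowered = exe.lower()
    for var, value in _ENV.items():
        start = lowered.find(var)
        if start != -1:
            exe = exe[:start] + value + exe[start + len(var):]
            lowered = exe.lower()
    return exe


def runs_from_programdata(exe: str) -> bool:
    """True when the executable sits anywhere under C:\\ProgramData."""
    return ntpath.normpath(exe).lower().startswith("c:\\programdata\\")


def triage_schtasks_csv(text: str) -> list:
    """One finding per task whose executable lives under C:\\ProgramData.
    severity is 'known_ioc' for the Nitrokod dropper path from the report and
    'review' for anything else in that tree: legitimate software does use
    ProgramData, so those rows are leads to check, not verdicts."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        exe = command_executable(row.get("Task To Run", ""))
        if not runs_from_programdata(exe):
            continue
        known = ntpath.normpath(exe).lower() == NITROKOD_PATH
        findings.append({
            "task": row.get("TaskName", ""),
            "exe": exe,
            "user": row.get("Run As User", ""),
            "severity": "known_ioc" if known else "review",
        })
    return findings


if __name__ == "__main__":
    for f in triage_schtasks_csv(SAMPLE_CSV):
        print(f"[{f['severity']}] {f['task']} -> {f['exe']} (as {f['user']})")
```

Run against a real export, the "review" rows are where the work is: a task created by an ordinary user that launches a recently written executable from an unfamiliar ProgramData subfolder deserves a look even when its path matches no published indicator, since the whole point of the Nitrokod chain is that each stage's path differs from the last.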

Highly-Targetable Ransomware Written in Golang

Trend Micro has written up a neat example of targeted ransomware written in the Go programming language. As their researchers point out, Go is increasingly popular with malware authors. One likely reason is that Go statically links its dependencies into a single self-contained executable rather than importing them from shared libraries at load or run time; a dynamically linked binary has to list the libraries and functions it imports, which gives an analyst an immediate picture of what a sample does, whereas a Go binary reveals little through its imports and its large, unfamiliar runtime slows triage. The caveat is that Go binaries retain a great deal of internal metadata, including the names of the compiled Go functions, and tooling to recover it has matured, so the obstacle is more one of analyst familiarity than of missing information.

The malware, called Agenda, is currently being used against healthcare and education organizations in Indonesia, Saudi Arabia, South Africa and Thailand, and every sample collected was customized to its victim, containing leaked accounts, customer passwords and a unique company ID that is used as the filename extension for encrypted files. Agenda will also attempt to kill various services and processes, change the default user's password and reboot the machine in safe mode before encrypting. It shares some characteristics with the earlier REvil, Black Basta and BlackMatter ransomware.

Fahmy, Mohamed, et al., New Golang Ransomware Agenda Customizes Attacks, Trend Micro Research, 25 August 2022. Available online at https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
