ShadowTalk Update: RegretLocker, OceanLotus, Millions Seized in Cryptocurrency, and more!

Digital Shadows Analyst Team
November 16, 2020 | 2 Min Read

ShadowTalk hosts Stefano, Kim, Dylan, and Adam bring you the latest in threat intelligence. This week they cover:

  • RegretLocker’s approach to quickly encrypting files, and how its efficiency compares with that of Ryuk
  • Code from the Vx Underground malware archive being reused in ransomware attacks
  • APT32, also known as OceanLotus, using social media and news sites to draw in users and redirect them to phishing pages
  • The U.S. DoJ seizing $24 million in cryptocurrency in support of a Brazilian government investigation


OceanLotus manipulates sites for malicious Asian campaign

On 06 Nov 2020, security researchers reported that the Vietnamese state-associated APT group “OceanLotus” had launched several malicious campaigns by creating and manipulating fake websites. OceanLotus conducted similar activity in 2017, but the latest campaigns have established several new sites and Facebook groups to renew the group’s targeting of users across South-East Asia. These websites, most of which purportedly offer news related to Vietnam and its neighbors, have been profiling visitors, redirecting them to phishing pages, and delivering malware payloads to them.

Ghimob banking trojan steals credentials from financial apps

On 09 Nov 2020, security researchers discovered a new Android banking trojan, “Ghimob”, which originated in Brazil. Ghimob has allegedly been attempting to steal credentials for 153 financial apps belonging to banks, cryptocurrency exchanges, and financial technology companies in Brazil, Germany, Portugal, Peru, Angola, and Mozambique. Once a device is infected, the trojan gives an attacker remote access to it and lets them complete financial transactions from the victim’s own device. Ghimob hides the fraudulent transactions from the victim as they take place, and prevents the victim from uninstalling the app and from restarting or shutting down the device.

Sodinokibi ransomware group nabs KPOT trojan source code

On 04 Nov 2020, researchers reported that the operators of the “Sodinokibi” ransomware had acquired the source code of the “KPOT” trojan. KPOT is an information stealer first observed in 2018. It can steal passwords from various applications, including web browsers, email clients, virtual private network clients, and cryptocurrency wallets. The news followed the auction of the trojan’s source code by the KPOT author on an unnamed Russian-language cybercriminal forum in October 2020. The only bidder was “UNKN”, a member of the Sodinokibi ransomware group, who offered the initial asking price of USD 6,500.

For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 13 November
