ShadowTalk hosts Stefano, Kim, Dylan, and Adam bring you the latest in threat intelligence. This week they cover:
- RegretLocker’s approach to quickly encrypting files – how their efficiency compares to counterpart Ryuk
- Vx Underground’s code used in ransomware attacks
- APT32, or OceanLotus, using social media and news sites to draw in users and redirect them to phishing pages
- U.S. DoJ seizes $24 Million in cryptocurrency, assisting the Brazilian government
OceanLotus manipulates sites for malicious Asian campaign
On 06 Nov 2020, security researchers reported that the Vietnamese state-associated APT group “OceanLotus” had launched several malicious campaigns by creating and manipulating fake websites. OceanLotus conducted similar activity in 2017, but the latest campaigns have established several new sites and Facebook groups to renew the group’s targeting of users across South-East Asia. These websites, most of which purportedly offer news related to Vietnam and its neighbors, have been profiling users, redirecting to phishing pages, and distributing malware payloads to its victims.
Ghimob banking trojan steals credentials from financial apps
On 09 Nov 2020, security researchers discovered a new banking trojan, “Ghimob”, which originated in Brazil. Ghimob has allegedly been attempting to steal credentials from 153 financial apps belonging to banks, as well as cryptocurrency and financial technology companies, in Brazil, Germany, Portugal, Peru, Angola, and Mozambique. Once a device is infected, the trojan enables an attacker to access it remotely and complete financial transactions on the victim’s device. Ghimob blocks victims from seeing the fraudulent transactions as they take place, and from uninstalling the app and restarting or shutting down the device.
Sodinokibi ransomware group nabs KPOT trojan source code
On 04 Nov 2020, researchers reported that the operators of the “Sodinokibi” ransomware had acquired the source code of the “KPOT” trojan. KPOT is an information stealer that was first observed in 2018. It can steal passwords from various applications, including web browsers, email clients, virtual private networks, and cryptocurrency wallets. The news followed the auction of the trojan’s source code, by the KPOT author, on an unnamed Russian-language cybercriminal forum in October 2020. The only bidder was “UNKN”, a member of the Sodinokibi ransomware group, who offered the initial asking price of USD 6,500.
For more details, read the full Weekly Intelligence Summary here: