
ShadowTalk Update – Tochka Dark Web Market Offline, Market.ms Closes, and Data Leakage Stories

December 16, 2019

Alex, Harrison, Kacey, and Charles chat this week about dark web and cybercriminal updates, data leakage stories that have hit the news, and a GDPR story in which an ISP was hit with a €9.6 million fine.


Updates from this week’s Intelligence Summary

  • In the spotlight this week: “Lazarus Group” has been linked to a new trojanized Mac OS X application, demonstrating the threat group’s preference for employing OS X malware over the past two years.
  • Weekly highlights include: “APT32” targeting the car manufacturers BMW and Hyundai, “Snatch” ransomware forcing systems to run in Safe Mode, and the “Gamaredon” threat group targeting Ukrainian government, defense, law-enforcement, and media organizations.

 

Lazarus Group strengthens malware arsenal against OS X

The North Korean state-associated threat collective Lazarus Group has been linked to a trojanized Mac OS X cryptocurrency application called Union Crypto Trader, which uses random online payloads to run and execute in memory. The incident illustrates a trend with Lazarus Group, whose members have, over the past two years, firmly incorporated OS X malware into their cache of tactics, techniques, and procedures (TTPs). Multiple other threat actors have targeted OS X systems during 2019, but OS X-related attack methods and malware are often overlooked, resulting in poor detection rates by anti-virus software in comparison to malware targeting other operating systems.

 

APT32 goes after car manufacturers BMW, Hyundai

The Vietnamese state-associated threat actor APT32 (aka OceanLotus) infiltrated the networks of car manufacturers BMW and Hyundai. APT32 reportedly targeted BMW in early to mid-2019 and used the “Cobalt Strike” penetration testing toolkit as part of its operation to establish backdoor malware on compromised networks. Technical details on the Hyundai attack were not provided. APT32 also targeted the automotive industry earlier in 2019, and the most likely motive, as deemed by researchers, is to aid domestic production. Based on APT32’s activity over the past 12 months, more attacks against car manufacturers are likely into the mid-term future.

 

Snatch ransomware pushes systems into Safe Mode to enable encryption

A new cyber-threat campaign was detected distributing the Snatch ransomware variant. An automated attack model was used, whereby a victim’s network was targeted through brute-force password cracking attacks against vulnerable and exposed services. Once the perpetrators gained access, they used this foothold to spread internally within victims’ networks. The Snatch executable forced infected systems to reboot into Safe Mode before beginning the ransomware encryption process; this was likely conducted to circumvent endpoint detection systems, which do not run in Safe Mode.
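A defender-side illustration of the behaviour described above, added here and not taken from the article or the reporting it summarises: it correlates a Safe Mode boot setting with a restart on the same host shortly afterwards. The article does not say how Snatch configures Safe Mode; matching on `bcdedit` and `shutdown` command lines, the event tuple format, and the 10-minute window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (host, ISO timestamp, command line); not from the article.
SAMPLE_EVENTS = [
    ("ws-014", "2019-12-10T09:14:02", r"C:\Windows\System32\bcdedit.exe /enum"),
    ("ws-014", "2019-12-10T09:15:40", r"bcdedit.exe /set {default} safeboot minimal"),
    ("ws-014", "2019-12-10T09:15:55", r"shutdown.exe /r /f /t 00"),
    ("srv-02", "2019-12-10T11:00:00", r"shutdown.exe /r /t 60"),            # reboot only
    ("ws-020", "2019-12-10T12:30:00", r"bcdedit /set {current} safeboot network"),
    ("ws-020", "2019-12-10T12:40:00", r"bcdedit /deletevalue {current} safeboot"),
    ("ws-020", "2019-12-10T12:45:00", r"shutdown /r /t 0"),                 # setting was cleared
    ("ws-031", "2019-12-10T13:00:00", r"bcdedit /set {default} safeboot minimal"),
    ("ws-031", "2019-12-10T15:30:00", r"shutdown /r /t 0"),                 # outside the window
]

# Boot configuration switched to Safe Mode, or switched back.
SAFEBOOT_SET = re.compile(
    r"\bbcdedit(\.exe)?\b.*?/set\b.*?\bsafeboot\s+(minimal|network)\b", re.I)
SAFEBOOT_CLEAR = re.compile(
    r"\bbcdedit(\.exe)?\b.*?/deletevalue\b.*?\bsafeboot\b", re.I)
# Restart requested from the command line.
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*?\s/r\b", re.I)


def find_safe_mode_reboots(events, window=timedelta(minutes=10)):
    """Return (host, set_time, reboot_time) for restarts that closely follow
    a Safe Mode boot setting on the same host."""
    pending = {}  # host -> time the Safe Mode boot option was set
    alerts = []
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if SAFEBOOT_SET.search(cmd):
            pending[host] = when
        elif SAFEBOOT_CLEAR.search(cmd):
            pending.pop(host, None)  # option removed again before any restart
        elif REBOOT.search(cmd) and host in pending:
            set_time = pending.pop(host)
            # A short gap suggests automation rather than manual troubleshooting.
            if when - set_time <= window:
                alerts.append((host, set_time.isoformat(), when.isoformat()))
    return alerts


if __name__ == "__main__":
    for host, set_time, reboot_time in find_safe_mode_reboots(SAMPLE_EVENTS):
        print(f"{host}: Safe Mode boot set {set_time}, restart {reboot_time}")
```

A restart long after the setting still boots into Safe Mode, so hosts left in `pending` are worth a lower-priority review rather than being ignored.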

 

Gamaredon group targets Ukrainian government organizations

A new spearphishing campaign against Ukrainian individuals and entities is likely being conducted by Gamaredon, given that the campaign’s TTPs have been previously attributed to this threat group. The spearphishing began in mid-October 2019 with emails sent to Ukrainian defense, government, law-enforcement, and media organizations. The operation has been described as “ongoing” as of 25 Nov 2019.

 

For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 05 Dec - 12 Dec 2019
