RansomHouse Automated Attacks Using Tool Dubbed MrAgent
The RansomHouse group, which operates as a Ransomware-as-a-Service (RaaS), surfaced in late 2021 and has been actively using ransomware variants to compromise corporate networks.
RansomHouse ransomware uses phishing and spear-phishing emails as its primary attack vectors. The group also leverages third-party frameworks such as Vatet Loader, Metasploit, and Cobalt Strike to extend its attack capabilities.
The group extorts its victims twice: first by encrypting their files and demanding a ransom, and then by naming and shaming non-paying victims on their site, where they also disclose the victim’s stolen data.
Recently, the group has been identified using MrAgent, a newly developed tool that facilitates the continuous and widespread distribution of ransomware.
“Their tactics, techniques, and procedures (TTPs) show a mature and sophisticated level of execution, leveraging content delivery network (CDN) servers for exfiltration, and utilizing a Tor-based chat room for victim negotiations”, Trellix shared with Cyber Security News.
“This group is identified for using a unique ransomware variant, dubbed Mario ESXi, along with MrAgent, to target both Windows and Linux-based systems.”
How Is MrAgent Used to Deploy Malware?
MrAgent is a binary designed to run on hypervisors, built specifically to automate and track ransomware deployment across large environments containing many hypervisor systems.
The binary connects to a set of command and control servers that must be specified as a command-line argument. On initialization, the agent generates a unique host ID for the system, obtains the local IP address, and disables the system’s firewall.
The binary then enters an infinite loop in which it sends a heartbeat, connects to each command and control server in round-robin order, and waits for commands.
The agent can schedule and monitor the deployment of a ransomware binary. It can also remotely retrieve information about the hypervisor environment, such as the virtual machines running on the hypervisor and their properties.
Additionally, it can be used to drop all active (non-root) SSH sessions to the system, delete files, change the welcome message shown on the hypervisor’s monitor, and run commands locally on the machine.
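The round-robin heartbeat described above is a pattern a defender can look for in outbound-connection telemetry. The following Python is an added illustration, not code from the article or from the tool: it scans constructed connection records for hosts that rotate through a fixed set of servers at a near-constant interval. The record layout, host names, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample outbound-connection records, not real telemetry:
# (epoch seconds, source host, destination IP). esxi-01 rotates through three
# servers every 30 s; esxi-02 is ordinary traffic; esxi-03 rotates but irregularly.
SAMPLE_FLOWS = [
    (0, "esxi-01", "192.0.2.10"), (30, "esxi-01", "192.0.2.11"), (60, "esxi-01", "192.0.2.12"),
    (90, "esxi-01", "192.0.2.10"), (120, "esxi-01", "192.0.2.11"), (150, "esxi-01", "192.0.2.12"),
    (180, "esxi-01", "192.0.2.10"), (210, "esxi-01", "192.0.2.11"), (240, "esxi-01", "192.0.2.12"),
    (5, "esxi-02", "198.51.100.5"), (11, "esxi-02", "198.51.100.9"), (300, "esxi-02", "198.51.100.5"),
    (301, "esxi-02", "198.51.100.20"), (900, "esxi-02", "198.51.100.5"), (905, "esxi-02", "198.51.100.9"),
    (0, "esxi-03", "203.0.113.7"), (7, "esxi-03", "203.0.113.8"), (200, "esxi-03", "203.0.113.7"),
    (203, "esxi-03", "203.0.113.8"),
]


def is_round_robin(dsts, min_cycles=2):
    """True when dsts visits a fixed set of 2+ servers in the same order for min_cycles rotations."""
    period = len(set(dsts))
    if period < 2 or len(dsts) < min_cycles * period:
        return False
    cycle = dsts[:period]
    if len(set(cycle)) != period:
        return False  # a server repeats before the whole set has been visited
    return all(dst == cycle[i % period] for i, dst in enumerate(dsts))


def find_round_robin_beacons(flows, max_jitter=0.2):
    """Map source host -> {"c2": servers, "interval": s} for hosts beaconing round-robin at a steady cadence."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        dsts = [dst for _, dst in events]
        if not is_round_robin(dsts):
            continue
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0 or pstdev(gaps) / avg > max_jitter:
            continue  # rotation without a steady heartbeat interval: not flagged
        hits[src] = {"c2": dsts[:len(set(dsts))], "interval": avg}
    return hits


if __name__ == "__main__":
    print(find_round_robin_beacons(SAMPLE_FLOWS))
```

Only esxi-01 is reported: esxi-02 never completes a clean rotation and esxi-03 rotates but with no steady interval, so a hit requires both the fixed server order and the heartbeat cadence.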
Researchers observed an increase in the RansomHouse group’s attacks from just one in 2022 to eleven in 2023 against firms with yearly revenues between $10M and $50M. The same increase applies to companies with revenue ranging from $1 million to $500 million, indicating a shift in focus toward medium-sized organizations.
According to Malwarebytes researchers, the ransomware group has established communication channels, including a Telegram account and a leak site, to interact with victims, journalists, and individuals interested in monitoring its activities, as other ransomware groups do.
Defenders are, therefore, urged to observe how threat actors operate and to tailor their security perimeter to both anticipate and respond to such attacks.
The post RansomHouse Automated Attacks Using Tool Dubbed MrAgent appeared first on Cyber Security News.