Grandoreiro Light Variant Revealed
Grandoreiro continues to be used by its affiliates in new campaigns, although its key operators were arrested in early 2024. GReAT discovered a new lite version of the malware that focuses on Mexico and targets approximately 30 banks.
Data shows that Grandoreiro has been active since 2016. The threat targeted more than 1,700 financial institutions and 276 cryptocurrency wallets in 45 countries and regions in 2024, and recently added Asia and Africa to its target list, becoming a truly global financial threat.
Security experts say Brazilian authorities are investigating the operators behind the Grandoreiro banking Trojan operation, which has led to arrests. After assisting in a coordinated operation, INTERPOL discovered that the group had split the code base into lighter, fragmented versions of the Trojan to continue its attacks.
Recent analysis identified a stripped-down version focused primarily on Mexico and used to target approximately 30 financial institutions. The creators of this version likely have access to the source code and are launching new attack campaigns with a simplified build of the old malware.
Multiple variants of Grandoreiro, including the new lite version and its predecessor malware, accounted for approximately 5% of global banking Trojan attacks detected by security experts in 2024, making it one of the most active threats worldwide.
Öncül also analyzed new Grandoreiro samples in 2024 and observed new tactics. The malware records mouse activity in order to mimic real user behavior and avoid detection by machine learning-based security systems that analyze behavior. It then replays these recorded natural mouse movements, aiming to trick anti-fraud tools into treating its activity as legitimate.
Additionally, Grandoreiro has adopted a cryptographic technique known as Ciphertext Stealing (CTS), which Öncül had not previously encountered in malware. The aim is to encrypt strings in the malicious code. “Grandoreiro has a large and complex structure.
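Ciphertext Stealing is the CBC-mode variant standardised in the NIST SP 800-38A Addendum: it produces ciphertext exactly as long as the plaintext, so an encrypted string carries no padding block, which is the property an analyst looking at Grandoreiro's string blobs would notice. The following is an added illustration of the CBC-CS3 variant, not code from Grandoreiro or from the cited analysis; it runs over a constructed toy Feistel block cipher standing in for AES so that it needs only the standard library, and the key, IV and function names are assumptions.

```python
import hashlib
import hmac
BLOCK = 16  # block size in bytes, as for AES
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, half: bytes, i: int) -> bytes:  # Feistel round function
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def block_encrypt(key: bytes, block: bytes) -> bytes:  # toy 4-round Feistel, AES stand-in
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r
def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r
def _shape(data: bytes) -> tuple:
    # number of blocks (the last may be partial) and the last block's length
    if len(data) < BLOCK:
        raise ValueError("CTS needs at least one full block of input")
    n = -(-len(data) // BLOCK)
    return n, len(data) - (n - 1) * BLOCK
def cts_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC-CS3: output is exactly as long as the input, so no padding bytes appear
    n, d = _shape(pt)
    out, prev = [], iv
    for i in range(n - 1):              # ordinary CBC over the full blocks
        prev = block_encrypt(key, _xor(pt[i * BLOCK:(i + 1) * BLOCK], prev))
        out.append(prev)
    last = block_encrypt(key, _xor(pt[(n - 1) * BLOCK:].ljust(BLOCK, b"\0"), prev))
    if n == 1:
        return last
    penult = out.pop()                  # its tail is the "stolen" ciphertext
    return b"".join(out) + last + penult[:d]
def cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    n, d = _shape(ct)
    if n == 1:
        return _xor(block_decrypt(key, ct), iv)
    out, prev = [], iv
    for i in range(n - 2):              # ordinary CBC over the untouched blocks
        c = ct[i * BLOCK:(i + 1) * BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    c_last, c_pen_trunc = ct[(n - 2) * BLOCK:(n - 1) * BLOCK], ct[(n - 1) * BLOCK:]
    x = block_decrypt(key, c_last)      # = C_{n-1} XOR (P_n || zero padding)
    c_pen = c_pen_trunc + x[d:]         # rebuild the full penultimate block
    p_pen = _xor(block_decrypt(key, c_pen), prev)
    return b"".join(out) + p_pen + _xor(x[:d], c_pen_trunc)
```

With a real cipher the structure is identical: only `block_encrypt` and `block_decrypt` would be replaced by single-block AES calls.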
Infamous RedLine Stealer Caught With Operation Magnus
Following the seizure of RedLine Stealer by international authorities, security researchers published their research into the stealer’s undocumented backend modules, which aided law enforcement in the takeover effort.
Security researchers, in collaboration with law enforcement, collected numerous modules used to run the infrastructure behind RedLine Stealer in 2023. The Dutch National Police, together with the FBI, Eurojust and several other law enforcement agencies, dismantled the infamous RedLine Stealer operation and its clone, META Stealer, on October 24, 2024.
This global effort, called Operation Magnus, resulted in the removal of three servers in the Netherlands, the seizure of two domain names, the detention of two people in Belgium, and the unsealing of charges against one of the alleged perpetrators in the United States.
Security researchers participated in a partial takedown of the RedLine malware in April 2023, enabling the removal of several GitHub repositories used as dead-drop resolvers for the malware’s control panel. At that time, previously undocumented backend modules of this malware family were investigated in collaboration with other researchers at Flare. These modules do not interact directly with the malware; instead, they handle authentication and provide functionality for the control panel.
More than 1,000 unique IP addresses used to host RedLine control panels were identified. While there is some overlap, this puts the number of subscribers to RedLine MaaS at around 1,000. The 2023 versions of RedLine Stealer, reviewed in detail, use the Windows Communication Framework (WCF) for communication between components, while the latest version, from 2024, uses a REST API.
“Based on our analysis of source code and backend samples, we determined that RedLine Stealer and META Stealer share the same creator,” he said.
These unique IP addresses were used to host RedLine panels. Of these hosted panels, Russia, Germany, and the Netherlands each account for about 20 percent of the total, while Finland and the United States each account for about 10 percent. The researchers were also able to detect multiple different backend servers. In terms of geographical distribution, the servers are mostly located in Russia (about a third), while the UK, the Netherlands, and the Czech Republic each account for about 15 percent of the servers detected.
First discovery in 2020
RedLine Stealer is an information-stealing malware first discovered in 2020, and rather than being operated centrally, it operates on a MaaS model where anyone can purchase a turnkey information-stealing solution from various online forums and Telegram channels.
Customers, referred to as affiliates, can buy monthly subscriptions or lifetime licenses; for their money, they get a control panel that generates malware samples and acts as a C&C server for them.
The generated samples can collect a wide variety of information: local cryptocurrency wallets; cookies, saved credentials and saved credit card information from browsers; and saved data from Steam, Discord, Telegram, and various desktop VPN applications. Using an off-the-shelf solution makes it easier for affiliates to integrate RedLine Stealer into larger campaigns. Some notable examples include a “ChatGPT free download” lure in 2023 and what appear to be video game cheats in the first half of 2024.
Before Operation Magnus, RedLine was among the most common data-stealing malware, with a large number of affiliates using its control panel. But the malware-as-a-service operation appears to have been run by a small number of individuals, some of whom have now been identified by law enforcement.
Scam Copilot, Powered by AI Technology, Introduced
Bitdefender Announces AI-Powered Fraud Defense Platform Scam Copilot!
Bitdefender, a global cybersecurity leader, announced Scam Copilot, an advanced technology platform powered by artificial intelligence (AI).
Scam Copilot, which detects and combats fraud attempts, is an advanced platform designed for devices such as computers, tablets and mobile phones. Providing a strong defense layer against malware, identity theft and data theft, Scam Copilot is integrated into all of Bitdefender’s cybersecurity products.
According to a report by the Global Anti-Scam Alliance (GASA), global losses to fraud exceeded one trillion US dollars in 2023. The report also found that 78% of the nearly 50,000 people surveyed had experienced at least one scam within a 12-month period.
Bitdefender’s 2024 Consumer Cybersecurity Assessment Report revealed that scams delivered via text message were the most common security incident, affecting almost half of the seven thousand respondents.
Introduced by Bitdefender in response to the sharp increase in fraud-related cybercrime, Scam Copilot is powered by Large Language Models (LLMs) and artificial intelligence.
These same technologies let cybercriminals create and distribute highly persuasive phishing messages in any language, making it extremely hard for consumers to detect scams and fraud attempts on their own.
“A True Game Changer”
Scam Copilot combines fraud detection and prevention technologies under one roof. The application proactively monitors users during activities such as web browsing, sending e-mail, and chatting via messaging applications, and warns users of the threats it detects.
Leveraging Bitdefender’s real-time global threat intelligence and artificial intelligence, Scam Copilot constantly evolves and adapts as new fraud methods emerge.
Main Features and Benefits
- Comprehensive Scam and Fraud Protection: Scam Copilot provides comprehensive protection in digital environments, including web browsing, email, messaging, chat applications, push notifications and calendar invitations.
- Intuitive AI-Powered Chatbot Assistance: Scam Copilot provides best practice guidance for users to stay informed about alerts and stay safe. It also includes an advanced chatbot that allows users to engage in natural conversations to get a trusted second opinion on potential scams.
- Geographically Specific Fraud Wave Alerts: Scam Copilot warns users about emerging or trending scam campaigns. Alerts provide detailed information about campaign type, distribution methods, key tactics and potential risks, giving users timely information to avoid evolving threats.
- Protection for High Risk Groups: Scam Copilot provides strong protection for groups frequently targeted by scammers, including the elderly, children and teenagers. The platform adapts to user behavior and offers simple and personalized suggestions to take action.
- Strengthening Fraud Awareness: Scam Copilot not only protects against scams, it also offers contextual recommendations tailored to specific interactions. It aims to help consumers achieve fraud awareness and feel confident in navigating the digital world safely.
Lazarus Exploited Chrome Zero-Day Vulnerability
GReAT has uncovered a sophisticated malware campaign by the Lazarus Advanced Persistent Threat (APT) group targeting cryptocurrency investors worldwide.
An attack using the Manuscrypt malware, used by the Lazarus group and documented by GReAT in over 50 unique campaigns targeting various industries, has been detected.
Detailed analysis revealed a sophisticated malicious campaign that relied heavily on social engineering techniques and generative artificial intelligence to target cryptocurrency investors.
The Lazarus group is known for its highly sophisticated attacks on cryptocurrency platforms and has a track record of exploiting zero-day vulnerabilities. This newly revealed campaign followed the same pattern.
Security researchers found that the threat actor exploited two vulnerabilities, including a previously unknown bug, in V8, Google’s open-source JavaScript and WebAssembly engine.
The zero-day vulnerability in question was assigned CVE-2024-4947 and fixed after it was reported to Google. It allowed attackers to run arbitrary code, bypass security features, and perform various malicious activities. A second vulnerability was used to bypass Google Chrome’s V8 sandbox protection.
Attackers exploited this vulnerability by luring users to a carefully designed fake gaming website that invited users to compete globally with NFT tanks.
To maximize the effectiveness of the campaign, they focused on building trust and designed details that would make promotional activities appear as real as possible.
In this context, social media accounts were created on X (formerly Twitter) and LinkedIn to promote the game over several months, and artificial intelligence-generated images were used to increase credibility.
Lazarus has successfully integrated generative AI into its operations. Kaspersky experts predict that attackers will design even more sophisticated attacks using this technology.
The attackers also tried to engage cryptocurrency influencers for further promotion. They used their presence on social media to not only spread the threat but also directly target crypto accounts.
Security experts have discovered another, legitimate game that appears to have served as the prototype for the attackers’ game. Shortly after the attackers launched the campaign to promote their game, the real game’s developers claimed that $20,000 worth of cryptocurrency had been transferred out of their wallets.
The fake game’s logo and design differed only in logo placement and visual quality, but otherwise mirrored the original. Given these similarities and overlaps in code, security experts emphasize that Lazarus members have gone to great lengths to lend credibility to their attacks.