If you think Darcula was bad, Encrypt Hub may be just as bad

If you have not read about Darcula, you should. This blog post from February 20th talks about and links to an article. We’ll possibly be putting this in our future topic list among others we’ve blogged recently.

I thought that was bad, but now, we’ve got Encrypt Hub.

Between these two, the phishing landscape is going to get very interesting.


A threat actor tracked as ‘EncryptHub,’ aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.

According to a report by Prodaft, which was published internally last week and made public yesterday, since June 2024, when EncryptHub initiated operations, it has compromised at least 618 organizations.

It's too bad that some of the organizations that were apparently breached were not listed in the article. It doesn't help consumers to read an article like this without having some idea who may have been breached. How the hell are we going to protect ourselves from this if we don't know who was compromised? Someone explain this to me.

After gaining access, the threat actors install Remote Monitoring and Management (RMM) software, followed by the deployment of information stealers like Stealc and Rhadamanthys. In many observed cases, EncryptHub also deploys ransomware on compromised systems.

Which groups that we've talked about before are mentioned in this article? They may have been discussed in relation to specific news items, but they were discussed just the same.

The answer is in the next paragraph which says:

Prodaft told BleepingComputer that the threat group is affiliated with RansomHub and BlackSuit, having deployed both ransomware encryptors in the past and possibly acting as an initial access broker for them or a direct affiliate.

The fact that we're not sure isn't the concerning part to me. This thing can take a lot of data with it if the actors want it.

We've never heard of Larva-208, and this paragraph talks about them a little bit.

Larva-208’s attacks involve SMS phishing, voice phishing, and fake login pages that mimic corporate VPN products like Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet, and Microsoft 365.

Some of these have also been talked about because of their problems, so this should not necessarily be a surprise to me.

Fake Cisco login page

The image shows a login screen for a Cisco SSL VPN Service. It has fields for entering a username and password, and an option to choose a group, labeled “TestVPN.” A “Login” button is below these fields. The background features a watermark pattern with the word “PRODAFT” repeated across it.

One of the things you'll be reading in this article is the fact that there are at least 70 different domains that are used for this attack. If registrars sent out probes and actually cared about how a domain is being used, we would really see a drop in this type of behavior.

Give a 30-day grace period, since you could be just starting your business; if they don't get a response, you could lose your domain. That way, malicious domains only get a 30-day window, versus legitimate ones, which can be registered for up to 10 years at a time.

The attackers typically impersonate IT support in their messages to the targets, claiming an issue with VPN access or a security concern with their account, directing them to log in on a phishing site.

TSB and other programs have said time and time again that this is the surest way to get someone to believe a message. This is why you need to know what you're using and question whether the message would be something legitimate. Even if you clicked, we always tell you to check those links.

Getting Link information via access technology

Victims receive links that redirect them to phishing login pages where their credentials and multi-factor authentication (MFA) tokens (session cookies) are captured in real-time.

Once the phishing process is over, the victim is redirected to the service’s real domain to avoid raising suspicion.

What a relief, eh?
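The chain the article describes (a link, a 302 to a fake login page on a look-alike host, real-time capture of the password and MFA session cookie, then a bounce to the real site) only works if the victim never checks where the login page actually lives. The following is an added example, not code from the article, Prodaft or BleepingComputer, of the "check those links" advice turned into a small triage routine. The allowlist, the brand-word list and the sample links are assumptions constructed for the example (weblinkteams.com is the lure host from the flowchart; example-corp.com and evil.test are made up). It also goes a little beyond the article by catching the userinfo trick, where a trusted name is placed before an @ so that the browser really connects to the host after it.

```python
from urllib.parse import urlsplit
import unicodedata

# Constructed allowlist: the registrable domains (and one specific VPN host) whose
# login pages this hypothetical organisation actually uses. A real deployment
# would load this from configuration; the values here are assumptions.
TRUSTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "vpn.example-corp.com"}

# Brand words from the lures the article lists (VPN products and Microsoft 365).
# A host that carries one of these but is not allowlisted is a likely look-alike.
BRAND_WORDS = ("microsoft", "office", "teams", "cisco", "anyconnect",
               "globalprotect", "fortinet", "vpn", "login", "sso")


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels. Deliberately naive: no public-suffix list,
    so country-code second-level domains (co.uk and the like) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> dict:
    """Decide whether credentials may be entered at this link, and list why not."""
    parts = urlsplit(url)
    findings = []
    # NFKC folds full-width and other confusable code points before comparison.
    host = unicodedata.normalize("NFKC", parts.hostname or "")
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None or parts.password is not None:
        # https://login.microsoftonline.com@weblinkteams.com/...: the part before
        # the '@' is userinfo, not the host; the browser connects to weblinkteams.com.
        findings.append("userinfo-before-host")
    if not host:
        findings.append("no-host")
        return {"url": url, "host": host, "findings": findings,
                "verdict": "do-not-enter-credentials"}
    reg = registrable_domain(host)
    on_allowlist = (host in TRUSTED_DOMAINS or reg in TRUSTED_DOMAINS
                    or any(host.endswith("." + d) for d in TRUSTED_DOMAINS))
    if not on_allowlist:
        findings.append("host-not-allowlisted")
        if any(word in host for word in BRAND_WORDS):
            findings.append("brand-word-in-untrusted-host")
    verdict = "ok" if not findings else "do-not-enter-credentials"
    return {"url": url, "host": host, "registrable": reg,
            "findings": findings, "verdict": verdict}


# Constructed sample links: the first two mirror the flowchart's real and fake
# URLs; the rest exercise the userinfo trick, a legitimate sub-host, a nested
# look-alike and a plain-HTTP link.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
    "https://weblinkteams.com/login",
    "https://login.microsoftonline.com@weblinkteams.com/login",
    "https://sso.vpn.example-corp.com/logon",
    "https://vpn.example-corp.com.evil.test/remote/login",
    "http://login.microsoftonline.com/",
]


def triage(links):
    """Return (url, verdict, findings) for each link."""
    return [(u, r["verdict"], r["findings"])
            for u, r in ((u, classify_link(u)) for u in links)]


if __name__ == "__main__":
    for url, verdict, findings in triage(SAMPLE_LINKS):
        print(f"{verdict:24} {url}  {findings}")
```

The point of the verdict field is that a trusted name appearing somewhere in the URL proves nothing; only the host the browser will actually connect to, compared against a list you control, does.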

Overview of the phishing process

The image is a flowchart depicting a phishing attack scheme. It shows a threat actor attempting to deceive a victim user by sending a fake link (https://weblinkteams.com). The flowchart displays how the victim is redirected to a fraudulent login page (https://weblinkteams.com/login) through an HTTP 302 redirect. The input and output sections at the bottom contain URLs related to Microsoft's OAuth2 authorization, indicating an attempt to intercept user credentials by exploiting authentication mechanisms.

The phishing sites are hosted on bulletproof hosting providers like Yalishanda, which ProDaft says does not typically respond to justified takedown requests.

So now we are learning about a new company that Krebs should look into. I love his reporting on these bulletproof hosting companies; they really tell a good story.

Prodaft has also discovered there’s another subgroup tracked as Larva-148, which helps purchase the domains used in the phishing campaigns, manage hosting, and set up the infrastructure.

Like I said above, we don't know whether these are the same actors or entirely different ones.

It's possible that Larva-148 sells domains and phishing kits to EncryptHub, though their exact relationship hasn't been deciphered yet.

Deploying malware

Once EncryptHub breaches a targeted system, it deploys various PowerShell scripts and malware to gain persistence, remote access, steal data, and encrypt files.

Custom PowerShell scripts used in the attacks

This is probably the biggest thing in the article, and the most likely topic of conversation.

In samples of the scripts seen by BleepingComputer, the threat actor attempts to steal a large amount of data from breached systems, including:

  • Data from various cryptocurrency wallets, including MetaMask, Ethereum Wallet, Coinbase Wallet, Trust Wallet, Opera Wallet, Brave Wallet, TronLink, Trezor Wallet, and many others.
  • Configuration data for various VPN clients, including Cisco VPN Client, FortiClient, Palo Alto Networks GlobalProtect, OpenVPN, and WireGuard.
  • Data from popular password managers, including Authenticator, 1Password, NordPass, DashLane, Bitwarden, RoboForm, Keeper, MultiPassword, KeePassXC, and LastPass.
  • Files that match particular extensions or whose names contain certain keywords, including images, RDP connection files, Word documents, Excel spreadsheets, CSV files, and certificates. Some of the keywords in file names that are targeted include “pass”, “account”, “auth”, “2fa”, “wallet”, “seedphrase”, “recovery”, “keepass”, “secret”, and many others.

Let's take item 3. We talk about password managers. I wonder if it takes the data even if you were logged out? By default, LastPass will log you out if you don't check the "stay logged in" box. I'm not saying the others aren't as bad; they are.
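What makes the collection described in that list detectable is its breadth: one script block that names several wallet products, several password managers, a VPN client's configuration folder and wildcard searches for "pass", "seedphrase" or "*.rdp" is not what an administrator's script looks like. The following is an added example, not the threat actor's scripts and not a Prodaft or BleepingComputer detection, of a simple breadth-scoring heuristic run over constructed PowerShell script-block log records (the kind Windows writes as Event ID 4104 when script block logging is on). The product names and file-name keywords come from the article's list; the file extensions, host names, timestamps and script text are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Product names taken from the article's list of what the scripts go after.
PRODUCT_TERMS = {
    "crypto-wallet": ("metamask", "ethereum wallet", "coinbase wallet", "trust wallet",
                      "opera wallet", "brave wallet", "tronlink", "trezor"),
    "password-manager": ("1password", "nordpass", "dashlane", "bitwarden", "roboform",
                         "keeper", "multipassword", "keepassxc", "lastpass"),
    "vpn-config": ("cisco vpn", "forticlient", "globalprotect", "openvpn", "wireguard"),
}
# File-name keywords the article says the scripts search for.
NAME_KEYWORDS = ("pass", "account", "auth", "2fa", "wallet", "seedphrase",
                 "recovery", "keepass", "secret")
# Only count a keyword when it sits in a wildcard pattern (*pass*, *seedphrase*.txt),
# i.e. a file search rather than an ordinary variable or cmdlet name.
KEYWORD_GLOB = re.compile(r"\*[\w-]*(?:" + "|".join(NAME_KEYWORDS) + r")[\w-]*\*?", re.I)
# Extensions for the categories the article names (RDP files, Word, Excel, CSV,
# certificates). The concrete list is an assumption made for this example.
EXT_GLOB = re.compile(r"\*\.(?:rdp|docx?|xlsx?|csv|pfx|p12|cer|crt|pem)\b", re.I)


def score_script_block(script: str) -> dict:
    """Count how many of the article's target categories one script block touches."""
    text = script.lower()
    hits = defaultdict(set)
    for category, terms in PRODUCT_TERMS.items():
        for term in terms:
            if term in text:
                hits[category].add(term)
    for m in KEYWORD_GLOB.finditer(script):
        hits["credential-filename-search"].add(m.group(0).lower())
    for m in EXT_GLOB.finditer(script):
        hits["sensitive-extension-search"].add(m.group(0).lower())
    categories = sorted(hits)
    # A stealer walks several categories in one go; admin scripts rarely touch
    # more than one, so severity is driven by breadth rather than any single term.
    if len(categories) >= 3:
        severity = "high"
    elif len(categories) == 2:
        severity = "medium"
    elif categories:
        severity = "low"
    else:
        severity = "none"
    return {"categories": categories,
            "hits": {k: sorted(v) for k, v in hits.items()},
            "recursive": bool(re.search(r"-recurse\b", text)),
            "severity": severity}


# Constructed Event ID 4104 records as (timestamp, host, ScriptBlockText). Hosts,
# times and script text are made up; the second record imitates the breadth of
# the collection the article describes, the others are ordinary admin activity.
SAMPLE_4104 = [
    ("2025-02-26T09:01:10Z", "FS01",
     "Get-ChildItem -Path D:\\logs -Filter *.log | "
     "Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item"),
    ("2025-02-26T09:03:42Z", "WS-114",
     "$w = @('MetaMask','Coinbase Wallet','TronLink','Trezor'); "
     "Get-ChildItem $env:APPDATA\\1Password,$env:APPDATA\\KeePassXC -Recurse; "
     "Copy-Item 'C:\\Program Files\\Palo Alto Networks\\GlobalProtect\\*.xml' $out; "
     "Get-ChildItem C:\\Users -Recurse -Include *.rdp,*seedphrase*,*pass*,*2fa*,*.pfx"),
    ("2025-02-26T09:05:00Z", "WS-120",
     "Get-ChildItem $env:USERPROFILE\\Documents -Recurse -Include *.docx,*.xlsx | "
     "Compress-Archive -DestinationPath archive.zip"),
]


def triage_4104(records):
    """Return the records worth an analyst's attention (medium or high severity)."""
    flagged = []
    for stamp, host, script in records:
        result = score_script_block(script)
        if result["severity"] in ("medium", "high"):
            flagged.append({"time": stamp, "host": host, **result})
    return flagged


if __name__ == "__main__":
    for entry in triage_4104(SAMPLE_4104):
        print(entry["time"], entry["host"], entry["severity"], entry["categories"])
```

The backup script on WS-120 scores "low" even though it recurses through Documents for Office files, because it touches only one category; the WS-114 block scores "high" on five. That breadth, rather than any one product name, is what to alert on, and it survives the actor renaming variables or reordering the script.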

"EncryptHub breaches 618 orgs to deploy infostealers, ransomware" is the article. I think we need to read this, understand what it is doing, and learn what we can do not to get infected with this thing.

Happy reading!

