Group-IB uncovered a new scam campaign targeting both Instagram and banking users in Indonesia, which aims to gain access to their bank accounts. Our team identified more than 600 hijacked Instagram accounts used to spread phishing links to fake websites disguised as login pages of mobile banking applications for one of Indonesia’s leading financial institutions.
Want to learn how the scheme works and how to avoid falling victim to it? Visit our website to read the full story
#DigitalRiskProtection #scam #phishing
🔍 In January 2023, Group-IB’s Digital Forensics and Incident Response team investigated an attack against an industrial sector company in Europe. Our experts established that the victim’s systems had been encrypted with a previously unknown ransomware strain. The strain was codenamed BabLock, because its versions for Linux and ESXi share similarities with the leaked Babuk ransomware. Despite these slight similarities, the group has a very distinct modus operandi and custom, sophisticated ransomware for Windows. Additionally, the BabLock gang (also tracked under the name “Rorschach”), unlike most of its “industry peers”, does not use a dedicated leak site and communicates with its victims via email. Group-IB researchers immediately notified the company’s customers of its discovery.
Check out our new blog post to get a comprehensive description of the BabLock attack: their toolset, the strain’s samples for Windows, ESXi, and Linux as well as TTPs used by the BabLock gang mapped to MITRE ATT&CK®. Read👈
#ransomware #BabLock
Group-IB’s Threat Intelligence team identified new infrastructure used by APT MuddyWater. We also uncovered that this group uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices.
According to our data, MuddyWater used SimpleHelp for the first time on June 30, 2022. At the time of writing, the group has at least eight servers on which they have SimpleHelp installed.
Our new blog post describes MuddyWater’s previously unknown infrastructure and points to links with some of the group’s publicly known IP addresses. Read now👈
#APT #MuddyWater
Group-IB will no longer be present in the Russian market. This comes after Dmitry Volkov, co-founder and CEO, sold his stake in Group-IB’s Russia-based business to the company’s local management. Group-IB’s branding and trademarks will not be permitted in Russia.
This process marks the completion of the second stage of the regional business diversification announced by Group-IB in July 2022, and encompasses changes to the ownership structure, separation of Group-IB’s business and technical units, and the final withdrawal of the Group-IB brand from the Russian market.
More details👈
🎣 Phishing attacks are becoming ever more sophisticated and their scale is increasing exponentially.
There are several ways to investigate a phishing campaign efficiently. In our new blog post, we present a practical guide based on the investigation into a Chinese-speaking phishing campaign observed in July 2022. The campaign was carried out by a phishing gang that Group-IB named PostalFurious. PostalFurious targeted users in APAC, specifically in Singapore, Australia, and some other countries, by impersonating postal and, to a lesser extent, toll operators.
Read more👈
#phishing #PostalFurious
🎭 What happens when the people who are meant to stop scams spreading on social media are being impersonated by the scammers themselves?
Group-IB Digital Risk Protection experts have discovered a new and still ongoing global phishing campaign launched on Facebook by cybercriminals who impersonate the technical support staff of Meta, Facebook’s parent company. Group-IB researchers identified more than 3,200 Facebook profiles publishing posts purportedly written by Meta technical support staff in a total of 23 languages. The scammers’ ultimate aim is to gain access to the Facebook accounts of public figures, celebrities, businesses, sports teams, as well as individual profiles, to steal sensitive information, and potentially use the same compromised credentials to gain access to other accounts held by the individual. Group-IB’s Computer Emergency Response Team (CERT-GIB) informed Facebook of its findings, in line with the company's responsible disclosure protocol.
Check out our newest blog post to learn more about this phishing campaign as well as to get recommendations on how not to fall victim. Read👈
Malware detonation is Group-IB's core technology for automated malware analysis and is natively embedded in Managed XDR and Business Email Protection. To keep up with the evolving threat landscape, Group-IB constantly updates and evolves its Malware Detonation Platform.
One of the new features added to the Malware Detonation Platform allows analysts to access all artifacts related to malware detonation, including files from the file structure, files created during malware detonation, registry keys, mutexes, network indicators, as well as memory fragments. End-to-end search and related processes mapping options are available. This data can be exported via API and used in external systems for threat hunting and automated response processes.
A picture is worth a thousand words, so let's look at the gif above. A sample of Loki PWS malware was successfully detonated, and the system automatically extracted a number of artifacts, including the malware’s configuration and its predefined commands, along with a C&C servers list.
Want to learn more about the new features in Group-IB's Malware Detonation Platform? Check out our new blog👈
#MXDR #BEP
In March 2023, Group-IB’s Threat Intelligence team infiltrated the Qilin ransomware group and now can reveal inside information about this RaaS program.
Qilin is a Ransomware-as-a-Service affiliate program that now uses a Rust-based ransomware to target its victims. Many Qilin ransomware attacks are customized for each victim to maximize their impact. Qilin’s targets are primarily critical sector companies.
Group-IB’s Threat Intelligence team obtained information about Qilin’s payment structure through a private conversation on Tox (an open-source messaging app that offers end-to-end encryption) with one of the program’s users (Haise), who was identified on the underground forum RAMP. According to the information provided by the owner of the Qilin RaaS program, for payments totaling $3M or less, affiliates earned 80% of the payment; for payments of more than $3M, they earned 85% of the payment.
Read our new blog post to get a detailed breakdown of the group, as well as recommendations on how to prevent Qilin’s attacks👈
#ransomware #Qilin
When cybersecurity researchers work together, they make the world safer🤝 Group-IB and Bridewell are proud to share the joint blog post about previously unknown infrastructure belonging to APT SideWinder.
While investigating the threat actors, Group-IB’s and Bridewell’s threat intelligence specialists identified and attributed a large part of the group’s infrastructure, namely 55 domains and IP addresses. The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors.
Curious to know more? Read our fresh blog post👈
#APT #SideWinder
🔍Group-IB has recorded a 25% increase in the use of phishing kits in 2022.
The key trends, based on the analysis of more than 6,000 phishing kits extracted in 2021 and 2022, are the increasing use of access control and advanced detection evasion techniques. Here is what else Group-IB’s Computer Emergency Response Team found:
📌 In total, just under half of the phishing kits from 2022 seen by CERT-GIB relied on email to handle stolen information.
📌 The number of phishing kits that use Telegram to collect stolen data almost doubled in 2022 compared to the preceding year.
📌 In 2022, 1,824 phishing kits used simple access control mechanisms. Hypertext access (.htaccess) became the most popular access control strategy.
📌 2,060 phishing kits used advanced detection evasion techniques - 26% more than a year earlier.
More details👈
Want to learn how Group-IB protects companies from phishing and scams? Visit our website👈
#phishing #CERT