ESET researchers have recently discovered a previously undocumented botnet named VictoryGate. It has been active since at least May 2019, and is composed mainly of devices in Peru, where over 90% of the infected devices are located. The main activity of the botnet is mining Monero cryptocurrency. The victims include organizations in both public and private sectors, including financial institutions. Thanks to data obtained during this research and shared with the nonprofit Shadowserver Foundation, at least a portion of the botnet operation has been disrupted.
ESET researchers have been “sinkholing” several domain names that control the botnet’s actions, replacing them with machines that do not send the botnet’s slave computers the commands they expect, but simply monitor botnet activity. Based on this data and ESET telemetry, ESET estimates that at least 35,000 devices became infected with VictoryGate at one point or another during this campaign.
The only infection vector used for spreading VictoryGate is via removable devices. “The victim receives a USB drive that at some point was connected to an infected machine. It seemingly has all the files with the same names and icons that it contained before being infected. Because of this, the content will look almost identical at first glance. However, all the original files were replaced by a copy of the malware,” says ESET researcher Alan Warburton, who investigated the botnet. “When an unsuspecting user attempts to open one of these files, the script will open both the file that was intended and the malicious payload.”
Warburton also warns about the impact on victims’ machines: “There is very high resource usage by the botnet, resulting in a constant 90% to 99% CPU load. This slows down the device and can cause overheating and possible damage.”
According to ESET research, VictoryGate has gone to much greater lengths to avoid detection than previous, similar campaigns observed in the Latin American region. Because the botmaster can, at any time, update the payloads that are downloaded and executed on infected devices, switching them from cryptomining to any other malicious activity, the botnet poses a considerable risk. This is particularly true since many of the identified victims were in the public sector or in financial institutions.
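The USB replacement trick described above (each document swapped for a same-named launcher that still opens the hidden original) can be screened for on a mounted drive. The following is an added defensive example, not ESET's tooling; the file layout it builds is constructed for illustration, and the extension lists and the "hidden sibling" heuristic are assumptions about how such a drive looks, not details taken from the report.

```python
"""Heuristic scan of a removable drive for VictoryGate-style file masquerading."""
import os
import stat
import tempfile
from pathlib import Path

# Extensions Windows will execute; a "document" ending in one of these is suspect.
EXEC_EXT = {".exe", ".scr", ".lnk", ".vbs", ".js", ".jse", ".bat", ".cmd", ".hta", ".pif", ".com"}
# Document-like extensions that a lookalike name usually borrows.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".txt"}

def is_hidden(path):
    """Hidden by name (dotfile) or, on Windows, by the FILE_ATTRIBUTE_HIDDEN bit."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return path.name.startswith(".") or bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def base_stem(path):
    """'report' for 'report.pdf.exe' and for a hidden '.report.pdf'."""
    return path.name.lstrip(".").split(".")[0].lower()

def suspicious_files(root):
    """Return sorted (relative_path, reason) pairs for files that look like replaced originals."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        files = [Path(dirpath, f) for f in filenames]
        by_stem = {}
        for f in files:
            by_stem.setdefault(base_stem(f), []).append(f)
        for f in files:
            suf = [s.lower() for s in f.suffixes]
            if not suf or suf[-1] not in EXEC_EXT:
                continue                      # not executable, nothing to flag
            rel = str(f.relative_to(root))
            if len(suf) >= 2 and suf[-2] in DOC_EXT:
                findings.append((rel, "document name with executable extension"))
                continue
            # Launcher next to a hidden non-executable file of the same base name:
            # the pattern of "open the real file, then the payload".
            shadows = [g for g in by_stem[base_stem(f)]
                       if g != f and g.suffix.lower() not in EXEC_EXT and is_hidden(g)]
            if shadows:
                findings.append((rel, "launcher beside hidden original " + ", ".join(g.name for g in shadows)))
    return sorted(findings)

def demo_drive():
    """Constructed layout mimicking an infected stick (placeholder bytes, not a real sample)."""
    d = Path(tempfile.mkdtemp(prefix="usb_"))
    for name in ("report.pdf.exe", "notes.lnk", ".notes.docx", "budget.xlsx", "setup.exe"):
        (d / name).write_bytes(b"placeholder")
    return d

if __name__ == "__main__":
    for rel, why in suspicious_files(demo_drive()):
        print(f"{rel}: {why}")
```

Point it at the drive's mount point instead of `demo_drive()`; a standalone `setup.exe` with no hidden twin is deliberately not flagged, so the output is a shortlist to inspect rather than a verdict.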
Nvidia May Restart Cryptomining GPU Production
Nvidia is thinking about beginning production of crypto-mining specific Ampere graphics cards that come without display outputs, but first, it needs to find out whether there’s enough mining demand for the latest graphics processors.
“If crypto demand begins or if we see a meaningful amount, we can also use that opportunity to restart the CMP [mining-specific GPUs] product line to address ongoing mining demand,” said Colette Kress, chief financial officer at Nvidia, at the 19th Annual J.P. Morgan Tech/Auto Forum Conference.
Demand for gaming graphics cards, high-performance processors, and game consoles has exceeded supply for months as people spend more time at home and entertain themselves playing the latest game titles. Cryptocurrency valuations have skyrocketed recently, reactivating miners who rushed to get graphics cards, further increasing demand for GPUs. Nvidia has had a hard time understanding how demand from cryptominers affects its current sales, but it is mulling restarting the production of mining-specific graphics cards.
“We don’t have visibility on how much of the GeForce RTX 30-series end demand comes from mining,” said Kress. “So, we don’t believe it’s a big part of our business today. Gaming demand is very strong, and we think that’s larger than our current supply.”
It doesn’t always make a lot of sense to mine Bitcoin using Nvidia’s latest GPUs, which tend to be pretty expensive. There are special accelerators designed for Bitcoin mining, and those ASICs tend to be considerably more efficient than graphics processors. In contrast, GPUs are used to mine Ethereum, which has been gaining in price in recent weeks, just like Bitcoin.
Since demand for Nvidia’s products has generally been high in recent months, it is not easy for Nvidia to determine how much of that demand comes from cryptominers, especially since some graphics board makers have mined cryptocurrency at their own facilities before releasing the cards to the market.
It is beneficial for Nvidia to clearly understand how many of its GPUs are needed by cryptominers. Since miners only need compute capabilities of a GPU, they do not need display outputs, and they do not care if the GPU they use comes with disabled texture mapping units or lacks video processing capabilities. As a result, Nvidia can sell them graphics processors that would otherwise go to waste. Those come in the form of the aforementioned CMP GPUs.
But before making such chips available to add-in-board (AIB) manufacturers, GPU designers need to figure out the total available market that they are trying to address so they don’t bin chips that aren’t needed. Before that happens, GPU developers may just enjoy additional demand for their products.
Twitter Hack Targets High-Profile Accounts
Joe Biden, Elon Musk, Jeff Bezos and other high-profile Twitter account holders were the targets of a widespread hack to offer fake bitcoin deals on Wednesday in one of the most pronounced security breaches on a social media site. Accounts for former US president Barack Obama, Microsoft co-founder Bill Gates, musician Kanye West and both Uber and Apple also posted similar tweets, all instructing people to send cryptocurrency to the same bitcoin address. The tweets were removed throughout the afternoon, shortly after being posted.
“The hackers ask users to send anywhere between 0.1 BTC to 20 BTC to a designated Bitcoin address and that they’ll double victims’ money,” explained Satnam Narang, Staff Research Engineer, Tenable. “This is a common scam that has persisted for a few years now, where scammers will impersonate notable cryptocurrency figures or individuals. What makes this incident most notable, however, is that the scammers have managed to compromise the legitimate, notable Twitter accounts to launch their scams. Because the tweets originated from these verified accounts, the chances of users placing their trust in the CryptoForHealth website or the purported Bitcoin address are even greater.”
Narang further added that this is a fast-moving target and so far over $50,000 has been received by the Bitcoin address featured on the CryptoForHealth website and in Elon Musk’s and Bill Gates’ tweets. “We strongly advise users never to participate in so-called giveaways or opportunities that claim to double your cryptocurrency because they’re almost always guaranteed to be a scam,” Narang said.
There have been hacks of high-profile individual accounts on Twitter before, including Twitter chief executive Jack Dorsey last year. But the widespread nature of this attack suggested an unusually broad access to internal controls. While it was unclear how the attacks originated or why they went on for hours, some cybersecurity experts speculated that someone may have gained access to internal Twitter controls that allowed them to take over and post on the accounts.
“While the origins and scope of this pervasive attack are under investigation, the coordinated Bitcoin giveaway scam itself was designed to convince millions of Twitter followers to believe the fraudulent tweets, click the link, and pay Bitcoin,” said Loïc Guézo, Senior Director of Cybersecurity Strategy, EMEA at Proofpoint. “People are still a main focus for threat actors, even in scenarios where a system is possibly compromised. The social engineering featured in this scam demonstrates that the attackers targeted Twitter employees with access to internal tools and preyed on the trust associated with verified accounts and the attraction of doubling your money. To make the scam seem more authentic, they even set a time limit and an easy payment option to drive a swift response. Threat actors understand human nature and are unrelentingly focused on taking advantage of our society’s trust in digital channels.”
The attack also partially shut down the network. Twitter said in a tweet that some users weren’t able to tweet while it was addressing the incident. Users with the check mark indicating that their accounts were verified by Twitter reported that they weren’t able to tweet. Twitter started letting verified accounts tweet again yesterday night but warned the “functionality may come and go” as it worked on a fix to the breach. Later the same night, Dorsey tweeted that the company was “diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.” He called it a “tough day” at Twitter.
“Until we know exactly how these scam tweets were sent, it’s difficult to suggest what actions you might take, particularly given that access to services such as password changes (and presumably also changing details such as two-factor authentication numbers) is being restricted,” explained Paul Ducklin, principal research scientist, Sophos. “However, these scammers will only succeed if people fall for their unlikely messages – which rely on people suspending their disbelief simply because the tweet comes from a celebrity or someone they are inclined to trust.”
Twitter said in a later tweet that it “detected a coordinated attack by people who successfully targeted some of our employees with access to internal systems and tools.” The hackers used that access to take over the accounts. The breach will create major optics challenges for Twitter, and it will make it more challenging moving forward to verify the authenticity of messages on the service, cybersecurity experts warned. That could have wide-reaching implications for politicians, celebrities and brands that use Twitter as an essential channel for communication.
Some of the people who were hacked indicated that they had turned on two-factor authentication and were using strong passwords, which typically makes unauthorized account access much more difficult. Meanwhile, Uber’s corporate account posted a tweet that read, “Due to Covid-19, we are giving back over $10,000,000 in Bitcoin! All payments sent to our address below will be sent back doubled.”
Uber confirmed in a tweet that its account had been hacked. “Like many others, our @Uber account was hit by a scammer today. The tweet has been deleted and we’re working directly with @Twitter to figure out what happened,” the company’s communication team tweeted. Then came a tweet from Amazon CEO and Washington Post owner Bezos’s account. “I have decided to give back to my community.” The tweet said it would be limited to $50 million.
Twitter said in tweets Wednesday night that it had “locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.” Meanwhile, the company is internally limiting access to tools while it investigates what happened.
New AZORult Campaign Abuses Popular VPN Service to Steal Crypto
Kaspersky researchers have detected an unusual malicious campaign that uses a phishing copy of a popular VPN service’s website to spread AZORult, a Trojan stealer, under the guise of installers for Windows. In 2019 this malware targeted more than 40,000 users in the Middle East. The campaign, which kicked off at the end of November 2019 with the registration of a fake website, is currently active and focused on stealing personal information and cryptocurrency from infected users. This shows that cybercriminals are still hunting for cryptocurrency, despite reports that interest in the currency has died down.
AZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities. This Trojan poses a serious threat to those whose computers may have been infected as it is capable of collecting various data, including browser history, login credentials, cookies, files from folders, cryptowallet files and can also be used as a loader to download other malware.
In a world where privacy is heavily fought for, VPN services play an important role by enabling additional data protection and safe internet browsing. Yet cybercriminals try to abuse the growing popularity of VPNs by impersonating them, as is the case in this AZORult campaign. In the most recent campaign, the attackers created a copy of a VPN service’s website that looks exactly the same as the original, the only exception being a different domain name.
Links to the domain are spread through advertisements via different banner networks, a practice also called ‘malvertising’. The victim visits the phishing website and is prompted to download a free VPN installer. Once a victim downloads the fake VPN installer for Windows, it drops a copy of the AZORult botnet implant. As soon as the implant is run, it collects the infected device’s environment information and reports it to the server.
Finally, the attacker steals cryptocurrency from locally available wallets (Electrum, Bitcoin, Ethereum, and others), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), and credentials from WinSCP, Pidgin messenger and others. Upon the discovery of the campaign, Kaspersky immediately informed the VPN service in question about the issue and blocked the fake website.
“This campaign is a good example of how vulnerable our personal data is nowadays. In order to protect it, users need to be cautious and be especially careful when surfing online. This case also shows why cybersecurity solutions are needed on every device. When it comes to phishing copies of websites, it is very difficult for the user to differentiate between a real and a fake version. Cybercriminals often capitalize on popular brands and this trend is not likely to die down”, comments Dmitry Bestuzhev, head of GReAT in Latin America. “We strongly recommend using a VPN for protection of data exchange on the web, but it is also important to closely study where the VPN software is downloaded from.”
Kaspersky detects this threat as HEUR: Trojan-PSW.Win32.Azorult.gen. To reduce the risk of infection with Trojan stealers such as AZORult, Kaspersky recommends that users:
- Check that the website is authentic. Do not visit websites until you are sure that they are legitimate and start with ‘https’. Confirm that the website is genuine by double-checking the format of the URL and the spelling of the company name, reading reviews about it and checking the domain’s registration data before starting downloads.
- Store cryptocurrencies in cold wallets (ones that are not connected to the internet) to minimize risks of funds being stolen
- Try to keep your passwords and other personal information, including a wallet’s private key, in a password manager.
- Use a reliable security solution that protects devices from a wide range of threats, including phishing activity.
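The first recommendation above, checking the URL format and the spelling of the company name, is the one step a user can mechanise: a lookalike site in this campaign differed from the real one only in its domain. The following is an added example, not Kaspersky's tooling; the legitimate domain `examplevpn.com` is a constructed placeholder because the page does not name the impersonated service, and the confusable-character table and the two-label "registrable domain" rule are simplifying assumptions.

```python
"""Classify a download URL against a service's known domain (added example)."""
from urllib.parse import urlsplit

# Substitutions typical of lookalike domains: paired letters and digit-for-letter swaps.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def levenshtein(a, b):
    """Edit distance; each insert, delete or substitute counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(label):
    """Collapse confusable sequences so 'exarnplevpn' compares equal to 'examplevpn'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label

def classify_url(url, legit_domains):
    """Return 'legitimate', 'legitimate but not https', 'brand used as subdomain of X',
    'lookalike of X' or 'unrelated'. Hostname is already lower-cased by urlsplit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])          # assumption: no public-suffix list
    if registrable in legit_domains:
        return "legitimate" if parts.scheme == "https" else "legitimate but not https"
    cand = labels[-2] if len(labels) >= 2 else host
    for legit in legit_domains:
        brand = legit.split(".")[0]
        if brand in labels[:-2]:                 # examplevpn.com.evil-site.net
            return f"brand used as subdomain of {registrable}"
        if (fold(cand) == fold(brand) or levenshtein(cand, brand) <= 1
                or (brand in cand and cand != brand)):
            return f"lookalike of {legit}"
    return "unrelated"

if __name__ == "__main__":
    known = {"examplevpn.com"}                   # constructed placeholder for the real service
    for u in ("https://examplevpn.com/download", "https://exarnplevpn.com/download",
              "https://examplevpn.com.download-mirror.net/setup.exe"):
        print(u, "->", classify_url(u, known))
```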