430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw

Security experts at security firm Intezer have recently discovered backdoor, associated with the operation of the Iron cybercrime group, that is based on the leaked source code of Remote Control System (RCS). The Remote Control System (RCS) is the surveillance software developed by the HackingTeam, it was considered a powerful malware that is able to infect also mobile […]

iron cybercrime group backdoor extension

Security experts at security firm Intezer have recently discovered backdoor, associated with the operation of the Iron cybercrime group, that is based on the leaked source code of Remote Control System (RCS).

The Remote Control System (RCS) is the surveillance software developed by the HackingTeam, it was considered a powerful malware that is able to infect also mobile devices for covert surveillance. RCS is able to intercept encrypted communication, including emails and VOIP voice calls (e.g. Skype), the mobile version, available for all the OSs (AppleAndroid, Symbian, and Blackberry), is also able to completely control the handset and its components, including the camera, the microphone and GPS module.

The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

The new backdoor analyzed by the experts uses an installer protected with VMProtect and compressed using UPX, the malicious code is able to determine if it is running in a virtual machine.

The malware first drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor dll to %localappdata%\Temp\\<random>.dat, then checks OS version to determine the backdoor to launch.

The malware halts its execution if detect the presence of Qhioo360 products. It also installs a malicious certificate to sign the backdoor binary as root CA, then creates a service pointing back to the backdoor.

The analysis of the backdoor revealed it uses two main functions in their IronStealer and Iron ransomware families, the VM detection code that was borrowed from the HackingTeam’s “Soldier” implant and the DynamicCall module from HackingTeam’s “core” library.

iron cybercrime group backdoor extension

The malware used a patched version of the popular Adblock Plus chrome extension to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.

The extension constantly runs in the background, as a stealth host based crypto-miner. Every minute, the malware checks if Chrome is running, and can silently launch it if it doesn’t.

“The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it” continues the analysis.

The backdoor also includes Adblock Plus for IE that is capable of injecting remote JavaScript, a functionality, however, is no longer automatically used.

The malware automatically decrypts a hard coded shellcode that loads Cobalt Strike beacon in-memory, and fetches a payload URL from a hardcoded Pastebin address.

The malicious code is able to drop two malware. a variant of “JbossMiner Mining Worm” tracked as Xagent and the Iron ransomware.

The group used the malware to stealing cryptocurrency from the victim’s workstation, the Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets.

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” explained the experts.

Further details, including the IoCs are reported in the blog post published by the researchers.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Hacking Team, Surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]