The Good, the Bad and the Ugly in Cybersecurity – Week 37

The Good | Cybercrime Syndicate Members Arrested In Singapore & Dark Market Admins Indicted for Fraud

Singaporean authorities conducted an island-wide raid on various suspects that were being monitored for their links to a global cybercrime syndicate. As a result of the operation, 160 officials from various law enforcement departments joined up to arrest five Chinese nationals and one Singaporean individual.

The suspects were found in possession of hacking tools and devices, a specialized backdoor called PlugX that was primed to control malware, stolen personally identifiable information (PII), credentials to cybercriminal-controlled servers, and a substantial amount of cash and cryptocurrency. Currently, the operation is part of ongoing investigations into the greater syndicate’s activities. PlugX is a remote access trojan (RAT) largely associated with PRC state-sponsored threat groups such as APT10, APT41, and Earth Preta.

Electronic devices containing stolen data, hacking tools, and PlugX (Source: Singapore Police Force)

In a related development, two individuals have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace known as WWH Club (wwh-club[.]ws). The platform specialized in the sale of sensitive personal and financial information. WWH Club also offered online courses on cybercrime techniques to over 353,000 aspiring cybercriminals, evening allowing buyers to pay extra for training materials.

The accused, identified as Alex Khodyrev (a Kazakhstan national) and Pavel Kublitskii (a Russian national), face charges of conspiracy to commit access device fraud and conspiracy to commit wire fraud. Khodyrev and Kublitskii are said to have acted as the main administrators of, not only WWH Club, but also its various sister sites that all functioned as dark markets, forums, and cybercrime training centers. If convicted, the defendants could face up to 20 years in federal prison. The case highlights ongoing efforts by law enforcement agencies to tackle cybercrime at its roots.

The Bad | Cryptocurrency Industry Reached $5.6 Billion in Losses in 2023, FBI Reports

Crypto took a major hit last year with losses exceeding $5.6 billion, mainly driven by investment fraud, tech support scams, and social engineering via government impersonation. Latest findings published by the FBI’s Internet Crime Complaint Center (IC3), the product of almost 70,000 reports, marks this 45% rise as a new record high for the industry. The U.S. alone accounts for $4.8 billion of these reported cases, followed by the Cayman Islands, Mexico, Canada, the U.K., India, and Australia.

(Source: FBI)

The report laid out several fraud and scam trends, ranging from fake investment sites, pig butchering schemes linked to dating apps and professional networking platforms, and liquidity mining scams that offer high returns for staking assets. Another popular method saw criminals launching fake blockchain-based gaming apps to trick users into connecting their cryptocurrency wallets. Scammers also showed no mercy in their tactics, reportedly targeting victims of previous frauds in secondary scams by offering fake cryptocurrency recovery services to charge upfront fees for retrieving stolen assets.

Cybercriminals continue their attacks on the cryptocurrency industry, taking advantage of its decentralized nature. With no central authority oversight in place, fraudulent transactions and illicit financial activities are very difficult to trace or reverse. Cryptocurrency also offers anonymity and easy ways to obscure money trails – both attractive qualities sought out by online attackers and scammers.

The FBI’s findings is followed closely by reports of misconfigured, Internet-exposed Selenium Grid instances being targeted by malicious actors for illicit cryptocurrency mining and proxyjacking. Exploiting these public systems, threat actors leverage their victim’s Internet bandwidth to inject malicious scripts, drop cryptocurrency miners, and more.

The Ugly | New Malware Launched in Iranian-Backed Campaign Against Iraqi Government Entities

Iraqi government entities have been targeted in a sophisticated campaign led by OilRig (aka APT34), an Iranian state-sponsored threat group. In a new report released this week, security researchers identified the Iraqi Prime Minister’s Office and the nation’s Ministry of Foreign Affairs as key victims in this campaign featuring a novel set of malware families.

OilRig has been active in the threat scene since 2014 and is specialized in leveraging phishing techniques to infiltrate Middle Eastern networks. Often, OilRig deploys custom backdoors to steal sensitive data. In this recent operation, the group introduced two new malware strains, Veaty and Spearal, designed to execute PowerShell commands and extract sensitive files. Researchers noted that the strains were observed employing unique command and control (C2) mechanisms consisting of a custom DNS tunneling protocol and email-based C2 channel tailor-made for the campaign.

Specifically, Spearal, a .NET backdoor, uses DNS tunneling for communication, while Veaty relies on compromised email accounts for its command-and-control (C2) operations. OilRig then leverages social engineering tactics and phishing emails containing deceptive files, such as Avamer.pdf.exe or IraqiDoc.docx.rar, to deliver these malware tools.

Installer deploying Spearal malware showing logo of the Iraqi General Secretariat of the Council of Ministers (Source: Check Point)

According to the report, OilRig’s attack methods consistently exploit previously compromised email accounts and utilize custom DNS tunneling protocols. The campaign targeting Iraqi government infrastructure also involved the discovery of additional backdoors, such as CacheHttp.dll, that targets Microsoft’s Internet Information Services (IIS) servers. Advanced persistent threats (APTs) like OilRig continue to develop specialized techniques in maintaining C2 channels to further develop elaborate cyber-espionage campaigns against high-value adversarial targets. Learn more about the mechanisms behind OilRig’s C2 communications and the group’s TTPs in this LABScon Replay presentation.

Leave a Comment

Your email address will not be published. Required fields are marked *