Ankura CTIX FLASH Update - August 2, 2024

Malware Activity

BingoMod Banking Trojan Initiates Fraudulent Transactions on Infected Devices

BingoMod is a newly discovered, actively developed Android remote access trojan (RAT) distributed through SMS phishing and disguised as a legitimate security tool such as an antivirus app or a Chrome update. Attributed to a likely Romanian-speaking threat actor, BingoMod performs on-device fraud (ODF): the operator takes over the victim's banking session and initiates fraudulent transfers of up to €15,000 per transaction directly from the compromised device, so the transactions originate from a device the bank already trusts. The malware requests Accessibility Services permissions, which let it capture sensitive information such as login credentials and bank account details, intercept SMS messages (including one-time codes), and take screenshots. It maintains two channels to its operators: a socket-based channel for receiving remote commands and an HTTP-based channel that streams the device's screen content in real time. BingoMod also employs evasion techniques, including code obfuscation, the ability to uninstall security apps, and a self-destruction routine that wipes evidence from the infected device. This self-destruct capability and the hands-on operator involvement distinguish BingoMod from other Android banking trojans, reflecting a design that favors simplicity and effective evasion over feature breadth. CTIX analysts will continue to report on novel malware and attack techniques.

Threat Actor Activity

Black Basta Growing Threat with Adaptation of New Custom Tools and Tactics

The Black Basta ransomware gang continues to adapt, employing new custom tools and tactics to evade detection and move through victim networks. Active since April 2022, Black Basta has claimed over 500 victims worldwide, using a double-extortion strategy that combines data theft with encryption to demand multimillion-dollar ransoms. After its primary initial access partner, the QakBot botnet, was disrupted by law enforcement in 2023, Black Basta formed new relationships with other initial access distribution clusters that deliver different malware, such as DarkGate and SilentNight, to gain footholds in corporate networks. Mandiant, which tracks the group as UNC4393, has observed Black Basta's transition from publicly available tools to custom-developed malware, including DawnCry, a memory-only dropper, and CogScan, a .NET reconnaissance tool. The group has also exploited recent vulnerabilities, including a Windows privilege elevation flaw (CVE-2024-26169), reportedly used before a patch was available, and the VMware ESXi authentication bypass (CVE-2024-37085). In tandem, Black Basta continues to rely on "living off the land" techniques, abusing legitimate tools such as Windows certutil (for downloading and decoding payloads) and rclone (for exfiltrating data to cloud storage). Despite increased defensive attention, Black Basta has successfully targeted high-profile entities in 2024 including Veolia North America, Hyundai Motor Europe, and Keytronic. Its ability to quickly adapt and develop new methods underscores its position as a significant global threat in the ransomware landscape. CTIX analysts will continue monitoring global threat actor activity.

Vulnerabilities

CISA Mandates Organizations Patch VMware ESXi Authentication Bypass Vulnerability 

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate a VMware ESXi authentication bypass vulnerability that ransomware operators have been exploiting to gain full administrative access to hypervisors and encrypt the virtual machines they host. Discovered by Microsoft and fixed by Broadcom's VMware on June 25, 2024, the vulnerability, tracked as CVE-2024-37085, affects ESXi hosts joined to an Active Directory domain: such hosts automatically grant full administrative rights to members of a domain group named "ESX Admins", without verifying that the group existed when the host was joined and matching it by name rather than by security identifier (SID). An attacker with sufficient Active Directory privileges can therefore create a group with that name, or rename an existing group to it, add an account, and log into every domain-joined ESXi host in the environment as an administrator. Despite its medium-severity rating (CVSS 6.8) and the requirement for elevated domain privileges, ransomware groups including Storm-0506 (an affiliate that deploys Black Basta) have used it to exfiltrate data and disrupt operations by encrypting many virtual machines (VMs) simultaneously. Following Microsoft's report, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving FCEB agencies until August 20, 2024, to remediate. While the directive binds only federal agencies, CISA advises all organizations to address the vulnerability. CTIX analysts strongly urge administrators to upgrade to ESXi 8.0 Update 3 and, where an upgrade is not yet possible, to apply Broadcom's workaround of setting the advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false and Config.HostAgent.plugins.hostsvc.esxAdminsGroup to a non-default group name. In all cases, monitor Active Directory for the creation or renaming of an "ESX Admins" group and for membership changes to it, and review which accounts currently hold administrative roles on ESXi hosts.
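The monitoring step above can be scripted against domain controller security logs. The following is an added example written for this page in Python; it is not code from the CTIX team, Microsoft or Broadcom. It flags Windows Security events that create a group named "ESX Admins", rename a group to that name, or add a member to it. Field names follow the Windows Security event XML (EventID, TargetUserName, SubjectUserName, MemberName, SamAccountName); the input format (one JSON object per line, as exported by a SIEM forwarder) and the sample events themselves are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Security event IDs that record group lifecycle changes.
# 4727 / 4731: security-enabled global / local group created
# 4737 / 4735: security-enabled global / local group changed (includes renames)
# 4728 / 4732: member added to a security-enabled global / local group
GROUP_CREATED = {4727, 4731}
GROUP_CHANGED = {4735, 4737}
MEMBER_ADDED = {4728, 4732}

# Default group name ESXi trusts. Hosts whose esxAdminsGroup setting was changed
# should have that custom name added here too (assumption: one watched name here).
WATCHED_GROUPS = {"esx admins"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    computer: str
    actor: str
    group: str
    detail: str


def normalize_group(name: Optional[str]) -> str:
    """Lower-case the name and collapse whitespace before comparing.

    ESXi matches the group by name rather than SID, so this detection deliberately
    treats near-matches such as "esx   admins" as hits. That is a detection design
    choice for this example, not a documented ESXi behaviour."""
    return " ".join((name or "").split()).lower()


def is_watched_group(name: Optional[str]) -> bool:
    return normalize_group(name) in WATCHED_GROUPS


def evaluate_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when a single event touches a watched group, else None."""
    eid = int(ev.get("EventID", 0))
    group = ev.get("TargetUserName", "")
    # "Group changed" events also carry the new SAM account name, so a rename
    # *to* "ESX Admins" is caught there even when TargetUserName shows the old name.
    new_name = ev.get("SamAccountName", "")

    if eid in GROUP_CREATED and is_watched_group(group):
        detail = "group created"
    elif eid in GROUP_CHANGED and (is_watched_group(group) or is_watched_group(new_name)):
        detail = "group changed (possible rename to watched name)"
        group = group if is_watched_group(group) else new_name
    elif eid in MEMBER_ADDED and is_watched_group(group):
        detail = f"member added: {ev.get('MemberName', '?')}"
    else:
        return None
    return Finding(eid, ev.get("Computer", "?"), ev.get("SubjectUserName", "?"), group, detail)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan newline-delimited JSON events and collect every finding."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real logs), in the shape of JSON-exported
# Windows Security events; only the fields used above are included.
SAMPLE_LOG = """
{"EventID": 4727, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "TargetUserName": "Finance-Admins"}
{"EventID": 4727, "Computer": "DC01.corp.example", "SubjectUserName": "svc-deploy", "TargetUserName": "ESX Admins"}
{"EventID": 4737, "Computer": "DC01.corp.example", "SubjectUserName": "svc-deploy", "TargetUserName": "Helpdesk", "SamAccountName": "esx admins"}
{"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "svc-deploy", "TargetUserName": "ESX Admins", "MemberName": "CN=backup-ops,OU=Service,DC=corp,DC=example"}
{"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "-", "TargetUserName": "ESX Admins"}
{"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"}
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.event_id}] {f.computer} actor={f.actor} group={f.group!r}: {f.detail}")
```

Run against the constructed sample, the script reports three events, all performed by the same account: the creation of "ESX Admins", the rename of "Helpdesk" to "esx admins", and the addition of a service account to the group. The logon event (4624) that merely mentions the group name is ignored, as is a legitimate change to "Domain Admins". In production, the same logic belongs in a SIEM rule keyed on the same event IDs, with an alert on any hit, since this group should not exist unless the ESXi administrators created it deliberately.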

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
