#FactCheck - Viral Claim of Highway in J&K Proven Misleading

Recent Incidents:

Recent reports are revealing a significant security threat linked to a new infostealer based malware campaign known to solely target gaming accounts. This attack has affected users of Activision and other gaming websites. The sophisticated software has captured millions of login credentials, notably from the cheats and players. The officials at Activision Blizzard, an American video game holding company, are still investigating the matter and collaborating with cheated developers to minimize the impact and inform the accounts’ residents of appropriate safety measures.

Overview:

Infostealer, also known as information stealer, is a type of malware designed in the form of a Trojan virus for stealing private data from the infected system. It can have a variety of incarnations and collect user data of various types such as browser history, passwords, credit card numbers, and login details and credentials to social media, gaming platforms, bank accounts, and other websites. Bad actors use the log obtained as a result of the collection of personal records to access the victim’s financial accounts, appropriate the victim’s online identity, and perform fraudulent actions on behalf of the victim.

Modus Operandi:

• Infosteale­r is a malicious program created to illegally obtain pe­ople's login details, like use­rnames and passwords. Its goal is to enable cybe­rattacks, sell on dark web markets, or pursue­ malicious aims.

• This malware targets both personal de­vices and corporate systems. It spre­ads through methods like phishing emails, harmful we­bsites, and infected public site­s.

• Once inside a device­, Infostealer secre­tly gathers sensitive data like­ passwords, account details, and personal information. It's designe­d to infiltrate systems being undete­cted. The stolen cre­dentials are compiled into datalogs. The­se logs are then sold ille­gally on dark web marketplaces for profit.

Analysis: 

‍

‍

Basic properties:

• MD5: 06f53d457c530635b34aef0f04c59c7d
• SHA-1: 7e30c3aee2e4398ddd860d962e787e1261be38fb
• SHA-256: aeecc65ac8f0f6e10e95a898b60b43bf6ba9e2c0f92161956b1725d68482721d
• Vhash: 145076655d155515755az4e?z4
• Authentihash: 65b5ecd5bca01a9a4bf60ea4b88727e9e0c16b502221d5565ae8113f9ad2f878
• Imphash: f4a69846ab44cc1bedeea23e3b680256
• Rich PE header hash: ba3da6e3c461234831bf6d4a6d8c8bff 
• SSDEEP: 6144:YcdXHqXTdlR/YXA6eV3E9MsnhMuO7ZStApGJiZcX8aVEKn3js7/FQAMyzSzdyBk8:YIKXd/UgGXS5U+SzdjTnE3V
• TLSH:T1E1B4CF8E679653EAC472823DCC232595E364FB009267875AC25702D3EFBB3D56C29F90
• File type: Win32 DLL executable windows win32 pepe dll
• Magic: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
• File size: 483.50 KB (495104 bytes)

Additional Hash Files:

• 160389696ed7f37f164f1947eda00830
• 229a758e232aeb49196c862655797e12
• 23e4ac5e7db3d5a898ea32d27e8b7661
• 3440cced6ec7ab38c6892a17fd368cf8
• 36d7da7306241979b17ca14a6c060b92
• 38d2264ff74123f3113f8617fabc49f6
• 3c5c693ba9b161fa1c1c67390ff22c96
• 3e0fe537124e6154233aec156652a675
• 4571090142554923f9a248cb9716a1ae
• 4e63f63074eb85e722b7795ec78aeaa3
• 63dd2d927adce034879b114d209b23de
• 642aa70b188eb7e76273130246419f1d
• 6ab9c636fb721e00b00098b476c49d19
• 71b4de8b5a1c5a973d8c23a20469d4ec
• 736ce04f4c8f92bda327c69bb55ed2fc
• 7acfddc5dfd745cc310e6919513a4158
• 7d96d4b8548693077f79bc18b0f9ef21
• 8737c4dc92bd72805b8eaf9f0ddcc696
• 9b9ff0d65523923a70acc5b24de1921f
• 9f7c1fffd565cb475bbe963aafab77ff

Indicators of Compromise:

• Unusual Outbound Network Traffic: An increase in odd or questionable outbound network traffic may be a sign that infostealer malware has accessed more data.

• Anomalies in Privileged User Account Activity: Unusual behavior or illegal access are two examples of irregular actions that might indicate a breach in privileged user accounts.

• Suspicious Registry or System File Changes: Infostealer malware may be trying to alter system settings if there are any unexpected changes to system files, registry settings, or configurations.

• Unusual  DNS queries: When communicating with command and control servers or rerouting traffic, infostealer malware may produce strange DNS queries.

• Unexpected System Patching: Unexpected or unauthorized system patching by unidentified parties may indicate that infostealer malware has compromised the system and is trying to hide its footprint or become persistent. 

• Phishing emails and social engineering attempts:  It is a  popular strategy employed by cybercriminals to get confidential data or implant malicious software. To avoid compromise, it is crucial to be wary of dubious communications and attempts of social engineering.

Recommendations:

• Be Vigilant: In today's digital world, many cybercrime­s threaten online safe­ty, Phishing tricks, fake web pages, and bad links pose­ real dangers. Carefully che­ck email sources. Examine we­bsites closely. Use top se­curity programs. Follow safe browsing rules. Update software­ often. Share safety tips. The­se steps reduce­ risks. They help kee­p your online presence­ secure.

• Regular use of Anti-Virus Software to detect the threats: Antivirus tools are vital for finding and stopping cybe­r threats. These programs use­ signature detection and be­havior analysis to identify known malicious code and suspicious activities. Updating virus de­finitions and software-patches regularly, improve­s their ability to detect ne­w threats. This helps maintain system se­curity and data integrity.

• Provide security related training to the employees and common employees: One should learn Cybe­rsecurity and the best practice­s in order to keep the­ office safe. Common workers will ge­t lessons on spotting risks and responding well, cre­ating an environment of caution.

• Keep changing passwords: Passwords should be changed fre­quently for better se­curity. Rotating passwords often makes it harder for cybe­r criminals to compromise and make it happen or confidential data to be­ stolen. This practice keeps intruders out and shie­lds sensitive intel.

Conclusion:

To conclude, to reduce the impact and including the safety measures, further investigations and collaboration are already in the pipeline regarding the recent malicious software that takes advantage of gamers and has stated that about millions of credentials users have been compromised. To protect sensitive data, continued usage of antivirus software, use of trusted materials  and password changes are the key elements. The ways to decrease risks and safely protect sensitive information are to develop improved Cybersecurity methods such as multi-factor authentication and the conduct of security audits frequently. Be safe and be vigilant.

Reference:

• https://techcrunch.com/2024/03/28/activision-says-its-investigating-password-stealing-malware-targeting-game-players/
• https://www.bleepingcomputer.com/news/security/activision-enable-2fa-to-secure-accounts-recently-stolen-by-malware/
• https://cyber.vumetric.com/security-news/2024/03/29/activision-enable-2fa-to-secure-accounts-recently-stolen-by-malware/
• https://www.virustotal.com/
• https://otx.alienvault.com/

‍

Introduction

Google India announced sachet loans on the Google Pay application to help small businesses in the country. Google India said that merchants in India often need smaller loans, hence, the tech giant launched sachet loans on the Gpay application. The company will provide loans to small businesses, which can be repaid in easier repayment instalments. To provide the load services, Google Pay has partnered with DMI Finance. This move comes at the Google for India, 2023, the flagship event to launch the Indian interventions planned by the big tech. 

What is a Sachet Loan? 

The loan system is the primary backbone of the global banking system. Since we have seen a massive transition towards the digital mode of transactions and banking operations, many online platforms have emerged. With the advent of QR codes, the Unified Payment Interface (UPI) has been rampantly used by Indians for making small or petty payments. Seeing this, Sachet loans made an advent as well, Sachet loans are essentially small-ticket loans ranging from Rs 10,000 to Rs 1 lakh, with repayment tenures between 7 days and 12 months. This nano-credit addresses immediate financial needs and is designed for swift approval and disbursement. Satchel loans are one of the most sought-after loan forms in the Western world. The ease of accessibility and easy repayment options have made it a successful form of money lending, which in turn has sparked the interest of the tech giant Google to execute similar operations in India. 

Google Pay

Pertaining to the fact that UPI payments are the most preferred form of online payment, google came out with GPay in 2013 and now enjoys a user base of 67 million Indians. Google Pay has a 36.10% mobile application market share in India, and 26% of the UPI payments made have been through Google Pay. Google Pay adoption for in-store payments in India was higher in 2023 than it was in early 2019, signalling a growing use among consumers. The numbers shown here refer to the share of respondents who indicated they used Google Pay in the last 12 months, either for POS transactions with a mobile device in stores and restaurants or for online shopping. Eight out of 10 respondents from India indicated they had used Google Pay in a POS setting between April 2022 and March 2023, with an additional seven out of 10 saying they used Google Pay during this same time for online payments.

Pertaining to the Indian spectrum, the following aspects should be kept into consideration: 

• PhonePe, Google Pay and Paytm accounted for nearly 96% of all UPI transactions by value in March
• PhonePe remained the top UPI app, processing 407.63 Cr transactions worth INR 7.07 Lakh Cr
• While Google Pay and Paytm retained second and third positions, respectively, Amazon Pay pushed CRED to the fifth spot in terms of the number of transactions
• Walmart-owned PhonePe, Google Pay and Paytm continued their dominance in India’s UPI payments space, together processing 94% of payments in March 2023.
• According to data from the National Payments Corporation of India (NPCI), the top three apps accounted for nearly 96% of all UPI transactions by value. This translates to about 841.91 Cr transactions worth INR 13.44 Lakh Cr between the three apps.

Conclusion

The big tech giant Google.org has been fundamental in creating and provisioning best-in-class services which are easily accessible to all the netizens. Satchel loans are the new services introduced by the platform and the widespread access of Gpay will go a long way in providing financial services and ease to the deprived and needy lot of the Indian population. This transition can also be seen by other payment portals like Paypal and Paytm, which clearly shows India's massive potential in leading the world of online banking and UPI transactions. As per stats, 40% of global online banking transactions take place in India. These aspects, coupled with the cores of Digital India and Make in India, clearly show how India is the global destination for investment in the current era.  

References

• https://www.livemint.com/companies/news/google-enters-retail-loan-business-in-india-11697697999246.html
• https://www.statista.com/statistics/1389649/google-pay-adoption-in-india/#:~:text=Eight%20out%20of%2010%20respondents,same%20time%20for%20online%20payments
• https://playtoday.co/blog/stats/google-pay-statistics/#:~:text=67%20million%20active%20users%20of%20Google%20Pay%20are%20in%20India.&text=Google%20Pay%20users%20in%20India,in%2Dstore%20and%20online%20purchases.
• https://inc42.com/buzz/phonepe-google-pay-paytm-process-94-of-upi-transactions-march-2023/

‍

‍

Overview:

A recent addition to the  list of cybercrime  is SharpRhino, a RAT (Remote Access Trojan) actively used by Hunters International ransomware group. SharpRhino is highly developed and penetrates into the network mask of IT specialists, primarily due to the belief in the tools’ legitimacy. Going under the genuine software installer, SharpRhino started functioning in mid-June 2024. However, Quorum Cyber discovered it in early August 2024 while investigating ransomware.

About Hunters International Group:

Hunters International emerged as one of the most notorious groups focused on ransomware attacks, having compromised over 134 targets worldwide in the first seven months of 2024. It is believed that the group is the rebranding of Hive ransomware group that was previously active, and there are considerable similarities in the code. Its focus on IT employees in particular demonstrates the fact that they move tactically in gaining access to the organizations’ networks.

Modus Operandi:

1. Typosquatting Technique 

SharpRhino is mainly distributed by a domain that looks like the genuine Angry IP Scanner, which is a popular network discovery tool. The malware installer, labeled as ipscan-3.9.1-setup. It is a 32-bit Nullsoft installer which embeds a password protected 7z archive in it. 

2. Installation Process 

• Execution of Installer: When the victim downloads and executes the installer and changes the windows registry in order to attain persistence. This is done by generating a registry entry that starts a harmful file, Microsoft. AnyKey. exe, are fakes originating from fake versions of true legitimate Microsoft Visual Studio tools. 

• Creation of Batch File: This drops a batch file qualified as LogUpdate at the installer.bat, that runs the PowerShell scripts on the device. These scripts are to compile C# code into memory to serve as a means of making the malware covert in its operation. 

• Directory Creation: The installer establishes two directories that allow the C2 communication – C:\ProgramData\Microsoft: WindowsUpdater24 and LogUpdateWindows. 

3. Execution and Functionality: 

• Command Execution: The malware can execute PowerShell commands on the infected system, these actions may involve privilege escalation and other extended actions such as lateral movement. 

• C2 Communication: SharpRhino interacts with command and control servers located on domains from platforms such as Cloudflare. This communication is necessary for receiving commands from the attackers and for returning any data of interest to the attackers. 

• Data Exfiltration and Ransomware Deployment: Once SharpRhino has gained control, it can steal information and then proceed to encrypt it with a .locked extension. The procedure generally concludes with a ransom message, which informs users on how to purchase the decryption key. 

4. Propagation Techniques: 

Also, SharpRhino can spread through the self-copying method, this is the virus may copy itself to other computers using the network account of the victim and pretending to be trustworthy senders such as emails or network-shared files. Moreover, the victim’s machine may then proceed to propagate the malware to other systems like sharing in the company with other employees.

Indicators of Compromise (IOCs):

• LogUpdate.bat
• Wiaphoh7um.t
• ipscan-3.9.1-setup.exe
• kautix2aeX.t
• WindowsUpdate.bat

Command and Control Servers:

• cdn-server-1.xiren77418.workers.dev
• cdn-server-2.wesoc40288.workers.dev
• Angryipo.org
• Angryipsca.com

Analysis:

‍

‍

Graph:

Precautionary measures to be taken:

To mitigate the risks posed by SharpRhino and similar malware, organizations should implement the following measures:

• Implement Security Best Practices: It is important only to download software from official sites and avoid similar sites to confuse the user by changing a few letters.

• Enhance Detection Capabilities: Use technology in detection that can detect the IOCs linked to Sharp Rhino.

• Educate Employees: Educate IT people and employees on phishing scams and the requirement to check the origin of the application.

• Regular Backups: It is also important to back up important files from systems and networks in order to minimize the effects of ransomware attacks on a business.

Conclusion:

SharpRhino could be deemed as the evolution of the strategies used by organizations like Hunters International and others involved in the distribution of ransomware. SharpRhino primarily focuses on the audience of IT professionals and employs complex delivery and execution schemes, which makes it an extremely serious threat for corporate networks. To do so it is imperative that organizations have an understanding of its inner workings in order to fortify their security measures against this relatively new threat. Through the enforcement of proper security measures and constant enlightenment of organizations on the importance of cybersecurity, firms can prevent the various risks associated with SharpRhino and related malware. Be safe, be knowledgeable, and most importantly, be secure when it comes to cyber security for your investments.

Reference: 

https://cybersecuritynews.com/sharprhino-ransomware-alert/

https://cybersecsentinel.com/sharprhino-explained-key-facts-and-how-to-protect-your-data/

https://www.dataprivacyandsecurityinsider.com/2024/08/sharprhino-malware-targeting-it-professionals/

‍