Malicious Tools in the Underground: Investigating their Propagation

Cyble Research & Intelligence Labs (CRIL) investigates the recent proliferation of malicious tools advertised in underground forums.

CRIL continuously tracks and monitors the propagation of malicious tools and services across cybercrime channels to highlight how they are put to use in cybercrime operations. We identified several such offerings recently being discussed by Threat Actors (TAs).

Trigona affiliate program

We identified a post inviting forum members to join the Trigona affiliate program. The Trigona ransomware family has been actively tracked since June 2022. Based on past reporting and analysis, the ransomware is written in the Delphi programming language and uses 112-bit RSA together with 256-bit AES in OFB mode for file encryption. The ransomware operators claim to perform double-extortion attacks, combining data exfiltration with file encryption. The affiliate program is likely to attract affiliates looking to expand their operations.

The program offers ransomware-as-a-service (RaaS) and advertises multiple capabilities:

  • Cross-platform build with cryptographically advanced encryption
  • Admin panel on the Tor network, along with end-to-end encryption of data
  • Call facilities for countries across the globe
  • DDoS capabilities
  • Cloud storage for leaked databases

Figure 1: Trigona Affiliate Program

Meduza Stealer

The operators of Meduza Stealer posted a thread advertising the stealer's functions and the details of its paid subscription. The build is developed in C++ and is designed to collect data from browsers (including history, bookmarks, and cookies), cryptocurrency wallets, Telegram clients, and password managers. The group created a Telegram channel on April 24, 2023, and has actively promoted its build there.

Figure 2: Meduza Stealer

ShadowVault – MacOS Stealer

The threat actors behind this new stealer targeting macOS users were recently advertising it to the underground community on a subscription basis. Macs see relatively less malware than Windows machines, but they are not immune. The threat actor, describing its features, states that:

  • It can be installed via both PKG and DMG file formats.
  • The malware can extract cookies, usernames, credit card information, crypto wallet IDs, and passwords without requiring a separate crypto build.
  • It exfiltrates the compromised information and offers the option to include or exclude any file extension for collection. It supports over 50 browsers, including Chromium-based ones.
  • Data stolen from the keychain database of Apple devices is encrypted during extraction, making it harder to determine how much information was stolen and helping the stealer evade detection.
  • The stealer supports extraction from Metamask, Coinomi, Binance, Coinbase, Atomic, Exodus, Keplr, Phantom, Trust, Tron Link, Martian, etc.
  • It features keylogging, creates multiple logs of the stolen information, and stores them in different locations so the data can still be retrieved even if one copy is deleted.
  • The stolen information is automatically decrypted on the user's computer.

The TA also offered custom signatures of legitimate Apple Developers for an additional fee.

Figure 3: ShadowVault – MacOS Stealer

LummaC2 Stealer

LummaC2 was first promoted on cybercrime forums in December 2022. Since then, it has been under consistent development and has evolved into a sophisticated but affordable information stealer among the malware-as-a-service (MaaS) offerings. The malicious build, 150–200 KB in size, is designed to steal data from multiple browsers, including Chrome, Chromium, Mozilla Firefox, Microsoft Edge, and Brave, and targets users of Windows versions 7 through 11.

The latest LummaC2 updates indicate a security redesign, with revamped modules for generating malicious builds and for receiving stolen logs, as well as a new module with a load balancer.

The developers recently advertised their MaaS on another prominent Russian-language forum that has served as open ground for RaaS operators to advertise their affiliate and partnership programs.

Figure 4: LummaC2 stealer
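The ShadowVault and LummaC2 sections above describe the same harvesting pattern from the defender's side: a single process reading browser cookie and login databases, the macOS login keychain, and wallet application data. The following Python example is added here as an illustration and is not part of Cyble's report or of any tool it describes. It flags file-open events on those stores by any process other than the store's expected owner, and raises the severity when one process touches several stores in the same batch, which is the breadth a stealer shows and a legitimate application does not. The store paths, the owner process names, and the sample events are assumptions constructed for the example, not indicators from the report.

```python
"""Flag processes reading credential stores that information stealers harvest.

Added example for this report; the store paths, owner process names and
sample events below are constructed assumptions, not indicators from Cyble.
"""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# (glob pattern relative to a user home directory, processes expected to open it)
# '*' in fnmatch also spans '/', so one pattern covers any browser profile layout.
SENSITIVE_STORES = [
    # macOS (assumed paths)
    ("~/Library/Keychains/login.keychain-db", {"securityd", "Keychain Access"}),
    ("~/Library/Application Support/Google/Chrome/*/Cookies", {"Google Chrome"}),
    ("~/Library/Application Support/Google/Chrome/*/Login Data", {"Google Chrome"}),
    ("~/Library/Application Support/Google/Chrome/*/Local Extension Settings/*", {"Google Chrome"}),
    ("~/Library/Application Support/Firefox/Profiles/*/cookies.sqlite", {"firefox"}),
    ("~/Library/Application Support/Exodus/*", {"Exodus"}),
    # Windows (assumed paths)
    ("~/AppData/Local/Google/Chrome/User Data/*/Cookies", {"chrome.exe"}),
    ("~/AppData/Local/Google/Chrome/User Data/*/Login Data", {"chrome.exe"}),
    ("~/AppData/Local/Microsoft/Edge/User Data/*/Login Data", {"msedge.exe"}),
    ("~/AppData/Roaming/Mozilla/Firefox/Profiles/*/logins.json", {"firefox.exe"}),
    ("~/AppData/Roaming/Exodus/*", {"Exodus.exe"}),
]

# Matches '/Users/<name>/' (macOS) and 'C:/Users/<name>/' (Windows, once slashes are normalised).
_HOME_RE = re.compile(r"^(?:[A-Za-z]:)?/Users/[^/]+/")


def normalize_path(path):
    """Collapse macOS and Windows user-home prefixes to '~/' using forward slashes."""
    return _HOME_RE.sub("~/", path.replace("\\", "/"), count=1)


def match_store(path):
    """Return (pattern, owners) for the first sensitive store the path falls under, else None."""
    norm = normalize_path(path)
    for pattern, owners in SENSITIVE_STORES:
        if fnmatchcase(norm, pattern):
            return pattern, owners
    return None


def find_stealer_activity(events):
    """Flag file-open events on credential stores by processes other than their owners.

    events: iterable of dicts with 'process' (image name) and 'path' keys.
    Returns one alert per offending process; 'high' when it read two or more
    distinct stores, which is the breadth a stealer shows and an updater does not.
    """
    touched = defaultdict(set)  # process name -> set of store patterns it read
    for event in events:
        hit = match_store(event["path"])
        if hit is None:
            continue
        pattern, owners = hit
        if event["process"] in owners:
            continue  # the application that owns the store is expected to read it
        touched[event["process"]].add(pattern)
    alerts = [
        {
            "process": process,
            "stores": sorted(stores),
            "severity": "high" if len(stores) >= 2 else "medium",
        }
        for process, stores in touched.items()
    ]
    return sorted(alerts, key=lambda alert: alert["process"])


# Constructed sample telemetry: one benign Chrome read, the keychain daemon, a
# fake helper sweeping three stores on a Mac, and a fake viewer reading Chrome
# logins on Windows. Process names and the extension id are placeholders.
SAMPLE_EVENTS = [
    {"process": "Google Chrome", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Network/Cookies"},
    {"process": "securityd", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "installer-helper", "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"process": "installer-helper", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Network/Cookies"},
    {"process": "installer-helper", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Local Extension Settings/abcdefghijklmnopabcdefghijklmnop/000003.log"},
    {"process": "chrome.exe", "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "invoice_viewer.exe", "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "notepad.exe", "path": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in find_stealer_activity(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['process']} read {len(alert['stores'])} credential store(s):")
        for store in alert["stores"]:
            print("    ", store)
```

Run against the constructed events, the script reports `installer-helper` as high severity (keychain, Chrome cookies and extension storage) and `invoice_viewer.exe` as medium, while the browser and keychain daemon reads pass silently. In practice the events would come from file-access telemetry on the endpoint (macOS Endpoint Security or an EDR file monitor), and the owner check should key on the signing identity or full image path rather than the bare process name, since a stealer that is delivered as a signed package (as the ShadowVault advertisement offers) or copies a browser's name would otherwise blend in.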

