Carding Forum
Professional
The recent massive Windows outage served as convenient cover for cybercriminals.
On July 26, 2024, the hacker group Handala Hacking Team launched an attack on Israeli targets, spreading malware through phishing emails exploiting the topic of fixing the Falcon Sensor bug from CrowdStrike, which caused massive computer crashes around the world.
The Handala Hacking Team first made a name for itself in December last year, when its first post on the X platform mentioned the Israeli National Cyber Directorate (INCD), which drew the attention of security researchers. Official Israeli sources link the group to Iran, although other organizations such as Cyberint and Intezer describe it as a "pro-Palestinian activist group."
Last week, cybersecurity firm Trellix confirmed a mass mailing of malicious emails to a group of Israeli customers. The emails were blocked before reaching the recipients' mailboxes, which avoided significant damage. The attack is still worth describing because of its distinctive features.
It all starts with a fake email sent in CrowdStrike's name, offering a "fix" for the issues caused by the recent crashes. The email contains a link to an archive, "update.zip", which contains the installer "CrowdStrike.exe". This file is a Nullsoft Scriptable Install System (NSIS) installer that unpacks and executes malicious code designed to evade antivirus checks.
Once launched, the malware collects system information and sends it via the Telegram API, which allows hackers to monitor the activity of the virus and victims of attacks. Then the virus starts destroying files on infected computers, using the method of overwriting data with random bytes.
Before doing anything else, the script checks the computer for antivirus products such as Webroot, Avast, AVG and others. If any are detected, the malware temporarily suspends its activity to avoid detection: a script sends 186 ping commands to localhost, which produces a delay of roughly three minutes.
The malicious code used in the attack includes obfuscated strings and elaborate checks to evade sandboxes and antivirus programs. The malware's main purpose is to destroy files on infected computers, but before doing so it sends all valuable data to the attackers' servers.
The use of the same code in multiple attacks indicates that the group is reusing the Handala malware. This is confirmed by the same TypeLib ID in the old and new malware versions, which indicates a high probability that the group uses the same Visual Studio project to create its own viruses.
The process of deleting files involves checking whether the file is being used by other processes. If the file is used, the virus terminates the obstructing process and then deletes the file. All information about the deletion process and the attack is sent to a Telegram channel managed by hackers, which allows them to monitor the success of their actions and receive information about victims.
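The loopback ping loop described above is a cheap sandbox-evasion sleep that shows up plainly in process-creation telemetry. As an added example (not code from the article or from Trellix), the Python below scores constructed process-creation events for a long `ping -n N` loop against a loopback address; the event fields and sample command lines are invented for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; fields modelled on Sysmon EID 1)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events, not real telemetry. The first two mimic the
# installer-spawned sleep loop described in the article; the rest are benign noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\u\Downloads\update\CrowdStrike.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping -n 186 127.0.0.1 > nul"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\PING.EXE", "ping -n 186 127.0.0.1"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\PING.EXE", "ping -n 4 8.8.8.8"),
    ProcEvent(r"C:\Program Files\Monitoring\agent.exe",
              r"C:\Windows\System32\PING.EXE", "ping -n 2 localhost"),
]

PING_COUNT = re.compile(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)", re.IGNORECASE)
LOOPBACK = re.compile(r"(?:^|\s)(127\.0\.0\.1|localhost|::1)(?:\s|$)", re.IGNORECASE)


def ping_delay_seconds(cmdline):
    """Approximate stall (seconds) caused by a loopback 'ping -n N'; None if not one."""
    m = PING_COUNT.search(cmdline)
    if not m or not LOOPBACK.search(cmdline):
        return None
    count = int(m.group(1))
    # Loopback echoes answer instantly, but ping waits about one second between
    # requests, so N requests stall the caller for roughly N-1 seconds.
    return max(count - 1, 0)


def flag_ping_sleep(events, threshold_seconds=60):
    """Return (event, delay) pairs whose loopback ping loop stalls >= threshold."""
    hits = []
    for ev in events:
        delay = ping_delay_seconds(ev.command_line)
        if delay is not None and delay >= threshold_seconds:
            hits.append((ev, delay))
    return hits
```

Tune the threshold to your environment; short loopback pings from monitoring agents are common, while a loop of 186 requests (about 185 seconds) is the kind of stall worth correlating with the parent process that spawned it.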
Handala Hacking Team is known for its aggressive and public actions. Their previous attacks have also targeted Israeli targets, and they often publish reports and statements about their actions, highlighting their hacktivist nature and desire for publicity.
To prevent such incidents, organizations are encouraged to strengthen employee cybersecurity training, implement multi-factor authentication, and regularly update their security software. Continuous monitoring and timely response to suspicious activity will help minimize risks and protect important data.
Source