Malware worries the world: 250,000 victims in 164 countries and this is just the beginning?

Carding 4 Carders

Positive Technologies: using MaxPatrol SIEM, the company's specialists identified malware affecting hundreds of thousands of users.

Positive Technologies specialists used the MaxPatrol SIEM security event monitoring and incident management system to detect abnormal activity on a network, indicating large-scale distribution of malicious software. The study found that the attack affected more than 250,000 users in 164 countries; most of the victims are located in Russia, Ukraine, Belarus and Uzbekistan.

Looking for the software they need, users often turn to torrent sites, unaware of the danger of such downloads. By downloading and installing such software, however, the user gives attackers access to their personal data and bank accounts, and if a corporate computer is infected, the attackers gain control of the device and use it as an intermediate node in a chain of attacks on the employer.

In August 2023, SOC experts from Positive Technologies recorded abnormal activity at one Russian company. The incident required the intervention of the PT CSIRT incident monitoring and response team (a division of the PT Expert Security Center). Experts found that a user at the investigated company had fallen victim to previously unknown malware.

During a detailed and comprehensive investigation, Positive Technologies experts identified victims in 164 countries. The vast majority (more than 200,000) are located in Russia, Ukraine, Belarus and Uzbekistan. Users from India, the Philippines, Brazil, Poland and Germany were also among the victims.

According to CSIRT, the attack mostly affected private users downloading pirated software, but government agencies, educational organizations, oil and gas companies, medical and construction institutions, retail and IT companies were also among the victims. All of them were notified of the detected threat.

"After installation, such malware behaves quite noisily: it collects information about the victim's computer, installs the RMS program (for remote management) and the XMRig miner, and archives the contents of the Telegram user folder (tdata), and these are only the most active actions during the short period of observation," comments Denis Kuvshinov, head of the cyber threat research department at the Positive Technologies Expert Security Center. "In the specific case we observed, the malware sent the information collected from the user's corporate laptop to a Telegram bot, which acted as the control server in this chain. This activity was recorded by our MaxPatrol SIEM product."

The expert noted that an attacker who has obtained the Telegram folder can enter the user's Telegram session and monitor their correspondence, extracting data from the account while remaining unnoticed. Even if the user has enabled two-factor authentication, an attacker can bypass it by brute-forcing the password. Telegram users are advised to terminate the current session after noticing signs of compromise and then log in to the messenger again.

According to the investigation, the malware used in the attack is not difficult to analyze, and after studying just one attack involving it, experts obtained information about more than 250,000 victims worldwide. Positive Technologies is confident that the real number of victims exceeds this figure, and as the number of attacks using this malware grows, the victim count will only increase.
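The infection chain described above (XMRig miner, RMS remote management tool, archiving of the Telegram tdata folder, a Telegram bot acting as the control server) lends itself to a simple SIEM-style correlation rule: no single event is conclusive, but two or more of these indicators on the same host are. The following Python is an added example, not code from Positive Technologies or MaxPatrol SIEM; the event field names and the RMS process names are assumptions, and the telemetry is constructed.

```python
import json
import ntpath

# Constructed sample endpoint telemetry, one JSON event per line.
# Field names (host, type, image, cmdline, dest_host) are assumed, not a real product schema.
SAMPLE_EVENTS = r"""
{"host":"WS-017","type":"process","image":"C:\\Users\\u\\AppData\\Roaming\\svc\\xmrig.exe","cmdline":"xmrig.exe -o pool.invalid:3333"}
{"host":"WS-017","type":"process","image":"C:\\Users\\u\\AppData\\Roaming\\svc\\7z.exe","cmdline":"7z.exe a td.7z \"C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\tdata\""}
{"host":"WS-017","type":"process","image":"C:\\ProgramData\\rms\\rutserv.exe","cmdline":"rutserv.exe /silentinstall"}
{"host":"WS-017","type":"network","image":"C:\\Users\\u\\AppData\\Roaming\\svc\\upd.exe","dest_host":"api.telegram.org","dest_port":443}
{"host":"WS-042","type":"process","image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe a backup.7z C:\\Users\\u\\Documents"}
{"host":"WS-042","type":"network","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"api.telegram.org","dest_port":443}
"""

RMS_IMAGES = {"rutserv.exe", "rfusclient.exe"}   # RMS service/client process names (assumption)
ALLOWED_TG_CLIENTS = {"telegram.exe", "firefox.exe", "chrome.exe", "msedge.exe"}  # benign talkers to the Bot API host


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev):
    """Return the set of indicator names a single event matches."""
    hits = set()
    exe = ntpath.basename(ev.get("image", "")).lower()
    cmd = ev.get("cmdline", "").lower()
    if ev.get("type") == "process":
        if exe == "xmrig.exe" or "xmrig" in cmd:
            hits.add("xmrig_miner")
        # Any process other than Telegram itself naming the tdata folder on its command line
        if "telegram desktop\\tdata" in cmd and exe != "telegram.exe":
            hits.add("tdata_archive")
        if exe in RMS_IMAGES:
            hits.add("rms_install")
    elif ev.get("type") == "network":
        # Bot API traffic from an unexpected binary: the Telegram bot as control server
        if ev.get("dest_host") == "api.telegram.org" and exe not in ALLOWED_TG_CLIENTS:
            hits.add("telegram_bot_c2")
    return hits


def correlate(events, min_hits=2):
    """Collect indicators per host; hosts with at least min_hits distinct ones are alerts."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_hits}


if __name__ == "__main__":
    for host, indicators in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host, indicators)
```

WS-042 archives a Documents folder and has a browser talking to the Bot API host, so it scores no indicator and stays silent; WS-017 trips all four.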