Week 50 Cyberattack Digest 2018 – Bugat Malware, GandCrab Ransomware, Save the Children and others

We hope you like our tradition of posting our weekly cyberattack digests on Mondays, and today we have a new portion of hot cyber news for you.

Moldovan arrested for spreading Bugat malware

by SC Media – 10 December 2018

Andrey Ghinkul, a Moldovan man, was sentenced by a federal court for conspiracy and damaging a computer.

The man, who is also known as Andrei Ghincul and Smilex, was arrested in Cyprus in August 2015 and extradited to the United States in February 2016. He faced up to 108 months in prison. However, he cut a deal with prosecutors, the details of which remain unknown.

Law enforcement officials commented that Ghinkul was part of a cyber gang known for spreading the Bugat malware, also known as Cridex and Dridex, which aims to steal banking credentials. The malefactors would then use the stolen credentials to conduct unauthorized money transfers. This gave the attackers an opportunity to steal millions of dollars from the victims.

The Department of Justice said:

It is specifically designed to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of keystroke logging and web injects.

A sextortion campaign gathered $600,000

by Threatpost – 10 December 2018

A sextortion campaign has already targeted thousands of people around the United States and infected its victims with the GandCrab ransomware. The malicious software demands $500 to decrypt the affected systems.

Typically, such sextortion emails demand money in exchange for keeping silent about adult websites the recipient supposedly visited. In this campaign, by contrast, the malefactors changed the classic plot and sent victims a link which, when clicked, installs the GandCrab ransomware.

Proofpoint researchers commented:

In general, [sextortion] emails simply demand payment to avoid publication of the purported evidence of compromising information. However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware.

The campaign was first spotted on Dec. 5. The researchers said that thousands of messages had already been sent to victims primarily in the U.S.

Users received email messages from hackers who claimed to have compromising details about the victims’ activities on adult websites. The message threatened to expose the supposedly observed illicit activities and included a link. Clicking on it, victims could see a “video presentation” of screenshots of themselves that the malefactors claimed to have taken via the camera on the victims’ device. The cyber gang is believed to have gathered over $600,000.

Researchers said:

This particular attack combines multiple layers of social engineering as vulnerable, frightened recipients are tricked into clicking the link to determine whether the sender actually has evidence of illicit activity.

Save the Children lost $112,000

by ZDNet – 14 December 2018

The Save the Children Foundation was targeted by fraudsters last year, as a result of which the foundation lost $1 million.

The hackers managed to compromise an employee’s email account and masqueraded as the staff member in question. They then created a number of false invoices and related documents describing a need to purchase solar panels for health centers located in Pakistan. The Connecticut-based charity organization approved the transfer, which was close to $1 million, and sent it to an entity in Japan used as a front to rake in the proceeds. By the time the foundation realized the invoice was false, it was too late to take any action. As a result, the foundation lost $112,000 in total.

Stacy Brandom, the chief financial officer of Save the Children, revealed:

We have improved our security measures to help ensure this does not happen again. Fortunately, through insurance, we were ultimately reimbursed for most of the funds.

Another global phishing campaign

by SC Media – 13 December 2018

Recently, another global phishing campaign has been discovered. The campaign, called Operation Sharpshooter, uses fake job recruitment documents to infect defense, government, and critical infrastructure organizations with a malicious backdoor implant. The malware was presumably created for cyber espionage purposes. The implant itself was nicknamed Rising Sun and was observed in 87 affected organizations over October and November. Other targeted sectors include finance, government, healthcare, and telecommunications. The implant was described by McAfee as a “fully functional modular backdoor” able to communicate with its C2 server via HTTP POST requests. It possesses 14 backdoor capabilities, including gathering, encrypting and exfiltrating host data; terminating processes; reading, writing and deleting files; connecting to an IP address; and changing file attributes.

McAfee explains:

The documents contained a malicious macro that leveraged embedded shellcode to inject the Sharpshooter downloader into the memory of Word. Once the Word process was infected, the downloader retrieved the second-stage implant Rising Sun.

We hope you know how to protect yourself from phishing. In any case, don’t forget to follow us on Twitter, Facebook, and LinkedIn.
