At a glance.
- WormGPT, an "ethics-free" AI model.
- FIN8 deploys new version of the Sardonic backdoor.
- Blackmoon Trojan campaign.
- RedDriver targets Chinese language browsers.
- QuickBlox vulnerabilities expose data.
WormGPT, an "ethics-free" AI model.
Researchers at SlashNext describe a generative AI cybercrime tool called "WormGPT," which is being advertised on underground forums as "a blackhat alternative to GPT models, designed specifically for malicious activities." The tool can generate output that legitimate AI models try to prevent, such as malware code or phishing templates.
SlashNext asked WormGPT to write an email "intended to pressure an unsuspecting account manager into paying a fraudulent invoice." The researchers state, "The results were unsettling. WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks. In summary, it’s similar to ChatGPT but has no ethical boundaries or limitations. This experiment underscores the significant threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals."
FIN8 deploys new version of the Sardonic backdoor.
The cybercriminal group FIN8 (also known as "Syssphinx") is using a new version of the Sardonic backdoor to deliver the Noberus ransomware, according to researchers at Broadcom's Symantec: "In December 2022, Symantec observed the group attempting to deploy the Noberus (aka ALPHV, BlackCat) ransomware in attacks. Noberus is operated by a financially motivated cyber-crime group Symantec calls Coreid (aka Blackmatter, Carbon Spider, FIN7). The Syssphinx group’s move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations."
Blackmoon Trojan campaign.
Rapid7 is tracking a sophisticated Blackmoon Trojan campaign that began in November 2022: "The campaign is actively targeting various businesses primarily in the USA and Canada. However, it is not used to steal credentials; instead, it implements different evasion and persistence techniques to drop several unwanted programs and stay in victims’ environment for as long as possible."
RedDriver targets Chinese language browsers.
Cisco Talos describes a newly discovered driver-based browser hijacker called "RedDriver" that's targeting Chinese language browsers. The developers of the hijacker are also likely native Chinese speakers. RedDriver has been active since at least 2021, and "uses the Windows Filtering Platform (WFP) to intercept browser traffic."
The researchers state, "RedDriver was likely developed by highly skilled threat actors as the learning curve for developing malicious drivers is steep. Writing Windows drivers requires a very specific skill set and deep knowledge of the Windows operating system. For example, drivers are highly prone to crashing. However, during our analysis, we did not encounter any crashes or “blue screens of death” (BSOD), which speaks to the authors’ skill. An incorrectly written driver can cause damage to or crash a system even if no malicious intent is present. Furthermore, WFP is a complex platform to implement and generally requires significant driver development experience to fully understand it."
QuickBlox vulnerabilities expose data.
Check Point Research, in collaboration with Claroty Team82, discovered security vulnerabilities affecting the QuickBlox chat and video messaging framework. Check Point says the vulnerabilities “could allow threat actors to access tens of thousands of applications’ user databases and put millions of user records at risk.” The researchers stated, “Team82 and CPR worked closely with QuickBlox to resolve all of the uncovered vulnerabilities. After acknowledging the findings, QuickBlox committed to apply fixes by designing a new, secure architecture and API, and urging its customers to migrate to the latest version. We would like to express our gratitude and appreciation for their effort.”