GandCrab operators may have shifted to REvil.
Brian Krebs believes that the GandCrab ransomware gang may not have retired after all, and instead moved their efforts behind a new, more exclusive strain of ransomware known as REvil, Sodin, or Sodinokibi. Krebs points to a report from Cisco Talos in April which described a Sodinokibi attack; in the report, the researchers noted that the attackers oddly deployed GandCrab within the same target's network about eight hours after they had distributed Sodinokibi. Security firm Tesorion notes technical similarities between GandCrab and REvil, relating to the way the malware constructs random URLs. Krebs concludes that the gang rebranded itself to reduce the attention they had garnered at the helm of GandCrab.
250 million email addresses collected by new TrickBot module.
The notorious banking Trojan TrickBot has a stealthy new module called "TrickBooster" that allows it to harvest email credentials and contacts, according to researchers at Deep Instinct. It can send out emails to a victim's contacts before deleting the emails from the account's sent and trash folders. This functionality is used for at least three purposes: collecting email contacts for use in further campaigns, sending out generic spam, and sending out phishing emails in the hope of infecting more victims. (In a separate report on Thursday, Barracuda described the latter type of behavior as "lateral phishing.")