Tag: threat actor

Cloud Talk, Programming, Security, Tech

The M.S. You Didn’t Know About

Consider following on social media!

Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!

I might not be able to magic money into your bank account but subbing to Scriptingthewhy can help keep it there.
Photo by Viniclus Vieira ft, please support by following @pexel.com

Threat actors have been trying to find ways into your wallet and it seems like they might have found the perfect product to do so. It is fairly known that threat actors want what’s in your wallet and they have attempted through numerous means to reap the benefits of your hard labor.

Although this time, they might have found the perfect product to do just that with the dark web market best-seller. We are going to look at what kind of attack this is, who is using it, its functionality and effects upon release, and some ways you could prevent all the precious items in your wallet from mystically disappearing.  

The dark web isn’t as dark as you think, shady business is done in the light too.
Photo by Elti Meshau, please support by following @pexel.com

The Attack

If you are unfamiliar with the dark web, this is the digital underground nightclub for threat actors and others of the like. Here you can link up with like-minded individuals and purchase items anonymously.

Whether it’s legal or not depends on its nature and its intended use. Now with the addition of Mystical Stealer (MS) being the latest malware product on the market, that nightclub just turned up the bass.

No, this isn’t a play on Mac Stealer and it’s more of a problem as you’ll come to find.

I’m cranking up music like rising gas prices.
Photo by Gaby Tenda, please support by following @pexel.com

Who Can It Be Now

While this Digital Underground nightclub is currently popping, hackers are doing the Humpty dance in their victim’s bank accounts. MS is considered to be a malware-as-a-service due to being priced at USD 150 a month with the option of opting for a tri-monthly payment of USD 390. But like with inflation, gas prices, and MSs popularity the creator is looking to raise those price tags. It’s mind-blowing how criminals have a budget in mind for mucking up the budget of others. Never meet your hero kids.

The creator of MS, who still hasn’t been named, is receiving praise for his product. So much so that the creator has opened the floor on forums requesting any suggestions to improve the product. This raises concern because a threat actor is a developing problem but threat actors working together in numbers can be a developing nightmare.

Enjoy the read so far? Why don’t you consider subscribing so you can keep up to date?

Don’t judge a book by its cover, I’m actually monitoring your network and before you ask, no, I don’t get paid enough for this.
Photo by Tima Miroshnichenko, please support by following @pexel.com

The Sinking Feeling

Speaking of developing nightmares, MS can find its way onto many versions of the Windows OS (Operating System). This ranges from Windows XP to 11 and it doesn’t need any dependencies so tracking its whereabouts is difficult.

MS also checks the environment to ensure it’s not in a sandbox—this is an environment that simulates another computer and other OS can be used within the environment, MS checks for this before it begins its infiltration.

It does this by checking the CPUID, the CPUID is what it sounds like when you break it down. CPU is the Central Processing Unit; ID is the Identification so in a nutshell this malware is checking under the hood to see what you’re running baby. It’s a little checking up the skirt action being done here.

Once in, it begins its operation by inserting itself into the memory to avoid detection and begins to make use of system calls for compromising targets. This is done to ensure that no trace is left on the hard disk during the exfiltration process.

After a target is chosen, malware is released for it to encrypt and transmit. The data is transmitted all the while client authentication is never needed. The malware has the bonus of being created without the need to use third-party libraries and has the enhanced functionality to parser from a self-written browser. It’s almost like the Tesla of malware, except it doesn’t crash on auto-drive.

Malware! We know you’re here!
Photo by Faruk Tokluoglu, please support by following @pexel.com

The Prevention

Now, while threat actors need money, we’re sure you do too. There are some ways to help prevent MS from two-stepping its way into your system. Ensuring your antivirus software is up to date as this will be patched regularly to reduce the risk of infection.

For business owners who have employees. providing awareness training for your employees can help lower the risk of systems becoming infected. Incorporating an incident and response plan as part of your playbook will help as this prepares for an “in case” scenario.

Mystical Stealer has already proven to be a threat so treating it lightly may see things go up in thin air and as times are getting harder, it’s clear that no one wants that.

Prisoner: How’d you know I was going to be there?
Guard: We read a few scripts.
Prisoner: Curse that meddling Scriptingthewhy.
Photo by Ron Lach, please support by following @pexel.com

Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, sharing this with whomever, scripting a comment, or plug-in to follow.

Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.

Do you feel like there is something I may have missed on Mystical Stealer? Script a comment below.

Programming, Security, Tech

Wedded with A Shell of Problems

Consider following on social media!

Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!

Kim: I’m leaving, it’s time to read another script anyway.
Brian: What!? I told you, them scripts are nonsense.
Kim: Then why do we still have money in our bank account?
Photo by Keira Burton, please support by following @pexel.com

No wait, you don’t have to twist our arm! We can talk about payment options. It should be common knowledge by now that clicking on links sent to you by “someone you may know” could land you in hot water with your computer, household, work, and bank.

But you’re not the only one who has to keep an eye out for phishing emails, big name companies are getting hit and are paying the price for it… well not only paying with money but with time. 

We’re going to look at what kind of attack this is, who may have used it, what’s the functionality and effects upon its release, and some ways you can prevent this… well, at least try.

Ransomes are like this, except at the time of demand you have less money.
Photo by Tima Miroshnichenko, please support by following @pexel.com

The Attack

For those who are not familiar with ransomware attacks, we’ll quickly explain. With some phishing email attempts, sometimes depending on the threat actor’s goal, a link will be provided for you to click on.

Once you interact with the link and let’s say you downloaded a file, the malicious file can then run in the background and collect all of your data and encrypt it.

Afterward, a prompt will come up saying “We’ve collected your data and encrypted it, if you want it back then pay this amount through Bitcoin.” Usually, there is a timeframe accompanied by the prompt.

While the average person comes across this kind of attack, companies have been experiencing ransomware attacks lately and it doesn’t show any signs of stopping.

Lord, hackers get clever day by day. I’m tired.
Photo by Andrea Piacquadio, please support by following @pexel.com

Who Can It Be Now

Clop, a ransomware gang affiliate of Russia is one among many requesting payments in the highest form and has been named for using this tactic. Clop has been known to request payment in, not only hundreds, thousands, but also in the millions for companies to get their information back and kept from being released.

Clop has recently launched a ransomware campaign against a few companies claiming to have collected their data and threatening to leak it to other threat actors but the biggest among them is the gas and oil company known as Shell.

However, in most if not all cases, paying the ransom only fuels the threat actors to commit more ransomware attacks.

Enjoy the read so far? Why don’t you consider subscribing so you can keep up to date?

Kate: Who is that lady coming up behind us? Is she on the list?
Marshall: Look ahead of us, not behind us. Those days are over.
Photo by Carsten Vollrath, please support by following @pexel.com

The Sinking Feeling

Like an affair being exposed at a wedding, there are many factors that lead up to this event. A complex approach is becoming a part of the organization, working hard to rise in the ranks and gain a high enough level of privilege to access where sensitive data is being kept and installing malicious malware onto their systems.

The other and least complex is spear-phishing or even whale-phishing. Whale-phishing is aimed for someone like the CEO of the organization while spear-phishing is aimed for certain personnel who may have the level of privilege needed to fall victim to the ransomware attack.

Once a target has been chosen and unfortunate enough to not pay attention to the ongoings of clicking on the provided link, a number of actions are set in motion.

A file or folder holding the malware is downloaded onto the machine. That malware is then released and depending on its program it could either collect the data and encrypt it or copy the collected data, encrypt it, and delete the files leaving behind empty files and directories.

Once information aggregation is complete, whatever is collected is sent back to a command and control (C2C) server for the threat actor to decide what is important and what they would like to do with the information.

So, yeah, this is like having the side chick show up on your wedding day when you’re just trying to get married. The moral of the story is; don’t have a side chick if you care about keeping your information secret.

You’d be surprised, a good chunk of time hacking takes place in a GUI rather than the command line.
Photo by Sora Shimazaki, please support by following @pexel.com

The Prevention

Now, don’t panic, there are some ways you can prevent this. Since most of the time this is done by phishing attempts, practicing examining emails, and looking for things like questionable grammar, grammar Nazis this is where you can shine with your superpower and people will love you.

The option for you to hover your mouse over the link and see where it would take you is there although I won’t really suggest this as some people may be heavy-handed and accidentally click on the link.

Copying and pasting the link into Google’s search engine could also help id if the link is legit or not. If you do click on the link and are redirected to a website, leave immediately and pay attention to your downloads as visiting the website may have a drive-by download—this is where a download happens without your interaction, if this happens delete the files immediately and scan the computer. Keeping the antivirus software, OS (Operating System), and employee awareness training up to date will help ensure ransomware attacks are kept at bay.

Security isn’t a hundred percent guaranteed but not having something in place guarantees a hundred percent chance of an infection.

A little security is better than no security at all.
Photo by Travis Saylor, please support by following @pexel.com

Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, sharing this with whomever, scripting a comment, or plug-in to follow.

Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.

Do you feel like there is something I may have missed on ransomware attacks? Script a comment below.

Security, Tech

Owls Up There with Fed Banking

Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!

To be or not to be…poor. That is the question. WAIT, WHY IS THAT EVEN A QUESTION!?
Photo by Andrea Piacquadio, please support by following @pexel.com

Let’s start this off by asking a simple question and this is something that many of you can relate to. How many of you enjoy having a bank account full of money? It’s safe to assume that almost everyone reading this script enjoys having a decent sum of money in their bank account.

I know that there may have been a very, very, very small few that might have said, “Money isn’t real, the real value of you isn’t in the form of numbers.” To them, I ask, if that is true then why is it that every time I get a bill, I spiral into a panic attack? Explain that one, however, you’re not wrong, that’s not the point being made here, so hush.

Suppose like in many situations, you check your account before going to sleep to confirm you have a decent amount, but when waking up you get an alert sounding like the accountant bit from South Park talking about your bank account, “Annnd, it’s gone. Your money, it’s all gone.” Let me script for you how this may have happened.

Dear sweet Satan’s cornhole…Z-Daddy was right. My accounts are at zero.
Photo by Andrea Piacquadio, please support by following @pexel.com

Halloween Gone Mobile

So, the numbers in your bank account are gone with the wind and you’re probably wondering how you got to this junction. Well, let me inform you that you may have been infected with a virus called SOVA.

SOVA is a virus designed for mobile phones, as you can predict this is mainly for Android phones, but iPhone users don’t think you’re safe. Your sweet saucy phone jack is just not on the menu for now.

SOVA, in case you were wondering means owl in Russian, the name was given because owls are nocturnal birds of prey, they’re silent, and like a slow jam from the 80s, they stalk and capture their prey. As you could have already guessed, this is Michael Myers of the animal kingdom, and it very well could be on your mobile device.

I don’t stalk my prey; they just don’t see me coming. Stop making a big woot…oh I saw what you did there.
Photo by Pixabay, please support by following @pexel.com

Night-time Owls, Day-time Collection

Outside of SOVA being given a cute name by the threat actor, the first version made its first appearance on the underground markets back in September of 2021. For those who don’t know what the underground markets are, they’re the “dark web” or may also be called the “dark net”. And before you ask, no, there is not an underground store in either of those areas.

SOVA was shown that it not only had the ability to collect usernames, passwords, and other information, but it also has an interesting function that will be brought up later. Trust me, you’re not going to like this. If you suffer from having trust issues with people, you’re really going to have it with your phone after reading this script.

No, no, no, annnnnnd now it’s gone. All of my money, it’s all gone.
Photo by Karolina Grabowska, please support by following @pexel.com

Intruder at Hand

Right now, you’re probably looking at your phone and thinking “I don’t trust you.” And you would be right since your phone is the main attack vector for this malware/virus/trojan. That’s right, viruses have pronouns too.

SOVA is distributed by a smishing attack, which is another form of phishing where the attacker is trying to bait you into clicking on a link for further malicious intent via text messaging.

Once the fake application is installed on the phone, it then sends the list of all applications installed on your device back to the command-and-control server (C2C), this is done with the intent for the attacker to then choose which app to target.

The attacker fires back the malware that can perform collecting keystrokes, steal cookies, intercept multi-factor authentication tokens, copy and paste, and add fake overlays for a range of apps.

But are you ready to have some major trust issues? This malware can perform actions like clicking, swiping, and pretty much interacting the same way as if you were using it. This is all done via the accessibility service, guessing this is the last time you’ll trust a handicap sign.

All of our accounts are wiped clean, if only we kept reading Scriptingthewhy.
Photo by energepic.com, please support by following @pexel.com

Panic, Pause, and Simple Steps

While this seems like the sky is falling and you’re never going to dance again because empty words have no rhythm. Though it’s easy to pretend, knowing this information will not make you a fool. Always be very careful when you download from a friend as this could be potential harm that you have been given.

A few other ways of preventing from downloading such malware are to make sure you check all of the details of the application such as reviews and how often the application is downloaded. Make sure you download from only trusted sources like the manufacturer’s store or from the app store.

Other practices are making sure your OS (Operating System), applications, and anti-virus software are up to date. Most of the ways to keep your devices and information safe are to follow simple best practices but most of the time the combination of “It’s our app and we want it now” and reading takes too much effort that exposes us to possible threats.

This is my third time this month getting a spa treatment, and it’s all thanks to those cursed scripts. Bless you Z-Daddy.
Photo by John Tekeridis, please support by following @pexel.com

Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, scripting a comment, or plug-in to follow.

Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.

Do you feel like I may have missed something about SOVA? Script a comment below.