
The good, the bad and the ugly in cybersecurity


The good | Feds Charge Russian Money Launderer, Penalize Two Illegal Virtual Exchanges Linked to Ransomware Operations

The US government this week handed down a hefty dose of sanctions in a coordinated effort against two illegal virtual currency exchanges and Sergei Sergeyevich Ivanov, an alleged money launderer.

Through the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), a Russian exchange known as PM2BTC and its associated money launderer, Ivanov, were officially identified in connection with a network of illicit finance. At the same time, the Office of Foreign Assets Control (OFAC) sanctioned Ivanov and Cryptex, a second virtual currency exchange registered in St. Vincent and the Grenadines but operating from Russia. PM2BTC, Cryptex, and Ivanov are all linked to ransomware operations and other threat actors, including initial access brokers and darknet vendors.

PM2BTC has longstanding ties with Russia and Russian-affiliated financial institutions, many of which are also sanctioned. It offers convertible virtual currency (CVC) to ruble exchange services without anti-money laundering or Know Your Customer (KYC) programs, allowing cybercriminals to process their ill-gotten funds and continue their operations. Cryptex was found to have processed $51.2 million in ransomware-derived funds and handled more than $720 million in suspicious transactions linked to Russian cybercriminals.

Together with FinCEN and OFAC, the State Department has offered a $10 million reward for information leading to Ivanov’s arrest. Ivanov has reportedly facilitated hundreds of millions of virtual currency transactions, using various payment processors to do business with malicious parties for about two decades.

All of these recent actions have been carried out in collaboration with Operation Endgame, a multinational cyber operation that dismantles the financial enablers of organized crime syndicates. As Russia continues to act as a safe haven for such criminals and to support high-profile actors like Cyber Army of Russia Reborn and the LockBit group, efforts like Operation Endgame will prove critical in cutting off threat actors’ funding at the source.

The bad | Mallox Ransomware Affiliate Rebrands Kryptina for Linux Attacks

A modified version of the Kryptina ransomware has been found in use by an affiliate of the Mallox ransomware operation (also tracked as TargetCompany). Based on new research from SentinelLabs, this development draws attention to the ever-evolving tactics employed by actors within the ransomware ecosystem.

Kryptina launched in late 2023 as a low-cost ransomware-as-a-service (RaaS) platform for Linux and initially failed to gain traction in the dark markets. However, in February 2024, the platform’s alleged operator, ‘Corlys’, leaked the source code for free on hacking forums, leading several ransomware actors, including Mallox affiliates, to reuse Kryptina’s code. Just three months after that, another Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina.

Kryptina source files in Mallox leak

This new version, called ‘Mallox Linux 1.0’, retains Kryptina’s core source code, encryption mechanism (AES-256-CBC) and command-line functions. The affiliate only changed the appearance, removed the Kryptina branding and simplified the documentation. In addition to the Mallox Linux 1.0 variant, SentinelLabs discovered several other tools on the threat actor’s server, including a legitimate Kaspersky password reset tool, a Windows privilege escalation exploit (CVE-2024-21338), privilege-escalation PowerShell scripts, Java-based payload droppers, disk images containing Mallox payloads, and data folders linked to 14 potential victims.

Described as a rags-to-riches story, Mallox went from a freebie on public forums to active attacks on SMEs and corporations in just a few months. While Kryptina is still considered an outlier platform, experts warn that stories like this are an indication that ransomware actors will continue to cross-pollinate toolsets and codebases in order to commoditize and elevate them.

The ugly | North Korean Adversary Kimsuky Uses Two New Malware Variants in Targeted Attacks

The North Korea-linked threat group Kimsuky (aka Sparkling Pisces, APT43 or ARCHIPELAGO) has introduced two new malware variants, called ‘KLogEXE’ and ‘FPSpy’, in its latest campaigns. Although Kimsuky has been active since 2012, researchers have now documented its recent evolution, including new capabilities that accompany the new malware.

In keeping with Kimsuky’s reputation for social engineering and spoofed emails, KLogEXE and FPSpy are portable executables delivered via highly targeted spearphishing emails designed to look like legitimate communications. Victims are tricked into downloading and unpacking malicious ZIP files, which then initiate the infection chain that deploys KLogEXE and FPSpy.

Written in C++, KLogEXE is a variant of a previously documented PowerShell-based keylogger called ‘InfoKey’. It can monitor running applications, record keystrokes and record mouse clicks. FPSpy, meanwhile, is a variant of malware disclosed in 2022 with expanded capabilities including system reconnaissance, command execution, and further payload delivery. It can list files, drives and folders on affected devices. Researchers noticed similarities in the source code of both families, suggesting a common author.

Similar hardcoded HTTP packet structure between KLogExe and FPSpy (source: Unit 42)

While Kimsuky’s targets in these recent campaigns are primarily Japanese and South Korean organizations, the attacks remain highly targeted rather than widespread, focusing mainly on specific industries and regions. Kimsuky’s use of both KLogEXE and FPSpy highlights the group’s continued evolution and demonstrates an ongoing effort to improve its malware arsenal and expand its operational reach, posing a persistent threat to select targets in Asia.