As if it were not bad enough to watch crypto valuations tank over the past two weeks, the news out now is that a collective of hackers known as the “Gorgon Group” has launched a widespread botnet campaign aimed at crypto investors: it plants a backdoor on the victim’s personal computer, slips past Microsoft’s built-in defenses, and empties the victim’s crypto wallets for good measure.
What has surprised cyber-crime researchers is that this sophisticated attack is carried out with a rather cheap set of software. According to Prevailion, a cyber-threat intelligence firm, the bargain-basement Trojan malware behind what it calls the MasterMana Botnet can be had for as little as $100, if you know where to look on the Dark Web. Lease a Virtual Private Server for another $60 and you, too, can be off and running this mass-mailing phishing scheme, which relies on malicious attachments to reel in its victims.
Danny Adamitis, intelligence director at Prevailion, told reporters at CoinDesk that:
Based on what we’ve observed, the MasterMana Botnet had a global impact on organizations across a wide variety of verticals. We assess that the Botnet was interacting with approximately 2,000 machines a week, or 72,000 machines over the course of 2019, based on the snapshot we observed.
Research firms like Prevailion review the “TTPs”, the tactics, techniques, and procedures an operation exhibits, to determine the origin of the malware and who might be distributing it. In this case, the clues lead back to a notorious band of professional hackers that has built quite a reputation over the past three years through its cyber-crime exploits. Known as the “Gorgon Group”, this time around they are delivering Trojanized Microsoft Office files, Excel, PowerPoint, Word, and Publisher documents, as the phishing attachments.
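The practical defence against a campaign built on Trojanized Office attachments is to triage those attachments before they reach a mailbox. The script below is an added example, not code from Prevailion or from the article, and it makes two assumptions that are worth stating: that legacy Office formats (.doc/.xls/.ppt/.pub) can be recognised by the OLE2 compound-file signature, and that a modern Office Open XML file carrying VBA macros contains a vbaProject.bin part. The quarantine policy and the sample attachments are constructed for illustration.

```python
import io
import zipfile

# Signature of an OLE2 compound file, the container used by the legacy
# .doc/.xls/.ppt/.pub formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Office Open XML documents (.docx/.xlsx/.pptx) are zip archives; the
# presence of a vbaProject.bin part means the file carries VBA macros.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

OFFICE_EXTS = {"doc", "xls", "ppt", "pub",
               "docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}


def classify_attachment(data: bytes) -> str:
    """Return 'ole2', 'ooxml-macro', 'ooxml' or 'other' for an attachment body."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:
            return "other"          # a zip, but not an Office package
        if any(part in names for part in MACRO_PARTS):
            return "ooxml-macro"
        return "ooxml"
    return "other"


def should_quarantine(filename: str, data: bytes) -> bool:
    """Hypothetical gateway policy: hold legacy OLE2 documents, macro-enabled
    OOXML, and anything whose extension disagrees with its real container."""
    kind = classify_attachment(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if kind in ("ole2", "ooxml-macro"):
        return True
    if kind == "ooxml" and ext not in OFFICE_EXTS:
        return True                 # Office package hiding behind e.g. a .pdf name
    if kind == "other" and ext in OFFICE_EXTS:
        return True                 # claims to be Office but is not an Office container
    return False


def triage(attachments: dict) -> dict:
    """Map each attachment name to the quarantine decision."""
    return {name: should_quarantine(name, body) for name, body in attachments.items()}


def _build_ooxml(parts: dict) -> bytes:
    """Construct a minimal Office Open XML package in memory (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments, not real campaign artefacts.
SAMPLES = {
    "invoice.docx": _build_ooxml({"word/document.xml": "<w:document/>"}),
    "invoice.docm": _build_ooxml({"word/document.xml": "<w:document/>",
                                  "word/vbaProject.bin": b"\x00"}),
    "statement.pub": OLE2_MAGIC + b"\x00" * 64,
    "report.pdf": b"%PDF-1.4\n%constructed\n",
    "notes.docx": b"%PDF-1.4\n",    # mislabelled: PDF bytes under an Office name
}

if __name__ == "__main__":
    for name, held in triage(SAMPLES).items():
        print(f"{name:15} {classify_attachment(SAMPLES[name]):12} quarantine={held}")
```

The policy is deliberately blunt: legacy OLE2 files are held outright because the format cannot be opened without exposing the parser to embedded objects, while plain OOXML without macros is allowed through. A production gateway would also detonate held files in a sandbox and inspect embedded OLE objects inside OOXML parts, which this example does not attempt.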
The Gorgon Group has been detected on several occasions over the past few years attacking government agencies in the United States, Russia, Spain, and the UK, as well as running campaigns against all manner of entities across the globe. They are known for using diverse infrastructure and a host of malware families in their attacks. They are believed to hail from Pakistan, though only because their online personas suggest as much, and to have operated on underground forums since 2016.
According to the experts, this “campaign”, as they call each attack, was still active late in September, largely because the code was flying beneath the radar of a number of mainstream malware-detection products. The Prevailion report noted that:
Based on the level of sophistication displayed in this campaign, we believe that the threat actors struck a sweet spot.
Typically, once word gets around within investigative circles, these “bad actor” campaigns back away from the limelight, regroup, and prepare for their next assault. In this case, the criminal group appears brazen enough to ignore the fact that it has been detected, perhaps because of the surprise nature of the attack, the low cost of running it, and its success rate to date.
Danny Adamitis concludes:
We recommended that cryptocurrency investors remain particularly vigilant in protecting their personal computers. Having two-factor authentication, such as a hardware token, is recommended when that option is available.