Shifting Tides of Cyber Threats: Insights into JinxLoader Malware and Cryptocurrency Wallet Phishing

The cybersecurity community is abuzz with revelations from Palo Alto Networks Unit 42 and Symantec about a newly identified threat in the form of JinxLoader, a Go-based malware loader. 

Threat actors use this tool to deliver subsequent payloads, namely Formbook and its successor, XLoader.

Technical Insights Into JinxLoader

JinxLoader is named after a character from League of Legends, and the character appears on its promotional materials and its command-and-control login panel.

Symantec emphasized that the primary function of JinxLoader is relatively straightforward—it serves as a loader for additional malware.

Unit 42 uncovered that the malware service was initially advertised on hackforums[.]net back on April 30, 2023, offering subscription plans at $60 per month, $120 annually, or a lifetime fee of $200. 

The accessibility and affordability of such services on underground forums pose a considerable threat to cybersecurity.

Infiltration Tactics

The attack chains associated with JinxLoader are multi-step sequences that begin with phishing. The threat actors impersonate the Abu Dhabi National Oil Company (ADNOC) in phishing emails.

These emails coax recipients into opening password-protected RAR archive attachments. Once opened, these attachments deploy the JinxLoader executable, which then serves as the gateway for introducing Formbook or XLoader.

The Evolution of Malware Services

Security researchers and analysts point out that the dynamics of cyber threats are evolving rapidly. The strategic homage paid to popular culture, as seen in JinxLoader’s association with a gaming character, adds a layer of social engineering to the malicious campaign. 

Driven by financial motivations, malware-as-a-service offerings on underground forums continue to pose severe challenges to cybersecurity efforts.

Phishing Attacks Targeting Cryptocurrency Wallets

Cybersecurity researchers are sounding the alarm on an uptick in phishing attacks with the potential to deplete cryptocurrency wallets across various blockchain networks. 

Check Point researchers have identified a unique threat that utilizes an innovative crypto wallet-draining technique to extend its reach to prominent networks like Ethereum, Binance Smart Chain, Polygon, Avalanche, and nearly 20 others.

Expert Opinion

Experts weigh in on the evolving tactics observed in these attacks. The adaptability of threat actors to target a diverse range of blockchain networks reflects a heightened level of sophistication. 

Using a wallet-draining technique signifies a strategic shift in the modus operandi of phishing groups.

Angel Drainer

The phishing group known as Angel Drainer is at the forefront of this concerning trend. This group operates under a “scam-as-a-service” model, charging collaborators a percentage (typically 20% or 30%) of the amount stolen. In return, it provides wallet-draining scripts and other supporting services.

Rise of Scam-as-a-Service

Security analysts examining the rise of scam-as-a-service offerings emphasize the business-like approach threat actors adopt.

The arrangement between phishing groups and their collaborators, built on a percentage-based fee structure, adds a layer of organization and sophistication to these illicit operations.

Crypto-Draining Kits: Tools of the Trade

At the core of these services is a crypto-draining kit built to facilitate cyber theft. This kit enables the unauthorized transfer of cryptocurrency from victims’ wallets, often accomplished through airdrop or phishing scams.

Targets are lured into connecting their wallets on counterfeit websites distributed through malvertising schemes, unsolicited emails, and social media messages.

New Techniques to Scam You! 

Malware-as-a-service and scam-as-a-service are surging.

The easy availability of these services has to end, or this kind of crime will remain a convenient way to make money.

Easy money from these kits could lead to a rise in cyber crimes.

Agencies must collaborate, and we must employ the first line of defense to stay secure.

Author: Marrium Akhtar

Date: January 9, 2024
