{"id":19291,"date":"2024-12-07T07:00:00","date_gmt":"2024-12-07T05:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/cybersecurity-highlights-malware-targets-binance-telegrams-new-tools-and-more\/"},"modified":"2024-12-07T07:00:00","modified_gmt":"2024-12-07T05:00:00","slug":"cybersecurity-highlights-malware-targets-binance-telegrams-new-tools-and-more","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/cybersecurity-highlights-malware-targets-binance-telegrams-new-tools-and-more\/","title":{"rendered":"Cybersecurity Highlights: Malware Targets Binance, Telegram&#8217;s New Tools, and More"},"content":{"rendered":"<p>We have compiled the most significant cybersecurity news of the week.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Turkish hackers developed malware targeting Binance and MetaMask.<\/li>\n<li>Telegram to use IWF tools to combat child pornography.<\/li>\n<li>Fake conferencing software emptied Web3 specialists&#8217; wallets.<\/li>\n<li>A programmer suspected the FSB of installing spyware on his phone.\u00a0<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Turkish Hackers Develop Malware Targeting Binance and MetaMask<\/strong><\/h2>\n<p>Researchers at Cleafy <a href=\"https:\/\/www.cleafy.com\/cleafy-labs\/droidbot-insights-from-a-new-turkish-maas-fraud-operation\">discovered<\/a> Android malware DroidBot, capable of stealing data from 77 cryptocurrency and banking applications. Among the targets:<\/p>\n<ul class=\"wp-block-list\">\n<li>exchanges Binance, KuCoin, Kraken;<\/li>\n<li>wallet MetaMask;<\/li>\n<li>banking services BBVA, Unicredit, Santander, BNP Paribas, and Credit Agricole.<\/li>\n<\/ul>\n<p>Developed by Turkish hackers, the trojan disguises itself as Google Chrome, Google Play Store, or Android Security. 
Its functionality includes <span data-descr=\"recording keystrokes\" class=\"old_tooltip\">keylogging<\/span>, <span data-descr=\"opening windows over legitimate programs\" class=\"old_tooltip\">overlaying<\/span>, SMS interception, and a <span data-descr=\"Virtual Network Computing\" class=\"old_tooltip\">VNC<\/span> module for remote control of the infected device.<\/p>\n<p>A key aspect of DroidBot&#8217;s operation is the abuse of Android accessibility services to monitor user actions and simulate swipes and taps on behalf of the malware.<\/p>\n<p>The malware has been active since June 2024, offering builders to third-party operators for $3000 a month with customization options for specific targets.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXdMNBM1iOK9ecBscShuys4TUpwCkAy_1srjamjbihCKZdSN_3A69omdcR8eZnyY-sBWnMjPYAhpKidbGts4REFLbdBPql8vIrVKDC_RktAOGa9awwJvxEuMSRvQm9To04xGikJkDw?key=U34cthnCSZNMeFdonvE6xRkK\" alt=\"Cybersecurity Highlights: Malware Targets Binance, Telegram's New Tools, and More\"\/><figcaption class=\"wp-element-caption\">DroidBot builder. 
Data: Cleafy.\u00a0<\/figcaption><\/figure>\n<p>Analysis of one botnet revealed 776 unique infections in the UK, Italy, France, Turkey, Portugal, and Germany.\u00a0<\/p>\n<p>The malware is in an intensive development stage, expanding its geographical attack range.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Telegram to Use IWF Tools to Combat Child Pornography<\/strong><\/h2>\n<p>The British Internet Watch Foundation (IWF) will provide Telegram with tools for the proactive detection and removal of child sexual abuse images under an agreement.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">.<a href=\"https:\/\/twitter.com\/telegram?ref_src=twsrc%5Etfw\">@telegram<\/a> joins the IWF in cracking down on child sexual abuse imagery on the platform.<\/p>\n<p>Telegram will deploy new tools to proactively prevent child sexual abuse imagery from being spread in public parts of its platform.<a href=\"https:\/\/t.co\/wGEjzGFsee\">https:\/\/t.co\/wGEjzGFsee<\/a><\/p>\n<p>\u2014 Internet Watch Foundation (IWF) (@IWFhotline) <a href=\"https:\/\/twitter.com\/IWFhotline\/status\/1864233278829367347?ref_src=twsrc%5Etfw\">December 4, 2024<\/a><\/p><\/blockquote>\n<p>This includes the organization&#8217;s databases and a service for collecting &#8220;hashes&#8221;\u2014unique digital fingerprints of known illegal images and videos. Additionally, IWF will directly report criminal content found in public parts of Telegram, including AI-generated material.<\/p>\n<p>The foundation combats the spread of child sexual abuse images online through partnerships with law enforcement, governments, the public, and internet companies worldwide. 
It often faces criticism for generating excessive false complaints, secrecy, and ineffective technical solutions.\u00a0<\/p>\n<h2 class=\"wp-block-heading\"><strong>Fake Conferencing Software Emptied Web3 Specialists&#8217; Wallets<\/strong><\/h2>\n<p>Researchers at Cado Security Labs discovered the Meeten malware for stealing cryptocurrency, disguised as a conferencing application. The attacks target Web3 sector workers.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Cado Security Labs has discovered a new malware campaign targeting Web3 workers with a sophisticated scam using AI-generated content to appear legitimate. <\/p>\n<p>Read more in our latest blog post: <a href=\"https:\/\/t.co\/Pj8Y82kaKY\">https:\/\/t.co\/Pj8Y82kaKY<\/a><\/p>\n<p>\u2014 Cado (@CadoSecurity) <a href=\"https:\/\/twitter.com\/CadoSecurity\/status\/1865026404762460318?ref_src=twsrc%5Etfw\">December 6, 2024<\/a><\/p><\/blockquote>\n<p>The campaign began in September 2024. The brand name of the fake application changed multiple times, but for each, hackers created official websites and social media accounts filled with AI-generated content.\u00a0<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXd61OJ4fLGXd33z5dEazBCmOsrQfssgxV2zhiBTuF0PCZApYhpsV57HOVDS58dy1fjh5l2sXP0PkZH6RQWpG8IrhlJwLaYla2ZKSxepDUbkiXCd9CAOlMVXyOLd2LZe6Ot8Ii3Umw?key=U34cthnCSZNMeFdonvE6xRkK\" alt=\"Cybersecurity Highlights: Malware Targets Binance, Telegram's New Tools, and More\"\/><figcaption class=\"wp-element-caption\">Data: Cado Security Labs.<\/figcaption><\/figure>\n<p>The malware has Windows and macOS versions. 
Once on a computer, it transmits to hackers:<\/p>\n<ul class=\"wp-block-list\">\n<li>Telegram credentials;<\/li>\n<li>bank card details;<\/li>\n<li>cookies, history, and autofill data from browsers like Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc, and Vivaldi;<\/li>\n<li>information about Ledger, Trezor, Phantom, and Binance wallets;<\/li>\n<li>system information.<\/li>\n<\/ul>\n<p>Moreover, the sites are equipped with a script requesting a crypto wallet connection, allowing asset theft before the software is actually downloaded.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Germany Shuts Down Two Darknet Marketplaces and Encrypted Messenger<\/strong><\/h2>\n<p>German authorities <a href=\"https:\/\/www.bka.de\/DE\/Presse\/Listenseite_Pressemitteilungen\/2024\/Presse2024\/241203_PM_ZIT_Crimenetwork.html\">shut down<\/a> the servers of the country&#8217;s largest darknet marketplace, <strong>Crimenetwork<\/strong>, and arrested its technical administrator. Since 2012, the platform traded in stolen data, drugs, and forged documents. It had over 100,000 users and more than a hundred sellers.<\/p>\n<p>According to law enforcement, from 2018 to 2024, transactions on Crimenetwork exceeded 1000 BTC and 20,000 Monero (\u20ac93 million or ~$98 million at the time of writing). The operators&#8217; commission profit was at least $5 million.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXfhogQsQ13tqzBxlYOpyuN-F47YVLwAnMIHFNxPxCpHNN5k2Wf7ieIb4jfBZtXnjzXgADt4SCBZ1cNvIt5vPyy-GS1fSkFrz1-HiP4RFn4s9R6xkoNJYxi_GWjJaMrnVW2zneA6Bw?key=U34cthnCSZNMeFdonvE6xRkK\" alt=\"Cybersecurity Highlights: Malware Targets Binance, Telegram's New Tools, and More\"\/><figcaption class=\"wp-element-caption\">Data: BKA.<\/figcaption><\/figure>\n<p>The 29-year-old admin of Crimenetwork was arrested, charged with running a criminal platform and drug trafficking. 
Authorities seized luxury cars and cryptocurrencies worth about \u20ac1 million.<\/p>\n<p>Additionally, Germany halted the operations of the darknet marketplace <strong>Manson Market<\/strong>, which sold stolen account and payment data, as well as personal information. These details were obtained through a network of phishing online stores. At least 57 victims suffered losses exceeding \u20ac250,000.\u00a0<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Cybercrime network dismantled in ????????!<\/p>\n<p>? 50+ servers seized<br \/>? 200 terabytes of digital evidence secured<br \/>? 2 suspects arrested<\/p>\n<p>An effort coordinated by Europol.<\/p>\n<p>? <a href=\"https:\/\/t.co\/aqfi2tPOCg\">https:\/\/t.co\/aqfi2tPOCg<\/a> <a href=\"https:\/\/t.co\/Stigwn0Tiz\">pic.twitter.com\/Stigwn0Tiz<\/a><\/p>\n<p>\u2014 Europol (@Europol) <a href=\"https:\/\/twitter.com\/Europol\/status\/1864583544820945092?ref_src=twsrc%5Etfw\">December 5, 2024<\/a><\/p><\/blockquote>\n<p>The investigation team seized 50 servers and over 200 TB of documents with evidence of criminal activity. More than 80 storage devices, mobile phones, computers, as well as cash and cryptocurrencies worth \u20ac63,000 were confiscated. Two suspected operators of Manson Market were arrested in Germany and Austria.\u00a0<\/p>\n<p>Another operation coordinated by Europol led to the <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/international-operation-takes-down-another-encrypted-messaging-service-used-criminals\">shutdown<\/a> of the encrypted messaging platform <strong>Matrix<\/strong>. It facilitated illegal activities for at least 8,000 users in 33 languages worldwide. 
The service allowed encrypted video calls, transaction tracking, and anonymous web browsing.<\/p>\n<p>Forty servers were disabled in France and Germany, and five suspects were arrested in Spain and France. One of them, a 52-year-old Lithuanian citizen, is believed to be the owner and main operator of Matrix.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXfuFzKhwLg4N4XjH3s_Jr_fRoc1cZBDih-CHFCaZAZPPhIGRr0_cS1t4yxUfWQnZO-xQUEp8If-mfh_MZkku3rl-076hp4I_2t9OZrna2X0Zbk6cAtrWB7deyYmtF_CxfVBQV3gUw?key=U34cthnCSZNMeFdonvE6xRkK\" alt=\"Cybersecurity Highlights: Malware Targets Binance, Telegram's New Tools, and More\"\/><figcaption class=\"wp-element-caption\">Data: Europol.<\/figcaption><\/figure>\n<p>Authorities seized 970 encrypted phones, \u20ac145,000 ($152,500) in cash, \u20ac500,000 ($525,000) in cryptocurrencies, and four vehicles.<\/p>\n<h2 class=\"wp-block-heading\"><strong>CP3O Admits to Illegal Cryptocurrency Mining Worth $1 Million<\/strong><\/h2>\n<p>Nebraska resident Charles O. Parks III, known as CP3O, <a href=\"https:\/\/www.documentcloud.org\/documents\/25446861-parks-guilty-plea-press-release\/\">admitted<\/a> to using cloud computing services for cryptocurrency mining. The affected companies are presumably Amazon and Microsoft.<\/p>\n<p>According to the case materials, from January to August 2021, CP3O mined Ethereum, Litecoin, and Monero worth approximately $970,000 from various accounts. 
He did not pay the $3.5 million bill for provider services.<\/p>\n<p>Parks was arrested in April and faces up to 20 years in prison.\u00a0<\/p>\n<h2 class=\"wp-block-heading\"><strong>Teen Arrested in the US for Alleged Hacks on Gemini and KuCoin Clients<\/strong><\/h2>\n<p>US authorities <a href=\"https:\/\/storage.courtlistener.com\/recap\/gov.uscourts.njd.556587\/gov.uscourts.njd.556587.1.0.pdf\">arrested<\/a> 19-year-old Remington Goy Oglethorpe, linked to the cybercriminal group Scattered Spider. He is accused of hacking an American financial institution and two unnamed telecommunications companies.<\/p>\n<p>According to the investigation, the hacker, known as remi, breached internal networks through phishing employees of targeted organizations. By posing as benefits providers, schedule change requests, or HR inquiries, he tricked them into visiting malicious sites and entering login credentials for work computers.\u00a0<\/p>\n<p>From October 2023 to May 2024, Oglethorpe, after gaining access to telecom systems, sent over 8.6 million phishing SMS to steal recipients&#8217; cryptocurrency. Some of these attacks targeted clients of the Gemini and KuCoin exchanges.<\/p>\n<p>During a search of the hacker&#8217;s home, his iPhone contained screenshots of phishing messages, credential collection pages, and crypto wallets with tens of thousands of dollars in digital currencies.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Programmer Suspects FSB of Installing Spyware on His Phone\u00a0<\/strong><\/h2>\n<p>Citizen Lab specialists examined the mobile phone of a Russian programmer, which was confiscated by FSB officers during a 15-day arrest, and found secretly installed spyware. 
The malware posed as a legitimate Android app, Cube Call Recorder.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Read our new report: &#8220;Something to Remember Us By: Device Confiscated by Russian Authorities Returned With Monokle-type Spyware Installed&#8221; <\/p>\n<p>\u270d\ufe0f by <a href=\"https:\/\/twitter.com\/cooperq?ref_src=twsrc%5Etfw\">@cooperq<\/a>, <a href=\"https:\/\/twitter.com\/PDXbek?ref_src=twsrc%5Etfw\">@PDXbek<\/a>, and <a href=\"https:\/\/twitter.com\/jsrailton?ref_src=twsrc%5Etfw\">@jsrailton<\/a><a href=\"https:\/\/t.co\/XPkogcCndq\">https:\/\/t.co\/XPkogcCndq<\/a> <a href=\"https:\/\/t.co\/U6pT0t9xiq\">https:\/\/t.co\/U6pT0t9xiq<\/a> <a href=\"https:\/\/t.co\/1BfvAo2woJ\">pic.twitter.com\/1BfvAo2woJ<\/a><\/p>\n<p>\u2014 The Citizen Lab (@citizenlab) <a href=\"https:\/\/twitter.com\/citizenlab\/status\/1864661347646017619?ref_src=twsrc%5Etfw\">December 5, 2024<\/a><\/p><\/blockquote>\n<p>The program had unlimited access to the device through a wide range of permissions. Its features included:<\/p>\n<ul class=\"wp-block-list\">\n<li>standby location tracking;<\/li>\n<li>access to SMS, contact lists, calendar entries, and messenger correspondence;<\/li>\n<li>recording phone calls, screen activities, and video via the camera;<\/li>\n<li>extracting messages, files, and passwords, including through keylogging;<\/li>\n<li>executing shell commands, decrypting data, and installing <span data-descr=\"Android Package Kit \u2014 format of archive executable application files for Android\" class=\"old_tooltip\">APK<\/span> packages.<\/li>\n<\/ul>\n<p>Citizen Lab believes the malware is a new version of the Monokle spyware, developed by employees of the Special Technology Center LLC in St. 
Petersburg.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Developers of meme heroine Hawk Tuah&#8217;s token suspected of exit scam.<\/li>\n<li>Polish police explained claims against former WEX head Dmitry Vasiliev.<\/li>\n<li>OpenAI introduced a Pro version of o1 for $200 a month. Researchers suspected it of deceiving people.<\/li>\n<li>Garantex, Russia Today, Ryuk: UK shut down Russian cryptocurrency laundering network.<\/li>\n<li>Hackers attacked Solana developers through JavaScript library substitution.<\/li>\n<li>Phantom crypto wallet &#8220;freed&#8221; users from seed phrases.<\/li>\n<li>Corporate fraud icon Enron &#8220;resurrected,&#8221; community intrigued by tokens.<\/li>\n<li>Former Celsius CEO admitted guilt on two of seven charges.<\/li>\n<li>Share of BNB Chain blocks affected by &#8220;sandwich bots&#8221; hit a record.<\/li>\n<li>Russian Ministry of Internal Affairs uncovered a scheme with fake crypto ATMs.<\/li>\n<li>Hydra founder sentenced to life in Russia.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to Read Over the Weekend?<\/strong><\/h2>\n<p>We explain the types of cryptocurrency pyramids and what attracts people to them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have compiled the most significant cybersecurity news of the week. Turkish hackers developed malware targeting Binance and MetaMask. Telegram to use IWF tools to combat child pornography. Fake conferencing software emptied Web3 specialists&#8217; wallets. 
A programmer suspected the FSB of installing spyware on his phone.\u00a0 Turkish Hackers Develop Malware Targeting Binance and MetaMask Researchers [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":19290,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-19291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"65","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/19291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=19291"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/19291\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/19290"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=19291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=19291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=19291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}