This mysterious hacker is leaving hidden messages for the investigators on their tail

There’s a new threat actor in the cybercrime space, which seems to be taking researchers’ counterattacks - personally. 

Cybersecurity researchers from Checkmarx have recently published a blog post on a threat actor dubbed RED-LILI. This group was seen delivering malicious NPM packages using automatically created user accounts. 

Since then, Checkmarx published its findings on the techniques and methods of this threat actor, and even created the RED-LILI Tracker to share with the community information about the attacker's packages, and analysis findings.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Don't go there - ever

This move did not sit well with the group, which responded by changing up its tactics a bit. Besides trying to make the malicious packages seem more credible, and to obfuscate the malicious code as well as it can, the group also started leaving messages to the researchers.

These messages were being delivered through package names, which “diverged from the normal pattern” into some of these:

dontbelikethat
notsobrilliant
dontgothereever
dontblowthisoff
heisnotwhatyousee
helloboy634
nosoawesome232
Fuckyouscanner

Since initially reporting on the group, it slowed down and paused the burst automation attacks, the researchers have found. RED-LILI has also dumped old domain names and registered a new domain - 22timer[.]ga. 

The researchers believe the next wave of the attack is yet to come, as RED-LILI now explores and publishes cherry-picked packages, each with its own unique evasion mechanism. 

“However, the attacker’s thumbprint still remains as they re-use similar characteristics (code similarity, same identifying strings, etc.),” the researchers concluded. “In recent packages, they are doing it while exfiltrating the data they collect to previously unknown addresses on different services, from what we have seen before such as free webhook services, for example, pipedream and requestbin.”

A detailed breakdown of the group’s methods, as well as all the package names that have so far been uncovered, can be found on this link



from TechRadar - All the latest technology news https://ift.tt/L9G1PZh
Share:

No comments:

Post a Comment

Categories

Rove Reviews Youtube Channel

  1. Subscribe to our youtube channel
  2. Like our videos and share them too.
  3. Our youtube channel name Rove reviews.

WITNUX

This website is made by Witnux LLC. This website provides you with all the news feeds related to technology from large tech media industries like GSM Arena, NDTV, Gadgets 360, Firstpost and many other such ates altogether at technical depicts so that you need not go to several sites to view their post provide you advantantage of time.

From the developer
Tanzeel Sarwar

OUR OTHER NETWORKS

OUR YOUTUBE CHANNEL

ROVE REVIEWS PLEASE SUBSCRIBE

OUR FACEBOOK PAGE

The Rove Reviews

Support

Trying our best to provide you the best DONATE or SUPPORTour site Contact me with details how are you gonna help us