A Russian-speaking cybercrime gang known as Crazy Evil has been linked to more than 10 active social media scams that use a wide range of tailored lures to deliver malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer.
Crazy Evil "specializes in identity fraud, cryptocurrency theft, and information-stealing malware," Recorded Future noted in its analysis.
The group's use of a diverse malware arsenal is a sign that the threat actor targets users of both Windows and macOS systems, posing a risk to the decentralized finance ecosystem.
Crazy Evil is assessed to have been active since at least 2021, functioning primarily as a traffer team tasked with redirecting legitimate traffic to malicious landing pages managed by other criminal crews. Allegedly led by a threat actor known on Telegram as @abrahamcrazyevil, it serves more than 4,800 subscribers on the messaging platform (@crazyevilcorp).
"They monetize traffic to these botnet operators who intend to compromise users either widely or specifically by region or operating system," French cybersecurity company SEKOIA said in a deep-dive report on traffers in August 2022.
"Thus the main issue facing traffers is to generate quality traffic without bots, undetected or unanalyzed by security vendors, and ultimately filtered by traffic type. In other words, the traffers' activity is a form of lead generation."
Unlike other scam operations that revolve around creating fake trading sites to facilitate fraudulent transactions, Crazy Evil focuses on the theft of digital assets, including non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online accounts. It is estimated to have brought in more than $5 million and compromised tens of thousands of devices worldwide.
It has also gained new prominence following the departure of Markopolo and CryptoLove, both of which were previously identified as responsible for a ClickFix campaign using fake Google Meet pages in October 2024.
"Crazy Evil explicitly victimizes the cryptocurrency space with bespoke lures," Recorded Future noted. "Crazy Evil traffers sometimes spend days or weeks on reconnaissance, scoping operations, identifying targets, and initiating engagement."
In addition to orchestrating attack chains that deliver information stealers and wallet drainers, the group's administrators claim to offer operational guidance and recommendations to their traffers, as well as crypt services for malicious payloads, and boast an affiliate structure for delegating operations.
Crazy Evil is the second cybercrime group after Telekopye to be exposed in recent years that centers its activities around Telegram. Newly recruited affiliates are directed by a threat-actor-controlled Telegram bot to other private channels:
- Payments, which announces earnings for traffers
- Logs, which provides an audit trail
- Info, which provides regular administrative and technical updates for traffers
- Global Chat, which serves as the main communication space for discussions ranging from work to memes
The cybercrime group has been found to comprise six sub-teams, Avland, Typeland, Deland, Zoomland, DeFi, and Kevland, each of which is associated with a specific scam that involves deploying a particular tool from fake websites:
- Avland (aka AVS|RG or Avenge), which uses job offer and investment scams to distribute the StealC and AMOS stealers under the guise of a Web3 communication tool called Voxium ("voxiumcalls(.)com")
- Typeland, which distributes the AMOS stealer under the guise of an artificial intelligence tool called Typerdex ("typerdex(.)ai")
- Deland, which distributes the AMOS stealer under the guise of a community development platform called DeMeet ("demeet(.)app")
- Zoomland, which uses generic scams that impersonate Zoom and WeChat ("app-whechat(.)")
- DeFi, which distributes the AMOS stealer under the guise of a digital asset management platform called Selenium Finance ("selenium(.)fi")
- Kevland, which distributes the AMOS stealer under the guise of AI-enhanced virtual meeting software called Gatherum ("gatherum(.)ca")
"As Crazy Evil continues to succeed, other cybercrime entities are likely to adopt its methods, forcing security teams to remain perpetually vigilant to prevent widespread breaches and an erosion of trust within the cryptocurrency, gaming, and software sectors," Recorded Future noted.
The development comes as the cybersecurity company detailed a traffic distribution system (TDS) called TAG-124, which overlaps with LandUpdate808, 404 TDS, KongTuke, and Chaya_002. Several threat groups, including those associated with Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@ck Loader, and TA582, have been found to use the TDS in their initial infection sequences.
"TAG-124 comprises a network of compromised sites," Recorded Future noted. "When visitors meet specific criteria, the compromised WordPress sites display fake Google Chrome update landing pages that ultimately lead to malware infections."
Recorded Future also noted that the shared use of TAG-124 reinforces the connection between the Rhysida and Interlock ransomware strains, and that the latest variants of TAG-124 campaigns have used the ClickFix technique to instruct visitors to execute a command pre-loaded into their clipboard to start the malware infection.
Some of the payloads deployed as part of the attacks include Remcos RAT and CleanUp Loader (aka Broomstick or Oyster), the latter of which serves as a conduit for Rhysida and Interlock ransomware.
Over 10,000 compromised WordPress websites have also been found to act as a distribution channel for AMOS and SocGholish as part of what has been described as a client-side attack.
"JavaScript loaded in the user's browser generates a fake page in an iframe," c/side security researcher Himanshu Anand said. "The attackers use outdated WordPress versions and plugins to make detection harder for websites without a client-side monitoring tool."
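Both techniques described above, the ClickFix clipboard hijack and the injected off-site iframe on a compromised WordPress page, leave traces in the served HTML that a site owner or client-side monitor can check for. The following scanner is an added example, not code from the article or from any of the vendors named; its detection patterns, the `scan_page` helper, and the sample page are constructed heuristics, not a reproduction of any real campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics assumed for this example: a script that writes to the clipboard AND names a
# shell/script launcher is typical of a ClickFix "copy this command to verify" page.
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
SHELL_LAUNCHER = re.compile(r"\b(powershell|pwsh|mshta|cmd(\.exe)?|wscript|curl|iwr)\b", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|width\s*:\s*0", re.I)

class InjectScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []      # (kind, detail, hidden_flag) tuples
        self._script = None     # buffer for the <script> body currently being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script = []
        elif tag == "iframe":
            src = a.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            if host and host != self.site_host:   # frame pulling content from another domain
                hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
                self.findings.append(("offsite_iframe", src, hidden))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            if CLIPBOARD_WRITE.search(body) and SHELL_LAUNCHER.search(body):
                self.findings.append(("clipboard_command_hijack", " ".join(body.split())[:80], None))

def scan_page(html, site_host):
    # Returns the suspicious findings for a page served from site_host.
    p = InjectScanner(site_host)
    p.feed(html)
    return p.findings

# Constructed sample: an injected hidden off-site iframe plus a ClickFix-style script whose
# copied command is a harmless placeholder, not a real payload.
SAMPLE_PAGE = """<html><body><h1>Latest post</h1>
<iframe src="https://cdn.example-bad.test/p.html" style="display:none;width:0"></iframe>
<script>
navigator.clipboard.writeText('powershell -w hidden -c "Write-Host placeholder"');
</script></body></html>"""
```

Run over a site's own crawled pages, a non-empty result from `scan_page` is a prompt to compare the served HTML against the files on disk, since both findings indicate content the site owner did not publish.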
In addition, threat actors have abused the trust associated with popular platforms such as GitHub to host malicious installers that lead to the deployment of Lumma Stealer and other payloads such as SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.
Trend Micro's analysis shows significant overlaps with tactics attributed to the threat actor known as Stargazer Goblin, which has used GitHub repositories for payload distribution. A key difference, however, is that this infection chain begins with infected websites that redirect to malicious GitHub release links.
"Lumma Stealer's distribution methods continue to evolve, with the threat actor now using GitHub repositories to host malware," Trend Micro security researchers, including Jovit Samaniego, said.
"The malware-as-a-service (MaaS) model provides malicious actors with a cost-effective and accessible means to carry out complex cyberattacks and achieve their malicious goals, easing the distribution of threats such as Lumma Stealer."