Kaspersky crimeware report: FakeSG, Akira and AMOS

Cybercriminals try to capitalize on their victims in every possible way by distributing various types of malware designed for different platforms.
In recent months, we have written private reports on a wide range of topics, such as new cross-platform ransomware, macOS stealers and malware distribution campaigns.
In this article, we share excerpts from our reports on the FakeSG campaign, the Akira ransomware and the AMOS stealer.
Clicking the notification downloads a malicious file to the device. Over time, the attackers have changed the download URL to stay undetected for longer. The download is a JS file containing obfuscated code. When it runs, it displays a prompt to update the browser and automatically starts downloading another script. Part of the resulting 7z archive is a malicious configuration file that contains the address of the C2.

Akira is a relatively new ransomware variant, first detected this past April. It is written in C++ and can run in both Windows and Linux environments. Despite being relatively new, the attackers behind Akira are quite busy, with over 60 confirmed infected organizations worldwide. In many ways, Akira is no different from other ransomware families: shadow copies are deleted; logical drives are encrypted while certain file types and directories are skipped; there is a leak/communication site on TOR; and so on. Akira's communication site, however, is something different.

Certain well-known stealers, such as Redline and Raccoon, have been around for years. At the beginning of the year, we saw a number of new stealers appearing for macOS: XLoader, MacStealer, Atomic macOS (aka AMOS) and others. The initial version of AMOS, written in Go, had typical stealer features, such as stealing passwords, files, browser data and so on. The new version changed a few things, most notably the programming language. As in the Redline and Rhadamanthys campaigns, popular software sites are cloned, and users are lured into downloading the malware. The downloaded file is a DMG image that contains instructions on how to install the malware, as can be seen in the image below.

The first thing the malware does is retrieve the user name and check whether the password is blank or whether no password is required at all. If a password is required and the user is not logged in, the malware creates a popup using osascript, asking the user to enter the password.
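The osascript password prompt described above is something a defender can look for in process-execution telemetry. The following is an added example, not code from the report: it scans constructed EDR-style process events (JSON lines) and flags osascript invocations that display a dialog with a hidden (password-style) answer field. The event field names and the sample events are assumptions for illustration.

```python
"""Flag macOS process events where osascript is used to show a password-style
dialog, the AMOS behaviour described in the text above. Added example; the
event format and sample events below are constructed, not taken from the report."""
import json
import os
import re

# An AppleScript "display dialog" whose typed input is hidden is a
# password-style prompt. Requiring the word "password" in the dialog text
# cuts noise from legitimate hidden-input dialogs. (Assumed indicator.)
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.I | re.S)
PASSWORD_WORD = re.compile(r"\bpassword\b", re.I)


def is_suspicious(event: dict) -> bool:
    """True if this process event is an osascript password-style dialog."""
    cmd = event.get("cmdline", "")
    if not cmd:
        return False
    # The executable is the first token of the command line (assumed layout).
    exe = os.path.basename(cmd.split()[0])
    if exe != "osascript":
        return False
    return bool(HIDDEN_ANSWER.search(cmd)) and bool(PASSWORD_WORD.search(cmd))


def scan(lines):
    """Return (pid, parent) for every suspicious event among JSON-line events."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append((event["pid"], event.get("parent", "")))
    return hits


# Constructed sample telemetry: one prompt spawned from an app launched off a
# mounted disk image, plus two benign osascript uses.
SAMPLE_EVENTS = """\
{"pid": 511, "parent": "/Volumes/Installer/Setup.app/Contents/MacOS/Setup", "cmdline": "osascript -e 'display dialog \\"macOS needs to access System Settings. Please enter your password.\\" default answer \\"\\" with hidden answer with icon caution'"}
{"pid": 512, "parent": "/usr/bin/login", "cmdline": "osascript -e 'display notification \\"Backup finished\\"'"}
{"pid": 513, "parent": "/Applications/Automator.app/Contents/MacOS/Automator", "cmdline": "osascript /Users/dev/scripts/rename.scpt"}
"""

if __name__ == "__main__":
    for pid, parent in scan(SAMPLE_EVENTS.splitlines()):
        print(f"suspicious osascript password prompt: pid={pid} parent={parent}")
```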


This Cyber News was published on securelist.com. Publication date: Wed, 13 Dec 2023 10:13:04 +0000

