Blog / News, 21 Dec 2023
Author: Samir Yawar
7 min read

GTA6 Leaker, MS Drainer and FalseFont Malware dominate headlines

This week's cybersecurity news roundup looks at the GTA6 leaker, MS Drainer, and FalseFont exploits.

Welcome to our latest cybersecurity news roundup, where we take a comprehensive look at the most pressing issues in the tech and cybersecurity landscape. This edition covers the GTA6 leaker, MS Drainer, and FalseFont.

Join us as we navigate the evolving challenges and advancements in technology, cybersecurity, and beyond.

Cybersecurity News Roundup for Dec 22, 2023

Here’s what went down this week:

GTA6 Leaker gets a life sentence

Arion Kurtaj, a member of the Lapsus$ cybercrime group, has been sentenced indefinitely to a "secure hospital" by a British judge.

Residing in Oxford, Kurtaj played a significant role as a key member of Lapsus$, responsible for leaking clips from Rockstar Games' anticipated video game, Grand Theft Auto VI.

Prosecutors assert that Kurtaj was "caught red-handed" violating his bail conditions when authorities discovered an Amazon Fire Stick in his hotel room's TV. This device enabled him to connect to cloud computing services using his smartphone, keyboard, and mouse. This clever workaround allowed him to carry out the Grand Theft Auto VI leak despite his laptop being confiscated.

The judge expressed concern that Kurtaj, due to his skills and evident inclination towards cybercrime, poses a continuing "high risk" to the public. Consequently, he will remain in a secure hospital until medical professionals deem him no longer a threat.

In addition to his involvement in cybercrime, the court disclosed that Kurtaj displayed violent behavior while in custody, resulting in "dozens of reports of injury or property damage."

Owing to his autism, healthcare professionals had initially deemed Kurtaj unfit to stand trial. The decision to determine if his alleged actions were carried out with criminal intent was left to the jury.

The BBC further reported that a mental health assessment conducted during the sentencing hearing revealed Kurtaj's strong motivation to "return to cyber-crime as soon as possible."

Malicious Google and Twitter Ads

Google and Twitter advertisements are being utilized to promote websites hosting a cryptocurrency exploitation tool known as 'MS Drainer,' which is responsible for siphoning off $59 million from 63,210 individuals in the last nine months.

Blockchain threat analysts at ScamSniffer report that they have identified over ten thousand phishing websites employing the drainer since March 2023, with notable surges in activity in May, June, and November.

A drainer, in this context, refers to a malicious smart contract or a comprehensive phishing suite engineered to deplete funds from a user's cryptocurrency wallet without their explicit consent.

[Image: Malicious Google ads displayed | Source: ScamSniffer]

Individuals are redirected to a seemingly legitimate phishing website, where they unwittingly authorize malicious contracts. This allows the drainer to execute unauthorized transactions, transferring the victim's funds to the attacker's designated wallet address.
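An added example, not from the article or from ScamSniffer, of the defender-side check this mechanism implies: an ERC-20 drainer can only move tokens for which the victim has signed a token approval, so a wallet owner can audit the allowances currently in force and revoke any that are unlimited or that go to a spender contract they do not recognise. The wallet and contract addresses, the spender allowlist and the Approval events below are all constructed for this example.

```python
# Added example (not from the article or ScamSniffer): audit the ERC-20 token
# allowances a wallet has granted. A drainer can only move tokens for which the
# victim signed an approve() call, so unexpected or unlimited allowances are
# the thing to review and revoke (by sending approve(spender, 0)).
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance value many dApps request

# Constructed addresses; none of these exist on any chain.
WALLET = "0x" + "c" * 40
TOKEN_A = "0x" + "a" * 40
TOKEN_B = "0x" + "b" * 40
SPENDER_KNOWN = "0x" + "1" * 40    # e.g. a DEX router the owner recognises
SPENDER_UNKNOWN = "0x" + "2" * 40  # a contract the owner never meant to approve

# Hypothetical allowlist of spender contracts the owner has vetted.
KNOWN_SPENDERS = {SPENDER_KNOWN}

# Constructed Approval(owner, spender, value) events in chain order, as a node
# or block explorer would return them for WALLET.
SAMPLE_APPROVALS = [
    {"token": TOKEN_A, "owner": WALLET, "spender": SPENDER_KNOWN, "value": 500},
    {"token": TOKEN_A, "owner": WALLET, "spender": SPENDER_UNKNOWN, "value": MAX_UINT256},
    {"token": TOKEN_B, "owner": WALLET, "spender": SPENDER_UNKNOWN, "value": MAX_UINT256},
    {"token": TOKEN_A, "owner": WALLET, "spender": SPENDER_KNOWN, "value": 0},  # revoked
]


def current_allowances(events, owner):
    """Reduce an Approval event stream to the allowance now in force per
    (token, spender). approve() overwrites rather than adds, so only the
    latest event for each pair matters; a value of 0 means revoked."""
    latest = {}
    for ev in events:
        if ev["owner"] != owner:
            continue
        latest[(ev["token"], ev["spender"])] = ev["value"]
    return {pair: value for pair, value in latest.items() if value > 0}


def risky_allowances(events, owner, known_spenders=KNOWN_SPENDERS):
    """Flag allowances granted to spenders outside the allowlist or set to the
    unlimited value. Returns a list of findings, each with its reasons."""
    findings = []
    for (token, spender), value in sorted(current_allowances(events, owner).items()):
        reasons = []
        if spender not in known_spenders:
            reasons.append("spender not on allowlist")
        if value == MAX_UINT256:
            reasons.append("unlimited allowance")
        if reasons:
            findings.append({"token": token, "spender": spender,
                             "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in risky_allowances(SAMPLE_APPROVALS, WALLET):
        print(f"{f['token']} -> {f['spender']}: {', '.join(f['reasons'])}")
```

The example only reports; revoking is a transaction the owner sends from their own wallet (approve(spender, 0) on the token contract), which is why the reduced allowance table keys on (token, spender) rather than on the spender alone.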

How does the MS Drainer exploit work?

MS Drainer is being promoted through deceptive ads on Google Search, strategically displayed for keywords associated with decentralized finance (DeFi) platforms such as Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant.

Numerous ads exploit a tracking template vulnerability in Google Ads to manipulate the URL, making it appear as if it is affiliated with the targeted project's official domain. However, upon clicking, users are redirected to a phishing site.

On Twitter, also known as "X," the prevalence of MS Drainer advertisements is substantial, constituting six out of nine reported phishing ads on the platform, according to ScamSniffer.

Microsoft warns defense companies of FalseFont malware

Microsoft reports that the APT33 Iranian cyber-espionage group is employing a newly discovered backdoor malware named FalseFont to target defense contractors globally.

In a statement, the Seattle-based tech giant revealed:

"Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector."

The Defense Industrial Base sector, encompassing over 100,000 defense companies and subcontractors engaged in the research and development of military weapons systems, subsystems, and components, has been the primary focus of these attacks.

Also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, the hacking group has been operational since at least 2013. Its targets range across various industry sectors in the United States, Saudi Arabia, and South Korea, including government, defense, research, finance, and engineering domains.

The recently identified custom backdoor, FalseFont, provides the hackers with remote access to compromised systems, enabling file execution and transfer to their command-and-control servers. Microsoft notes that FalseFont was first detected in the wild around early November 2023.

"The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft," stated Microsoft.

In response to these threats, network defenders are advised to reset credentials for accounts targeted in password spray attacks, reducing the attack surface. Additionally, Microsoft recommends revoking session cookies and securing accounts and RDP or Windows Virtual Desktop endpoints with multi-factor authentication (MFA).
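As an added example (not Microsoft's guidance or tooling), here is a small Python detector for the password-spray pattern the advice above responds to: one source failing against many distinct accounts with only a few attempts each. For every flagged source it returns the accounts that were targeted (candidates for a credential reset) and those the same source also signed into successfully (candidates for session revocation). The one-line log format and every line in the sample are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines (not real data) in a simplified format:
#   <ISO-8601 UTC timestamp> src=<ip> user=<upn> result=<success|failure>
SAMPLE_LOG = """\
2023-12-18T09:00:01Z src=203.0.113.7 user=alice@example.test result=failure
2023-12-18T09:00:04Z src=203.0.113.7 user=bob@example.test result=failure
2023-12-18T09:00:07Z src=203.0.113.7 user=carol@example.test result=failure
2023-12-18T09:00:10Z src=203.0.113.7 user=dave@example.test result=failure
2023-12-18T09:00:13Z src=203.0.113.7 user=erin@example.test result=failure
2023-12-18T09:00:16Z src=203.0.113.7 user=frank@example.test result=failure
2023-12-18T09:05:16Z src=203.0.113.7 user=frank@example.test result=success
2023-12-18T09:10:00Z src=198.51.100.9 user=alice@example.test result=failure
2023-12-18T09:10:05Z src=198.51.100.9 user=alice@example.test result=failure
2023-12-18T09:10:09Z src=198.51.100.9 user=alice@example.test result=failure
2023-12-18T09:11:00Z src=198.51.100.9 user=alice@example.test result=success
2023-12-18T09:12:00Z src=192.0.2.44 user=bob@example.test result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_sign_in_log(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_password_spray(lines, min_accounts=5, max_per_account=2,
                          window=timedelta(minutes=30)):
    """Flag a source when, within `window`, it fails against at least
    `min_accounts` distinct accounts with no more than `max_per_account`
    failures each (many accounts, few guesses: the spray signature, as
    opposed to a brute force that hammers a single account)."""
    events = sorted(parse_sign_in_log(lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failure"]
        targeted = set()
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span is at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in failures[start:end + 1])
            sprayed = {u for u, n in per_user.items() if n <= max_per_account}
            if len(sprayed) >= min_accounts:
                targeted |= set(per_user)
        if targeted:
            # Any targeted account the same source also signed into is the
            # urgent case: reset its credential and revoke the session it got.
            logged_in = {e["user"] for e in evs
                         if e["result"] == "success" and e["user"] in targeted}
            alerts[src] = {"reset_credentials": sorted(targeted),
                           "revoke_sessions": sorted(logged_in)}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_password_spray(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

The thresholds are starting points: `min_accounts` and `window` trade false positives from shared egress addresses against missed low-and-slow sprays, and in a real deployment the same logic would key on whatever source attribute the identity provider exposes rather than only the IP.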

Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
Frequently Asked Questions

What is FalseFont?

FalseFont is a newly identified and sophisticated backdoor malware utilized by the Iranian cyber-espionage group APT33 (also known as Peach Sandstorm, HOLMIUM, or Refined Kitten). This malware serves as a tool for unauthorized access and control over compromised computer systems.