A new variant of the Play ransomware, specifically designed for Linux, has emerged and is targeting VMware ESXi systems. This variant is notable because it encrypts virtual machine files, including disks, configurations, and metadata, and appends them with the ".PLAY" extension. It also drops a ransom note in the root directory. The Play ransomware group appears to be utilizing services from Prolific Puma, a provider of illicit link-shortening services, to aid in evading detection while spreading malware. They employ a Registered Domain Generation Algorithm (RDGA) to create new domain names, a technique becoming popular among various cybercriminal groups for activities like phishing, spamming, and malware distribution. The RDGA allows for the creation of numerous domain names, making it harder to detect and defend against compared to traditional DGAs. This Linux variant of Play represents a broader attack strategy across the Linux platform, potentially expanding the group's victim base and increasing the success rate of ransom negotiations. The Play ransomware, initially appearing in June 2022, is known for its double extortion tactic, encrypting systems after stealing sensitive data and demanding a ransom for decryption. As of October 2023, estimates suggest around 300 organizations worldwide have fallen victim to this ransomware group. The discovery of this Linux variant was made from a RAR archive file found on an IP address associated with tools previously used in Play ransomware attacks, indicating that the Linux version may follow similar tactics.

https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html

#cybersecurity #vmware #esxi #linux #playransomware #ransomware #attack #encryption #prolificpuma #rdga #dga #trendmicro

New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma

Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more.

Trend Micro
Prolific Puma continues to abuse the usTLD, along with the meTLD (Montenegro). In the last couple days, they've registered: zn4[.]us,omot[.]me,xcrs[.]info,7fy[.]us,vksl[.]info,oesz[.]me,eayf[.]me,mxds[.]me.
#dns #infoblox #cybercrime #malware #cybersecurity #infosec #tds #prolificpuma #phishing
Prolific Puma is still busy and abusing the usTLD. In the last few days, they've registered wm0[.]us,w6u[.]us,9gm[.]us,va6[.]us,eiyi[.]me,skjh[.]me,om0[.]us,rtfd[.]me,ifih[.]me,xb7[.]us,6hv[.]us,ghty[.]me,h9q[.]us,piwp[.]me,mk9[.]us,q5b[.]us,lb3[.]us,4zg[.]us,sbrr[.]me. #dns #infoblox #cybercrime #malware #cybersecurity #infosec #tds #prolificpuma #phishing
Some of our folks are giving a technical webinar December 13th on SMS Cybercrime -- a DNS perspective. They will cover the malicious link shortener Prolific Puma and how we discovered it, what we see from an MFA phishing perspective, and look at what DNS actors doing all that USPS phishing look like. #dns #cybersecurity #infosec #phishing #prolificpuma #sms #malware #cybercrime #infoblox https://www.infoblox.com/registration-sms-cybercrime-a-dns-perspective/
SMS Cybercrime: A DNS Perspective | Webinar | Infoblox

Join this Infoblox webinar and learn how Infoblox detects threats that are used in SMS attacks.

Infoblox

So.. twice this year a DNS threat actor changed behavior when we were investigating and they soared from suspicious to malicious. lol. clever. first #decoydog then #prolificpuma ... anyhow.. kinda funny.. we fully expected them to regroup... it's their job after all to do the crime thing.. but they just can't let go of music references.. new email address 6lackrules@proton[.]me. no more anon usTLD registrations it looks like.

Here's some domains. a slight change in hosting. i don't see the shorteners set up yet but these'll be for sms bad activities again i'm sure.

zk0[.]us,zg5[.]us,yl4[.]us,yg2[.]us,y4f[.]us,xa4[.]us,x8i[.]us,wu7[.]us,wn3[.]us,w1m[.]us,v9e[.]us,v3y[.]us,uv5[.]us,uj2[.]us,ud4[.]us,u7n[.]us,u2f[.]us,tr0[.]us,tl1[.]us,t7x[.]us,s9k[.]us,qb9[.]us,q8r[.]us,q6d[.]us,q3u[.]us,q2u[.]us,pj8[.]us,p6s[.]us,p6h[.]us,o8r[.]us,o8l[.]us,o1i[.]us,lh8[.]us,ks0[.]us,kf8[.]us,k7x[.]us,k3o[.]us,jx4[.]us,jf4[.]us,hz0[.]us,h7s[.]us,h6l[.]us,g9s[.]us,g9j[.]us,fy3[.]us,f5y[.]us,f3z[.]us,er7[.]us,ecyz[.]us,e9c[.]us,d8c[.]us,c9i[.]us,c9a[.]us,bk7[.]us,a8m[.]us,a8j[.]us,a6r[.]us,9yl[.]us,9xl[.]us,9ou[.]us,9ma[.]us,9jy[.]us,9iq[.]us,8qe[.]us,8mv[.]us,8im[.]us,8fv[.]us,7ov[.]us,7nv[.]us,7cb[.]us,6np[.]us,6bu[.]us,5jc[.]us,5ja[.]us,3kc[.]us,2jk[.]us,2cl[.]us,0ho[.]us,piyt[.]us,zlyx[.]us,wyop[.]us,wk0[.]us,k0z[.]us,8ec[.]us,7ol[.]us,kaqu[.]us,jdhr[.]us,ivdo[.]us,w6r[.]us,t6s[.]us,sg4[.]us,j8q[.]us,f1d[.]us,aehv[.]us,utpy[.]us,jqcu[.]us,kxjm[.]us

#dns #malware #smishing #phishing #cybersecurity #infosec #infoblox
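The defanged domain lists in the post above, and the RDGA point made in the Play ransomware post at the top of this feed, are the kind of thing a defender wants to turn into blocking data quickly. The following is an added example, not code from Infoblox or from any of the posters: it refangs a "[.]"-style list, deduplicates it, applies a simple shape heuristic for the 3-4 character labels under the abused TLDs, and emits BIND RPZ records. The sample list is assembled here from entries in the posts, and the heuristic and TLD watch set are my assumptions, not Infoblox's detection logic.

```python
import re
from collections import Counter

# Constructed sample in the posts' defanged "[.]" notation. The entries are
# copied from the Infoblox posts above; the list itself (and the duplicate
# at the end, to exercise dedup) is assembled for this example.
SAMPLE_IOCS = "zn4[.]us,omot[.]me,xcrs[.]info,7fy[.]us,wm0[.]us,ecyz[.]us, zn4[.]us"

# Assumption: TLDs the posts report as abused; extend to taste.
WATCHED_TLDS = {"us", "me", "info"}

# Plain hostname check after refanging; rejects e-mail addresses and junk tokens.
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+$")


def refang(token: str) -> str:
    """Turn a defanged indicator such as 'zn4[.]us' back into 'zn4.us'."""
    return token.strip().lower().replace("[.]", ".").replace("(.)", ".")


def parse_ioc_list(text: str) -> list[str]:
    """Split a comma/whitespace separated list, refang, validate, dedupe (order kept)."""
    seen, out = set(), []
    for tok in re.split(r"[,\s]+", text):
        d = refang(tok)
        if d and DOMAIN_RE.match(d) and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def looks_like_rdga(domain: str) -> bool:
    """Heuristic (my assumption, not Infoblox's logic): a bare second-level
    label of 3-4 alphanumeric characters under a watched TLD, the shape seen
    in the posted registrations (zn4.us, omot.me, ...)."""
    labels = domain.split(".")
    if len(labels) != 2:
        return False
    label, tld = labels
    return tld in WATCHED_TLDS and 3 <= len(label) <= 4 and label.isalnum()


def summarize_by_tld(domains) -> Counter:
    """Count indicators per TLD, useful for spotting a shift like .us -> .me."""
    return Counter(d.rsplit(".", 1)[1] for d in domains)


def to_rpz(domains) -> list[str]:
    """BIND RPZ records: 'CNAME .' returns NXDOMAIN for the name and, with the
    wildcard line, for every subdomain. Append to an existing RPZ zone file."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    doms = parse_ioc_list(SAMPLE_IOCS)
    flagged = [d for d in doms if looks_like_rdga(d)]
    print("parsed:", doms)
    print("per TLD:", dict(summarize_by_tld(doms)))
    print("flagged as RDGA-style:", flagged)
    print("\n".join(to_rpz(flagged)))
```

The shape heuristic is only a triage aid: a short label under .us is not malicious by itself, so in practice feed the flagged names into your DNS telemetry (first-seen time, registrar, hosting change) before blocking, which is essentially what the Infoblox posts describe doing.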

.US Harbors Prolific Malicious Link Shortening Service
The top-level domain for the United States — .US — is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.
https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/ #dotUS #LinkShortening #malware #ProlificPuma
.US Harbors Prolific Malicious Link Shortening Service – Krebs on Security

.US Harbors Prolific Malicious Link Shortening Service

From @briankrebs

"Prolific Puma" registering malicious shortened .us domains daily as a link shortening service for malicious websites, helping them evade security/detection mechanisms and masking the true nature of the malicious domain.

#cybersecurity #infosec #prolificpuma

https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/

.US Harbors Prolific Malicious Link Shortening Service – Krebs on Security

Prolific Puma’s operations highlight the potential abuse of the DNS for criminal activities while remaining undetected for an extended period, underscoring the ongoing challenges in combating cybercrime.

#Cybersecurity #DarkWeb #SEO #ProlificPuma

https://cybersec84.wordpress.com/2023/11/01/prolific-puma-exposed-seo-researchers-discover-underground-link-shortening-service/

Prolific Puma Exposed: SEO Researchers Discover Underground Link Shortening Service

A clandestine threat actor operating under the alias “Prolific Puma” has maintained a discreet online presence, running a secretive link-shortening service in the underground for over t…

CyberSec84 | Cybersecurity news.

Incredible what DNS data can help uncover.

Short link service for crims registered up to 75,000 domains since April 2023.

Operation active for at least 4 years helped deliver phishing, scams, and malware.

In one day, they registered close to 800 domains, daily average since May is 43 domains.

#ProlificPuma

https://www.bleepingcomputer.com/news/security/massive-cybercrime-url-shortening-service-uncovered-via-dns-data/

Massive cybercrime URL shortening service uncovered via DNS data

A threat actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected.

BleepingComputer