The Rise of FusionCore: An Emerging European Cybercrime Group

FusionCore is a group that operates as both malware developers and threat actors, providing malware subscriptions as well as hacker-for-hire services. They specialize in a wide range of malware and use phishing as their primary attack vector for initial access.

The groups Malware-as-a-Service (MaaS) and hacker-for-hire operations provide a range of customizable tools and services on their website. This one-stop-shop is a haven for threat actors seeking cost-effective yet sophisticated malware to purchase.

FusionCore’s offerings include Typhon-R Stealer, RootFinder Stealer, RootFinder RAT, Cryptonic Crypter, RootFinder Ransomware, RootFinder Miner, Golden Mine, ApolloRAT, SarinLocker, and KratoS dropper. Additionally, the operators have started a ransomware affiliate program that equips attackers with the ransomware and affiliate software to manage victims.

Recently, researchers analyzed some of the previously undiscovered malware samples used by FusionCore, with findings indicating that the threat actor group is highly sophisticated and ambitious. The primary operators of FusionCore use open-source software to increase the evasiveness of their crypter stub, their hacker-for-hire services. Combined with its stealer capabilities, this poses a significant threat to organizations’ digital assets, potentially leading to financial losses due to stolen intellectual property or compromised customer data.

FusionCore Timeline:

In June 2022, Hydra started selling the Typhon-stealer, released on their new telegram channel, after working on new features and evasion capabilities. In the same month, the MaaS operators were found providing malware-spreading services across the globe, indicating that they likely have access to a private botnet spanned across multiple geographies. The operators charged a higher price to spread malware within Europe than any other continent.

In September 2022, FusionCore created a telegram channel for streamlining their MaaS operations. Hydra then recruited a Russian-speaking advertiser, who advertised the products on underground forums, channels, etc. with a 25% commission for the marketer on the revenue.

A month later, another malware developer in FusionCore, who goes by the alias NecroSys, came in advertising a soon-to-be-released ransomware written in C#, called SarinLocker. The group admin, SysKey, announced the official launch of the webshop for FusionCore in November 2022, as well as previews of upcoming tools and related features in the same month.

In January 2023, the MaaS operators were looking to expand their team with the addition of an experienced malware developer. In February 2023, the research team obtained the command and control (C2) panel snippet shared by the attacker on their telegram channel (now deleted), leveraging the poor Operations Security (OpSec) from the MaaS operators. The RootFinder telegram channel was deleted after the threat actors realized their operational error. The snippet reveals public IPs that are being used by FusionCore for testing grounds for the malware.

By March, Hydra published a screenshot of the Typhon Reborn stealer dashboard, which is still under development. It should be noted that the dashboard displays Sweden time by default. On March 26th, NecroSys announced on the Typhon stealer telegram channel an upcoming fully native and fully undetectable ransomware named “VIPERA Ransomware” designed to encrypt victim files in microseconds.

Summary:

Based on the available information and discussions, it can be ascertained with medium confidence that the operators of FusionCore are operating from Europe. The research team’s discovery of the C2 panel snippet shared by the attackers on their now-deleted telegram channel in February 2023 shed some light on the testing grounds for the malware being used by the MaaS operators. These public IPs are likely part of the botnet used to provide malware-spreading services.

It can be ascertained that FusionCore is a highly sophisticated and well-funded group, with a well-established and efficient modus operandi. The group has shown the ability to adapt to changing circumstances and remain active, despite the efforts of law enforcement agencies to shut them down.

FusionCore Key Takeaways

It is important for organizations to take measures to protect themselves against threats from groups like FusionCore. This includes maintaining up-to-date antivirus software, implementing strong password policies, training employees to be vigilant against phishing attacks, and regularly backing up important data to minimize the impact of a potential ransomware attack.

It is also recommended that organizations work closely with law enforcement agencies to report any suspected cybercrime activity and to implement threat intelligence sharing programs with other organizations in their industry to stay abreast of the latest threats and tactics used by groups like FusionCore.

References: