
Cyware Daily Threat Intelligence


Daily Threat Briefing Jul 2, 2021

Wizard Spider, the group behind the TrickBot trojan, is back with more tricks up its sleeve. The group has been linked to a new ransomware strain dubbed Diavol that uses user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm to encrypt files.

TrickBot is not the only returning threat: the operators of Mirai have launched a new botnet named Mirai_ptea that exploits a new vulnerability in KGUARD DVR devices. According to researchers’ telemetry, infections are concentrated in the U.S., Korea, and Brazil.

Buer Loader and Smoke Loader also drew researchers’ attention, underscoring the rising threat posed by malware downloaders.

Top Breaches Reported in the Last 24 Hours

MasMovil attacked

Spain’s fourth-largest telecom operator, MasMovil Ibercom, has become the latest victim of the REvil ransomware gang. To claim the attack, the group shared screenshots of folders named Backup, RESELLERS, PARLEM, and OCU. MasMovil has confirmed the attack and stated that the gang has not made a ransom demand.

Another target of REvil

The University Medical Center of Southern Nevada is another organization to have fallen victim to REvil ransomware. Following the attack, the gang posted screenshots of stolen data that include driver’s licenses, passports, and Social Security numbers belonging to many individuals.

MonPass server breached

Hackers breached a MonPass server and used it to deploy a Cobalt Strike-based backdoor. The backdoor was active between February and March, but the incident only came to light in late March.

LimeVPN data on sale

Data stolen from LimeVPN is being offered for sale on the RaidForums dark web marketplace. The stolen records include usernames, plaintext passwords, IP addresses, and billing information.

New Skills Academy

New Skills Academy has suffered a data breach that compromised sensitive data belonging to its students. The threat actors gained unauthorized access to the network and stole usernames, email addresses, and encrypted passwords.

Top Malware Reported in the Last 24 Hours

Smoke Loader detected

A new campaign is enticing users to download Smoke Loader from a fake Privacy Tools website that pretends to offer file protection services. Smoke Loader acts as the initial-stage payload and later drops Raccoon Stealer and RedLine as the final payloads.

New Diavol ransomware

A newly discovered ransomware strain, Diavol, has been linked to the Wizard Spider threat actor group, best known for its TrickBot trojan. What sets Diavol apart from other ransomware is how it encrypts files: it uses user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm as part of its encryption routine. The initial intrusion vector is currently unknown.

New Mirai_ptea botnet

A new Mirai variant dubbed Mirai_ptea is exploiting a new vulnerability in KGUARD DVR devices to propagate across IoT devices. According to researchers’ telemetry, infections are concentrated in the U.S., Korea, and Brazil.

Buer Loader spotted

A phishing campaign themed around the COVID-19 vaccine was launched to distribute Buer Loader. The emails used the subject line ‘Covid-19 Vaccination Information’ to catch recipients’ attention.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable ProfilePress plugin

Several vulnerabilities in the ProfilePress WordPress plugin can allow attackers to escalate user privileges and upload malicious code, resulting in a complete takeover of the affected WordPress site. The flaws are tracked as CVE-2021-34621, CVE-2021-34622, CVE-2021-34623, and CVE-2021-34624. Patches were released in May 2021.

Vulnerable WAGO devices

WAGO has patched several critical and high-severity vulnerabilities in its PLC and HMI products. Two of these are tracked as CVE-2021-34566 and CVE-2021-34567. The flaws can allow attackers to cause a denial-of-service condition and, in some cases, achieve arbitrary code execution.
