Cyware Daily Threat Intelligence

Daily Threat Briefing • May 4, 2022
Unprecedented ransomware attacks from North Korean hacking groups have grabbed the attention of researchers. This follows the discovery of four ransomware strains that were used in the wild over the past two years to extort APT38’s victims. The four strains in question are Beaf, PXJ, ZZZZ, and ChiChi. In another update, several new malware loaders surfaced in the last 24 hours as Winnti’s new Operation CuckooBees campaign came to light.
Meanwhile, phishing emails have proven to be the go-to attack vector in several ongoing campaigns that target NHS employees and verified Twitter accounts. The ultimate goal of these campaigns is to harvest credentials from victims.
Winnti steals trade secrets
A newly discovered campaign, Operation CuckooBees, associated with the Winnti APT group was found stealing intellectual property from several organizations across North America, Europe, and Asia. The campaign leveraged the Windows Common Log File System (CLFS) mechanism to evade detection and deliver a variety of new malware loaders, including the new DEPLOYLOG loader and new versions of Spyder Loader, PRIVATELOG, and WINNKIT.
NSW hit
The transport agency of the Australian state of New South Wales (NSW) revealed that it was impacted by a cyberattack in early April. The attack was launched via the agency’s Authorised Inspection Scheme (AIS) online application system. During the incident, an unauthorized third party successfully accessed a small number of the application’s user accounts.
NHS employees targeted in phishing attacks
Researchers have detected an ongoing phishing attack campaign targeting the National Health Service (NHS). The campaign uses hijacked NHS email accounts to send credential harvesting links to employees based in England and Scotland. So far, around 1,157 phishing emails used for this purpose have been identified in the attack.
Twitter accounts targeted
Multiple verified Twitter accounts have been targeted in an ongoing phishing email attack operation to collect login credentials from users. These accounts belong to celebrities, politicians, influencers, journalists, and private and public entities. These accounts are particularly sought after by hackers to promote scam campaigns and malicious activities.
WooCommerce cart under attack
Researchers observed a malicious credit card swiper injected into WordPress’ wp-settings.php file. The card swiper was designed exclusively to target online stores running the WooCommerce platform.
Golang variants of BlackByte ransomware exposed
Researchers have shared technical details of two new Go variants of the recently discovered BlackByte ransomware. The first variant was seen in the wild in September 2021, and the second, referred to as BlackByte v2, was discovered in February 2022. Both variants employ various anti-analysis techniques, including a multitude of encryption algorithms, to stay under the radar.
Scammers target craft fair vendors
Multiple crafting community groups across the U.K. were targeted in a scam that promised to help them secure a stall at a fair. The scammers asked the groups to book their spots using a fake booking form that harvested their personal and financial information, then asked the victims to pay £60 to £75 to confirm their booking. In the end, the victims lost their money to the scammers.
APT38’s new ransomware strain
Researchers have linked several ransomware strains to the APT38 hacking group. These strains are Beaf, PXJ, ZZZZ, and ChiChi. It is believed that Beaf, PXJ, and ZZZZ share a notable amount of source code and functionality with the VHD and TFlower ransomware.