Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Weekly Threat Intelligence, April 11 - 15, 2022

Cyware Weekly Threat Intelligence, April 11 - 15, 2022 - Featured Image

Weekly Threat Briefing Apr 15, 2022

The Good

There’s always something good to look forward to. Finally, Microsoft took control of 65 domains that the chaotic ZLoader threat actors were leveraging to control, expand, and communicate with its botnet. In parallel, the law enforcement authorities shut down the dark web marketplace RaidForums.

  • Microsoft dismantled 65 domains associated with the ZLoader threat actors, thereby taking down the group behind cybercrimes worth millions of dollars. The ZLoader operators employ malware-as-a-service to steal and extort money; the botnet consists of malware-infected devices belonging to global businesses, schools, hospitals, and homes.

  • International law enforcement ran an operation, TOURNIQUET, to successfully seize RaidForums, an infamous dark web marketplace known for offering stolen personal data. The operation was conducted by law enforcement agencies from the U.S., U.K., Portugal, Sweden, and Romania. The law enforcement agencies arrested the administrator of the dark web marketplace and two of his accomplices.

  • A group of cybersecurity companies that help defend industrial systems from hackers, joined forces to launch the Operational Technology Cybersecurity Coalition, which aims to strengthen the ICS and critical infrastructure in the U.S. The coalition aims to streamline how the founding members share threat information with each other and the government.

The Bad

In other updates, the Conti ransomware group is still running its business, despite the massive leak of its source codes. The group added three new organizations—Nordex, Snap-on, and Panasonic Corp.—to their list of victims. Security experts also expressed their concerns as the NB65 hacking group took advantage of Conti’s leaked source code to target organizations in Russia. The notorious Lazarus was also spotted making a comeback with fake job offer lures to ensnare individuals working in the chemical sector.

  • The Conti ransomware group added two new organizations to its list of victims. These were Snap-on and Panasonic Corp. While Snap-on was targeted in March, the Panasonic Corp. was compromised in February. Panasonic revealed that its Canadian operations were affected by the attack. On the other hand, Snap-on disclosed that attackers gained access to social security numbers, names, birthdates, and employee identification-related material of its franchisees and associates.

  • The Italian luxury fashion house Ermenegildo Zegna confirmed a ransomware attack that resulted in an extensive IT systems outage. The attack occurred in August 2021 and was the work of the RansomEXX ransomware group.

  • Christie Business Holdings Company revealed a data breach that affected the personal information of roughly 500,000 individuals. Threat actors gained unauthorized access to compromised email accounts between July and August 2021. According to the healthcare services provider, no electronic medical records and the firm’s patient portal were impacted in the incident.

  • The Anonymous collective group leaked 446GB of data after launching DDoS attacks against the Russian Ministry of Culture. The dumped data included around 600,000 new emails associated with the ministry.

  • California-based respiratory care provider SuperCare Health disclosed a data breach that affected more than 300,000 individuals. The exposed files included names, addresses, dates of birth, medical record numbers, patient account numbers, and health-related information of patients. In some cases, social security numbers, and driver’s license numbers were compromised.

  • A hacking group named NB65 used Conti’s leaked source code to create its own ransomware. This new ransomware was used in a series of cyberattacks against organizations in Russia. The attackers leveraged the ransomware to steal data and later leaked it online.

  • LockBit ransomware group managed to maintain its persistence on a regional U.S. government agency for at least five months. However, logs retrieved from the compromised machines showed that two threat groups were engaged in reconnaissance and remote access operations. The toolset included utilities for brute-force attacks, scanning, and command execution.

  • The notorious Lazarus is back with the ‘Operation Dream Job’ campaign spree, targeting organizations in the chemical sector. The campaign has previously targeted individuals in the defense, government, and engineering sectors.

  • The FBI linked the $600 million cryptocurrency heist that targeted the players of the popular video game Axie Infinity to the infamous North Korean cybercrime groups - Lazarus and APT 38. The attackers had exploited a network used to send cryptocurrency to carry out the heist.

New Threats

Researchers warned about a set of five new vulnerabilities that could put impact patient care. Microsoft identified a new defense evasion malware, named Tarrask, that leverages a zero-day flaw in Windows task scheduling. Besides, two new deadly botnets—called Enemybot and Fodcha— capable of launching massive DDoS attacks were also unearthed in two disparate campaigns. Additionally, a new version of RedLine Stealer is gaining popularity in cybercrime forums for its ability to pilfer credentials from web browsers, cryptocurrency platforms, and email accounts.

  • Microsoft uncovered a new campaign associated with the Chinese-backed Hafnium hacking group. The campaign leveraged an unpatched zero-day in Windows task scheduling to deploy a new malware named Tarrask.
  • A new Enemybot botnet, which was first discovered in March, borrows modules from both Mirai and Gafgyt botnets. It was recently observed targeting routers from Seowon Intech, D-Link, Netgear, and Zhone. The threat actors behind the botnet employ brute-force attacks and exploit tools to compromise devices.
  • Security researchers detected a new Remcos RAT campaign that targeted the African banking sector. Threat actors attempted to deliver the malware using the HTML smuggling technique. The phishing emails purported to be from a recruiter from another African bank with information about job opportunities.
  • The notorious Emotet trojan has been upgraded with 16 additional modules. Some of these modules are used for spamming and pilfering credentials from different web browsers and email accounts.
  • Researchers spotted a new scam call tactic called the eavesdropping scam. This involves voicemail messages that include critical information about the targeted users. Once the victims return the call, the scammers can run a variety of scams, most commonly offering fraudulent tax relief services. It is revealed that the scam had first emerged in early 2022.
  • A new version of RedLine stealer named Meta Stealer is being sold at $125 for a monthly subscription or $1,000 for unlimited lifetime use. It is capable of stealing passwords from Chrome, Edge, Firefox, and cryptocurrency wallets.
  • Researchers shared details about the new Fakecalls banking trojan. It mimics the mobile apps of popular Korean banks to spy on users. When installed, the trojan immediately requests permission to access contacts, microphone, camera, geolocation, and call handling. Kaspersky found that, in some cases, the trojan can imitate phone conversations with customer support.
  • CERT-UA had released mitigation measures for a new variant of the Industroyer malware dubbed Industroyer-2. The malware variant was used by Sandworm APT to launch attacks against high-voltage electrical substations in Ukraine.
  • A set of five newly discovered vulnerabilities called JekyllBot:5 were found impacting Aethon TUG autonomous mobile robots. The flaws, if exploited, could put several medical firms at risk of remote hijack. Attackers can gain access to real-time camera feeds, disrupt the timely delivery of patient medication, and interfere in operations.
  • The operators behind Qbot trojan were found leveraging MSI Windows Installer packages to push the malicious payload. The packages are embedded within password-protected ZIP archive attachments that are sent via phishing emails.
  • The CISA urged federal agencies to patch a WatchGuard firewall vulnerability that is being actively exploited in the wild. The vulnerability, tracked as CVE-2022-23176, affects the Fireware OS running on WatchGuard Firebox and XTM appliances.
  • A malware, called PIPEDREAM, capable of targeting ICS/SCADA systems was unveiled this week. The malware can target a wide range of PLCs from Schneider Electric and Omron. It can also attack other industrial technologies from the likes of CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).
  • A newly discovered Fodcha botnet infected around 62,000 IoT devices between March 29 and April 10. The botnet is distributed via brute-force attacks and exploits. Most of its infected devices are located in China.
  • A threat actor dubbed Haskers Gang is actively using the Telegram and Discord platforms to promote a newly discovered information-stealing malware named ZingoStealer that comes with the capabilities of XMRig miner and RedLine Stealer. Since its inception, malware has targeted gamers in Russia.
  • The UAC-0041 threat cluster leveraged a known vulnerability (CVE-2018-6882) in Zimbra software to distribute the IcedID trojan. The campaign targeted organizations in Ukraine.

Related Threat Briefings

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.