Cyware Weekly Threat Intelligence, August 29 - September 02, 2022

Weekly Threat Briefing • September 2, 2022
Weekly Threat Briefing • September 2, 2022
The NSA and the CISA have jointly released a series of guidelines to address threats from software supply chain attacks against the U.S. critical infrastructure and national security systems. The U.K telecom sector will have to follow a new security framework that is claimed to be one of the strongest regulations in the world. The framework has been developed to protect telecom networks against cyberattacks, data breaches, and software supply chain attacks.
There’s a new twist in software supply chain attacks on software repositories. New details related to the first ever phishing attack on the PyPi package repository have emerged this week. Researchers revealed that it was the work of a new threat actor named JuiceLedger that compromised hundreds of legitimate packages to deliver the JuiceStealer malware. The malware siphons passwords and other sensitive data from victims' web browsers. The notorious Evil Corp group is still at large and now is piggybacking on Raspberry Robin infrastructure to launch its attacks.
There’s no honor among thieves and this fits well with the gang behind the Prynt Stealer info-stealing malware. The threat actors have added a secret backdoor to send copies of data exfiltrated by WorldWind and DarkEye malware families to a private Telegram chat. Meanwhile, multi-platform ransomware families are gaining traction among threat actors seeking to cause damage to more than one organization at a time. In this row, researchers have discovered a new ransomware, called BianLian, that has targeted around 15 organizations.
A new Golang-based malware campaign was identified leveraging deep field images from NASA’s James Webb Space Telescope to deploy malware on infected devices. The campaign dubbed GO#WEBBFUSCATOR involved sending phishing emails that contained a Microsoft Office attachment named Geos-Rates.docx.
Check Point researchers shared details of a new campaign that distributed Nitrokod cryptominer. So far, the campaign has targeted 111,000 users in 11 countries. The crypto miner is used to mine Monero.
Developers behind Prynt Stealer info-stealing malware have created a secret backdoor that ends up in every derivative copy and variant of WorldWind and DarkEye malware families. The backdoor sends copies of victims’ exfiltrated data gathered by other threat actors to a private Telegram chat handled by the authors of the Prynt Stealer builder.
Snake keylogger was spotted in a new malspam campaign disguised as a business portfolio from a Qatari-based IT services provider. The attack originated from IP addresses in Vietnam and has already reached thousands of inboxes.
A cross-platform ransomware, dubbed BianLian, emerged in the threat landscape. Written in the Go language, the ransomware has claimed around 15 organizations as of September 1 as its victims. The initial access to victim networks is achieved by exploiting the ProxyShell flaw.
Researchers at AT&T have released details about a sophisticated cryptomining campaign in which 100 different malware loaders were leveraged to deploy miners and backdoors on the infected systems. These loaders were sent via phishing emails that used Mexican governmental documents, social security numbers, and tax returns as lures.
Cisco Talos identified three distinct campaigns, between March and June, delivering an array of malware, including ModernLoader and RedLine infostealer. Threat actors had used PowerShell, .NET assemblies, as well as HTA and VBS files to spread across a targeted network.
McAfee threat analysts discovered five Google Chrome extensions that track users’ browsing activities. The extensions have been, collectively, downloaded over 1.4 million times. The extensions claim to offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website.
A new, highly evasive JavaScript skimmer used by Magecart threat actors is under investigation. The skimmer is being used to target Magneto e-commerce websites.