Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Weekly Threat Intelligence - February 07–11

Cyware Weekly Threat Intelligence - February 07–11 - Featured Image

Weekly Threat Briefing Feb 11, 2022

The Good

It rained ransomware decryptors this week. A former operator and self-proclaimed developer for Maze, Egregor, and Sekhmet released decryptors for the victims. They claimed that this was a planned course of action and has nothing to do with recent takedown efforts by law enforcement. Russia took down three prolific online shops for stolen payment card data and stated that similar domains will be targeted in the near future.

  • Decryptors for three infamous ransomware families—Maze, Egregor, and Sekhmet—have been recently released by an operator named ‘Topleak.’ Meanwhile, there is also a free Emsisoft decryptor for the above-mentioned ransomware.

  • Avast has released a decryption utility to recover files encrypted by TargetCompany ransomware for free. The decryptor works by cracking the password that has been appended to the encrypted files.

  • In the light of rising sophisticated cyberattacks targeting critical infrastructure throughout 2021, cybersecurity agencies from Australia, the U.K, and the U.S. released a joint advisory that offers trends, behaviors of criminals while also underlining recommendations for mitigation.

  • The crackdown on cybercrime in Russia continues with authorities seizing three carding marketplaces, namely Ferum Shop, Sky-Fraud, and Trump’s Dumps. The Russian Federation, furthermore, detained six people who were allegedly members of a group involved in trading stolen credit cards.

  • The U.S. Department of Justice seized almost $4.5 billion worth of cryptocurrency, stolen during the 2016 Bitfinex crypto exchange hack. A Manhattan couple has been arrested for stealing 119,756 Bitcoins in the attack.

  • From April, Microsoft will disable macros in Office files downloaded from the internet. Documents downloaded from untrusted sources will have a Mark of the Web (MOTW) attribute to block macros. The changes will be implemented in the current version of Office, with patches for Office LTSC and Office versions 2013, 2016, 2019, and 2021.

The Bad

Once again, a government agency was the target of a major cyberattack. Unidentified adversaries attacked the U.K Foreign Office, in what is suspected to be a cyberespionage campaign. In a new revelation, the BlackCat ransomware group claimed to be former members of the now-defunct DarkSide gang. However, the elephant in the room is this APT group that remained hidden for a decade. Named ModifiedElephant, researchers have finally shed light on its operations.

  • More than 500 online stores running the outdated Magento 1 platform were compromised in a large-scale digital skimming attack. Researchers indicate that nearly 19 backdoors were deployed on compromised systems. All of these websites were compromised by exploiting a known vulnerability in the Quickview plugin.

  • Threat actors are using a Windows living-off-the-land binary (LOLBin) known as Regsvr32 to drop trojans like Lokibot and Qbot. The tactic allows attackers to bypass application whitelisting during the execution phase of the attack.

  • The U.K Foreign Office was the target of a serious cybersecurity incident. According to media reports, attackers infiltrated Foreign Commonwealth and Development Office (FCDO) systems. Nevertheless, not many details were available about the attack, and BAE Systems Applied Intelligence was called for urgent remediation.

  • Threat actors are using fake Windows 11 upgrade installers to trick users into downloading the RedLine stealer malware. The malware is currently being used to pilfer passwords, browser cookies, credit card details, and cryptocurrency wallet information. According to researchers, the attackers are using a seemingly legitimate ‘windows-upgraded.com’ domain for the malware distribution as part of their campaign.

  • Data of over 6,000 Puma employees was stolen following a ransomware attack in December 2021 that hit HR management platform Ultimate Kronos Group (UKG). The theft of the data was confirmed by Kronos on January 7. In its notification, Kronos informed that the attackers had accessed its cloud-based environment before deploying the ransomware.

  • The blockchain infrastructures of Meter and Moonriver networks were hacked, allowing attackers to steal $4.4 million in ETH and BTC. The attackers had exploited a feature that automatically wrapped and unwrapped gas tokens to pilfer the fund.

  • The BlackCat ransomware gang has confirmed that they are former members of the notorious BlackMatter/DarkSide ransomware. Discovered in November 2021, the ransomware is written in Rust language. It uses different encryption methods to encrypt files across a wide range of corporate environments.

  • CyberNews researchers uncovered five clones of The Pirate Bay, erected by scammers to serve malicious ads. The malvertising campaigns were impacting more than 7 million online users per month.

  • The Memorial Hermann Health System is notifying patients about a cyberattack that impacted their PHI. According to the health system, the incident has affected the information of 6,260 patients. The affected information includes first names, last names, dates of birth, driver’s license numbers, and health insurance information of individuals.

  • A cyberattack disrupted the operations of Pop TV, Slovenia’s most popular TV channel. The attack took place on February 09, following which the employees were prevented from adding new content to the platform.

  • Data belonging to Ohlone Community College District (OCDD) network in Fremont, California, has been compromised in a sophisticated cyberattack. This includes Social Security Numbers, dates of birth, driver’s license number, medical information, and bank account details of individuals.

  • Data stolen from accounting conglomerate Optionis Group by the Vice Society ransomware group has surfaced on the dark web. Report suggests that the exposed data include spreadsheets for management accounts, timesheets for contractors, as well as letters associated with HM Revenue and Customs.

  • Detailing about the tactics of ModifiedElephant APT, researchers revealed that the attackers relied on spear-phishing emails with malicious attachments for over a decade now to launch cyberespionage campaigns. On multiple occasions, the attached documents included exploits for CVE-2012-0158, CVE-2013-3906, CVE-2014-1761, and CVE-2015-1641. The emails were used to push keyloggers, remote access trojans like NetWire and DarkComet, and even Android malware.

New Threats

Coming to other new developments in the threat landscape this week, Medusa and Flubot have joined hands and their infection rates are drastically rising. The Out to Sea campaign, conducted by OilRig APT, has been going on for quite some time now. It shows no signs of drowning as a new backdoor—Marlin—has been introduced. Molerats has been slithering around with a new campaign and a previously undocumented implant, NimbleMamba. It has already dug its fangs into Middle Eastern entities.

  • A new variant of FritzFrog botnet, which comes with new features such as the use of the Tor proxy chain, has managed to make 24,000 attack attempts within a month. The target list includes organizations in the healthcare, education, and government sectors. Researchers claim that the operators are in the process of adding capabilities to target WordPress servers.
  • A new wave of attack campaigns from the Kimsuky hacking group has been found delivering a custom backdoor malware dubbed Gold Dragon. Gold Dragon is a second-stage backdoor that establishes persistence on the victim’s system. Furthermore, it helps the attackers install the xRAT tool to manually steal sensitive data from the targeted system.
  • A new backdoor dubbed Marlin has been associated with a long-running espionage campaign named Out to Sea that started in April 2018. The malware is a new addition to the arsenal of OilRig aka APT34 threat actor group. Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.
  • A threat actor tracked as Molerats has been associated with a new campaign that leverages a previously undocumented implant named NimbleMamba. The sophisticated attack campaign has targeted Middle Eastern governments, foreign policy think tanks, a state-affiliated airline, and a security firm. The new malware is believed to be an upgraded version of the SharpStage backdoor.
  • Researchers have detected some new activity in the Roaming Mantis attack campaign that has been active since 2018. The attackers have made changes in the Android trojan Wroba to target Android and iPhone users in Germany and France. Designed to steal credentials and distribute malware, the campaign is executed via malicious apps and phishing pages.
  • Security analysts at Vade found cybercriminals launching Right-to-Left Override attacks in a new bait to lure victims into accessing malicious files in order to steal their Office 365 credentials.
  • New attack campaigns that target Android users with Flubot and Medusa trojans have been uncovered by researchers. Both the malware are distributed via SMS phishing infrastructures that prompt users to install a missed package delivery app or fake version of Flash Player. While Medusa has so far infected 1,500 devices with targets in Canada, Turkey, and the U.S., Flubot has evolved to target users across Europe.
  • Siemens released nine advisories to address 27 new flaws in its SIMATIC products. The vulnerabilities, if exploited, could allow the attackers to remotely launch DoS attacks against several Siemens PLCs and related products.

Related Threat Briefings

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.