Cyware Weekly Threat Intelligence - May 03–07

Weekly Threat Briefing • May 7, 2021
Weekly Threat Briefing • May 7, 2021
The Good
While you anxiously wait for the weekend, here’s a bit of good news to cheer you up. As industrial systems are witnessing increased cybercrime activities, the NSA has provided guidance on securing the connections between IT systems and OT systems. In similar news, the U.S. Attorney's Office for the District of Maryland seized a fake vaccine domain pretending to develop COVID-19 vaccines.
The Bad
Not everything is sunshine and rainbows in the cyberworld, just like the physical world right now. The Avaddon ransomware gang was pretty busy this week, extorting unfortunate victims. Victims of the Codecov supply chain attack keep popping up almost every week; this week it was Twilio. In other news, there has been a bounty of data breaches. One of the most significant data breaches is that of USAGM.
New Threats
We were blessed, unfortunately, with several new malware strains this week. Researchers found a new threat actor that launched a cyberespionage campaign deploying three new malware. Call it a triple whammy, if you may! The latest Buer loader now comes written in Rust and efficiently evades detection. In the same vein, we should inform you about a new variant of an Android malware—Ghimob—that is on the prowl to steal your banking credentials.
Three new malware, DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, were associated with a massive cyberespionage campaign that targeted many organizations in the U.S. Launched via phishing emails, the attacks were carried out by a new uncategorized group - UNC2529.
A new cryptocurrency stealer variant, Panda Stealer, has been found targeting individuals across the U.S., Australia, Japan, and Germany. It is being spread through a global spam campaign that leverages Discord channels.
A malware tracked as Javali, is being widely used to target users in Latin America and Europe. The malware is distributed via phishing emails that pretend to be a delivery notice.
The new Buer malware loader variant is being propagated via phishing emails. Dubbed RustyBuer, the new strain is written in Rust language and is capable of delivering Cobalt Strike Beacon as a second-stage payload.
A new Windows malware called Pingback has been found using DLL hijacking attack to target Microsoft Windows 64-bit systems. The malware takes advantage of ICMP for its C2 activities.
Researchers have demonstrated a new attack technique, dubbed TBONE, that can enable attackers to hack Tesla and other cars remotely without any user interaction. The abuses two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices.
A newly revealed DNS bug, dubbed TsuNAME, can now be used by threat actors as an amplification vector in massive reflection-based DDoS attacks against authoritative DNS servers.
Moriya, a previously unknown rootkit, is being used by unknown threat actors to execute passive backdoors on public-facing servers. It enables the attackers to spy on victim network traffic. This rootkit is part of the TunnelSnake campaign.
A new Android malware named Ghimob is impersonating third-party apps to steal and spy on user data. It mainly targets cryptocurrency and online banking.