With several tricks up their sleeves, Wizard Spider—the gang behind the TrickBot trojan—is bouncing back for the second innings. The group has been linked with a new ransomware strain dubbed Diavol that uses Asynchronous Procedure Calls (APCs) and asymmetric algorithms to encrypt files.
Not only TrickBot, but the operators of Mirai have also launched a new botnet named Mirai_ptea that targets a new vulnerability in the KGUARD DVR devices. According to researchers’ telemetry, the botnet is mainly distributed across the U.S., Korea, and Brazil.
Buer Loader and Smoker Loader notoriety also drew researchers’ attention, raising concerns about the rising threat of malware downloaders.
Top Breaches Reported in the Last 24 Hours
Spain’s 4th largest telecom operator MasMovil Ibercom has become the latest victim of the infamous REvil ransomware. To claim the attack, the group has shared screenshots of the folders named Backup, RESELLERS, PARLEM, and OCU. MasMovil has confirmed the attack and further mentioned that there has been no demand for ransom from the gang.
Another target of REvil
The University Medical Center of Southern Nevada is another organization to have fallen victim to a REvil ransomware attack. Following the attack, the gang has posted screenshots of stolen data that includes driver’s licenses, passports, and Social security numbers of many users.
MonPass server breached
Hackers breached a server of MonPass to deploy a Cobalt Strike-based backdoor. The backdoor was active between February and March. However, the incident came to light in late March.
LimeVPN data on sale
Data stolen from LimeVPN is up for sale on RaidForums dark marketplace. The stolen records consist of user names, passwords in plain text, IP addresses, and billing information.
New Skills Academy
New Skills Academy has suffered a data breach that resulted in the loss of sensitive data belonging to its students. The threat actors gained unauthorized access to the network to steal usernames, email addresses, and encrypted passwords of individuals.
Top Malware Reported in the Last 24 Hours
Smoke Loader detected
A new threat campaign is enticing users to download Smoke Loader malware from a fake Privacy Tools website that pretends to offer file protection services. The malware is downloaded as an initial stage payload, which later drops Racoon Stealer and RedLine malware as final payloads.
New Diavol ransomware
A newly found Diavol ransomware has been linked to the Wizard Spider threat actor group, famously known for its TrickBot trojan. The thing that sets it apart from other ransomware is the way it encrypts files. Diavol uses user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm as part of its encryption procedure. Currently, the source of intrusion is unknown.
New Mirai_ptea botnet
A new variant of Mirai botnet dubbed Mirai_ptea is exploiting a new vulnerability in KGUARD DVR to propagate across IoT devices. According to researchers’ telemetry, the botnet is mainly distributed across the U.S., Korea, and Brazil.
Buer Loader spotted
A phishing campaign themed around the COVID-19 vaccine was launched to distribute Buer Loader. The subject line of the email read, ‘Covid-19 Vaccination Information.’ to gain the attention of recipients.
Top Vulnerabilities Reported in the Last 24 Hours
Vulnerable ProfilePress plugin
Several vulnerabilities found in the ProfilePress plugin can allow attackers to escalate user privileges and upload malicious code, resulting in the complete takeover of a WordPress site. The flaws are tracked as CVE-2021-34621, CVE-2021-34622, CVE-2021-34623, and CVE-2021-34624. Patches to fix the vulnerabilities were released this May.
Vulnerable WAGO devices
Several critical and high-severity vulnerabilities identified in PLC and HMI products have been patched by the manufacturer WAGO. Two of these vulnerabilities are tracked as CVE-2021-34566 and CVE-2021-34567. These flaws can allow attackers to cause a denial of service condition and in some cases, even arbitrary code execution attacks.