Cyware Daily Threat Intelligence, March 17, 2022

Poorly secured devices, networks, and servers are being weaponized to launch sophisticated malware attacks. In the past 24 hours, cybercriminals targeted unsecured Microsoft SQL and MySQL database servers to deploy Gh0stCringe RAT on devices. In another instance, the new DirtyMoe malware, which includes worm-like capabilities, has been found leveraging older, well-known vulnerabilities to compromise more systems. Moreover, the operators of TrickBot are exploiting Mikrotik routers in an attempt to refine their evasion technique and gain persistence on affected systems.

Besides these threats, security experts have unearthed a new LokiLocker ransomware that is being used to infect Windows systems. Its data-wiping capability leaves users with no chance to restore their lost files.

Top Breaches Reported in the Last 24 Hours

GoDaddy-hosted sites affected
Around 281 WordPress sites hosted on GoDaddy were infected by a backdoor. The affected sites include MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe. The campaign used SEO poisoning to launch the backdoor and stole money and personal information from users.

Misconfigured apps leak data
Nearly 2113 misconfigured mobile apps with tens of millions of downloads were found leaking users' data. The issue existed in the apps' backend cloud databases. One of these apps belonged to a social audio platform that leaked bank details, locations, phone numbers, and chat messages. Another, a bookkeeping app, had exposed 280,000 phone numbers linked to at least 80,000 company names, addresses, bank balances, cash balances, invoice counts, and emails.

Top Malware Reported in the Last 24 Hours

Emotet makes use of tax season
The Emotet trojan is taking advantage of the 2022 U.S. tax season to send out malicious emails pretending to be from the Internal Revenue Service. As part of the infection chain, the attackers hijack victims' existing email conversations to send fake tax forms or federal returns. Once the victim opens the attached Word or Excel document, they are tricked into enabling macros, which download the malware onto the computer.

Gh0stCringe RAT spotted
Hackers are targeting poorly secured Microsoft SQL and MySQL database servers to deploy the Gh0stCringe RAT on devices. The RAT is a powerful malware that establishes a connection with the C2 server to receive custom commands or exfiltrate stolen information to the adversaries.

Malicious npm package
A malicious version of the popular npm package 'node-ipc' was used to delete all data and overwrite files on developers' machines, in addition to creating new text files containing 'peace' messages. Selected versions of the package were used to target users in Russia and Belarus.

LokiLocker ransomware
A newly discovered ransomware, LokiLocker, which includes disk-wiping functionality, has emerged in the ransomware threat landscape. It was first seen in August 2021. It shares similarities with LockBit, which is an infostealer.

TrickBot’s capabilities expand
Researchers disclosed that the TrickBot malware is abusing MikroTik routers to establish connections with the attackers' C2 servers. This adds another persistence layer that helps the malware evade detection by standard security systems.

DirtyMoe malware upgraded
The DirtyMoe malware has gained new worm-like capabilities to expand its reach. The worming module targets older, well-known vulnerabilities, such as the Hot Potato privilege escalation vulnerability in Windows, to perform reconnaissance.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome 99 update
A Chrome 99 update released by Google patches a critical vulnerability, tracked as CVE-2022-0971 and described as a use-after-free issue in the Blink Layout component. The update includes 11 security fixes in total, eight of which are rated high-severity on the CVSS scale.

Flaw in CRI-O container engine fixed
A severe vulnerability affecting the CRI-O container engine for Kubernetes could be exploited to escape the container and gain root access to the host. Tracked as CVE-2022-0811, the flaw exists due to the lack of proper validation for kernel parameters passed to the pinns utility. The flaw was resolved with the release of CRI-O versions 1.22.3, 1.21.6, 1.20.7, and 1.19.6.
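Because the fix for CVE-2022-0811 was shipped as a separate patch release on each supported minor branch, a simple "is my version newer than X" check is not enough: a node on 1.21.5 is unpatched even though it is numerically "newer" than the fixed 1.19.6. The following Python helper, added here as an example and not part of the Cyware brief or the CRI-O project, takes the four fixed releases listed above and reports which nodes in a constructed inventory still need updating. It assumes that minor branches newer than 1.22 were released with the fix already in place, and treats branches older than 1.19 as unpatched because no fix is listed for them.

```python
# Added example: branch-aware version check for the CRI-O fix of CVE-2022-0811.
# The fixed versions below are the ones stated in the brief; everything else
# (version-string format, inventory contents) is constructed for illustration.
import re

# Fixed release per minor branch, keyed by (major, minor).
CRIO_FIXED_VERSIONS = {
    (1, 22): (1, 22, 3),
    (1, 21): (1, 21, 6),
    (1, 20): (1, 20, 7),
    (1, 19): (1, 19, 6),
}

# Accepts forms such as "1.22.3", "v1.22.3" or "1.22.3-dev"; trailing
# pre-release/build suffixes are ignored for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a CRI-O version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CRI-O version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def crio_patched_for_cve_2022_0811(text):
    """Return True if this CRI-O version carries the CVE-2022-0811 fix.

    Branches with a listed fix are compared against that branch's fixed
    patch level. Branches newer than 1.22 are assumed patched (the fix was
    carried forward); branches older than 1.19 have no listed fix and are
    reported as unpatched.
    """
    major, minor, patch = parse_version(text)
    fixed = CRIO_FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return (major, minor) > (1, 22)
    return (major, minor, patch) >= fixed


def unpatched_nodes(inventory):
    """Given {node_name: crio_version}, return the sorted list of node names
    whose CRI-O version does not carry the fix."""
    return sorted(
        node for node, version in inventory.items()
        if not crio_patched_for_cve_2022_0811(version)
    )


# Constructed inventory (hypothetical node names and versions).
SAMPLE_INVENTORY = {
    "worker-01": "v1.22.3",      # fixed release on the 1.22 branch
    "worker-02": "1.22.2",       # one patch level short on 1.22
    "worker-03": "1.21.6",       # fixed release on the 1.21 branch
    "worker-04": "1.21.5",       # numerically above 1.19.6 but still unpatched
    "worker-05": "1.20.7-dev",   # suffix ignored, patch level meets the fix
    "worker-06": "1.18.4",       # branch with no listed fix
    "worker-07": "1.23.0",       # newer branch, assumed patched
}

if __name__ == "__main__":
    for node in unpatched_nodes(SAMPLE_INVENTORY):
        print(f"{node}: CRI-O {SAMPLE_INVENTORY[node]} is not patched for CVE-2022-0811")
```

The comparison key is the full (major, minor, patch) tuple, so a version on the wrong branch is never mistaken for a fixed one; in practice the inventory would be populated from the container runtime version reported by each node rather than typed in by hand.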

Top Scams Reported in the Last 24 Hours

CryptoRom crypto scam
Researchers disclosed a new CryptoRom scam that has been active since 2021. The scam primarily affected Bumble and Tinder users across Asia, the U.S., and Europe by luring them into downloading fake cryptocurrency apps. As per the latest update, the scammers have evolved their tactics and are now leveraging WhatsApp to expand their reach. The messages pretend to offer investment opportunities and trading tips, along with links to fake cryptocurrency and trading apps that promise huge financial returns to victims.

Royal Mail scams
A new round of fake SMS messages pretending to come from Royal Mail has been targeting users in the U.K. The message prompts recipients to confirm the tracking number and the recipient name, claiming that the parcel label was damaged, by clicking on a link. The link redirects victims to a sign-up form for a 'new iPhone 12' parcel, for which they would be charged a small amount.

Tags

trickbot malware
mikrotik routers
emotet trojan
lokilocker ransomware
ghostcringe rat

Posted on: March 17, 2022