Go to listing page

Cyware Daily Threat Intelligence, March 24, 2022

Cyware Daily Threat Intelligence, March 24, 2022

Share Blog Post

Cybercriminals are hiding malware in places that victims wouldn’t have thought about. Threat actors behind Vidar infostealer have upgraded their evasion techniques by hiding the malware in a Microsoft Compiled HTML Help (CHM) file. So, watch out for any unsolicited email containing a generic subject line and an attachment named ‘request.doc.’ In another incident, JSSLoader operators has been found leveraging XLL files to spread across systems.

Another new wiper malware, called Double Zero, has emerged in the threat landscape. It is being actively used against organizations in Ukraine with an aim to discard the existing content from disks.

Top Breaches Reported in the Last 24 Hours

Operation Dragon Castling campaign
An unknown Chinese threat actor has been targeting betting companies in Taiwan, Hong Kong, and the Philippines. Dubbed Operation Dragon Castling, the attack exploits a vulnerability in WPS Office to plant the MulCom backdoor on targeted systems. Phishing emails are used as an initial infection vector.

Central Bank of Russia hacked
The Anonymous Collective hacker group claimed to have hacked the Central Bank of Russia and stolen 35,000 documents. The news comes just one day after the attackers stole 10 GB of data from Nestlè.

Top Malware Reported in the Last 24 Hours

New DoubleZero wiper
CERT-UA has issued an advisory about a new DoubleZero wiper malware that is targeting Ukrainian organizations. The malware has been actively used since March 17 and is launched via spear-phishing emails. DoubleZero overwrites the content with zero blocks of 4096 bytes or using API-calls NtFileOpen, NtfsControlFile.

Malicious npm packages discovered
Hundreds of malicious npm packages were used in a large-scale attack to target Microsoft Azure developers. Some of the impacted packages include @azure npm scope, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. Researchers claim that typosquatting was used to dupe developers into downloading malicious packages.

Vidar malware spotted
Threat actors are hiding Vidar malware in Microsoft Compiled HTML files to avoid detection in email spam campaigns. The campaign uses a phishing email with a generic subject line and an attachment named ‘request.doc, which is actually an ISO disk image. The ISO image contains two files- a Microsoft Compiled HTML Help file and an executable file.

JSSLoader malware infection
A new wave of JSSLoader infections has been observed this year. Attackers are using XLL files to deliver the malware. The file is distributed in the form of Excel attachments through emails.

Top Vulnerabilities Reported in the Last 24 Hours

VMware patches two flaws
VMware has released patches for two critical security vulnerabilities affecting its Carbon Black App Control platform. Tracked as CVE-2022-22951 and CVE-2022-22952, the flaws can be exploited by malicious actors to execute arbitrary code on affected installations in Windows systems. The flaws have a rating of 9.1 on the CVSS scale.


double zero
malicious npm packages
jssloader rat
vidar info stealer
operation dragon castling

Posted on: March 24, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.