Go to listing page

Cyware Daily Threat Intelligence, March 29, 2022

Cyware Daily Threat Intelligence, March 29, 2022

Share Blog Post

Organizations and individuals are caught in the crosshairs of the burgeoning malware attack trends. A new malware loader dubbed Verblecon managed to stay under the radar for around a year only to be discovered now. Researchers uncovered the malware recently in a campaign that was used to install cryptocurrency miners on infected machines. In another instance, VMware Horizon servers vulnerable to Log4Shell vulnerability were found being exploited to deploy a backdoor named Sliver, and four miners - z0Miner, JavaX miner, Jin, and Mimu.

Furthermore, nearly 800 malicious npm packages have been found in a large-scale software supply chain attack to target developers. The packages are used by the RED-LILI threat actor to evade detection.

Top Breaches Reported in the Last 24 Hours

DDoS attacks spotted
Hackers are compromising WordPress sites to use visitors’ browsers as a channel to launch DDoS attacks on Ukrainian websites. During the investigation, researchers found that Ukrainian websites belonging to government agencies think tanks, recruitment sites for the International Legion of Defense of Ukraine, and banking have been affected by such attacks.

Indian government officials targeted
A new Transparent Tribe APT campaign targeting the Indian government and military officials has been uncovered by researchers. The campaign has been ongoing since June 2021 and uses fake domains mimicking legitimate sites to deliver Crimson RAT, a Python-based stager, and a NET-based downloader.

Top Malware Reported in the Last 24 Hours

Newly discovered Wslink loader
Researchers have discovered a new Wslink malware loader that runs as a server and executes modules in memory. The malware makes use of process virtual machine as part of its obfuscation process.

Sophisticated Verblecon loader
A newly discovered malware loader, dubbed Verblecon, is being used to install cryptocurrency miners on infected machines. Despite being around for more than a year, the malware sample is able to maintain a low detection rate due to the polymorphic nature of the code. Researchers claim that cybercriminals may use the loader in the future to disseminate ransomware and even launch espionage attacks.

Backdoor and miners detected
Researchers are warning that the Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners onto vulnerable VMware Horizon servers. The campaign leverages remote monitoring software packages, Atera or Spashtop, and the backdoor detected is Sliver. The four miners are z0Miner, JavaX miner, Jin, and Mimu.

Software supply chain attack campaign
A threat actor dubbed RED-LILI has been linked to an ongoing large-scale supply chain attack campaign that targets the NPM package repository. Researchers found nearly 800 malicious packages that were published in the repository via a fully-automated system that enabled the attacker to bypass the verification process.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft issues patches
Microsoft has issued patches for fIve security flaws discovered in Microsoft Azure’s Defender for IoT. The flaws were discovered last year and are tracked as CVE-2021-42310, CVE-2021-42312, CVE-2021-37222, CVE-2021-42313, and CVE-2021-42311. They are marked as critical and have a rating of 10 on the CVSS scale.

Top Scams Reported in the Last 24 Hours

Employment fraud
Threat actors have been found sending nearly 4,000 phishing emails related to fake jobs to trick victims into sharing their personal data or committing money laundering. They pose as recruiters or employers and offer jobs ranging from caregivers to administrative assistants, models, or rebate processors. Researchers shared specific examples that include fake job offers from UNICEF and fashion brands like Zaful and Fashion Nova. In order to look convincing, these phishing emails include logos for corporate brandings, spoofed university addresses, Google Forms, and fake checks.


red lili threat actor
log4shell vulnerability
javax miner
vmware horizon servers

Posted on: March 29, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.