Go to listing page

Cyware Daily Threat Intelligence, May 04, 2022

Cyware Daily Threat Intelligence, May 04, 2022

Share Blog Post

Unprecedented ransomware attacks from North Korean hacking groups have grabbed the attention of researchers. This follows the discovery of four ransomware strains that were used in the wild over the past two years to extort APT38’s victims. The four ransomware in question are Beaf, PXJ, ZZZZ, and ChiChi. In another update, several new malware loaders were registered in the last 24 hours as Winnti’s new Operation CuckooBees campaign surfaced. 

Meanwhile, phishing emails have turned out to be a significant go-to-attack vector in different ongoing attack campaigns that target NHS employees and verified Twitter accounts. The ultimate goal of these campaigns is to harvest credentials from victims.

Top Breaches Reported in the Last 24 Hours

Winnti steals trade secrets
A newly discovered Operation CuckooBees campaign associated with the Winnti APT group was found stealing intellectual property from several organizations across North America, Europe, and Asia. The campaign had leveraged the Windows Common Log Files System (CLFS) mechanism to evade detection and distribute a variety of new malware loaders, such as a new DEPLOYLOG loader, and different new versions of Spyder Loader, PRIVATELOG, and WINNKIT. 

NSW hit
The Australian state of New South Wales’s (NSW) transport agency revealed that it was impacted by a cyberattack in early April. The attack was launched via the agency’s Authorised Inspection Scheme (AIS) online application system. During this incident, an unauthorized third-party successfully accessed a small number of the application’s user accounts.

NHS employees targeted in phishing attacks
Researchers have detected an ongoing phishing attack campaign targeting the National Health Service (NHS). The campaign uses hijacked NHS email accounts to send credential harvesting links to employees based in England and Scotland. So far, around 1,157 phishing emails used for this purpose have been identified in the attack.

Twitter accounts targeted
Multiple verified Twitter accounts have been targeted in an ongoing phishing email attack operation to collect login credentials from users. These accounts belong to celebrities, politicians, influencers, journalists, and private and public entities. These accounts are particularly sought after by hackers to promote scam campaigns and malicious activities.  

Top Malware Reported in the Last 24 Hours

WooCommerce cart under attack
An instance of a malicious credit card swiper being injected into WordPress’ wp-settings.php file was observed by researchers. The malicious card swiper was exclusively designed to target online stores using the WooCommerce platform. 

Golang variants of BlackByte ransomware exposed
Researchers have shared technical details of two new Go variants of recently found BlackByte ransomware. The first variant was seen-in-the-wild in September 2021 and the second variant, referred to as BlackByte v2, was discovered in February 2022. Both the variants employ various anti-analysis techniques, including a multitude of encryption algorithms to stay under the radar.

Top Scams Reported in the Last 24 Hours

Scammers target craft fair vendors
Multiple crafting community groups across the U.K were targeted in a scam that promised to help them grab a stall at a fair price. The scammers asked the groups to book their spots using a fake booking form that harvested their personal and financial information. Later, it asked the victims to make payments of £60 to £75 to confirm their booking. However, this ended up with victims losing money at the hand of scammers. 

New Threat in Spotlight

APT38’s new ransomware strain
Researchers have linked several ransomware strains to the APT38 hacking group. These ransomware are Beaf, PXJ, ZZZZ, and ChiChi. It is believed that  Beaf, PXJ, and ZZZZ share a notable amount of source code and functionalities with VHD and TFlower ransomware. 


operation cuckoobees campaign
nhs employees
apt38 hacking gorup
woocommerce cart
spyder loader

Posted on: May 04, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.