Cyware Monthly Threat Intelligence, April 2021

The Good

Controlling one of the most dangerous and prolific malware threats is a major achievement. In a big blow to Emotet operators, a coordinated law enforcement action disrupted the infamous botnet and caused it to self-destruct. In other news, Microsoft released a simulator for studying attacks on networks by AI-controlled cyber agents. Further, the U.K. NCSC presented a free cybersecurity training program for teachers and staff.

  • European law enforcement agencies used a customized DLL to wipe out the notorious Windows malware Emotet. The specially crafted DLL caused the software to self-destruct. In addition, the FBI shared about 4.3 million email addresses stolen by Emotet with the Have I Been Pwned breach notification site to help the victims mitigate the threats they face.
  • The NFC Forum released a new framework for NFC-enabled mobile devices that will safeguard the confidentiality and privacy of NFC communications.
  • Microsoft developed an open-source cyberattack simulator that allows developers to create simulated environments in which to play against AI-controlled cyber agents. Dubbed CyberBattleSim, this Python-based OpenAI Gym interface models the way intruders spread laterally across a network.
  • The Internet of Secure Things Alliance (ioXt) launched a new security certification for VPNs and mobile apps. The compliance program consists of a set of security-related requirements against which apps can be certified.
  • The U.K. NCSC released a free cybersecurity training package for teachers and staff to help them mitigate cyber threats, using case studies to give a better understanding of the impact of cyber incidents.

The Bad

There was quite a lot of cybercriminal activity against government entities this month, with the Washington, D.C., Police Department and Illinois Office of the Attorney General reporting data leaks. Meanwhile, the sensitive data of millions of users of BigBasket, ParkMobile, Facebook, and other platforms were leaked on hacking forums. Threats against financial firms continue to rise with VISA warning of hackers attempting to steal payment and personal data.

  • The Washington, D.C. Police Department confirmed that its computer network was breached and data was stolen in an attack by the Babuk ransomware gang. The threat actor posted more than 250GB of data on its dark web site.
  • Hundreds of third-party Android contact-tracing apps were found leaking sensitive data due to the API developed by Apple and Google. Through these apps, anyone could view users’ medical data.
  • DoppelPaymer ransomware operators leaked files from the Illinois Office of the Attorney General after a failed negotiation. The leaked files consist of information from court cases handled by the Illinois OAG, including some private documents.
  • A set of 20 million records belonging to BigBasket users was dropped by ShinyHunters on a popular hacking forum. Earlier this month, it also leaked sensitive information of about 2.5 million Upstox users, including 56 million KYC documents stolen from the company’s server.
  • In another data leak incident, a staggering 3.28 billion passwords linked to 2.18 billion unique email addresses were exposed on a cybercrime forum. The leaked details were claimed to be stolen from government domains across the world, including the U.S., the U.K., Australia, Brazil, and Canada.
  • Conti ransomware claimed to have attacked Broward County Public Schools and demanded a $40 million ransom. More than 1TB of data was stolen, including social security numbers, addresses, birth dates, and contact information.
  • Cybercriminals abused Google Alerts by redirecting users to fake adult sites, fake dating apps, sweepstake scams, and unwanted browser extensions. The attacks were launched by sending fake Google Alert URLs to unsuspecting users.
  • A hacker was found selling approximately 50GB of sensitive data stolen from OTP-generating companies, including Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter.
  • Babuk ransomware operators reportedly posted 500GB worth of Houston Rockets’ internal business data—contracts, NDAs, and financial data—on its dark web forum.
  • ParkMobile suffered a breach, and the account information of 21 million customers was put up for sale on a Russian-speaking crime forum for $125,000.
  • Global payment processor VISA issued a warning about threat actors increasingly deploying web shells on compromised servers to inject malicious scripts that exfiltrate credit card information from online customers.
  • Data on 533 million Facebook users was posted on a cybercrime forum. The leaked data included phone numbers, Facebook IDs, birth dates, gender, and location.

New Threats

From zero-day exploits to modified tools, cybercriminals appear to be working hard amidst the pandemic. Researchers spotted two phishing campaigns launched against JPMorgan Chase customers. Security experts also exposed new backdoor malware such as RotaJakiro, Nebulae, and Vyveva, with file-stealing capabilities. And if you fall for a pink-themed WhatsApp, attackers may gain permission to control your device without your knowledge.

  • JPMorgan Chase Bank customers were being targeted in two new phishing scams that leveraged social engineering and brand impersonation tactics to steal customers’ login credentials.
  • A new cyberespionage campaign was spotted deploying a new backdoor called Nebulae, with activity spanning two years. The campaign was launched by the Chinese Naikon APT group and targeted military organizations in Southeast Asia.
  • The UNC2447 threat actor abused a zero-day flaw in SonicWall SMA 100 Series VPN appliances to deploy the new FiveHands ransomware on North American and European target networks. The patches were released in February.
  • A new backdoor malware named RotaJakiro, reportedly associated with the Torii botnet, targeted 64-bit Linux systems. It can exfiltrate system details and sensitive data, and uses a double encryption scheme (a combination of AES and XOR) to evade detection.
  • An updated WhatsApp Pink malware was found doing the rounds with an added feature: automatically responding to Signal, Telegram, Viber, and Skype messages. The malware is distributed via a fake version of WhatsApp claiming to be pink-themed.
  • The new Pareto botnet infected a massive number of Android devices to conduct fraud in the internet TV advertising ecosystem. It works by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent platforms.
  • A newly discovered zero-day authentication bypass vulnerability found in Pulse Connect Secure gateway is currently being exploited in the wild. Tracked as CVE-2021-22893, the flaw has been linked with UNC2603 and UNC2717 threat actors against different government and law enforcement agencies.
  • Lazarus APT was found stealing cryptocurrency with a never-before-seen tool - modified JS sniffers. Named Lazarus BTC Changer, this crypto skimmer switches the destination payment address to the threat actor’s BTC address.
  • The new Saint Bot malware was leveraged to drop information stealers and other malware downloaders in targeted campaigns against Georgian government institutions.
  • NAME:WRECK, a set of nine newly disclosed DNS vulnerabilities, put more than 100 million consumer, enterprise, and industrial IoT devices at risk. These vulnerabilities affect four well-known TCP/IP stacks: IPnet, FreeBSD, Nucleus NET, and NetX.
  • Cring ransomware exploited a vulnerability in FortiGate VPN servers. Although Fortinet issued a security patch for the vulnerability last year, cybercriminals are deploying the exploit against networks that have yet to be patched.
  • New backdoor malware Vyveva was used by the Lazarus APT group against a South African freight and logistics firm. The backdoor can exfiltrate files, collect data from infected machines and drives, connect to a C2 server remotely, and execute arbitrary code.
  • A new malicious document builder known as EtterSilent was used to run cybercriminal schemes. The tool comes in two versions: one that exploits a vulnerability in Microsoft Office, and another one that imitates the digital signature product DocuSign.

Posted on: May 04, 2021