Cyware Weekly Threat Intelligence - June 24–28
Weekly Threat Briefing • Jun 28, 2024
In a bold alliance, the NCA and the FBI embark on a relentless pursuit to dismantle the Qilin ransomware gang. This elusive group, seemingly shielded by Russian government approval, has wreaked havoc on global healthcare providers. Meanwhile, on the frontlines of data privacy, the CPPA and CNIL forge a strategic partnership. This transatlantic collaboration promises a robust framework for joint research and education on emerging technologies and data protection.
The U.K.'s National Crime Agency (NCA) and the FBI have joined forces to track down and disrupt the activities of the Qilin ransomware gang. The agencies are trying to identify and apprehend the criminals behind Qilin, which has been operating with the apparent approval of the Russian government. The Qilin ransomware gang has targeted global healthcare providers, causing widespread disruption and leaking sensitive patient data.
The California Privacy Protection Agency (CPPA) signed a partnership agreement with France’s Commission Nationale de l'Informatique et des Libertés (CNIL) to conduct joint research on data privacy issues and share investigative learnings. The declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.
In a diabolical dance of cyber mayhem, the Unfurling Hemlock threat actor deployed malware cluster bombs. Over 50,000 such files, meticulously crafted, target systems primarily in the U.S., Germany, Russia, and others. Additionally, the UAC-0184 waged a digital war on Ukraine using the XWorm RAT. In a parallel nightmare, the polyfill[.]io domain, once benign, now serves malware to over 100,000 websites.
The Unfurling Hemlock threat actor is using a malware cluster bomb technique to deliver multiple types of malware to compromised systems, providing high levels of redundancy and persistence. Over 50,000 cluster bomb files linked to the threat group have been identified, with the attacks targeting systems primarily in the U.S., as well as in Germany, Russia, Turkey, India, and Canada. The attacks begin with the execution of a file named 'WEXTRACT.EXE', which contains nested compressed cabinet files, each containing a malware sample. The final stage executes the extracted files in reverse order.
Cyble identified the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm RAT. The campaign begins with a malicious LNK shortcut file disguised as an Excel document, which executes a PowerShell script to download and execute malicious files. The attackers use DLL sideloading and a tool called Shadowloader to inject the XWorm RAT into a running process. The XWorm RAT has various capabilities, including data theft, DDoS attacks, and cryptocurrency manipulation.
The polyfill[.]io domain, previously used for JavaScript polyfills, has been compromised and is now serving malicious code to over 100,000 websites. The domain was bought by a Chinese organization, leading to a supply chain attack that infected visitors' browsers with malware. The malicious code is dynamically generated based on the website's HTTP headers, making it difficult to detect and block. Google has started blocking Google Ads for affected websites to reduce traffic and potential victims.
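Because the served script varied per request, blocklisting the hostname in page source is the practical check. As an added defender-side example (not part of the Cyware briefing or any vendor tool), the Python below parses HTML and flags any script or link reference whose host is polyfill[.]io or a subdomain of it; the flagged-domain list and the sample HTML are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of hosts to flag; extend it with whatever domains your own
# threat intel marks as compromised. Subdomains (e.g. cdn.<domain>) match too.
FLAGGED_DOMAINS = ("polyfill.io",)


class ScriptSrcCollector(HTMLParser):
    """Collect every src/href value from <script> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in ("script", "link"):
            for name, value in attrs:
                if name.lower() in ("src", "href") and value:
                    self.sources.append(value)


def host_of(url):
    """Return the lowercase hostname of a URL, handling protocol-relative //host/path."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def is_flagged(host):
    """Exact match or subdomain match against FLAGGED_DOMAINS (no substring matches)."""
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


def find_polyfill_references(html):
    """Return the list of script/link URLs in html that point at a flagged domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [u for u in parser.sources if is_flagged(host_of(u))]


# Constructed sample page: two polyfill.io references (one protocol-relative),
# one look-alike host that must NOT match, and a harmless first-party script.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url in find_polyfill_references(SAMPLE_HTML):
        print("flagged:", url)
```

Run it against saved page sources or a crawler's HTML output; matching on the hostname rather than the script body is deliberate, since the malicious payload was generated dynamically and a content hash would not be stable.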
SpyMax, an Android RAT, has been spotted targeting Telegram users. It does not require rooted devices, making it easier for threat actors to gather private information and control victims' devices. The malware pretends to be the Telegram app and requests Accessibility Service permission, acting as a trojan with keylogger capabilities. It collects location information and communicates with a C2 server to send compressed data and receive system commands and APK payloads.
A supply chain attack on WordPress plugins led to the compromise of five plugins, allowing attackers to create unauthorized admin accounts and inject SEO spam on affected websites. The affected plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. The injected malware attempts to create a new administrative user account and sends those details back to an attacker-controlled server. The malware also injects malicious JavaScript into the footer of websites, which appears to add SEO spam throughout the website.
North Korean hackers are actively using the HappyDoor malware in spear-phishing email attacks to steal sensitive information and gain remote access. HappyDoor is a malware used by the Kimsuky group, a North Korean hacking group, since 2021 and is still active as of 2024. The evolving HappyDoor malware operates via regsvr32.exe in three stages and has functions such as screen capture, key logging, file leakage, and communication with C&C servers using HTTP.
A new breed of malware masquerades as cracks and commercial tools, each download spawning a uniquely hashed menace, yet all bearing the same nefarious capabilities. This digital chameleon, named InnoLoader, utilizes InnoSetup to present a deceptive installer interface. Discovered vulnerabilities in the Sensor Net Connect device and the Thermoscan IP desktop application could elevate a regular user to administrator status, endangering sensitive medical data and inviting denial-of-service attacks on critical monitoring systems. In Southeast Asia, a stealthy adversary named Snowblind has been preying on banking customers, wreaking financial havoc.