Go to listing page

Cyware Weekly Threat Intelligence, November 07 - 11, 2022

Cyware Weekly Threat Intelligence, November 07 - 11, 2022

Share Blog Post

The Good

Fighting cybercrime in today’s evolving threat landscape requires better visibility into attackers’ behavior. Keeping this in mind, MITRE Engenuity’s Center for Threat-Informed Defense has released an updated version of the Attack Flow project to boost the defense capability of organizations. In another development, a group of researchers has come up with a way to create One-Time Programs (OTPs) that could be used to prevent brute-force attacks.

  • The U.S. Department of Defense will publish a zero-trust strategy in the coming days, with a new look to achieve a new level of cybersecurity. The strategy comprises more than 100 activities, with suggestions to keep critical data secure.
  • The European Parliament has approved new cybersecurity rules to protect essential sectors such as energy, transport, banking, health, digital infrastructure, and public administration against cyber threats. This comes following the deteriorating security environment due to the Russia-Ukraine war. 
  • MITRE Engenuity’s Center for Threat-Informed Defense (CTID) released an updated version of the Attack Flow project, which would allow defenders to gain better visibility into a potential threat. The project will help enable security teams to easily describe, display, and share sequences of adversary behavior.
  • A team of scientists from Johns Hopkins University and NTT Research proposed a new approach to build One-Time Programs (OTPs) using commodity hardware found in mobile phones and cloud computing services. Such programs are purported to have multiple uses, including the prevention of brute-force attacks and the strengthening of various authentication methods.

The Bad

Cybercriminals are always on the lookout for taking advantage of the latest events or trends and target as many users as possible. This week, Twitter was the target of multiple attacks, with one of them being aimed at high-profile personalities to steal their Blue Tick status and promote various scams. Meanwhile, a classic extortion scam against Magento merchants was reported, with attackers threatening to release the stolen data unless a ransom of $3,000 was paid. In another update, Medibank disclosed that the ransomware attack on its systems affected the personal information of over 9.7 million Australians.
  • In an update on its data breach disclosure, Australian private health insurance provider Medibank revealed that the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. A ransomware gang known as BlogXX took credit for the attack and demanded a $10 million ransom payment. Since the firm refused to pay, the gang began leaking the stolen sensitive details of customers’ medical procedures on the dark web. 
  • Researchers revealed that administrators of Magento-based online stores are being targeted in a classic extortion scam. The administrators are threatened with a message to release their companies’ data unless a ransom of $3,000 is paid. 
  • Trend Micro researchers found a rise in the use of DeimosC2 framework among cybercriminals. The framework is being used as an alternative for the Cobalt Strike beacon to interact with victim computers.
  • Ukraine’s CERT detected a new spear-phishing campaign associated with the Armageddon group. The attackers posed as Ukraine’s SSSCIP agency to target Ukrainians. 
  • Ukrainian hacktivists claimed to breach the Central Bank of Russia, stealing around 2.6 GB of files. The files contained details of the bank’s operations, its security policies, and the personal data of employees. 
  • The LockBit ransomware group was found selling files stolen from German car parts giant Continental for $50 million. The hackers claim to have stolen a total of 40 GB of files and screenshots.
  • Cybercriminals are leveraging Twitter’s new $8 Blue Tick program to trick users into following their fake accounts that are peddling various kinds of scams. They are impersonating notable personalities and organizations to be granted a verified status. 
  • In another incident, a fraud network made up of thousands of bogus Twitter accounts was found impersonating legitimate NFT stores to swindle users out of their cryptocurrency assets. These fake accounts prompted victims to share access to their wallets under the guise of minting a new NFT.
  • Online gamers were the target of a massive phishing campaign that leveraged YouTube videos offering cracked software for popular games. These cracked software distributed info-stealing malware to steal passwords, cookies, autofill information from browsers, and cryptocurrency wallet information. 
  • Around 15,000 sites were compromised in a massive black hat SEO campaign that redirected visitors to false Q&A discussion forums. Security researchers believed that the goal of the threat actors was to generate enough indexed pages to increase the authority of the fake Q&A sites. 
  • The FBI warned against tech support scammers impersonating financial institutions’ refund payment portals to gain remote access and harvest sensitive information from victims’ systems. The scam begins with attackers sending emails that ask victims to contact the attackers to claim a refund from a service.

New Threats

LockBit 3.0 operators have got a new carrier in the form of Amadey Bot to deploy the ransomware on targeted machines. Previously, the ransomware was distributed via emails using various lures. There was also a spike observed in the distribution of Android banking trojans. While a group of five malware—Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy—was deployed via phishing emails to target customers from seven banks in India, the Vultur malware was seen propagating via fake utility apps that garnered over 100,000 downloads across the globe.

  • Zimperium researchers took a deep dive into Cloud9, a botnet that is delivered via a malicious Chrome extension spread via third-party websites. Once it infects users’ browsers, it can steal cookie files, keystrokes, and browser session data, and can also deploy other malware on the infected system. 
  • Mandiant researchers shared a technical report on how APT29 abused a feature called Windows Credential Roaming in a recent attack targeting a European diplomatic entity. This enabled the attackers to escalate their privileges on the targeted systems.
  • Reports revealed that the Android banking trojan Vultur accumulated more than 100,000 downloads on the Google Play Store. The malware hid behind fake utility applications to target users.  
  • In a new development, the most recent version of the malware, LockBit 3.0, is being spread via Amadey Bot, the ASEC analysis team found. The Amadey Bot was used in the past to install GrandCrab ransomware and FlawedAmmyy trojan. 
  • An updated version of IceXLoader malware (version 3.3.3) compromised thousands of personal and enterprise Windows machines across the world. The malware variant is written in the Nim programming language and is sold for $118 on underground forums. 
  • Trend Micro researchers found five banking malware families targeting customers of seven banks in India via phishing campaigns. The malware families—Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy—are being distributed via different phishing emails.   
  • Cyfirma researchers reported a campaign targeting Indian defense personnel with the Spymax RAT malware. The campaign has been ongoing since July 2021 and is dispersed via an APK file masquerading as a promotion letter for Subs Naik rank. 
  • A new information-stealing malware called StrelaStealer was identified targeting Outlook and Thunderbird email clients specifically to steal account credentials. The malware is delivered via email attachment to the victim’s system.
  • Previously unknown Chinese APT group Earth Longzhi was spotted targeting government, infrastructure, healthcare, defense, aviation, insurance, and urban development organizations in Ukraine, East Asia, and Southeast Asia with a custom Cobalt Strike loader called Symatic. The attackers have been active since 2020 and leverage spear-phishing emails to launch their attacks.
  • A threat group, tracked as Worok, was found hiding malware within PNG images to infect victims' machines with information-stealing malware without raising alarms. The targeted victims include government entities in the Middle East, Southeast Asia, and South Africa.


spymax rat malware
black hat seo campaign
extortion scam
malicious chrome extension
spear phishing campaign
blogxx ransomware
icexloader malware
lockbit 30 operators
earth longzhi
tech support scammers

Posted on: November 11, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite