Go to listing page

Cyware Weekly Threat Intelligence, April 04–08, 2022

Cyware Weekly Threat Intelligence, April 04–08, 2022

Share Blog Post

The Good

Governments are increasingly looking to upgrade their cybersecurity policies to align with the changing security landscape. Taking a step in that direction, the U.S. State Department launched its Bureau of Cyberspace and Digital Policy. The Cyclops Blink botnet was killed before it could even blink a complete blink. The FBI took down the modular botnet by disrupting its infrastructure and closing external management ports. 

  • The FBI announced taking down the Cyclops Blink botnet, which used to target firewall appliances and SOHO networking devices. It was under the control of the Russian Sandworm group.
  • German police disrupted the dark web market Hydra and seized bitcoin worth $25 million. The marketplace was a hub for selling narcotics, stolen credit card data, money laundering services, fake identity documents, and protecting Tor users.
  • The Bureau of Cyberspace and Digital Policy was launched officially under the State Department to address the national security challenges, economic opportunities, and implications for the U.S. in the areas of cyberspace, digital technologies, and digital policy.
  • The Australian Department of Home Affairs started work on a new national data security action plan. It comes as a part of the federal government’s digital economy strategy, which will safeguard citizens’ data stored on digital networks and systems. 

The Bad

Despite humongous data leaks of its own internal communications, Conti remains in business. The ransomware actor leaked around 5GB of files belonging to Parker Hannifin. Just when you think a particular threat has disappeared and you can breathe a little easy, it comes and hits you hard. The same goes for the recent Magecart attack against a mattress maker, which impacted customers across 12 nations. Cadbury UK took to Twitter to warn against a scam pretending to sell free chocolates. Falling victim to it can turn pretty bitter, warned the company.  

  • A Magecart attack at Emma Sleep Company affected the credit or debit card details of its customers. The attackers injected the malicious code into the checkout page to steal personal information and credit card data.
  • A compromised Trezor hardware wallet mailing list was used to send fake data breach notifications to steal cryptocurrency wallets and the assets stored within them. Attackers leveraged one of the newsletters hosted at MailChimp to launch the attack. The notifications prompted recipients to download a fake Trezor Suite software that would steal their recovery seeds.
  • Discord communities of multiple major NFT projects were hacked as part of a phishing scam to trick users into handing over their digital JPEGs. Some of the affected projects were Bored Ape Yacht Club, Nyoki, Doodles, Kaiju Kingz, and Shamanz. The ultimate goal was to trick users into clicking a link to mint a fake NFT by sending ETH and in some instances an NFT to wrap into a token.
  • Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam that steals their personal information. The scam, which goes with the title ‘Free easter chocolate basket,’ is making the rounds on WhatsApp and social media sites. The recipients are asked to click on a link to claim the free gift. But, before that, the recipients are asked to answer a series of questions appearing on the screen.
  • More than $15 million were stolen after hackers exploited the DeFi platform Inverse Finance. According to the company, the hackers manipulated its money market, Anchor, and increased the price of INV via Sushiswap. This enabled the attackers to borrow $15.6 million in the DOLA, ETH, WBTC, and YFI cryptocurrencies.
  • Wind turbine giant Nordex was forced to shut down its IT systems after discovering a cyberattack. The incident affected multiple systems in the firm. As a part of the precautionary measure, the company took immediate actions to prevent further propagation of the attack.
  • An ongoing malware attack campaign is using ISO disk images to deliver AsyncRAT, LimeRAT, and other commodity malware to victims. The threat actors behind the campaign have been using a new version of the 3LOSH crypter to generate obfuscated code to hide the RAT payloads and facilitate the infection process.
  • Ukraine CERT-UA published a security advisory about spear-phishing attacks conducted by Russia-linked Armageddon APT. The attacks targeted local state organizations with malware. The phishing messages were sent from ‘vadim_melnik88@i[.]ua.’ In another instance, the CERT-UA also revealed a cyberattack that enabled attackers to get session data, a list of contacts, and the history of their Telegram session. The operators leveraged the Telegram website to send malicious links to users.
  • The Conti ransomware group has leaked more than 5GB of files allegedly stolen from U.S. industrial component giant Parker Hannifin. As the company continues its investigation, it confirmed that some data, including the personal information of employees, was accessed by hackers.
  • The Australian Competition & Consumer Commission has issued a warning about the rise in money recovery scams. It is found that scammers are impersonating a money recovery firm, law office, or a special government task force to trick users into filling out fake paperwork that could help them with the recovery of previously stolen funds. The targeted victims are approached via phone or email. The ultimate goal of scammers is to steal identification details from users. Some of these scams also enabled threat actors to gain remote access to victims’ computers or smartphones.
  • The Texas Department of Insurance (TDI) disclosed a data security incident that affected roughly 1.8 million people. It occurred due to a vulnerability in one of its web applications. The exposed information included names, phone numbers, addresses, dates of birth, and social security numbers of individuals.
  • A data theft tool used by BlackCat (aka ALPHV) ransomware is increasingly being used to target industrial organizations. It is tracked as ExMatter, a modified version of Fendr. Researchers revealed that the BlackCat group had used Fendr to exfiltrate data from oil, gas, mining, and construction firms in South America.
  • AridViper APT group was found targeting high-ranking Israeli officials in a cyberespionage campaign to spy and steal data by compromising their systems and mobile devices.
  • A phishing email pretending to be a payment notification from a trusted bank was found delivering Remcos RAT. The email asked the recipient to open the attached Excel file that is protected by a password. The file lures the victim into clicking the ‘Enable Content’ button to execute the malicious macro code.
  • North Carolina A&T State University became the latest victim of BlackCat ransomware. The incident occurred on March 7, forcing staff and students to operate manually. Systems taken down by the intrusion included wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Banner Document Management, Chrome River, and Qulatrics.
  • WonderHero has disabled its website and services after hackers stole $320,000 worth of Binance Coin. Threat actors took advantage of the cross-chain bridging withdrawal feature on the platform to launch the attack.
  • The critical Spring4Shell vulnerability has lately been exploited by the Mirai botnet. The attack was first observed on April 1. The botnet exploited one of the Spring4Shell vulnerabilities (CVE-2022-22965) to launch attacks.
  • Google removed several apps from its Play Store after they were found stealing sensitive data from users. The apps had over 45 million downloads and collected the data through a third-party SDK that had the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even modem router MAC addresses.
  • Fraudsters made nearly $1.7 million by promising cryptocurrency giveaway scams on YouTube. Over 36 YouTube channels used for the purpose were observed between February 16 and February 18, attracting at least 165,000 viewers. The videos were made using footage of tech entrepreneurs and crypto investors like Elon Musk, Brad Gralinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood to add legitimacy to scams. Additionally, these videos include links to at least 29 websites with instructions on how to double cryptocurrency investments.

New Threats 

Borat’s in town; not the movie though. It’s a new RAT that can conduct both ransomware and DDoS attacks, along with possessing several other capabilities. WhatsApp has once again become a favorite target for cybercriminals as a new phishing campaign abuses the platform’s voice messaging feature. The SharkBot banking trojan has resurfaced in a new campaign, biting victims across many countries. 

  • Researchers discovered a new RAT named Borat that is capable of conducting DDoS and ransomware attacks. Other capabilities include recording keystrokes, capturing videos from the webcam, stealing credentials from Chromium-based web browsers, and pilfering Discord tokens from infected systems.
  • A new campaign that delivers SocGholish in the initial stage, with BLISTER as a second-stage loader, has been uncovered by researchers. It is believed that both the loaders are being used to evade detection to execute final payloads, specifically LockBit in this case.
  • A new WhatsApp phishing campaign impersonating WhatsApp’s voice message feature is being used to spread information-stealing malware. So far, the campaign has affected around 28,000 email addresses. As a part of the campaign, the recipients are led to a series of steps that ultimately cause the installation of the malware that is capable of pilfering credentials.
  • The FIN7 APT group has evolved its malware and attack tactics. These include a new POWERPLANT backdoor and two new versions of BIRDWATCH downloader—tracked as CROWVIEW and FOWLGAZE. Researchers claim that these malware are being used by threat actors to gain initial access and deliver more payloads.
  • Researchers uncovered a new cyberespionage campaign targeting Malaysian users. Active since 2021, the campaign primarily targets the customers of eight Malaysian banks - Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. The attack leverages multiple apps and websites for cleaning services such as Maid4u, Grabmaid, Maria’s Cleaning, YourMiad, Maideasy, and MaidACall to trick users. The goal of the malware operators is to obtain banking credentials from the victims.
  • A new .NET-based info-stealer called Lightning Stealer is capable of stealing sensitive details by targeting over 30 browsers, Telegram, Discord, Steam, and crypto wallets. The malware stores the exfiltrated data in JSON format.
  • A newly discovered Colibri loader campaign is being used to deliver the Vidar info-stealer as the final payload. The attack starts with a malicious Word document deploying the loader. Colibri leverages PowerShell to maintain persistence after a reboot.
  • Researchers found a new campaign distributing SharkBot malware. At least six apps with over 15,000 downloads were leveraged to spread the malware. Most of the victims were from Italy and the U.K, with some users from China, India, Romania, Russia, Ukraine, and Belarus.
  • A new campaign dubbed Operation Bearded Barbie has been associated with APT-C-23, a subgroup of the Hamas-linked cyber warfare operation. The campaign used a fake messaging app known as VolatileVenom to deliver two new malware - Barbie downloader and BarbWire backdoor. The campaign targeted high-profile officials working in defense, law enforcement, emergency services, and other government services.
  • A new information stealer named FFDroider capable of stealing credentials and cookies stored in browsers has been uncovered by security researchers. The stolen credentials can be used further to hijack victims’ social media accounts. The malware is distributed via cracked software, free software for games, and other files downloaded from torrent sites.
  • Cado security stumbled across a new malware variant, dubbed Denonia, that targets AWS Lambda, a scalable service used by SMBs and enterprise players worldwide.
  • Threat actors have repurposed the code of an old Android malware called ExobotCompact to build a new malware dubbed Octo. It is distributed via a variety of fake apps disguised as Pocket Screencaster, Fast Cleaner 2021, Postbank Security, BAWAG PSK Security, and Play Store update.  Once executed, the Octo could allow threat actors to conduct fraudulent transactions, records keystrokes, and harvest contact information.
  • A new Traffic Direction System (TDS) called Parrot has emerged in recent months to redirect victims to 16,500 malicious websites for universities, local governments, adult content platforms, and personal blogs. The newly discovered TDS shares similarities to the Prometheus TDS that appeared in 2021.


lightning stealer
nordex group
spring4shell attacks
borat rat
operation bearded barbie
cyclops blink
powerplant backdoor
texas department of insurance tdi
colibri loader
parrot tds
octo android trojan
armageddon apt

Posted on: April 08, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.