Go to listing page

Cyware Weekly Threat Intelligence, April 11 - 15, 2022

Cyware Weekly Threat Intelligence, April 11 - 15, 2022

Share Blog Post

The Good

There’s always something good to look forward to. Finally, Microsoft took control of 65 domains that the chaotic ZLoader threat actors were leveraging to control, expand, and communicate with its botnet. In parallel, the law enforcement authorities shut down the dark web marketplace RaidForums.

  • Microsoft dismantled 65 domains associated with the ZLoader threat actors, thereby taking down the group behind cybercrimes worth millions of dollars. The ZLoader operators employ malware-as-a-service to steal and extort money; the botnet consists of malware-infected devices belonging to global businesses, schools, hospitals, and homes.
  • International law enforcement ran an operation, TOURNIQUET, to successfully seize RaidForums, an infamous dark web marketplace known for offering stolen personal data. The operation was conducted by law enforcement agencies from the U.S., U.K., Portugal, Sweden, and Romania. The law enforcement agencies arrested the administrator of the dark web marketplace and two of his accomplices. 
  • A group of cybersecurity companies that help defend industrial systems from hackers, joined forces to launch the Operational Technology Cybersecurity Coalition, which aims to strengthen the ICS and critical infrastructure in the U.S. The coalition aims to streamline how the founding members share threat information with each other and the government.

The Bad

In other updates, the Conti ransomware group is still running its business, despite the massive leak of its source codes. The group added three new organizations—Nordex, Snap-on, and Panasonic Corp.—to their list of victims. Security experts also expressed their concerns as the NB65 hacking group took advantage of Conti’s leaked source code to target organizations in Russia. The notorious Lazarus was also spotted making a comeback with fake job offer lures to ensnare individuals working in the chemical sector. 

  • The Conti ransomware group added two new organizations to its list of victims. These were Snap-on and Panasonic Corp. While Snap-on was targeted in March, the Panasonic Corp. was compromised in February. Panasonic revealed that its Canadian operations were affected by the attack. On the other hand, Snap-on disclosed that attackers gained access to social security numbers, names, birthdates, and employee identification-related material of its franchisees and associates.
  • The Italian luxury fashion house Ermenegildo Zegna confirmed a ransomware attack that resulted in an extensive IT systems outage. The attack occurred in August 2021 and was the work of the RansomEXX ransomware group.
  • Christie Business Holdings Company revealed a data breach that affected the personal information of roughly 500,000 individuals. Threat actors gained unauthorized access to compromised email accounts between July and August 2021. According to the healthcare services provider, no electronic medical records and the firm’s patient portal were impacted in the incident.
  • The Anonymous collective group leaked 446GB of data after launching DDoS attacks against the Russian Ministry of Culture. The dumped data included around 600,000 new emails associated with the ministry.
  • California-based respiratory care provider SuperCare Health disclosed a data breach that affected more than 300,000 individuals. The exposed files included names, addresses, dates of birth, medical record numbers, patient account numbers, and health-related information of patients. In some cases, social security numbers, and driver’s license numbers were compromised.
  • A hacking group named NB65 used Conti’s leaked source code to create its own ransomware. This new ransomware was used in a series of cyberattacks against organizations in Russia. The attackers leveraged the ransomware to steal data and later leaked it online. 
  • LockBit ransomware group managed to maintain its persistence on a regional U.S. government agency for at least five months. However, logs retrieved from the compromised machines showed that two threat groups were engaged in reconnaissance and remote access operations. The toolset included utilities for brute-force attacks, scanning, and command execution.
  • The notorious Lazarus is back with the ‘Operation Dream Job’ campaign spree, targeting organizations in the chemical sector. The campaign has previously targeted individuals in the defense, government, and engineering sectors.
  • The FBI linked the $600 million cryptocurrency heist that targeted the players of the popular video game Axie Infinity to the infamous North Korean cybercrime groups - Lazarus and APT 38. The attackers had exploited a network used to send cryptocurrency to carry out the heist. 

New Threats

Researchers warned about a set of five new vulnerabilities that could put impact patient care. Microsoft identified a new defense evasion malware, named Tarrask, that leverages a zero-day flaw in Windows task scheduling. Besides, two new deadly botnets—called Enemybot and Fodcha— capable of launching massive DDoS attacks were also unearthed in two disparate campaigns. Additionally, a new version of RedLine Stealer is gaining popularity in cybercrime forums for its ability to pilfer credentials from web browsers, cryptocurrency platforms, and email accounts. 

  • Microsoft uncovered a new campaign associated with the Chinese-backed Hafnium hacking group. The campaign leveraged an unpatched zero-day in Windows task scheduling to deploy a new malware named Tarrask
  • A new Enemybot botnet, which was first discovered in March, borrows modules from both Mirai and Gafgyt botnets. It was recently observed targeting routers from Seowon Intech, D-Link, Netgear, and Zhone. The threat actors behind the botnet employ brute-force attacks and exploit tools to compromise devices.
  • Security researchers detected a new Remcos RAT campaign that targeted the African banking sector. Threat actors attempted to deliver the malware using the HTML smuggling technique. The phishing emails purported to be from a recruiter from another African bank with information about job opportunities.
  • The notorious Emotet trojan has been upgraded with 16 additional modules. Some of these modules are used for spamming and pilfering credentials from different web browsers and email accounts.
  • Researchers spotted a new scam call tactic called the eavesdropping scam. This involves voicemail messages that include critical information about the targeted users. Once the victims return the call, the scammers can run a variety of scams, most commonly offering fraudulent tax relief services. It is revealed that the scam had first emerged in early 2022.
  • A new version of RedLine stealer named Meta Stealer is being sold at $125 for a monthly subscription or $1,000 for unlimited lifetime use. It is capable of stealing passwords from Chrome, Edge, Firefox, and cryptocurrency wallets.  
  • Researchers shared details about the new Fakecalls banking trojan. It mimics the mobile apps of popular Korean banks to spy on users. When installed, the trojan immediately requests permission to access contacts, microphone, camera, geolocation, and call handling. Kaspersky found that, in some cases, the trojan can imitate phone conversations with customer support.
  • CERT-UA had released mitigation measures for a new variant of the Industroyer malware dubbed Industroyer-2. The malware variant was used by Sandworm APT to launch attacks against high-voltage electrical substations in Ukraine.
  • A set of five newly discovered vulnerabilities called JekyllBot:5 were found impacting Aethon TUG autonomous mobile robots. The flaws, if exploited, could put several medical firms at risk of remote hijack. Attackers can gain access to real-time camera feeds, disrupt the timely delivery of patient medication, and interfere in operations.
  • The operators behind Qbot trojan were found leveraging MSI Windows Installer packages to push the malicious payload. The packages are embedded within password-protected ZIP archive attachments that are sent via phishing emails. 
  • The CISA urged federal agencies to patch a WatchGuard firewall vulnerability that is being actively exploited in the wild. The vulnerability, tracked as CVE-2022-23176, affects the Fireware OS running on WatchGuard Firebox and XTM appliances.
  • A malware, called PIPEDREAM, capable of targeting ICS/SCADA systems was unveiled this week. The malware can target a wide range of PLCs from Schneider Electric and Omron. It can also attack other industrial technologies from the likes of CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).
  • A newly discovered Fodcha botnet infected around 62,000 IoT devices between March 29 and April 10. The botnet is distributed via brute-force attacks and exploits. Most of its infected devices are located in China.
  • A threat actor dubbed Haskers Gang is actively using the Telegram and Discord platforms to promote a newly discovered information-stealing malware named ZingoStealer that comes with the capabilities of XMRig miner and RedLine Stealer. Since its inception, malware has targeted gamers in Russia. 
  • The UAC-0041 threat cluster leveraged a known vulnerability (CVE-2018-6882) in Zimbra software to distribute the IcedID trojan. The campaign targeted organizations in Ukraine.


operation dream job
supercare health
enemybot botnet
remcos rat campaign
meta stealer
zloader threat actors
qbot trojan
fakecalls banking trojan

Posted on: April 15, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.