Go to listing page

Cyware Weekly Threat Intelligence, April 18–22, 2022

Cyware Weekly Threat Intelligence, April 18–22, 2022

Share Blog Post

The Good

Governments are realizing that multilateral collaboration, not only among private organizations, but also among different nations is the way to create a secure cyberspace. In this regard, the U.S. is partnering with six other countries to safeguard the cross-border flow of data. Cybercriminals making mistakes and leaving gaps in their malware architecture has always been a good piece of news. Due to this very reason, researchers were able to build a decryptor for the Yanluowang ransomware.

  • The U.S. is partnering with six other countries—Canada, Japan, South Korea, Singapore, the Philippines, and Taiwan—to create privacy and cybersecurity standards for the data that cross over into each other’s borders.
  • A security lapse discovered in the encryption process of the Yanluowang ransomware has enabled researchers to build a decryptor. This decryptor is available for free to the victims who are infected by the ransomware. The ransomware was first spotted in October 2021 and was used in highly targeted attacks against large organizations.
  • U.S Cyber Command allocated over $236 million in the command’s fiscal year 2023 spending request. The funds would augment operational support to each of the Joint Cyber Warfighting Architecture components to deliver critical cyber capabilities.
  • Australia’s financial intelligence and regulatory body AUSTRAC released two financial crime guides to aid organizations in detecting and preventing ransomware attacks and the exploitation of digital currencies. The guides assist businesses in identifying if a certain payment is associated with a ransomware attack or if someone is leveraging digital currencies to commit financial frauds. 
  • The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is organizing Locked Shields 2022, an international live-fire cyber defense exercise for the protection of national civilian and military IT systems and critical infrastructure.

The Bad

Do not speak ill of the dead for they may come alive. It’s been almost a year since Emotet was shut down and now, it’s back from its grave and quickly rising to the forefront of the threat landscape via rapidly spreading email scams. Not only Emotet, but we also have another resurrection on our hands this week. REvil’s servers are up on the Tor network and the gang has already listed two fresh victims on its new leak site. New week, new crypto hack. A cyberattack on BeanStalk Farms resulted in the loss of millions worth of cryptocurrency. 

  • An attack on a third-party system has disrupted the operations of a Canadian airline company, Sunwing Airlines Inc. The firm disclosed that the third-party system used for check-ins and boarding was breached, leaving thousands of passengers stranded at the airport.
  • The FBI has shared an advisory to warn organizations about the escalating attacks by BlackCat ransomware. The note reveals that the ransomware has targeted at least 60 organizations worldwide between November 2021 and March 2022. Additionally, the operators announced nine new victims as of April 21.
  • Researchers have spotted REvil ransomware’s servers being up in the Tor network after several months of inactivity. A new leak site associated with the ransomware is being promoted on a RuTOR dark web marketplace. The site includes a list of organizations targeted by the ransomware, out of which two are new ones.
  • The FBI has issued an advisory about the potential impact of ransomware attacks on organizations in the Food and Agriculture (FA) sector in the U.S. Two such attacks disrupting the supply of seeds and fertilizers were reported in early 2022.
  • The Unified Government (UG) of Wyandotte County and Kansas City experienced a cyberattack at its data centers. According to the UG, it is working with the U.S. Department of Homeland Security, FBI, and Mid-America Regional Council cybersecurity task force to restore data services. It is yet to be determined if any data was compromised.
  • Scammers are taking advantage of the ongoing geopolitical war to deceive Ukrainians, as well as people from other nations, into sending donations to the wrong recipients. The scams are being carried out through fake donation sites, fake Red Cross portals, and social media. In one such instance, the scammer known as @Xenta777 on Twitter had asked people to make military equipment-related donations.
  • GitHub reported that threat actors used stolen OAuth user tokens to exfiltrate private data from several organizations. The stolen OAuth tokens were linked to two OAuth integrators, Heroku and Travis-CI. The first intrusion was detected on April 12 after the company’s security team identified unauthorized access to its npm production infrastructure using a compromised AWS API key.
  • BeanStalk Farms, an Ethereum-based stablecoin protocol, suffered a loss of around $182 million following a cyberattack. The attackers got away with around $80 million of crypto tokens by projecting a flash loan on the lending platform Aave, which is used to amass a large amount of Beanstalk’s native governance token, Stalk.
  • Researchers observed that the recent Emotet outbreak is being spread through various malicious Microsoft Office files that come attached with phishing emails. The emails include ‘Re:’ or ‘Fe:’ in the subject line. The attached Excel files and Word documents contain the ‘Enable Content’ button that, if clicked, causes the download of malicious macros.
  • Several instances of IRS tax scams targeting users in the U.S were reported recently. In one incident, threat actors used phishing emails that appeared to come from the IRS to warn the recipients about the last date for filing the tax and asked them to complete the tax filing by clicking on malicious attachments. In some cases, the cybercriminals also impersonated federal agencies such as DHS to warn victims about overdue payments to the IRS, which should be paid via a link that redirects them to a fake PayPal site.

New Threats

Since the Russian invasion of Ukraine started, the latter has had no respite from cyberattacks. The Russia-linked Gamaredon group is now launching targeted attacks using four new malware variants. Threat actors are back at spreading malware via fake Windows updates. They are propagating the 'Inno Stealer' malware through SEO poisoning tactics. There’s a new location in the cyber underground, named Industrial Spy, for the sale of stolen enterprise data.
  • A Hive ransomware affiliate has been found exploiting the ProxyShell vulnerability in Microsoft Exchange servers to deploy various backdoors, including the Cobalt Strike Beacon. Once the threat actors perform reconnaissance, they steal admin account credentials, exfiltrate valuable data, and deploy the ransomware in the final stage.
  • Over 400 samples of Ginzo stealer have appeared since it was first discovered on March 24, 2022. The malware is available for free on underground forums. The attackers have also set up a Telegram channel to sell the stealer. The malware is capable of harvesting data like screenshots, credentials, cookies, and telegram credentials. It can also steal cryptocurrency wallets and system information.
  • Russian state-sponsored threat actor group known as Gamaredon has been found targeting Ukrainians with four new variants of the Pteredo backdoor, also tracked as Pteranodon. All the four variants were observed using obfuscated VBS droppers that add Scheduled Tasks and then fetch additional modules from the C2 server. It should be noted that the Pteredo backdoor is still under active development.
  • In an attempt to spread the new Inno Stealer malware, threat actors are leveraging SEO poisoning tactics to promote fake Windows 11 updates. The malware is capable of stealing browser data and cryptocurrency wallets. According to researchers, the malware is written in Delphi and removes security solutions from Emisoft and ESET from the victim’s system.
  • Security researchers have found a connection between Conti ransomware and the recently emerged Karakurt data extortion group. The intelligence team has managed to connect the dots by obtaining remote access to multiple servers that are actively being used as C2 communication systems by threat actors. Since its inception in December 2021, the Karakurt group has claimed more than 40 victims across the globe.
  • A new variant of BotenaGo botnet is stealthily targeting a pool of IoT devices, including the Lilin security camera DVR devices. The variant derives its code from the source code of the original botnet that was leaked in October 2021.
  • A new zero-click flaw identified in iOS systems has been exploited to propagate Pegasus or Candiru spyware. At least 65 individuals have been targeted in the attack, including members of the European Parliament, Catalan presidents, legislators, and civil society organizations. The flaw affects various versions of the operating system prior to iOS 13.2 and was exploited using an exploit kit called HOMAGE.
  • Threat actors have launched a new marketplace called Industrial Spy that sells stolen data from breached companies. While the premium stolen datasets are priced at millions of dollars, lower-tier data are sold for as little as $2. The marketplace also offers free stolen data packs in a bid to attract more threat actors to use the site.
  • The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) warned T-Mobile customers against a new SMS phishing campaign that sends users malicious links using unblockable texts.
  • Avast has published a technical report on a newly found malware, dubbed Certishell, that is targeting Czech and Slovak users exclusively. The malware contains modules for remote access, cryptomining, and even ransomware. It is being distributed via pirated copies of movies and songs, cracked software, and keygens of games and common tools.
  • Operators of the LemonDuck botnet are back in a new cryptocurrency mining campaign. The attackers take advantage of misconfigured Docker API on the Linux platform to launch malicious payloads. The campaign is currently active.
  • A new report reveals that the recently discovered Nokoyawa ransomware is a variant of Nemt ransomware. Researchers came to the conclusion after assessing the encryption technique, ransom note, and C2 servers used by both ransomware.


revil ransomware
ginzo stealer
global cross border privacy rules
homage exploit
locked shields
blackcat ransomware
yanluowang ransomware
conti ransomware
lemonduck botnet
nokoyawa ransomware
emotet botnet
inno stealer
sunwing airlines
hive ransomware
pteredo backdoor
beanstalk farms
industrial spy

Posted on: April 22, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.