Go to listing page

Cyware Weekly Threat Intelligence, August 09–13, 2021

Cyware Weekly Threat Intelligence, August 09–13, 2021

Share Blog Post

The Good

Is the enemy of my enemy my friend? Probably not. But, it’s always fun to see threat actors pitting against each other. One such unhappy affiliate from the Conti gang released sensitive information as the former was unhappy about their payment. Talking about hackers, a tool has been developed that can restrict hackers from abusing Cobalt Strike beacons for malware command and control.

  • Europol detained 23 suspects accused of defrauding companies of more than $1.2 million in multiple BEC scams across 20 countries. Meanwhile, German authorities nabbed four cybercriminals for swindling millions of euros from novice investors through fake websites.
  • The U.S. Senate set aside more than $1.9 billion in cybersecurity funds for state and local governments to strengthen their cybersecurity posture and help organizations defend themselves.
  • The CobaltSpam tool developed by Mario Henkel can flood Cobalt Strike servers with fake beacons to debauch the internal databases of compromised systems. This would prevent attackers from differentiating real and fake infections. 
  • An unhappy affiliate linked to the Conti ransomware gang leaked confidential information—screenshots of IP addresses, instructions and training material for new recruits, and how-to guides—on an underground forum.
  • Researchers presented a scheme—Pretty Good Phone Privacy—that can hide users’ locations from carriers with just a software upgrade. 

The Bad

Given the choice between getting free vaccines and paying for a fake vaccine card, which one would you choose? ?Apparently, a lot of people are going for the latter, resulting in a rise in sales of such cards at underground marketplaces. In other news, a Chinese cyberespionage actor is posing as an Iranian threat actor and launching attacks against Israel. Crytek warned its customers of a ransomware attack by Egregor last year. Data was leaked. Yikes!

  • Waste Management Resources disclosed unauthorized access into its network that exposed healthcare information—social security numbers, dates of birth, and bank account numbers—of current and former employees and their dependents.  
  • A ransomware attack on St. Joseph’s/Candler laid bare the protected healthcare information for both staff and patients. Victims have been informed.
  • Game developer and publisher Crytek alerted its customers about an Egregor ransomware attack that occurred in October 2020. Criminals leaked the stolen personal data of customers on its leak site.
  • DeFi protocol and network Poly Network lost more than $600 million in a massive cryptocurrency heist. Hackers reportedly reversed more than $4,772,000 worth of assets in less than 24 hours. However, a majority of the funds have been returned to the firm.
  • A Chinese cyberespionage group, dubbed UNC215, impersonated Iranian threat actors to target Israeli organizations in a campaign that began in January 2019.
  • The Joplin City government paid $320,000 in ransom to a ransomware group that briefly impacted the city’s COVID-19 dashboard, online utility payments, and court functions.
  • Security researchers reported a fake version of the Briansclub[.]com carding shop that was using a similar domain to lure users. The fake website was siphoning off the funds deposited by cybercriminal users of the infamous carding shop.
  • Flashpoint experts suggest AlphaBay, which used to be the largest darknet marketplace and community, could be returning after four years of hiatus.
  • The sale of fake COVID-19 vaccine cards has ramped up on the dark web, with most of the sales from the Netherlands, Switzerland, Greece, France, and Italy.

New Threats

This week left researchers questioning the characteristics of a new malware. This newly developed malware calls itself a ransomware but has the features of a wiper. Dubbed Chaos, it may be released in the wild soon. A new smishing scam is causing quite the chaos as it is very persuasive and impersonates an international parcel delivery firm. In another boat, a malvertising campaign was found using a rebranded version of the Cinobi trojan to target Japan.  

  • SentinelOne warned against a new AdLoad malware variant that bypasses Apple's YARA signature-based XProtect built-in antivirus tech to infect macOS. The malware variant is connected with an ongoing attack campaign active since November 2020.
  • An under-construction malware Chaos is available for testing - as per the advertisements on dark web forums. While it claims to be a ransomware, Chaos is actually a wiper. 
  • A new smishing scam is mimicking the international delivery company DPD. The scam is convincing and attempts to entice victims into giving away their payment information and other personal details.
  • AllWorld Cards, a new criminal carding marketplace, is being promoted by a threat actor who published a million credit cards stolen between 2018 and 2019. As per a ransom sampling of 98 cards, 27% of them were still active.
  • IISpy, a previously undocumented backdoor, is capable of evading detection, disrupting the server’s logging in, and conducting long-term cyberespionage.
  • A new strain of the eCh0raix ransomware is targeting Synology NAS and QNAP NAS devices. Findings until June suggest that the gang has earned quite a decent amount of ransom from Small Office and Home Office (SOHO) users.
  • The Iran-linked ITG18 threat actor deployed an Android backdoor to pilfer confidential information from at least 20 Iranian reformists. The campaign was active between August 2020 and May 2021 and used LittleLooter, a previously undocumented malware.
  • A new malvertising campaign by the Water Kappa group attempts to steal the banking credentials of Japanese targets using a rebranded version of Cinobi banking trojan.
  • FlyTrap, a new Android trojan packaged under fraudulent apps, reportedly compromised Facebook accounts of more than 10,000 users in at least 144 countries since March 2021.
  • Virtual meetings, such as Zoom, Microsoft Teams, and Skype, can fall prey to an exotic attack named Glowworm. This enables threat actors to eavesdrop on confidential conversations by measuring the LED power light changes in an audio output device and converting them to audio reproductions.   


cinobi trojan
glowworm attack
conti ransomware gang
chaos malware
ech0raix ransomware
adload malware

Posted on: August 13, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.