
Cyware Weekly Threat Intelligence, June 21–25, 2021


The Good

With a fresh cup of coffee, we would like to present to you all the good that happened in the cybersecurity world this week. The NSA is funding the development of the D3FEND framework to help cybersecurity professionals bolster their defenses. Google has launched a vulnerability interchange schema that would strengthen open-source security.

  • The NSA announced it is funding the development and release of the D3FEND framework to help security professionals tailor their defenses against specific security threats.
  • The U.S. state of Colorado's Senate unanimously approved the Colorado Privacy Act to safeguard the personal information of state residents.
  • The NSA released guidance to help organizations secure their Unified Communications and VVoIP call processing systems.
  • Google introduced a vulnerability interchange schema with the aim of fortifying open-source security. This new schema will address some major problems with managing open-source vulnerabilities.


The Bad

The arrests of Cl0p ransomware gang members came as a breath of fresh air while the ransomware crisis keeps spiraling. However, the gang kept leaking sensitive information, and that has us worried. We came across a cryptojacking campaign that ran for three long years and made its operators very rich. A nuclear research institute suffered an attack by the Kimsuky threat actor. Data stolen in the City of Tulsa attack was released publicly by cybercriminals.

  • The REvil ransomware has been held responsible for the attacks on Brazil-based Grupo Fleury and France-based FCUK.
  • A campaign is propagating the Agent Tesla trojan and starts with phishing emails that pretend to be from DHL or Alpha Trans. The threat actor was observed using Windows Imaging Format (WIM) attachments for distribution.
  • Following the ransomware attack on the City of Tulsa in May, the attackers posted more than 18,000 stolen files, including police citations and internal department files on the dark web. These files included names, dates of birth, addresses, and driver’s license numbers.
  • The Cl0p ransomware gang has published the list of new victims and their data on its data leak site. This implies that the people arrested by the police in the name of the Cl0p ransomware gang were not members of the core team.
  • Microsoft has traced a phishing campaign that distributes BazarCall malware. The campaign uses emails that lure recipients to call on a number to cancel their subscription to a certain service.
  • During a maintenance operation, the Asia Pacific Network Information Centre (APNIC) inadvertently left a portion of its Whois SQL database exposed. The data was exposed for three months.
  • The Ragnar Locker ransomware hit Taiwan-based memory and storage manufacturer ADATA and made more than 700GB of archived stolen data public.
  • DirtyMoe, known for cryptomining and DDoS attacks, has infected over 100,000 Windows systems, according to researchers. The initial infection process relies on spam emails to lure users to malicious sites hosting an exploit kit named PurpleFox.
  • The South Korean Atomic Energy Research Institute (KAERI) has confirmed a cyberattack from the Kimsuky threat actor group. The adversary had exploited a vulnerability in the VPN system used within the research institute’s environment to enter into the network.
  • The operator of a malware, named Crackonosh, was found to have made more than 9,000 Monero coins after compromising 222,000 Windows computers since 2018. The malware was hidden inside pirated and cracked copies of popular software.


New Threats

One of the most notorious ransomware operations, REvil, got an update. Three of its Tor domains have been found to date. Talking about malware variants, the IcedID banking trojan is back in a new variant, with a shiny new downloader. The PYSA ransomware gang has come onto the scene with a new trojan, which is targeting schools in the U.S.

  • A new Ursnif trojan variant is being used in the wild to target online banking users in Italy. As a part of the attack, the trojan infects mobile devices with the Cerberus malware.
  • A new strain of REvil ransomware called LV ransomware is believed to be a work of GOLD NORTHFIELD and uses CRC32 hash to encrypt files. Three ransom payment Tor domains used by the LV gang have been discovered by security experts.
  • A new ChaChi trojan is being used as a critical part of ransomware operations targeting government organizations and schools in the U.S. The trojan is linked to the PYSA ransomware gang.
  • A newly discovered Ever101 ransomware targeted an Israeli computer firm and encrypted its devices. When encrypting files, the ransomware appends the .ever101 extension and later drops a ransom note named !=READMY=!.txt.
  • A new variant of Agent Tesla RAT has been uncovered in a new phishing email campaign that used COVID-19 vaccination as a lure. Once executed, the malware collects credentials and other sensitive data.
  • A Linux version of DarkSide RaaS being promoted on the XSS hacking forum is now targeting ESXi servers. Written in C++, the malware collects system information before encrypting files using the ChaCha20 and RSA-4096 algorithms.
  • The new DarkRadiation ransomware has been found targeting Linux and Docker cloud containers, while banking on Telegram messaging service for C2 communications.
  • The sLoad (also known as Starslord) loader has been spotted in a new cyberespionage campaign targeting users in Europe. The final payloads of the downloader include the Ramnit and Trickbot trojans.
  • A new strain of IcedID banking trojan has been found in two new spam campaigns. This strain has been equipped with a new downloader.
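The Ever101 item above gives two file-system indicators a defender can sweep for: the .ever101 extension appended to encrypted files and the ransom note named !=READMY=!.txt. The following is an added example written for this digest, not Cyware's code or anything published by the researchers who reported Ever101; the indicator strings come from the item above, while the directory layout, the triage thresholds and the function names are assumptions made for the demonstration. It walks a tree, collects matches, and ranks the host so an incident responder can prioritise which file shares to isolate first.

```python
"""Sweep a directory tree for the Ever101 file-system indicators reported in
the digest (added example, not the digest's own code)."""
import os
import tempfile
from pathlib import Path

# Indicator values as stated in the digest item on Ever101.
ENCRYPTED_EXTENSION = ".ever101"
RANSOM_NOTE_NAME = "!=READMY=!.txt"


def scan_for_ever101_indicators(root):
    """Walk `root` and return the paths that match either indicator.

    'encrypted' holds files whose name ends in .ever101; 'notes' holds files
    whose name is exactly the ransom note. Matching is by name only, so a
    hit is a reason to isolate and investigate, not proof on its own.
    """
    findings = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                findings["notes"].append(path)
            elif name.lower().endswith(ENCRYPTED_EXTENSION):
                findings["encrypted"].append(path)
    return findings


def triage(findings, encrypted_threshold=3):
    """Rank a scan result for response prioritisation.

    Thresholds are assumptions for this example: any ransom note is treated
    as 'critical'; a run of renamed files without a note is 'suspicious'
    (encryption may still be in progress); otherwise 'clear'.
    """
    if findings["notes"]:
        return "critical"
    if len(findings["encrypted"]) >= encrypted_threshold:
        return "suspicious"
    if findings["encrypted"]:
        return "review"
    return "clear"


def build_constructed_sample(infected=True):
    """Create a throwaway tree that mimics a file share; returns its path.

    Everything written here is constructed for the demo: the file names,
    the 'opaque' bodies standing in for ciphertext, and the note contents.
    """
    root = tempfile.mkdtemp(prefix="ever101_demo_")
    finance = os.path.join(root, "shares", "finance")
    os.makedirs(finance)
    for name in ("budget.xlsx", "notes.txt"):          # benign files
        Path(finance, name).write_text("benign")
    if infected:
        for name in ("budget.xlsx.ever101", "q2.docx.ever101"):
            Path(finance, name).write_text("opaque")   # constructed ciphertext
        Path(root, "shares", "archive.zip.ever101").write_text("opaque")
        Path(finance, RANSOM_NOTE_NAME).write_text("constructed demo note")
        Path(root, RANSOM_NOTE_NAME).write_text("constructed demo note")
    return root


if __name__ == "__main__":
    for infected in (True, False):
        sample = build_constructed_sample(infected)
        result = scan_for_ever101_indicators(sample)
        print(f"infected={infected}: {len(result['encrypted'])} encrypted, "
              f"{len(result['notes'])} notes -> {triage(result)}")
```

The scan deliberately keys on the ransom note by exact name and on the extension by suffix: ransomware families usually rename files consistently, so a handful of renamed files on a share is an early signal worth acting on even before the note appears.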


Tags

kaeri
chachi trojan
linux malware
starslord loader
dirtymoe malware
lv ransomware
crackonosh
cl0p ransomware gang
darkradiation ransomware

Posted on: June 26, 2021
