Cyware Weekly Threat Intelligence, March 15 - 19, 2021

The Good

This week, we have an important update in the response to the recent supply chain hacks. The CISA released a forensics collection tool, named CHIRP, to help identify malicious activity connected to the SolarWinds attack. In other news, the TIA published a white paper detailing supply chain security standards for the telecommunications industry.

Now, the pièce de résistance. Raise your glasses to make a toast as we have a piece of terrific news for you. Cyware, the industry’s only Virtual Cyber Fusion platform provider, raised $30 million in Series B funding, led by Advent International and Ten Eleven Ventures. And the best part is that we closed this round within just seven months of the previous one.

  • The Spanish Police confiscated servers and arrested the developers of Mobdro, an Android app that turned infected smartphones into proxies and enrolled them in DDoS botnets.
  • The U.S. Department of Justice (DOJ) indicted a Swiss national for attacking more than 100 organizations and publishing their proprietary information on a website. The hacked companies include Verkada, Intel Corp, and Nissan Motor Co.
  • The CISA released a new tool to identify post-compromise malicious activity related to the SolarWinds hack. Named CISA Hunt and Incident Response Program (CHIRP), the Python-based forensics collection tool is designed for Windows.
  • The Telecommunications Industry Association (TIA) published a new white paper on SCS 9001, the first process-based supply chain security standard for the ICT industry. The new standard will be released later this year.

The Bad

Just because today’s newsletter has brought along a hoard of good news does not mean we are free from the kerfuffle caused by cyberattacks. More SolarWinds news: Mimecast confirmed falling victim to the attack and losing some of its source code to the hackers. The now-defunct data leak site WeLeakInfo got the information of its own customers leaked. Pretty ironic, no?

  • Security agencies were found leaking troves of sensitive data in a major security lapse. The exposed data includes document author names, author email addresses, operating system and device details, file path information, and the name of the PDF application used.
  • Around 103GB worth of data belonging to New Jersey-based Descartes Aljex Software was left exposed due to a misconfigured AWS S3 bucket. This affected more than 4,000 people, including customers, company employees, sales reps, and people working for third parties.
  • Mimecast revealed that the SolarWinds attackers broke into its internal network and downloaded source code from a limited number of repositories. The attackers also gained access to a subset of email addresses, salted and hashed credentials, and contact information.
  • A threat actor leaked data, including customer and payment information, from the WeLeakInfo data breach site and published it on another hacker forum, RaidForums.
  • Two cryptocurrency portals, Cream Finance and PancakeSwap, are currently dealing with DNS hijacking attacks that redirect visitors to fake versions of their websites. The crooks attempted to collect seed phrases and private keys from visitors to gain access to wallets and steal their funds.
  • The Canada Revenue Agency locked more than 800,000 taxpayers out of its platform on Saturday after it detected unauthorized third-party access. The attackers had obtained access to usernames and passwords.
  • The infamous China Chopper web shell has been detected in Exchange Server-related attacks, alongside DearCry ransomware deployment. The web shell is one of the tools used by the Hafnium threat actor group.
  • Around 20 popular travel apps are at risk of exposing data due to several misconfiguration issues. These are mainly booking and ride-sharing apps. The data that could be exposed includes bank account numbers, phone numbers, home addresses, credit card details, healthcare data, and dates of birth.

New Threats

So, what do we have here? This week handed us a new botnet that takes after the infamous Mirai. A new espionage campaign has come to light and is attributed to the RedDelta threat actor. In other news, a malware crypter has been identified that has been in use by 30 hacker groups! More news below.

  • ZHtrap is a new IoT botnet that inherits functionalities from the infamous Mirai botnet. The botnet works by exploiting vulnerabilities in DVRs, CCTV cameras, Netgear routers, and Realtek devices.
  • An investigation reveals that the Satori botnet has added a new exploit that abuses a remote command execution vulnerability (CVE-2020-9020) in Iteris Vantage Velocity field unit versions 2.3.1, 2.4.2, and 3.0.
  • A phishing campaign that impersonates the IRS has been spotted distributing the Dridex banking trojan. The email uses the agency’s official logo and a spoofed sender domain of IRS[.]gov that claims to offer an application for financial assistance.
  • Researchers have analyzed an active campaign that targets U.S. taxpayers with an intent to spread NetWire and Remcos trojans. The campaign leverages the U.S. tax season to lure victims. 
  • XcodeSpy is a new malware that targets Xcode projects used in macOS for developing Apple software and applications. The ultimate goal of the malware is to spread custom EggShell backdoors. So far, two variants of EggShell have been detected, one of which shared an encrypted string with XcodeSpy.
  • Threat actors are using Google Ads to distribute a fake version of the Telegram desktop app. Three links spoofing Telegram’s website have been detected so far. One of these sites was used to spread AZORult trojan.
  • Security researchers have discovered a new steganography technique that hides data inside a PNG image file posted on Twitter. Threat actors can exploit the method to obscure their nefarious activities on social media platforms.
  • An espionage campaign dubbed Operation Diànxùn has been identified by the McAfee Advanced Threat Research Strategic Intelligence team. The attack tactics match those of the RedDelta and Mustang Panda threat actors. The campaign is actively targeting telecommunication firms, and the goal is suspected to be gaining access to covert information related to 5G technology.
  • Researchers have discovered that more than 30 hacker groups have been using a malware crypter dubbed OnionCrypter. Written in C++, the crypter applies three layers of encryption. Known malware that has used OnionCrypter includes Lokibot, Zeus, AgentTesla, and Smokeloader.
  • CopperStealer is an actively developed password and cookie stealer that targets the users of major service providers including Google, Facebook, Amazon, and Apple. The threat actors behind the malware are using compromised accounts to run malicious ads and deliver additional malware in subsequent malvertising campaigns. CopperStealer shares targeting and delivery methods with the SilentFade malware.

Posted on: March 19, 2021