Go to listing page

Cyware Weekly Threat Intelligence, March 28–April 01, 2022

Cyware Weekly Threat Intelligence, March 28–April 01, 2022

Share Blog Post

The Good

There is always a reason to celebrate when cybercriminals get busted. This week, the FBI dismantled a notorious cybercrime ring that stole millions of dollars from American businesses through business email compromise schemes. On a different note, we saw several positive developments in the form of international agreements on cybersecurity. For instance, Singapore and the U.S. agreed to strengthen their cooperation through a new annual cybersecurity dialogue.

  • Under “Operation Eagle Sweep,” the FBI dismantled a major cybercrime operation engaged in business email compromise schemes. Starting in September 2021, the authorities arrested 65 suspects in the United States, Nigeria, South Africa, Cambodia, and Canada.
  • The Australian government sets aside approximately $7.5 billion in funds for boosting cybersecurity and intelligence capabilities within the country.
  • A team of researchers designed a new system to tackle concerns related to invasive tracking. Dubbed Privid, the system enables video analytics in a privacy-preserving way. 
  • U.S. lawmakers proposed a new bill that would focus on strengthening the cybersecurity posture of the American healthcare and public health sector. The Healthcare Cybersecurity Act aims to enhance collaboration between the CISA and the HHS. 
  • The EU and the U.S. reached an agreement on reviving trans-Atlantic data flows deal. The deal would ensure “predictable, trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”
  • Singapore and the U.S. will be holding a yearly dialogue as part of strengthening cooperation on combating cyberthreats while promoting resilience and securing critical infrastructure.

The Bad

The healthcare sector remains a favorite target of cyberattackers. This week a health plan provider for law enforcement officials, LEHB, disclosed falling prey to a ransomware attack that lead to huge data loss. Even the education sector has come under the attackers' crosshairs as the personal data of hundreds of thousands of NYC students was leaked. While looking for new jobs, beware of getting phished as thousands of fake job offers are being circulated by scammers. 

  • The personal information of roughly 820,000 current and former New York City public school students was affected in a breach that occurred in January after threat actors gained unauthorized access to an online grading system and attendance system. 
  • Hackers are compromising WordPress sites to use visitors’ browsers as a channel to launch DDoS attacks on Ukrainian websites belonging to government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, and banking.
  • Researchers are warning against active exploitation of the Log4Shell vulnerability, to deliver backdoors and cryptocurrency miners onto vulnerable VMware Horizon servers. The campaign leverages remote monitoring software packages, Atera or Spashtop, and the Sliver backdoor.
  • A threat actor dubbed RED-LILI was linked to an ongoing large-scale supply chain attack campaign that targets the NPM package repository. Researchers found nearly 800 malicious packages that were published in the repository via a fully-automated system that enabled the attacker to bypass the verification process.
  • Threat actors have been found sending nearly 4,000 phishing emails related to fake jobs to trick victims into sharing their personal data or committing money laundering. In order to look convincing, these phishing emails include logos for corporate brandings, spoofed university addresses, Google Forms, and fake checks.
  • A ransomware attack at Shutterfly affected the personal information of its employees. The attack occurred on December 3, 2021, after which the Conti ransomware group had leaked around 7.05GB of stolen data on its site. Apart from stealing employee data, the gang had also encrypted over 4,000 devices and 120 VMware ESXi servers. 
  • Cyber attackers hacked the Ronin network of Axie Infinity, the blockchain-based game, and stole more than $620 million in cryptocurrency. They used hacked private keys to forge fake withdrawals. 
  • The Lapsus$ gang announced its return on Telegram by leaking confidential information stolen from software firm Globant. Around 70GB of source code and administrator passwords associated with the firm’s Atlassian suite, stolen by threat actors, is available on their Telegram channel. 
  • Law Enforcement Health Benefits (LEHB) disclosed a ransomware attack that occurred last year. According to the organization, attackers encrypted files on September 14, 2021. Among the files affected include the personal information of more than 85,000 users.
  • Hive ransomware gang has claimed to have stolen 850,000 PII records from Partnership HealthPlan of California (PHC). The stolen data includes names, social security numbers, and addresses of users. Around 400GB of stolen files from the healthcare organization’s server has been posted on Hive’s dark website.
  • Kaspersky unmasked North Korea state-backed hackers distributing an infected DeFi wallet for cryptocurrency assets. The campaign, possibly conducted by Lazarus, has the capability to gain full access to the targeted systems.
  • Phishers are abusing Microsoft Azure’s Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. Researchers noticed that threat actors leveraged custom branding and web hosting features to host static landing phishing pages. Each landing page automatically gets its own secure page padlock in the address bar due to the *.1.azurestaticapps.net wildcard TLS certificate.
  • Two vulnerabilities have been found affecting Rockwell Programmable Logic Controllers. They are tracked as CVE-2022-1161 and CVE-2022-1159. While the former affects numerous versions of Rockwell’s Logix Controllers, the latter impacts several versions of its Studio 5000 Logix Designer application. The flaws can allow attackers to launch Stuxnet-style attacks on PLCs.

New Threats 

The last couple of months has been a fruitful time for data wipers. We found the seventh new wiper malware of the year in a new discovery this week. Dubbed AcidRain, it is raining attacks on modems and routers. A new conversation hijacking campaign was found propagating the IcedID trojan. You have heard about conventional obfuscation; now get ready for IPfuscation. This novel tactic is being used by Hive ransomware.
  • Avast has discovered a new Remote Access Tool (RAT) that is being actively used in the wild in the Philippines. The RAT leverages an expired digital certificate belonging to the Philippines Navy to communicate on the C2 server. According to researchers, the malware used in the campaign is written in C++.
  • The SunCrypt ransomware has been updated with new capabilities to terminate processes, stop services, and clean the machine of any evidence of the ransomware infection. The ransomware variant was first updated in 2022 and is still under development. The attackers also plan to include an anti-VM feature in the ransomware in the future.
  • Hive ransomware gang is using a new IPfuscation tactic to hide its payload. Here, the threat actors hide 64-bit Windows executables inside IPv4 addresses, which eventually causes the download of the Cobalt Strike Beacon. 
  • Researchers detected a new conversation hijacking campaign that delivers the IcedID trojan onto the victim’s system. As part of the campaign, threat actors also used compromised Microsoft Exchange servers to send emails from the hijacked accounts. Organizations in the energy, healthcare, law, and pharmaceutical sectors have fallen victim to these attacks.
  • A new Transparent Tribe APT campaign targeting the Indian government and military officials has been uncovered by researchers. The campaign has been ongoing since June 2021 and uses fake domains mimicking legitimate sites to deliver Crimson RAT, a Python-based stager, and a NET-based downloader.
  • Researchers have discovered a new Wslink malware loader that runs as a server and executes modules in memory. The malware makes use of the process virtual machine as part of its obfuscation process.
  • A newly discovered malware loader, dubbed Verblecon, is being used to install cryptocurrency miners on infected machines. Despite being around for more than a year, the malware sample is able to maintain a low detection rate due to the polymorphic nature of the code. Researchers claim that cybercriminals may use the loader in the future to disseminate ransomware and even launch espionage attacks.
  • A new variant of Mars Stealer is being used widely in multiple large-scale attack campaigns. In one such campaign, threat actors were spotted using Google Ads for OpenOffice installer to distribute the malware variant. The campaign primarily targeted users in Canada. According to researchers, the new Mars variant is capable of pilfering browser auto-fill data, browser extension data, credit cards, IP address, country code, and timezone, among others. 
  • A newly discovered Python-based ransomware has been found targeting the Jupyter Notebook tool to cause significant damage to organizations. The attackers are scanning the internet for applications that are left exposed with no passwords. 
  • A new wave of Remcos RAT campaign, set around the payment remittance theme, has been observed by researchers. The emails appear to come from financial institutions and include a malicious Excel file that starts the infection chain process.
  • A Chinese hacking group Deep Panda targeted VMware Horizon servers to deploy a new rootkit called ‘Fire Chili’. The attack exploited Log4Shell vulnerability to gain initial access to networks. The rootkit enabled the attackers to evade detection on compromised systems.
  • A new information-stealing malware, named BlackGuard, is being sold on the hacking forum for a lifetime price of $700 or a subscription of $200 per month. The stealer can pilfer sensitive information from a broad range of applications, including web browsers, cryptocurrency wallets, messengers, and emails. The collected information is bundled in a ZIP file and sent to the C2 server via a POST request.
  • Researchers uncovered a new wiper malware that targets modems and routers. Dubbed AcidRain, the malware was first spotted on February 24 after a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine. The malware strikes similarities with VPNFilter.


blackguard infostealer
lazarus apt
mars stealer
malicious npm packages
ronin network
suncrypt ransomware
icedid trojan
ipfuscation tactic
remcos rat
transparent tribe apt
jupyter notebook

Posted on: April 01, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.