Go to listing page

Cyware Weekly Threat Intelligence, November 29–December 03, 2021

Cyware Weekly Threat Intelligence, November 29–December 03, 2021

Share Blog Post

The Good

As mobile devices are in the crosshairs of cybercriminals, the CISA published guidelines for businesses, which would enable them to mitigate flaws and fortify enterprise protections by enforcing best practices for enterprise-managed mobile devices. As arrests of attackers give us a boost for the entire day, here’s one for you. The INTERPOL arrested around 1,000 suspects associated with various online frauds. Additionally, U.K and Israel signed a ten-year MoU to address cybersecurity challenges.

  • The CISA released a Capacity Enhancement Guide (CEG) to help organizations mitigate threats perpetrating from enterprise-managed mobile devices and their access to enterprise resources. The guideline, furthermore, encourages organizations to implement good app security, disable radios when not in use, and employ secure communication protocols and apps. The agency also published another CEG for consumers who want to strengthen the security of their mobile devices.    
  • The U.K and Israel signed a ten-year MoU to work in tandem against cybersecurity threats and other technology-related challenges. The partnership is expected to enable the countries to lead the technological revolution. 
  • The INTERPOL confiscated over 1,000 suspects involved in different online frauds and money laundering instances. It recovered nearly $27 million from them in total. Dubbed Operation HAECHII-II, the operation lasted from June to September and involved the cooperation of specialized police units from 20 countries. 
  • Twitter permanently removed 3,465 accounts connected to governments of six countries conducting spam or manipulation campaigns. The accounts were used in eight different campaigns attributed to Russia, Mexico, Tanzania, Venezuela, Uganda, and the People’s Republic of China. 
  • The anti-money mule operation—EMMA 7—led to the arrest of 1,803 suspects and the identification of 18,000 money mules. The operation was conducted by Europol, in coordination with 26 countries, INTERPOL, Eurojust, the Fintech FinCrime Exchange, and the European Banking Federation, and lasted for roughly two and a half months. 

The Bad

Malware operators have become quite sneaky as a two-year-old campaign came to light recently. This particular malware propagation campaign leverages fake installers of popular software to lure users. The Principality of Sealand’s official website was hacked by threat actors who injected web skimmers into the website. German organizations and organizations in Germany be careful as various phishing campaigns are impersonating major banks to gain banking credentials. 

  • The Los Angeles branch of Planned Parenthood suffered a data breach that affected the personal details of 400,000 patients. The incident occurred in October after a hacker installed malware and exfiltrated personal details related to patients. While the attack involved ransomware, the group did not confirm paying any ransom.
  • Hackers stole over $120 million from multiple cryptocurrency wallets linked to the BadgerDAO DeFi platform. The hackers stole more than 2,100 Bitcoins and 151 Ethercoins from Badger user accounts. In addition to this, a lone user lost more than 900 BTC, amounting to $51 million. As Badger continues investigating the hack, it has paused all smart contracts to stop further withdrawals. 
  • A two-year-old malware distribution campaign was found targeting users across Canada, the U.S., Australia, and some EU countries. The campaign uses fake installers of popular software as bait to trick users into downloading malware on their systems. The campaign was found deploying two undocumented malware families, with an aim to make financial gains by conducting fraudulent transactions, selling stolen credentials, and gaining access to Remote Desktop. 
  • A fake Android app disguised as a housekeeping service was used to steal online banking credentials from the customers of eight Malaysian banks. The app, dubbed Cleaning Service Malaysia, was promoted through fake websites and social media accounts. Some of the victims include Maybank, RHB, Public Bank, and BSN.
  • A threat actor hacked the government site of the Principality of Sealand in an attempt to plant web skimming code. The code enabled the hackers to collect payment card and user details for anyone who bought products such as nobility titles from the micronation’s online store. The threat actor intercepted all transactions made on the site from October 12. 
  • Multiple Iranian media and social networks have fallen victim to an ongoing SMS phishing campaign that masqueraded Iranian government services. The smishing campaign relies on social engineering to trick victims into giving up their credit card details. Besides gaining payment card details, the malicious applications were used to gain access to 2FA authentication SMS and turn the victim device into a bot. 
  • DNA Diagnostic Center (DDC) disclosed a security breach that affected over 2 million individuals. The incident occurred between May and July and the firm finished its internal investigation in October. The exposed data includes full names, platform account passwords, financial account numbers, and payment card information of people. However, the testing center stated that the compromised database contained backups dating between 2004 and 2012 and is not connected to active systems and databases. 
  • Multiple high-volume campaigns are spoofing key German banks, mainly Sparkasse and Volksbank, to exfiltrate bank credentials. These campaigns targeted various industries, including German organizations and employees of foreign agencies based in Germany, and impacted hundreds of organizations. The threat actors aim to specifically collect banking branch data, PIN, and login information. 
  • A connection was spotted between Thieflock ransomware operators and Yaunluowang ransomware; both have been associated with a series of attacks against U.S. corporations. While the latter mainly focuses on financial institutions, it has also targeted firms operating in the IT services, manufacturing, engineering, and consultancy sectors. The attackers distribute BazarLoader in the reconnaissance stage of the attack.
  • IKEA was targeted in a new phishing email reply-chain attack that affected its suppliers, business partners, and other IKEA organizations. The supply retail chain firm has launched an investigation to comprehend the scope of the attack.
  • A new espionage campaign by the ScarCruft APT group (aka APT37) targeted Windows and Android devices in South Korea. The campaign was launched using a newly found malware named Chinotto. The malware is capable of exfiltrating data, taking screenshots, removing files, and recording call logs, among others. Furthermore, Chinotto developers keep constantly updating the malware to avoid detection and customize it to meet the victim’s scenario.

New Threats
There’s a Flu(Bot) going around in Finland as the country’s NCSC warned against immensely surging FluBot infections. IKEA fell victim to a one of its kind reply-chain phishing attack that has affected its suppliers and business partners. The scope of the attacks is being investigated. AT&T users are recommended to be careful as a new EwDoor botnet strain is targeting them. 

  • Emotet is now distributed via malicious Windows App Installer packages that pretend to be Adobe PDF software. This new campaign begins with stolen reply-chain emails that pretend to be replies to existing conversations. Once installed, the malware steals victims’ emails to conduct spam campaigns in the future and deploy ransomware. 
  • The new NginRAT hides on Ngnix servers to target eCommerce servers in Europe and North America. The RAT is being used to conduct server-side attacks to exfiltrate payment card data from online stores. The trojan was spotted in Europe and North America where eCommerce servers were already infected by CronRAT. NginRAT has compromised servers in France, the U.S., and Germany. 
  • The Tor2Mine malware has been updated with new evasion tactics. According to new research, the new variant includes a PowerShell script that can disable malware protection, execute the miner payload, and steal Windows administrator credentials. The malware variant also attempts to shut down anti-malware protection and install the miner code on compromised devices.
  • Finland’s NCSC warned about a severe rise in FluBot attacks for the second time this year. The banking malware is pushed via text messages sent from infected Android devices. This new spam campaign also uses a voicemail theme that asks users to open a link to listen to a message from the mobile operator. The malware was also discovered in 10,000 websites.
  • A malware campaign distributing SpyAgent malware is targeting crypto users. The malware abuses legitimate Remote Access Tools such as TeamViewer to spread the infection to different devices. The malware employs DLL sideloading attacks to hide in Windows systems. The malware is distributed via fake cryptocurrency websites where the malware dropper mimics crypto wallets. Researchers have also noticed that SpyAgent downloads additional malware such as AZORult, RedLine Stealer, Cypress, and Ducky Stealers.
  • A new version of the EwDoor botnet is targeting AT&T customers. The latest version includes more BT trackers, along with functionalities. The current version of the botnet can also launch DDoS attacks and steal sensitive data. It propagates via CVE-2017-6079, a flaw affecting EdgeMarc Enterprise Session Border Controller devices belonging to AT&T. Around 5,700 AT&T users have been affected. 
  • Mandiant researchers linked the new Sabbath ransomware group, which recently launched its own victim site, to another formerly active ransomware group named Arcane. The ransomware has already launched attacks against healthcare, education, and natural resources in the U.S. and Canada. It has been able to fly under the radar because of its continuous rebranding. 
  • Threat actors have already started exploiting the interest in the Omicron COVID-19 variant and using it as lures in a phishing campaign. The attack was detected by U.K authorities and the NHS has issued warnings. The lures are of a free Omicron PCR test that pretends to allow recipients to bypass restrictions.


dna diagnostic center ddc
thieflock ransomware
flubot trojan
twitter handles
german banks
scarcruft apt
badgerdao defi platform
2fa authentication
omicron pcr test
sabbath ransomware

Posted on: December 03, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.