Go to listing page

Cyware Daily Threat Intelligence, March 11, 2022

Cyware Daily Threat Intelligence, March 11, 2022

Share Blog Post

Looks like QakBot is going Emotet’s way. The threat actors behind the prolific trojan are now hijacking legitimate email conversations to infect systems of users. The ultimate goal of the campaign is to steal as many login credentials as possible by spreading the malware across multiple email accounts.

The creators of BazarBackdoor malware have also shifted to a new malware propagation technique that involves the use of website contact forms. This new tactic is replaced with the previously used phishing emails to help the attackers to move stealthily across networks.

Meanwhile, Google’s research team has provided an update about the rise in phishing activities by Fancy Bear and Ghostwriter hacking groups in the wake of the Russia-Ukraine conflict. The update also includes that the Chinese Mustang Panda APT has switched from going after Southeast Asian targets to focusing on Europeans.

Top Breaches Reported in the Last 24 Hours

Vodafone likely targeted by Lapsus$
Vodafone disclosed that it is working with a law enforcement agency to investigate claims of a data breach made by the Lapsus$ hacking group. As per the announcement made by attackers, around 200GB of source code has been stolen from the firm.

DDoS attacks observed
SecurityScorecard identified three separate DDoS attacks that targeted Ukrainian government and financial websites. One of these attacks was launched by a new botnet dubbed Zhadnost. A majority of routers, especially those manufactured by MikroTik, were targeted by the botnet.

Update on Ghostwriter activities
Recent research by the Google research team highlights that there has been an increase in phishing activities by Fancy Bear and Ghostwriter APT groups. The update also shares that the China-based Mustang Panda has shifted its focus on European countries and is also engaged in launching DDoS attacks against Ukrainian targets.

Top Malware Reported in the Last 24 Hours

QakBot adopts a new delivery technique
Threat actors behind QakBot are leveraging hijacked email conversations to trick users into downloading the malware. Once installed on a compromised system, the attackers hunt for other email accounts and steal required usernames and passwords to further propagate their malicious intentions.

BazarBackdoor’s new delivery format
The operators of BazarBackdoor malware are now using website contact forms instead of typical phishing emails to evade detection by security software. The tactic was observed in an attack where threat actors had posed as employees at a Canadian construction company and submitted a request for a product supply quote.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed Omicron software patched
Several high-severity vulnerabilities that can be exploited to achieve remote code execution attacks were patched in the CX-Programmer software from Omicron’s CX-One automation software suite. The vulnerabilities affected versions prior to 9.76.1 of the software. These vulnerabilities were caused by the lack of proper data validation, some of which could be exploited by sending a specially crafted CXP file. The flaws have been patched in CX-Programmer 9.77.

Flaws in package managers
Multiple security vulnerabilities disclosed in popular package managers can be exploited to run arbitrary code and access sensitive information from compromised systems. The flaws affect several versions of Composer, Bundler, Bower, Poetry, Yarn, pnpm, Pip, and Pipenv. While some of the package managers have been updated to address the flaws, there are a few like Pip and Pipenv that opted not to address many of these flaws.


mustang panda apt group
qakbot trojan
ghostwriter hacking group
bazarbackdoor malware
zhadnost botnet

Posted on: March 11, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite