Cyware Daily Threat Intelligence, November 23, 2022

Malicious mobile apps are increasingly becoming an attack vector of choice for cybercriminals. Recently, researchers came across a new campaign targeting Android users. Orchestrated by the Bahamut APT group, the campaign has been active since January and leverages trojanized versions of legitimate VPN apps. So far, eight versions of these malicious apps have been discovered, all used to distribute Bahamut spyware. Meanwhile, SharkBot was also observed infecting thousands of Android users in Italy and the U.K., posing as an antivirus app on the Google Play Store. The primary purpose of this trojan was to pilfer banking-related information stored on devices.

New changes in the ransomware threat landscape have also surfaced in the last 24 hours. While the lesser-known RansomExx has been revamped as RansomExx2 by rewriting its source code in Rust, the new Donut ransomware group has been associated with multiple double-extortion attacks that targeted several organizations.

Top Breaches Reported in the Last 24 Hours

Massive password-stealing campaign
Group-IB researchers revealed a worldwide password-stealing campaign that resulted in the compromise of over 50 million passwords in the first seven months of the year. Around 34 Telegram groups were used by threat actors to infect over 890,000 devices. Each of these groups had as many as 200 active members and tricked victims by redirecting them to fake websites under the pretext of lucky draws, lotteries, and reviews of popular games on YouTube.

AirAsia’s stolen data leaked
The Malaysian low-cost airline AirAsia had some of its data leaked by the Daixin cybercrime group, following a ransomware attack that occurred earlier this month. The gang shared two spreadsheets that appeared to include personal information of passengers and staff, including their dates of birth, birthplace, and, for some, their secret question.

Indian power grids targeted
Attackers exploited security flaws in the now-discontinued Boa web server to target Indian power grids earlier this year. The activity is believed to be the work of a previously undocumented China-based threat cluster called Group 38. While the initial infection vector used to breach the networks remains unknown, the ShadowPad implant was controlled through a network of compromised internet-facing DVR/IP camera devices.

Donut group targets multiple companies
The new Donut extortion group has been linked to recent cyberattacks on multiple companies, such as DESFA, Sheppard Robson, and the construction company Sando. The group uses custom ransomware for double-extortion attacks and encrypts specific files. Data stolen from the affected organizations is leaked on a site operated by the group.

Top Malware Reported in the Last 24 Hours

RansomExx upgraded
The RansomExx ransomware has been rewritten in Rust in an attempt to improve its evasion of detection. Dubbed RansomExx2, the variant includes functionality similar to that of its C++ predecessors. It uses the AES-256 and RSA algorithms to encrypt files on victims' systems.

Ducktail information-stealer
Researchers shared details of an ongoing Ducktail information-stealer campaign that targets users of Facebook's Ads and Business platforms. The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to extract information from the victim's Facebook account. The ultimate purpose of the campaign is to run ads from hijacked Facebook accounts for monetary gain.

SharkBot trojan returns
SharkBot returned in a new attack targeting Android users. The trojan disguised itself as an antivirus app on the Google Play Store to steal banking information from users. Other capabilities of the trojan include recording keystrokes, intercepting SMS messages, and enabling attackers to gain remote access to devices. Most of the affected devices belonged to users in Italy and the U.K.

Bahamut spyware spotted
Fake VPN apps are being used to distribute Bahamut spyware in a campaign that has been active since January. The campaign is conducted by the APT group of the same name, and its main purpose is to extract sensitive user data from devices. So far, eight versions of these malicious apps have been discovered, distributed via a website.

Top Vulnerabilities Reported in the Last 24 Hours

BMC firmware is riddled with multiple flaws
More than a dozen vulnerabilities discovered in baseboard management controller (BMC) firmware can be abused to launch remote attacks and even damage the targeted server. The affected firmware is used in IoT and OT devices from Asus, Dell, HP, Lenovo, and Nvidia. Five of these flaws can be exploited for arbitrary code execution, and two other flaws could be chained to achieve remote code execution with root privileges. Although patches have been issued to address these vulnerabilities, additional flaws were discovered during the analysis and are still being fixed.

Posted on: November 23, 2022