Cyware Weekly Threat Intelligence, April 26 - 30, 2021

The Good

Emotet is no more! And we are feeling good. At least, that is one less malware to terrorize us. The cyberworld took big strides this week. A new industry task force has been formed by a broad set of stakeholders to disrupt ransomware groups. In other welcome news, a newly released framework will give NFC communications stronger privacy protections.

  • European law enforcement agencies used a customized DLL to wipe out the notorious Windows malware Emotet. The specially crafted DLL caused the malware to uninstall itself from infected machines. In addition, the FBI shared about 4.3 million email addresses stolen by Emotet with the Have I Been Pwned breach notification site so that victims can check whether they were affected.
  • The Ransomware Task Force, a coalition of more than 50 stakeholders, proposed 48 recommendations to combat ransomware attacks, including the creation of a global network of ransomware investigation hubs.
  • DARPA is testing zero-knowledge proofs, a cryptographic protocol that lets a party prove a statement is true without revealing the underlying information, for use in the vulnerability disclosure process.
  • The NFC Forum released a new framework for NFC-enabled mobile devices that will safeguard the confidentiality and privacy of NFC communications.
  • Researchers found a new method to detect fake satellite images, even the ones capable of tricking trained human eyes and advanced computer detection techniques.

The Bad

The week witnessed a flood of data breaches, whether caused by misconfigured servers or by cyberattacks. The police department in Washington, D.C., for instance, suffered an attack by the Babuk ransomware gang. Accidental data leaks have also become a major concern, with the Wyoming Department of Health inadvertently exposing the test results of hundreds of thousands of residents. On top of this, a failed ransom negotiation caused a serious problem for the Illinois Office of the Attorney General.

  • Hundreds of third-party Android contact-tracing apps were found leaking sensitive data through the API developed by Apple and Google. Through these apps, anyone could view users’ medical data.
  • Los Angeles-based Paleohacks exposed data belonging to almost 70,000 users due to a misconfigured AWS S3 bucket. The bucket included data from 2015 to 2020 and contained personally identifiable information.
  • The Wyoming Department of Health (WDH) accidentally disclosed COVID-19, flu, and breath alcohol test results of 164,000 individuals on the internet, along with their names, IDs, postal addresses, dates of birth, and dates of service.
  • DoppelPaymer ransomware operators leaked files from the Illinois Office of the Attorney General after a failed negotiation. The leaked files include information from court cases handled by the Illinois OAG, including some private documents.
  • Houston-based Gyrodata suffered a data breach leading to the leak of current and former employee data, including names, addresses, dates of birth, driver’s license numbers, social security numbers, passport numbers, and tax forms. 
  • The Washington, D.C. police department revealed that its computer network was breached and data was stolen in an attack by the Babuk ransomware gang. The threat actor posted more than 250GB of data on its site on the dark web. 
  • A set of 20 million records belonging to BigBasket users was dropped by ShinyHunters on a popular hacking forum. The attacker claimed that the data was stolen in November 2020, and includes email addresses, SHA1 hashed passwords, addresses, phone numbers, and other assorted information of users.
  • The court system for the Brazilian state of Rio Grande do Sul—Tribunal de Justiça do Estado do Rio Grande do Sul (TJRS)—suffered an attack by REvil ransomware. The attack encrypted employee files and the court systems were forced to shut down their networks.
  • Pompurin, a hacker, leaked a database containing personal and sensitive household data of over 250 million Americans. The leaked information contains full names, phone numbers, email addresses, dates of birth, marital status, gender, and physical addresses of users.
  • In yet another data leak incident, a staggering 3.28 billion passwords linked to 2.18 billion unique email addresses were exposed on a cybercrime forum. The leaked details were claimed to have been stolen from government domains across the world, including the U.S., the U.K., Australia, Brazil, and Canada.

New Threats

Just when we thought we had reached the bottom of the rocky rollercoaster of bad news, we arrived at the Mr. Toad’s Wild Ride that is this section. Far too many new threats popped up this week, and we did our best to compile them for you. Let’s start with the phishing campaigns targeting JPMorgan Chase customers. Next is a new spyware that was discovered stealing passwords and sensitive information. Finally, a cyberespionage campaign conducted by the Naikon APT group was revealed to have spanned two years.

  • A new backdoor malware named RotaJakiro, reportedly associated with the Torii botnet, is targeting Linux 64-bit systems. It uses a double encryption algorithm (a combination of AES and XOR) to evade detection.
  • The RedLine Stealer was found in another new campaign disguised as an installer of the Telegram messaging app. This stealer is commonly used by attackers to harvest user credentials.
  • The WeSteal commodity cryptocurrency stealer has been advertised on an underground forum since February 2021. The malware comes with several evasion techniques that enable its operators to silently mine cryptocurrencies, steal passwords, and disable webcam lights.
  • JPMorgan Chase Bank customers are being targeted in two new phishing scams that leverage social engineering and brand impersonation tactics to steal customers’ login credentials. 
  • Office 365 users are being targeted in a new phishing campaign. The campaign is carried out using themed emails that include a convincing SharePoint document claiming to require an email signature urgently.
  • A new cyberespionage campaign has been spotted that deployed a new backdoor called Nebulae, with activity spanning two years. The campaign was launched by the Chinese Naikon APT group and targeted military organizations in Southeast Asia.
  • A new ransomware dubbed WickrMe has been found targeting SharePoint servers as a way to reach out to victims and negotiate the ransom fee. 
  • The U.K. NCSC issued an alert about the new FluBot spyware, which can steal passwords and sensitive information. It is installed via a fake package-tracking app delivered through a text message.
  • The UNC2447 threat actor abused a zero-day flaw in SonicWall SMA 100 Series VPN appliances to deploy the new FiveHands ransomware on North American and European target networks. Patches for the flaw were released in February.


Posted on: April 30, 2021