Go to listing page

Cyware Weekly Threat Intelligence, July 18 - 22, 2022

Cyware Weekly Threat Intelligence,  July 18 - 22, 2022

Share Blog Post

The Good

The DOJ announced a bit of a win this week in the ongoing battle against state-sponsored ransomware campaigns. It clawed back about half a million in cryptocurrency that was paid as ransom to Maui ransomware hackers. Meanwhile, NIST has released the first draft of revised HIPAA guidelines that aims at improving the management of security risks affecting Electronic protected health information (ePHI).
  • The DOJ seized around $500,000 from state-backed North Korean hackers who use the Maui ransomware in their attacks. The amount was returned to two healthcare providers who had paid the ransom to the gang.
  • Google has officially added support for DNS-over-HTTP/3 (DoH3) in Android to keep DNS queries private. This will effectively prevent third parties from snooping on users' browsing activities.
  • The FBI has urged the Treasury Department and U.S. Securities and Exchange Commission to make changes to the procedures and regulations surrounding ransom payments and incident reporting for the victims of cyberattacks. The regulations will primarily focus on how to engage with sanctioned ransomware groups. 
  • In an effort to strengthen the security of patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry. The guidelines are currently drafted and will be regulated soon.  

The Bad

Several high-profile personalities were caught in the crosshairs of spyware campaigns. While the notorious Pegasus spyware was used to infect at least 30 Thai activists, academics, lawyers, and NGO workers, the DevilsTongue spyware was used to pilfer sensitive data from journalists in the Middle East. Web skimming attacks were also reported this week after researchers discovered over 50,000 payment card details on dark web forums. These details belonged to customers who made restaurant payments through online portals of InTouchPOS, MenuDrive, and Harbortouch. 

  • Citizen Lab found that at least 30 Thai activists, academics, lawyers, and NGO workers, were targeted by the Pegasus spyware. The observed infections took place between October 2020 and November 2021.
  • Over the last month, a crimeware group named 8220 has expanded its botnet to roughly 30,000 hosts. The group makes use of SSH brute force attacks and abuses Linux and cloud app vulnerabilities to grow its botnet.  
  • From late 2021 through the present, the TA4563 threat actor has been targeting various European financial and investment entities with the malware known as EvilNum. It is a backdoor that can be used for data theft or to load additional payloads.
  • Ukrainians were targeted by a new version of the GoMet backdoor that was first observed in March. Believed to be an act of Russian state-sponsored threat actors, the campaign leveraged fake Windows updates to distribute the backdoor. In another instance, the Russia-based Turla APT group was found distributing Android malware masquerading as an app for pro-Ukrainian hacktivists to conduct DDoS attacks.
  • Neopets, a virtual pet website, suffered a data breach that impacted the personal data of 69 million members. Reportedly, a hacker named 'TarTarX' has begun selling the source code and database for the Neopets.com website for four bitcoins.
  • Online scammers were found leveraging Google search results to perform tech support scams. In one instance, threat actors had manipulated the search results for the keyword ‘YouTube’ to redirect users to pages pretending to be security alerts from Windows Defender. 
  • Over 50,000 payment card details of customers are being sold on dark web forums. These details were stolen in two different Magecart campaigns by injecting malicious code into the online ordering portals of InTouchPOS, MenuDrive, and Harbortouch. In a similar vein, the PrestaShop website was infected with a card skimming code to pilfer shipping and billing details of users.
  • A vulnerability in the mental health app Feelyou exposed the email addresses of almost 78,000 users from 177 countries. The platform claimed that no other data has been impacted. 
  • Threat actors compromised the official website of Premint NFT and stole 314 NFTs, amounting to approximately $375,000. The attack has six primary EOAs associated with it, among which two wallets contain Bored Ape Yacht Club, Otherside, Oddities, and goblintown.wtf NFTs.
  • British jeweler Graff reportedly paid a ransom of $7.5 million, following the Conti ransomware attack in September 2021. To claim the attack, the group had published 69,000 confidential files related to 11,000 of Graff's clients.
  • The FBI issued a warning against cybercriminals distributing fake cryptocurrency investment applications to crypto enthusiasts in the U.S. They make users install fake apps and deposit funds into wallets allegedly associated with the victims' accounts. So far, cybercriminals have already pilfered roughly $42.7 million from 244 investors.
  • Belgian officials have accused Chinese state-sponsored actors of a series of cyberattacks against its interior and defense ministries. The noted Chinese groups in the report are tracked as APT27, APT30, APT31, and Gallium. 
  • Cozy Bear (APT29) was seen abusing legitimate cloud services, such as Google Drive and DropBox, to target a number of Western diplomatic missions, including foreign embassies of Portugal and Brazil. The group’s phishing technique includes a malicious HTML file, called EnvyScout, which acts as a dropper for Cobalt Strike and additional payloads.
  • Building materials giant Knauf disclosed that it was hit by Black Basta ransomware. As a result, its business operations were disrupted, forcing its global IT team to shut down all IT systems to isolate the incident.
  • LockBit affiliates are widely using server machines to spread ransomware throughout enterprise networks. The attack chain starts by abusing the Remote Desktop Protocol. 
  • PayPal and Norton were spoofed in a new ‘Double-Spear’ phishing campaign. This enabled the attackers to steal both money and personal information from users. 
  • Candiru surveillance firm’s DevilsTongue spyware made its debut in a new attack campaign that targeted journalists in the Middle East. The attack exploited a recently fixed zero-day flaw in the Chrome browser to distribute the spyware.

New Threats

Meanwhile, Roaming Mantis has shifted its focus to France. Since February, the gang has infected over ten ten thousand Android and iOS devices via Smishing attacks. There’s also an update on new malware frameworks - Redeemer ransomware builder and Lightning Framework - that are capable of infecting a wide range of devices. 

  • After hitting Germany, Taiwan, South Korea, Japan, the US, and the U.K. the Roaming Mantis has now targeted users in France. The financially motivated threat actor has compromised over ten thousand Android and iOS devices since February. 
  • CloudMensis is a new macOS malware that gathers information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures. Developed in Objective-C, the spyware uses public cloud storage services to communicate back and forth with its operators.
  • A new version of the Redeemer ransomware builder is available for free on hacker forums. The new version 2.0 is written entirely in C++ and targets Windows Vista, 7, 8, 10, and 11.
  • Lightning Framework is a new malware that targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits. The malware masquerades as the Seahorse GNOME password and encryption key manager to evade detection on infected systems.
  • A new ransomware family dubbed Luna discovered on dark web forums is capable of targeting Windows, Linux, and ESXi systems. Attributed to Russian threat actors, ransomware is still under development.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that over 1.5 million vehicles are at risk of remote attacks owing to a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers. These vulnerabilities could impact access to a vehicle's fuel supply and controller, or allow location-based surveillance of vehicles in which the device is installed.
  • A total of 53 fake apps on the Google Play Store were spotted distributing Joker, FaceStealer, and Coper malware strains. These apps posed as SMS, photo editors, blood pressure monitor, emoji keyboards, and translation apps and were downloaded over 300,000 times.
  • A newly devised air-gap attack uses Serial Advanced Technology Attachment (SATA) cables as a communication medium (wireless antenna) to transfer radio signals at the 6Hz frequency band. 
  • APT29, a group of state-backed hackers from Russia, is now leveraging cloud services, including Google Drive and DropBox, in their attacks to avoid detection. These attacks are aimed at Western diplomatic missions and foreign embassies around the world.
  • A new threat group named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army, is actively selling Cybercrime-as-a-Service on Telegram and dark web forums. The services include exclusive data leaks, distributed denial-of-service (DDoS) campaigns for hire, RDP attacks, and initial access. 


joker android malware
turla apt group
lockbit affiliates
fake cryptocurrency investment
redeemer ransomware
gomet backdoor
magecart campaign
coper malware
ta4563 threat actor
pegasus spyware
roaming mantis

Posted on: July 22, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite