
Cyware Weekly Threat Intelligence, March 21–25, 2022


The Good

By now, we are already aware of the despicable Lapsus$ gang and its long list of high-profile victims. However, the gang forgot to guard itself, leading to the arrest of seven of its members. Here’s to hoping that the Lapsus$ chapter will be over soon. Emsisoft introduced a free decryptor for Diavol ransomware. Victims can now rejoice as they don’t need to give in to the exorbitant demands of the threat actors by paying a ransom. 

  • Emsisoft released a free decryptor for the victims of Diavol ransomware. The FBI, in January, had linked Diavol operations to the infamous TrickBot gang. However, the cybersecurity firm cannot guarantee that the decrypted data would be identical to the one previously encrypted since the ransomware doesn’t save any information about unencrypted files.
  • Japan stepped up its cyber defenses by launching a reorganized cyber defense unit that combines previously separate cyber departments. It will protect the Japan Self-Defense Forces’ networks against perceived threats from China, North Korea, and Russia.
  • The Western Australian government announced that it will invest around $20 million to broaden the state’s cybersecurity capabilities. The improved services will promote secure data exchanges between agencies and the identification of and response to cyber threats.
  • The City of London Police claimed to have arrested seven teenage suspects related to the Lapsus$ gang. Two of the suspects are a 16-year-old living in Oxford and a 17-year-old residing in Brazil. The suspects have not been charged yet. 
  • The U.S. indicted four Russian government employees for their participation in hacking companies from the global energy sector between 2012 and 2018. The campaigns targeted thousands of systems at hundreds of organizations in approximately 135 nations. 

The Bad

Attacks against healthcare entities don’t seem to cease. A healthcare provider with 72 offices across Texas suffered a breach impacting a million Texans. Steam scams have once again gained popularity in the threat landscape. One unique Esports voting scam is currently making the rounds, targeting users of a video game digital distribution platform. The Anonymous collective has become very active and claimed Transneft, the Central Bank of Russia, and Nestlé as its victims.

  • CRM tool HubSpot has been hacked, which has led to data breaches at Swan Bitcoin, BlockFi, Circle, and NYDIG. A total of 30 clients have been affected. However, treasuries and operations remain unaffected, the companies stated. The attack was carried out by a threat actor who gained access to an employee account and targeted stakeholders in the cryptocurrency sector.
  • Omega Company, the R&D unit of Russian oil pipeline company Transneft, was hacked by the Anonymous collective. The hacktivists exfiltrated 79 GB of emails and published them on Distributed Denial of Secrets, a non-profit whistleblower leak site. In another incident, the hackers announced hacking Nestlé and stealing 10 GB of sensitive data, including company emails, passwords, and data related to business customers.
  • Texas-based Jefferson Dental and Orthodontics suffered a data breach that may have affected more than a million Texans. The attack occurred on August 9, 2021, and led to the exposure of SSNs, financial information, health insurance information, and drivers’ licenses.
  • The FBI, in coordination with the Treasury Department and FinCEN, issued a joint cybersecurity advisory warning of AvosLocker ransomware targeting multiple critical infrastructure sectors in the U.S. The RaaS affiliate-based actor has also targeted organizations in the financial services, government facilities, and critical manufacturing sectors. The threat actor’s leak site boasts of victims in the U.S., the UAE, the U.K., China, Germany, Syria, Spain, Saudi Arabia, Turkey, and Belgium.
  • Scammers are sending phishing emails to Facebook users with the subject line “Someone tried to log into your account, user ID.” The message contains two buttons, “Report the User” and “Yes, Me.” Clicking either button opens a pre-formatted email that requests additional details from the target.
  • The U.S. National Rifle Association confirmed falling victim to a ransomware attack that occurred last October. The attack affected the networks, preventing individuals from accessing email or network files.
  • Fake Esports voting sites are being used against Steam users through Steam-themed Discord channels. The scammers lure users with attractive offers and promise fictional rewards if the message recipient takes part. The messages are sent in different languages to attract more users.
  • The attackers behind RansomEXX ransomware published 12 GB of data stolen from the Scottish Association for Mental Health (SAMH). This included individuals’ driving licenses, passports, home addresses, and phone numbers. In some cases, passwords and credit card details were also affected.
  • Researchers discovered that over 5,000 QNAP NAS devices have been affected by the DeadBolt ransomware since January 26. The ransomware demands 0.03 Bitcoin in ransom to release the decryption key.
  • An unknown Chinese threat actor has been targeting betting companies in Taiwan, Hong Kong, and the Philippines. Dubbed Operation Dragon Castling, the attack exploits a vulnerability in WPS Office to plant the MulCom backdoor on targeted systems. Phishing emails are used as an initial infection vector.
  • Hundreds of malicious npm packages were used in a large-scale attack to target Microsoft Azure developers. Some of the impacted packages include @azure npm scope, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. Researchers claim that typosquatting was used to dupe developers into downloading malicious packages.
  • Threat actors are hiding Vidar malware in Microsoft Compiled HTML files to avoid detection in email spam campaigns. The campaign uses a phishing email with a generic subject line and an attachment named ‘request.doc’, which is actually an ISO disk image. The ISO image contains two files: a Microsoft Compiled HTML Help file and an executable file.
  • North Korean hackers exploited a zero-day RCE vulnerability (CVE-2022-0609) in the Chrome web browser to launch attacks against organizations in the U.S. These attack campaigns were named Operation Dream Job and Operation AppleJeus. While Operation Dream Job targeted over 250 individuals working at 10 different news media outlets, domain registrars, web hosting providers, and software vendors, Operation AppleJeus affected over 85 users in the cryptocurrency and fintech industries.
  • Accounts of some customers associated with the wealth and asset management division of Morgan Stanley have been compromised following a vishing attack. The scammers impersonated the banking firm and convinced the users to share their banking and login credentials. After successfully breaching the accounts, the scammers electronically transferred money to their own bank accounts via the Zelle payment service.
  • The IT infrastructure of Edinburgh’s 200-year-old Heriot-Watt University was severely hit by a cyberattack. It has been over a week and staff and student directories remain unavailable. The university stated that no data has been stolen.
  • Hackers knocked the website of the U.K. Ministry of Defence offline. The Army, which has resorted to using paper systems, has declared a cyber emergency and enacted Op Rhodes. The number of affected candidates is somewhere between 125 and 150, and some recruits’ data was offered for sale for 1 Bitcoin on the dark web.
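The Vidar item above hinges on an attachment whose name (‘request.doc’) does not match its real format (an ISO image carrying a CHM file and an executable). A mail gateway or triage script can catch that class of lure by comparing the claimed extension with the file’s magic number. The following is an added example written for this briefing, not code from Cyware or from the researchers cited; the signature table covers only the formats relevant here, and the sample attachments (including the minimal ISO image with its primary volume descriptor) are constructed inline.

```python
"""Attachment triage: flag files whose extension disagrees with their real format."""
import os

# (format name, byte offset, signature). Offsets/signatures are the published
# magic numbers for each format; the list is deliberately limited to formats
# that matter for the ISO/CHM/EXE lure described above.
SIGNATURES = [
    ("ISO 9660 disk image", 0x8001, b"CD001"),                    # sector 16 volume descriptor
    ("Microsoft CHM help file", 0, b"ITSF"),
    ("OLE2 compound document (legacy .doc/.xls)", 0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    ("ZIP archive (.docx/.xlsx and friends)", 0, b"PK\x03\x04"),
    ("Windows PE executable", 0, b"MZ"),
]

# What a given extension is supposed to contain.
EXPECTED = {
    ".doc": "OLE2 compound document (legacy .doc/.xls)",
    ".docx": "ZIP archive (.docx/.xlsx and friends)",
    ".iso": "ISO 9660 disk image",
    ".chm": "Microsoft CHM help file",
    ".exe": "Windows PE executable",
}

# Container/executable formats that should never arrive as an email attachment
# in this policy, regardless of extension.
BLOCKED_FORMATS = {"ISO 9660 disk image", "Microsoft CHM help file", "Windows PE executable"}


def detect_format(data: bytes) -> str:
    """Return the first format whose signature appears at its expected offset."""
    for name, offset, sig in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return name
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare claimed extension with detected format and return a verdict."""
    ext = os.path.splitext(filename)[1].lower()
    detected = detect_format(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and detected != expected
    return {
        "file": filename,
        "detected": detected,
        "expected": expected,
        "mismatch": mismatch,
        "block": mismatch or detected in BLOCKED_FORMATS,
    }


def make_fake_iso() -> bytes:
    """Constructed sample: the smallest buffer that looks like an ISO 9660 image.

    Bytes 0..0x7FFF are the unused system area; sector 16 holds the primary
    volume descriptor (type 1) followed by the 'CD001' identifier.
    """
    img = bytearray(0x8000 + 2048)
    img[0x8000] = 1
    img[0x8001:0x8006] = b"CD001"
    return bytes(img)


# Constructed sample attachments, modelled on the lure in the briefing.
SAMPLES = {
    "request.doc": make_fake_iso(),                        # ISO disguised as a Word file
    "quarterly.docx": b"PK\x03\x04" + b"\x00" * 28,        # genuine-looking OOXML
    "manual.chm": b"ITSF" + b"\x00" * 60,                  # CHM with honest extension
}


def blocked_attachments(samples: dict = SAMPLES) -> list:
    """Names of attachments the policy would hold for review."""
    return sorted(name for name, data in samples.items() if triage(name, data)["block"])


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

The check is cheap enough to run on every attachment before any content scanning, and the mismatch signal (a ‘.doc’ that is really an ISO) is a stronger indicator than the extension alone. Note that a genuine legacy .doc is an OLE2 file, so a matching extension still passes.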
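The npm item above describes typosquatting against the @azure, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang package families. A defender-side check that a CI pipeline can run against a project’s package.json is to compare every dependency name with an allowlist of trusted packages and flag near misses. The example below is added here and is not code from Cyware or from the researchers who found the packages; the allowlist, the edit-distance threshold, and the sample package.json are constructed for illustration, and the example goes slightly beyond the bullet by also flagging an unscoped name that reuses a trusted scoped package’s base name.

```python
"""Audit package.json dependencies for typosquatted or scope-confused names."""
import json

# Constructed allowlist for the example. In practice this is the set of
# packages a team has actually reviewed and approved.
TRUSTED = {
    "@azure/core-http",
    "@azure/identity",
    "@azure-rest/core-client",
    "@azure-tools/typespec-autorest",
    "@cadl-lang/compiler",
    "lodash",
    "express",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_scope(name: str):
    """'@scope/pkg' -> ('@scope', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, base = name.split("/", 1)
        return scope, base
    return None, name


def audit(package_json: str, trusted=TRUSTED, max_distance: int = 2) -> list:
    """Return (name, kind, related_trusted_name) findings for suspicious deps.

    kinds:
      lookalike        - within max_distance edits of a trusted name
      scope-confusion  - same base name as a trusted scoped package, other scope
      not-in-allowlist - unknown package; needs review, not necessarily malicious
    """
    doc = json.loads(package_json)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(doc.get(key, {}))

    trusted_by_base = {}
    for t in trusted:
        trusted_by_base.setdefault(split_scope(t)[1], set()).add(t)

    findings = []
    for name in deps:
        if name in trusted:
            continue
        _, base = split_scope(name)
        confusable = trusted_by_base.get(base, set())
        for t in sorted(confusable):
            findings.append((name, "scope-confusion", t))
        near = sorted(t for t in trusted if 0 < levenshtein(name, t) <= max_distance)
        for t in near:
            findings.append((name, "lookalike", t))
        if not near and not confusable:
            findings.append((name, "not-in-allowlist", None))
    return findings


# Constructed package.json: one typo ('core-htpp'), one unscoped lookalike of a
# scoped package, one genuinely unreviewed package, and two trusted ones.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "@azure/identity": "^2.0.0",
    "@azure/core-htpp": "^2.2.0",
    "core-http": "^1.0.0",
    "lodash": "^4.17.21"
  },
  "devDependencies": {
    "typescript": "^4.6.0"
  }
}"""


if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKAGE_JSON):
        print(finding)
```

Running this as a pre-install gate fails the build on any lookalike or scope-confusion finding, while not-in-allowlist results are routed to a human review queue so that the allowlist can grow. The distance threshold of 2 is a starting point; short package names benefit from a threshold of 1 to keep false positives down.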

New Threats

The South Korean DarkHotel gang resurfaced in a new campaign targeting luxury resorts in China. It pretended to be the Macau Government Tourism Office. A new backdoor, dubbed Serpent, was found slithering into the systems of French entities via the Chocolatey package installer. There’s a new phishing technique in town, named browser-in-the-browser, which can mimic a legitimate domain to pilfer credentials. 

  • A new attack campaign by the South Korea-based DarkHotel hacking gang has been targeting luxury resorts in Macau, China. The campaign started in December 2021 and continued until January this year. Two of the hotels targeted include the Grand Coloane Resort and the Wynn Palace, both 5-star hotels. The group had sent phishing emails to 17 hotels on December 7, 2021, from an address pretending to be from the Macao Government Tourism Office.
  • French entities in the real estate, construction, and government sectors were attacked via macro-enabled Microsoft Word documents propagating the open-source Chocolatey package installer. The installer, in turn, was used to deliver a backdoor called Serpent. The backdoor is capable of enabling remote administration, data theft, C2, and delivering other payloads.
  • Arid Gopher is a newly spotted malware attributed to APT-C-23 (Arid Viper). The malware is a variant of the Micropsia malware, used previously by APT-C-23. The malware, which is still under development, is distributed via a fake Microsoft Word document that pretends to contain sections from an academic publication regarding financial investments.
  • A new BitRAT malware campaign is leveraging illegal cracking tools for Windows 10 license verification. The campaign targets users looking to activate pirated Windows OS versions for free on webhards. The malicious file, named ‘W10DigitalActiviation.exe’, pretends to offer a free version of Windows 10. Instead, the file downloads the malware from a hardcoded C2 server operated by the threat actor.
  • A new phishing technique called Browser-in-the-Browser (BitB) attack can be used to spoof a legitimate domain and steal Google, Facebook, and Microsoft credentials. The attack takes advantage of third-party SSO options embedded on websites that open popup windows for authentication.
  • A newly discovered macOS malware called GIMMICK has been attributed to the Storm Cloud Chinese espionage threat actor group. While the macOS variant is written in Objective-C, the Windows versions are written in both .NET and Delphi. Researchers discovered the sample in a campaign that compromised a MacBook Pro running macOS 11.6.
  • A new variant of PlugX RAT, named Hodur, is being used by Mustang Panda in an ongoing attack campaign. Most of the victims are located in East and Southeast Asia, with a few in Europe and Africa. The malware is distributed via decoy documents that contain information about ongoing events in Europe and the war in Ukraine.
  • CERT-UA has issued an advisory about a new DoubleZero wiper malware that is targeting Ukrainian organizations. The malware has been actively used since March 17 and is launched via spear-phishing emails. DoubleZero overwrites file contents with 4096-byte blocks of zeros, or destroys them using the NtFileOpen and NtfsControlFile API calls.
  • A new wave of JSSLoader infections has been observed this year. Attackers are using XLL files to deliver the malware. The file is distributed as an Excel attachment through emails.
  • Researchers uncovered a new campaign that seeks to distribute malicious Android and iOS apps posing as popular cryptocurrency wallets. The campaign is believed to have been active since May 2021. So far, the apps have managed to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, TrustWallet, Bitpie, TokenPocket, and OneKey. A majority of the users affected by the campaign are in China.


Posted on: March 25, 2022
