Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins for critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation and remediation.

Threat Watch Feed

Unusual ‘Donald Trump’ Packer Malware Delivers RATs, Infostealers

A .NET malware packer is being used to deliver a variety of remote access trojans (RATs) and infostealers in campaigns targeting users across all sectors. Because the packer's fixed password references Donald Trump, the malware has been dubbed DTPacker. Notably, the malware both carries an embedded payload and downloads a second payload from a remote C2 server, combining a packer and a downloader in one strain. One campaign used fake Liverpool Football Club sites to trick users into downloading DTPacker.

Impact: The DTPacker malware was discovered to contain both packer and downloader functionality to target hundreds of thousands of end users.

Recommendation: Always follow best security practices when facing suspicious emails and messages. Please review the CISA Phishing Tip Sheet for more recommendations at https://www.cisa.gov/sites/default/files/publications/Cybersecurity%20Awareness%20Month%202021%20-%20Phishing%20Tip%20Sheet.pdf 

Phishing Impersonates Shipping Giant Maersk to Push STRRAT Malware

A phishing campaign is impersonating Maersk Shipping, a global shipping giant, using seemingly legitimate email addresses to lure users into installing the STRRAT remote access trojan. STRRAT is capable of faking a ransomware attack on a compromised machine to distract the user from the threat actor's real motivation, the exfiltration of data. Because the lures masquerade as routine business emails such as shipment notifications, organizations and their employees are vulnerable to this phishing campaign.

Impact: A phishing campaign is impersonating Maersk Shipping to trick employees into downloading the STRRAT malware onto their devices.

Recommendation: Be vigilant against phishing campaigns.

WordPress Plugin Flaw Puts Users of 20,000 Sites at Phishing Risk

A high-severity vulnerability, CVE-2022-0218, was found in the WordPress WP HTML Mail plugin. The plugin is installed on over 20,000 sites and is used for designing custom emails and contact form notifications. The vulnerability allows an unauthenticated actor to modify the email template to include arbitrary data, leading to code injection and the distribution of phishing emails. The security update for the vulnerability became available on January 13, 2022, with the release of version 3.1.

Impact: CVE-2022-0218, a high-severity vulnerability, is affecting the WordPress WP HTML Mail plugin by allowing threat actors to inject code and distribute phishing emails.

Recommendation: Affected users and administrators are strongly encouraged to use best security practices and immediately apply the necessary updates to mitigate any potential exploitation risk by malicious actors.

‘Anomalous’ Spyware Stealing Credentials in Industrial Firms

Researchers have observed spyware campaigns against industrial enterprises that deploy different variants of off-the-shelf spyware tools to steal email account credentials, which are then used to conduct financial fraud or sold on dark web marketplaces. Along with using different commodity malware, the threat actors evade detection by using the compromised corporate mailboxes as C2 servers for additional attacks, and they use employee credentials stolen through spear-phishing to infiltrate a network and move laterally within it. Examples of the malware deployed in the campaigns include AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot.

Impact: A spyware campaign utilizing different commodity malware is targeting industrial enterprises to steal employee credentials.

Recommendation: Always follow best security practices when facing suspicious emails and messages. Please review the CISA Phishing Tip Sheet for more recommendations at https://www.cisa.gov/sites/default/files/publications/Cybersecurity%20Awareness%20Month%202021%20-%20Phishing%20Tip%20Sheet.pdf 

New MoonBounce UEFI Malware Used by APT41 in Targeted Attacks

At the end of 2021, researchers discovered the MoonBounce Unified Extensible Firmware Interface (UEFI) malware, described as the "most advanced UEFI firmware implant found in the wild". By planting malicious code within the firmware, it evades antivirus and other security tools operating at the OS level. The new malware has been linked to a Chinese-speaking threat group based on an investigation of a compromised network in which the APT41-linked ScrambleCross malware and unique certificates from APT41's C2 servers were discovered. The group's main goal is to establish a long-term foothold within a network and exfiltrate data back to its C2 servers for cyberespionage.

Impact: With a significant increase in sophistication, MoonBounce and future UEFI malware may become a bigger threat for organizations.

Recommendation: IOCs will be distributed via the TIGR Threat Feed. To learn more, please visit https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

New BHUNT Malware Targets Crypto Wallets and Passwords

A novel modular malware, dubbed 'BHUNT', has been discovered targeting Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin crypto wallets to steal cryptocurrency, passwords, and security phrases. BHUNT is notable for its stealth: it is protected with Themida and VMProtect, virtual machine packers that obstruct researchers from reverse-engineering and analyzing the malware. The malware has been observed in multiple nations globally and has likely been delivered to compromised systems through KMSpico, a tool for illegally activating Microsoft products.

Impact: The sophisticated BHUNT malware has been observed targeting cryptocurrency wallets globally.

Recommendation: Do not install software to your device outside of a trusted app store or certified vendor. Avoid downloading pirated software, cracks, and illegitimate product activators.


Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.


Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.