Cyber Intel Brief: June 16 – 22, 2022


Avos Ransomware Group Expands with New Attack Arsenal

What You Need To Know:

In a recent report, Cisco Talos details an incident involving an Avos ransomware affiliate that lasted from approximately February 7 to March 8. The initial infection vector was determined to be an “ESXi server exposed on the internet over VMWare Horizon Unified Access Gateways (UAG), which was vulnerable to the Log4Shell vulnerability.” The threat actors employed several tools, including Mimikatz, Cobalt Strike, Sliver, SoftPerfect Network Scanner, and PDQ Deploy, to deliver the ransomware. Furthermore, there was evidence that multiple threat actors had compromised the network in separate campaigns.

Threat Actors

APT ToddyCat

What You Need To Know:

Kaspersky recently observed a cluster of activity, starting in December 2020, against entities in Europe and Asia. Kaspersky is unable to link the activity to any known threat group and is referring to the unknown perpetrator as “ToddyCat.” During its investigation, Kaspersky identified two previously unknown malware families, the “Samurai backdoor” and the “Ninja Trojan.” According to Kaspersky, the activity initially targeted government organizations in Taiwan and Vietnam before February 2021. Afterwards, following the publication of the ProxyLogon vulnerability, Kaspersky identified victims in multiple countries, including India, Thailand, and the United Kingdom, amongst others.

Threat Actors

Client-Side Magecart Attacks Still Around, but More Covert

What You Need To Know:

Malwarebytes recently discovered infrastructure linked to Magecart ecommerce credit card skimmers. Magecart has also expanded its operations to target the WordPress plugin WooCommerce. Additionally, Malwarebytes discovered credit card skimmer code with anti-VM checks hosted on two previously reported domains. Since the report was published, the VM-checking code has been removed from both domains, and it is unclear why.


Resurgence of Voicemail-Themed Phishing Attacks Targeting Key Industry Verticals in US

What You Need To Know:

Zscaler recently observed a threat actor sending voicemail notification-themed emails in a recent phishing campaign, targeting organizations in “software security, US military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain.” The emails are delivered with an HTML attachment that, once clicked, redirects the recipient to a malicious website and entices them to enter their Office 365 or Outlook credentials. Additionally, each URL is formatted specifically for the targeted individual and organization.


Rise of .LNK (Shortcut File) Malware

What You Need To Know:

McAfee recently published a report covering three recent malware campaigns, detailing the tactics and techniques threat actors used to deliver .LNK files that drop Emotet, IcedID, and Qakbot on targeted victims’ devices. All three campaigns used a .LNK file combined with PowerShell, CMD, or MSHTA to drop the additional malware.
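To show the .LNK pattern from a detection standpoint, the following is an added Python example, not code from McAfee’s report or this brief: it parses a shortcut’s header and StringData per the public MS-SHLLINK layout and flags shortcuts whose target is one of the script hosts named above. The `build_lnk` helper and both samples are constructed here solely so the parser can be exercised offline.

```python
import struct

# MS-SHLLINK header: 76 bytes, CLSID 00021401-0000-0000-C000-000000000046, LinkFlags at offset 20
LNK_HEADER_SIZE, LNK_CLSID = 76, bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]   # StringData order and their LinkFlags bits
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}  # hosts chained behind the .LNK lures

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:          # skip LinkTargetIDList: 2-byte size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # skip LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:  # each present string: 2-byte character count, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut whose target is a script host, the pattern behind the Emotet, IcedID and Qakbot lures."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "")
    reasons = []
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is script host {target}")
        if "hidden" in args.lower():
            reasons.append("script host launched with a hidden window")
    return {"target": target, "arguments": args, "suspicious": bool(reasons), "reasons": reasons}

def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode .LNK with no IDList/LinkInfo (constructed test sample only, hypothetical helper)."""
    flags = 0x08 | IS_UNICODE | (0x20 if arguments else 0)
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags).ljust(LNK_HEADER_SIZE, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments) if s)
    return header + body

# Constructed samples: a shortcut chaining into PowerShell and a plain Notepad shortcut
SAMPLE_SCRIPT_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-NoProfile -WindowStyle Hidden -Command placeholder_stage2")
SAMPLE_BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe")
```

Real-world shortcuts usually also carry a LinkTargetIDList and LinkInfo, which the parser skips by their declared sizes before reading the string data.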

Social Engineering

2022 Social Engineering Report

What You Need To Know:

The 2022 Social Engineering Report from Proofpoint examines how services like Google Drive and Discord are regularly misused, how millions of messages encouraging recipients to dial certain numbers are part of attack chains, and the effectiveness of thread hijacking and other social engineering methods.

You can read the full report from Proofpoint here and the accompanying blog post here.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or remote event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

