Malware patrol selected some relevant news over the past 2 weeks. Microsoft has confirmed signing a malicious driver being distributed within gaming environments. “Netfilter,” a rootkit that was observed communicating with Chinese command-and-control (C2) IPs. Also, we observed events such as HADES ransomware operators’ continued attacks. Previously unknown financially motivated threat group using the self-proclaimed Hades ransomware variant.
For more articles, check out our #onpatrol4malware blog.
Malicious PyPI packages hijack dev devices to mine cryptocurrency
All malicious packages were published by the same account and tricked developers into downloading them thousands of times by using misspelled names of legitimate Python projects. Read more.
NIST Publishes Ransomware Guidance
Source: Info Security
The Cybersecurity Framework Profile for Ransomware Risk Management features advice on how to defend against the malware, what to do in the event of an attack, and how to recover from it. Read more.
Crackonosh: A New Malware Distributed in Cracked Software
Source: Decoded Avast
We looked into this report and others like it and have found a new malware we’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Read more.
Microsoft admits to signing rootkit malware in supply-chain fiasco
Source: Bleeping Computer
Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs. Read more.
PYSA Loves ChaChi: a New GoLang RAT
This Trojan has been used by operators of the PYSA (aka Mespinoza) ransomware as part of their toolset to attack victims globally, but most recently targeting education organizations. Read more.
Malicious spam campaigns delivering banking Trojans
Source: Secure List
In mid-March 2021, we observed two new spam campaigns. The messages in both cases were written in English and contained ZIP attachments or links to ZIP files. Read more.
HADES ransomware operators continue attacks
In March 2021, Accenture Security identified a previously unknown financially motivated threat group using the self-proclaimed Hades ransomware variant in cybercrime operations that impacted multiple victims. Read more.
Black Kingdom ransomware begins appearing on Exchange servers
CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. Read more.