Malware Patrol selected some relevant news from the past 2 weeks. Microsoft has confirmed signing a malicious driver, called “Netfilter,” that was being distributed within gaming environments; the driver is a rootkit that was observed communicating with Chinese command-and-control (C2) IPs. We also observed events such as the continued attacks of the HADES ransomware operators, a previously unknown financially motivated threat group using the self-proclaimed Hades ransomware variant.

For more articles, check out our #onpatrol4malware blog.

Malicious PyPI packages hijack dev devices to mine cryptocurrency

Source: BleepingComputer

All malicious packages were published by the same account and tricked developers into downloading them thousands of times by using misspelled names of legitimate Python projects. Read more.

NIST Publishes Ransomware Guidance

Source: Info Security

The Cybersecurity Framework Profile for Ransomware Risk Management features advice on how to defend against the malware, what to do in the event of an attack, and how to recover from it. Read more.

Crackonosh: A New Malware Distributed in Cracked Software

Source: Decoded Avast

We looked into this report and others like it and have found a new malware we’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Read more.

Microsoft admits to signing rootkit malware in supply-chain fiasco

Source: BleepingComputer

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs. Read more.

PYSA Loves ChaChi: a New GoLang RAT

Source: BlackBerry

This Trojan has been used by operators of the PYSA (aka Mespinoza) ransomware as part of their toolset to attack victims globally, but most recently targeting education organizations. Read more.

Malicious spam campaigns delivering banking Trojans

Source: Securelist

In mid-March 2021, we observed two new spam campaigns. The messages in both cases were written in English and contained ZIP attachments or links to ZIP files. Read more.

HADES ransomware operators continue attacks

Source: Accenture

In March 2021, Accenture Security identified a previously unknown financially motivated threat group using the self-proclaimed Hades ransomware variant in cybercrime operations that impacted multiple victims. Read more.

Black Kingdom ransomware begins appearing on Exchange servers

Source: CISA

CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. Read more.