By Securonix Threat Research team
Securonix Threat Labs has been continuously monitoring threats that target or leverage the crisis in Ukraine in recent weeks and has seen a significant increase in cyberthreats. Three items stand out: the MuddyWater cyber espionage campaign, the HermeticWiper destructive malware, and the Cyclops Blink malware attributed to Sandworm. The observed activity ranges from DDoS attacks on financial institutions to cyber espionage campaigns and attacks on infrastructure.
MuddyWater Targets Organisations Worldwide
(Originally Published on: February 24, 2022)
Authorities from the US and UK have released a detailed joint advisory on the latest cyber espionage campaign by MuddyWater, an actor assessed to be sponsored by the Iranian state and operating in the interests of the Ministry of Intelligence and Security (MOIS). In the current campaign the group has mainly targeted government and private-sector organisations in the telecommunications, defense, and oil and gas industries across Asia, Africa, Europe, and North America. The toolset includes several malware families, among them PowGoop, Small Sieve, Mori and POWERSTATS, but initial access still relies on the group's preferred vector, spear phishing: victims are lured into downloading a ZIP archive that contains either an Excel workbook with a malicious macro that communicates with the actor's C2 server, or a PDF that drops a malicious file onto the victim's network.
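The delivery chain described above (ZIP archive wrapping either a macro-enabled workbook or a PDF carrying a dropper) is simple to triage at the mail gateway or in a sandbox pre-filter. The script below is an added example written for this page, not Securonix code and not taken from the advisory; it uses only the Python standard library, classifies each archive member by content rather than by extension, and flags OOXML workbooks that carry a VBA project (`xl/vbaProject.bin`), legacy OLE workbooks with a `_VBA_PROJECT` stream, and PDFs that contain embedded-file or active-content tokens. The sample archive it builds is constructed for the demonstration and is not a real MuddyWater sample.

```python
"""Triage a ZIP attachment for the Excel-macro / PDF-dropper pattern.

Added example for this page (not Securonix or advisory code). Standard library only.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .xls / .doc container
MAX_MEMBER = 50 * 1024 * 1024                            # skip oversized members (zip-bomb guard)
# PDF name tokens that indicate embedded files or code execution. This is a
# heuristic on the raw bytes: tokens inside compressed object streams are missed.
PDF_SUSPICIOUS = (b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def classify(blob: bytes) -> str:
    """Identify a member by magic bytes, never by its file name."""
    if blob.startswith(b"%PDF"):
        return "pdf"
    if blob.startswith(OLE_MAGIC):
        return "ole"
    if zipfile.is_zipfile(io.BytesIO(blob)):
        return "zip"
    return "other"


def triage_zip(zip_bytes: bytes) -> list:
    """Return one finding per archive member that can carry a macro or a dropper."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            blob = outer.read(info)
            kind = classify(blob)
            reason = None
            if kind == "zip":
                # OOXML is itself a ZIP; the macro lives in xl/vbaProject.bin
                with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                    members = set(inner.namelist())
                if "xl/workbook.xml" in members and "xl/vbaProject.bin" in members:
                    reason = "Excel workbook with VBA project (xl/vbaProject.bin)"
            elif kind == "ole":
                # OLE directory entries store stream names as UTF-16LE
                if "_VBA_PROJECT".encode("utf-16-le") in blob:
                    reason = "legacy OLE workbook with VBA project stream"
            elif kind == "pdf":
                hits = [t.decode() for t in PDF_SUSPICIOUS if t in blob]
                if hits:
                    reason = "PDF with embedded/active content: " + ", ".join(hits)
            if reason:
                findings.append({"member": info.filename, "type": kind, "reason": reason})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test attachment: a macro workbook, a clean workbook and a PDF with
    an embedded file. Placeholder content only, not a real sample."""
    def ooxml(with_vba: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as wb:
            wb.writestr("[Content_Types].xml", "<Types/>")
            wb.writestr("xl/workbook.xml", "<workbook/>")
            if with_vba:
                wb.writestr("xl/vbaProject.bin", b"placeholder vba container")
        return buf.getvalue()

    pdf = (b"%PDF-1.7\n1 0 obj << /Type /Filespec /EF << /F 2 0 R >> >> endobj\n"
           b"2 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n%%EOF")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("invoice.xlsm", ooxml(True))
        outer.writestr("report.xlsx", ooxml(False))
        outer.writestr("brochure.pdf", pdf)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(f"{finding['member']}: {finding['reason']}")
```

Flagging is deliberately content-based: renaming `invoice.xlsm` to `invoice.xlsx` or `.txt` does not change the verdict, which matters because Excel opens OOXML by container content, not extension. Treat a hit as a reason to detonate or block the attachment, not as proof of maliciousness, and hand flagged workbooks to a dedicated VBA extractor for the actual macro code.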
HermeticWiper Malware Targets Ukraine
(Originally Published on: February 23, 2022)
On the evening of February 23, 2022, the State Service of Special Communication and Information Protection of Ukraine announced that a number of government and banking institutions had been hit by a massive DDoS attack. Shortly after this announcement, ESET researchers discovered a new data wiper (detected as Win32/KillDisk.NCV) deployed on machines across Ukraine with the objective of destroying data and causing business disruption. Initial analysis shows the wiper is an executable signed with a code-signing certificate, likely stolen, that was issued to the Cyprus-based company Hermetica Digital Ltd; hence the researchers named the malware 'HermeticWiper'. A valid signature therefore says nothing about intent here: defenders should treat the Hermetica Digital Ltd signer as an indicator to hunt on rather than as a reason to allow the binary.
Sandworm From Russia Uses Cyclops Blink Malware
(Originally Published on: February 23, 2022)
Authorities from the US and UK have identified a new strain of malware, dubbed Cyclops Blink, that is assessed to be the replacement for the infamous VPNFilter malware, which infected around half a million routers in 2018. The malware has been attributed to the APT group known as Sandworm, which has been formally linked to Russia's GRU and was associated with the major power outage in Ukraine in 2015. Cyclops Blink has been deployed since at least 2019; it has been infecting WatchGuard Firebox appliances made by the Seattle-based firm WatchGuard and may also be infecting SOHO routers. The advisory notes that the implant persists across reboots and the legitimate firmware update process, so affected devices need the vendor's remediation procedure rather than a simple restart.