Weekly Cyber-Intelligence Report – ICSS - 25 Apr 2021

Lazarus Group uses a new technique to deliver RAT

  • Attack Type: Phishing, Malware Implant
  • Target Industry: Multiple
  • Target Geography: South Korea
  • Target Technology: Microsoft Windows
  • Objective: Payload Delivery, Defence Evasion, Data Obfuscation, Data Exfiltration
  • Business Impact: Data Leak, Operational Disruption, Financial

The North Korean threat actor Lazarus Group has employed new techniques and custom toolsets to make its campaigns more effective. Phishing emails carrying Korean-themed malicious documents remain the effective weapon in these attacks. The document's macro calls an HTA file that is stored zlib-compressed inside a Portable Network Graphics (PNG) image; the macro converts the PNG into a decompressed BMP file, which evades detection by security solutions. The HTA then drops the RAT loader (stored as “AppStore.exe”).

The threat actors have advanced their phishing attacks by improving their operational capabilities, hiding the malicious objects so that security controls do not detect them. The exfiltrated data can be sold, which in turn can cause considerable financial and reputational loss for the organization. Researchers found an encryption algorithm similar to the one used by the BISTROMATH RAT, and code similarities with known Lazarus malware families, including Destover.
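The PNG-to-BMP trick described above works because a PNG's pixel data (the IDAT chunks) is itself a zlib stream: converting to BMP inflates it, so any text stored in the pixel bytes reappears in the clear. As an added detection example (not code from the report or from the researchers it cites), the Python helper below performs that inflation statically, strips the per-scanline filter bytes, and flags HTA/script markers; the sample PNG builder and the marker list are constructed here for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel
# Constructed marker list: text that has no business inside decompressed pixel data.
SUSPICIOUS_MARKERS = (b"<hta:application", b"<script", b"createobject(")

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_png(payload: bytes, width: int = 64) -> bytes:
    """Constructed sample (not the real Lazarus file): an 8-bit greyscale PNG
    whose pixel bytes are `payload`, so the text exists only inside the zlib IDAT stream."""
    rows = [payload[i:i + width].ljust(width, b"\x00") for i in range(0, len(payload), width)]
    raw = b"".join(b"\x00" + r for r in rows)  # filter type 0 leads each scanline
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")

def png_chunks(data: bytes):
    """Walk the chunk list, yielding (type, body); stops at IEND or on truncation."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IEND":
            break

def scan_png(data: bytes) -> list:
    """Statically do what the macro's PNG->BMP conversion does (inflate IDAT),
    drop the per-scanline filter bytes, and report any script markers found."""
    ihdr, idat = b"", b""
    for ctype, body in png_chunks(data):
        if ctype == b"IHDR":
            ihdr = body
        elif ctype == b"IDAT":
            idat += body  # IDAT may be split across several chunks
    width, _height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    stride = 1 + (width * CHANNELS.get(colour, 1) * depth + 7) // 8
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        return ["corrupt-idat"]
    body = b"".join(pixels[i + 1:i + stride] for i in range(0, len(pixels), stride)).lower()
    return [m.decode() for m in SUSPICIOUS_MARKERS if m in body]
```

Run it over image attachments extracted from mail or document macros; a real picture yields an empty list, while an image carrying HTA text yields the markers found.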

Hackers from Russian Secret Service Ramp Up Cyberattacks in Ukraine Amid Fear of War

The campaign started in January and continued until mid-March, coinciding with the escalation between the two nations. Researchers were unable to identify the exact reason for the campaign; a possible explanation is thought to lie in the remote template domains used in the campaign.

The Ukrainian National Security and Defense Council has alerted its government officials to potential cyber-attacks.

Tick APT Is Linked to Chinese Military, Japanese Local Media Report Citing the Police

According to Japanese local media outlets citing the Japanese Police, the Tick APT group is linked to the Chinese military. The police reports cite unidentified sources about two Chinese nationals who used fake IDs to register their web servers between 2016 and 2017; these IDs were used by the Chinese hacker group Tick.

The Tick APT group has gained unauthorized access to the networks of several organisations, usually associated with critical infrastructure, heavy industry, manufacturing, and international relations. The group is known to use custom malware, also called Daserf, alongside multiple commodity and custom tools. It also exploits vulnerabilities, uses social engineering techniques, and is involved in spear-phishing and watering hole attacks.

The group has demonstrated the ability to identify vulnerabilities in SKYSEA Client View, a popular Japanese corporate tool, and has used scan-and-exploit techniques to compromise Japanese Internet-facing enterprise systems.


  • Researchers Flag More Cyber Attacks on COVID-19 Vaccine Infrastructure.

Organizations involved in the transportation, warehousing, storage, and distribution of the COVID-19 vaccine are under attack. Threat actors began sending spear-phishing emails before any COVID-19 vaccine variant had been approved.


  • Latest Cyber-Attacks, Incidents, and Breaches – WhatsApp Pink Malware Spreading through Group Chats
  • Attack Type: Social Engineering, Malware Implant
  • Target Industry: Social Media
  • Target Geography: Multiple
  • Target Technology: WhatsApp
  • Objective: Unauthorized Access, Data Theft
  • Business Impact: Data Loss, Financial Loss

Researchers disclosed that hackers have started using a new technique to target WhatsApp users: they prompt users to turn the application theme pink, along with certain “new features”, which enables the hackers to access the user's device remotely. The app impersonates an official update from WhatsApp. Researchers also highlight that the link is spread via WhatsApp groups with #WhatsappPink, leading to an APK download.

A counterfeit app is designed to impersonate some of the most trusted brands, and rogue mobile apps have become a constant problem for many businesses. App stores are trying to protect their users from such malicious apps, but increased digitization and wider social media reach have made it easier to manipulate users into installing rogue mobile apps. Multiple distributed Android malware samples were detected in connection with Triangulum and HeXaGon Dev, with threats including crypto miners, keyloggers, sophisticated P2P (phone-to-phone) malware, and mobile RATs.


  • Vulnerabilities and Exploits – Pulse Connect Secure Vulnerabilities Expose VPN Solutions to Attackers
  • Target Industry: Defense and others
  • Target Geography: US
  • Target Technology: Pulse Connect Secure
  • Vulnerabilities: CVE-2021-22893 (CVSS Base Score: 10)
  • Vulnerability Type: Authentication Bypass, Remote Code Execution (RCE)
  • Impact: Confidentiality (High), Integrity (High), Availability (High)
  • Suspected Threat Actor: Keyhole Panda, UNC2630, UNC2717

Researchers also highlighted that the ongoing exploitation is state-sponsored. Twelve different malware families were tracked, with Keyhole Panda, UNC2630 and UNC2717 among the actors named. The vulnerabilities exploited included CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243; CVE-2021-22893 was a newly detected flaw. Cybercriminals are targeting pre-existing vulnerabilities in VPN solutions.

Looking for the best Cyber Security Service providers?

Since the global pandemic, there has been a rise in economic uncertainty, and also a rise in cyber security attacks. Cyber crime organisations have taken these into consideration and have been looking to avoid such incidents by educating people not to fall for phishing activities. As many links that look genuine can also lead to devastating outcomes such as a data breach, there is a clear need today to improve the security infrastructure of organisations.

Indian Cyber Security Solutions has been working with the aim of providing Hack Free security services to organisations. We offer services such as Web Application Penetration Testing, Mobile Penetration Testing and Network Penetration Testing.

Why choose us?

  • Cyber Insurance - 70% of the project cost will be paid back to the client if any cybersecurity incident is recorded and proved on the same scope of work where ICSS had performed the VAPT.
  • VA & PT - ICSS performs both VA (Vulnerability Assessment) and PT (Penetration Testing) for all clients.
  • Non-Disclosure Agreement - This agreement states that if any critical data of the client is exposed, tampered with or used for any promotional activity without the client's written consent, ICSS will be held responsible and can be sued in a court of law. ICSS signs an NDA with every client before the audit / VAPT.
  • Zero False Positive Report - ICSS performs manual testing alongside tool-based testing, which reduces false positives and maximizes accurate identification of critical-level vulnerabilities.

With its achievements in corporate services, Indian Cyber Security Solutions has been acknowledged by Business Connect India as one of the "Top 20 Tech Brands of 2021". It is an organization aiding technology-based risk management and cybersecurity solutions across the globe, and a unit of GreenFellow IT Security Solutions Pvt Ltd striving to deliver optimum cybersecurity solutions to government and private enterprises all over the world. The company has served over 200 clients with its diligence and efforts, and aims to provide Vulnerability Assessment and Penetration Testing services that make cybersecurity convenient for every organization.

  • Reference

https://www.cyfirma.com/news/weekly-cyber-intelligence-report-25-apr-2021/


Stay updated and connected with Indian Cyber Security Solutions. Follow our social media channels (Facebook, Instagram, LinkedIn, YouTube) to get all the latest technology-related news. We are the largest cybersecurity training & service provider in India. For any query, feel free to contact us at 1800-123-500014 or write to us at [email protected]