Self Assessment

Weekly Cyber-Intelligence Trends and Advisory – 30 Apr 2022

Published On : 2022-04-30
Share :
Weekly Cyber-Intelligence Trends and Advisory – 30 Apr 2022

New Malware of Lazarus Group

  • Attack Type: Malware Implant, Process Injection
  • Objective: Unauthorized Access, Payload Delivery, Defence Evasion
  • Target Technology: Microsoft Windows
  • Target Industry: Multiple including Defence
  • Target Geography: Unknown
  • Business Impact: Potential Data Loss, Potential Financial Loss

In the first quarter of 2022, a team of security researchers discovered approximately 47 organizations and institutions – including defence organizations targeted by the malware attributed to the Lazarus group. While analyzing the systems infected with the malware, researchers found that malicious behaviors came from a process “inisafecrosswebexsvc.exe” of INITECH – a security company. Upon checking the running processes history and the code of malware (SCSKAppLink.dll), it appeared that the DLL file was injected into inisafecrosswebexsvc.exe. The code of this DLL is designed to branch out depending on the host process for injection and is capable of downloading additional malware strains if injected into inisafecrosswebexsvc.exe process.

Researchers state that malware is incomplete since other branches only check for the injection status (svchost.exe, rundll32.exe, notepad.exe) and does not include execution codes.

In April, a separate team of researchers detailed an identical malware variant in an espionage campaign by the Lazarus group dubbed Operation Dream Job. The campaign was targeted at South Korean organizations with most of them operating in the chemical sector and some from IT. It appears that the Lazarus group is expanding its attack surface likely to obtain intellectual property and further North Korea’s objective.


US Department of State Offers USD 10M Reward for Information to Locate Six Russian Sandworm Members

The US Department of State is rewarding up to USD 10 million for intel that allows to identify or locate six Russian GRU hackers who are suspected members of the Sandworm APT group. This is covered by the Rewards for Justice program of the US government, which rewards people that can share information that can allow to identify or locate foreign government threat actors who conduct cyber operations against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

The six individuals are Russian officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), a division of the Russian military intelligence that was frequently involved in malicious cyber operations against US infrastructure.

This is not the first time that the US government accused these members of the Sandworm team. Back in October 2020, the U.S. Department of Justice (DoJ) charged the six individuals for their alleged role in multiple cyberattacks conducted over the past years.

According to the accusation, the GRU officers were involved in cyberattacks on Ukraine, including the attacks aimed at the country’s power grid in 2015 and 2016 that employed the BlackEnergy and Industroyer malware.

US DoJ charged the men with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.


Facebook Infrastructure Used for Credential Theft

  • Attack Type: Impersonation, Phishing, Data Theft
  • Objective: Financial Gains
  • Target Technology: Email, Facebook
  • Target Industry: IT, Social Media
  • Target Geography: Global
  • Business Impact: Potential Data Loss, Potential Financial Loss

The attackers aim to obtain user login credentials of Facebook users by tricking them into believing their account will soon be disabled. In the phishing email, the recipients are informed that their account has been reported by multiple users for certain bogus Facebook policy violations. To avoid account suspension, the users are urged to click on the link in the email which redirects them to a Facebook post where they are told to act within only 48 hours. The post contains a link to a credential phishing site disguised as an appeal form. As part of the fake appeal process, sensitive information such as name, email address, and the Facebook account password is asked from the users.

The attackers cleverly leveraged Facebook’s actual infrastructure to execute the attack by first directing users to a Facebook post. The attack was targeted toward accounts of people who manage Facebook Pages of organizations.

Unlike the usual credential phishing campaign where potential victims are directly sent to the phishing page by including the link in the phishing email itself, the attacker used valid Facebook URLs in the email which may turn out to be effective. The landing page is unlikely to raise a flag and makes it all the more convincing for potential victims or have second guesses.

Another common trait employed by attackers in these types of attacks is to create a sense of urgency. This type of technique improves the attacker’s chances of success in obtaining targeted credentials. To trigger the cognitive biases of potential victims, attackers used bogus policy violations and urged them to act within 48 hours.


WSO2 RCE Exploited in the Wild

  • Attack Type: Vulnerabilities & Exploits, RCE
  • Target Technology: Multiple WSO2 Products
  • Vulnerability: CVE-2022-29464 (CVSS score: 9.8)
  • Vulnerability Type: Unrestricted File Upload

Recently, a critical vulnerability in multiple WSO2 – an open-source technology provider, products were discovered by researchers and followed by an exploit PoC on GitHub. The CVE-2022-29464 is a type of Unrestricted File Upload vulnerability that allows a remote unauthenticated attacker to upload an arbitrary file that further leads to RCE. The products affected by the vulnerability include:

  1. WSO2 API Manager 2.2.0 and above
  2. WSO2 Identity Server 5.2.0 and above
  3. WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  4. WSO2 Identity Server as Key Manager 5.3.0 and above
  5. WSO2 Enterprise Integrator 6.2.0 and above
  6. WSO2 Open Banking AM 1.4.0 and above
  7. WSO2 Open Banking KM 1.4.0 and above

These products are being used by numerous organizations across the globe including Fortune 500.

Soon after the vulnerability and exploit became public, multiple security vendors reported active exploitation in the wild by opportunistic cybercriminals with one researcher observing malicious implants for crypto mining deployed by the attacker. On April 25th, CVE-2022-29464 was featured in CISA KEV (Known Exploited Vulnerabilities Catalog).

During routine intelligence gathering, CYFIRMA Threat Intelligence noticed conversation in underground forums where an unknown attacker (potentially an established Initial Access Broker) developed a script to automate WebShell implants to vulnerable instances. In doing so, the attacker was able to compromise approximately 2000 servers. As per the claims, the majority of such compromised servers were further sold to threat actors running a #Botnet. The attackers still had hold of around 100 compromised servers which were sold within an hour of being advertised.


This site is registered on as a development site. Switch to a production site key to remove this banner.