Weekly Intelligence Report – 21 Apr 2023

Published On : 2023-04-21
Share :
Weekly Intelligence Report – 21 Apr 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, and Data Leak
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Cyber Espionage, and Data Destruction
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption
  • Ransomware – Play Ransomware | Malware – Zaraza
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Zaraza
  • Behavior –Most of these malwares use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Transparent Tribe aka APT36 Targets Education Industry in India

  • Suspected Threat Actors: Transparent Tribe aka APT36
  • Attack Type: Spear Phishing
  • Target Geography: India
  • Target Industry: Education
  • Objective: Data Theft
  • Target Technology: Windows
  • Business Impact: Data Loss and Operational Disruption

In recent activity, APT 36 also known as the Transparent Tribe, targeted India’s Education sector with a spear phishing attack. The threat actor is known for targeting the Military and Indian Embassies in different countries. In this event, the threat actor was seen targeting the Indian education sector by employing spear phishing attacks. The observed attack is not very sophisticated and resembles the previous campaign. The malicious document carried by phishing mail stages Crimson RAT using Microsoft Office macros or OLE embedding. Upon opening the malicious document macro code gets executed. The macros create and decompress an embedded archive file in the %ALLUSERSPROFILE% directory (C:\ProgramData) and then execute the final payload of Crimson RAT. A few macros inserted text in the document posing as education-themed- content about India. In another technique, the threat actor used Microsoft’s Object Linking and Embedded technology. The threat actor uses a “View Document” graphic to suggest that the document content is inaccessible. This manipulates innocent users to click on the graphic, triggering an OLE package that stores and executes Crimson RAT disguised as a software update.

It is not confirmed which educational institution was targeted. Another same-lookalike campaign was observed in the previous year using the same RAT, tactic, and techniques. However, the employing of the old OLE embedding technique was observed in this attack.

The motive of the threat actors in their past campaigns has been to acquire valuable intelligence and establish dominance over India. It is likely that their current operation aims to infiltrate prestigious academic institutions such as the Indian Institute of Technology which has sensitive research programs running across the branches.

Major Geopolitical Developments in Cybersecurity

North Korean hackers after defense sector targets in Africa and Europe

DeathNote, a subgroup of North Korea’s Lazarus Group, is running an ongoing remote access Trojan (RAT) campaign. Since 2022, this campaign appears to have a particular focus on the African defense industry and targets the defense sector. Researchers report that DeathNote’s campaigns initially breached the defense companies via a Trojanized, open-source PDF reader sent via Skype messenger. Once executed, the PDF reader creates a legitimate file and a malicious file in the same directory on the infected machine. DeathNote then used a technique known as DLL side loading to install malware for stealing system information and downloaded a sophisticated second-stage remote access Trojan (RAT) called Copperhedge from an attacker-controlled command-and-control server (C2).

The same group is also believed by researchers to be behind the 2020 campaign targeting European aerospace and defense contractors, in which the threat actor utilized social media, especially LinkedIn, to deliver malicious software disguised as job descriptions or applications to gain the trust of unwitting employees. In both cases, the motive seems to be traditional and industrial espionage.

The use of ransomware is on the rise in Russia’s war against Ukraine

Researchers have recently commented on the observations that Russia’s military intelligence GRU has lately increasingly turned to ransomware as a tool of cyber warfare against the neighboring country. Researchers present the finding as a sign of weakness since GRU is the main cyber operator on behalf of the Kremlin and its tooling shift probably means it doesn’t have the resources to rely on writing or modifying custom malware.

An increase in disruptive ransomware attacks in Ukraine during the most recent phase of operations was a defining feature. This fresh wave of disruptive attacks seemed to depart from the historical pattern, even though some of the attacks resembled disruptive attacks observed in earlier rounds. The assaults conducted from October to December used GRU clusters to deploy ransomware variants on targeted networks, in contrast to earlier attempts that focused on quick turnaround operations employing CADDYWIPER variants. This change is compatible with IRIDIUM’s (Russian APT operating under GRU) Prestige ransomware distribution in Poland.

Cozy Bear on the Hunt in Europe

CERT Polska, Poland’s cybersecurity authority, has recently warned that a unit of Russia’s SVR foreign intelligence service known as Cozy Bear or APT29 is actively pursuing diplomatic targets in many nations, principally European NATO members with traditional espionage goals in mind. In all observed cases, APT29 hackers used spear phishing techniques, sending emails impersonating embassies of European countries to select personnel at diplomatic posts. An invitation to a meeting or to collaborate on documents was included in the letter. An apparent link to the ambassador’s schedule, meeting information, or a downloaded file was included in the message body or in an attached PDF document. Polish authorities advise organizations to adjust their configuration to safeguard themselves from Cozy Bear’s meddling.

Russian cyber auxiliaries hit targets in Canada

The Russian hacktivist auxiliary NoName057 has recently claimed responsibility for a distributed denial-of-service (DDoS) attack against Hydro-Québec, the largest power generation company in the province and huge exporter of electricity to the neighboring state of New York. The website of the power generation and distribution company in Québec has shut down as well as the company’s mobile app. Power generation and distribution, however, were unaffected, nor were customer data compromised. This attack was one in a series recently, where Russian cyber auxiliaries hit Canadian targets as a means of punishment for Canadian defense material support of Ukraine in its defense against Russian aggression.

Other Observations

CYFIRMA Research team observed a potential data leak related to (www[.]calamp[.]com)-CalAmp offers a range of services and products in the field of IoT, including software applications, cloud-based solutions, data analytics, telematics products, and networked services. It is headquartered in the United States of America. The leaked data includes client information, card details, and other related data.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of Global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase. the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.