
Weekly Roundup: Dark Herring continues to target Android users, ransomware attack hits Swissport International, and more


Welcome to another edition of our cybersecurity news roundup, where we aim to become your go-to source for the latest happenings in the security landscape. Here’s what we have to offer you this time around:

Gamaredon uses 8 new malware payloads to target Ukraine

The Gamaredon Group, a Russian-linked threat group, has been employing eight new malware payloads in its recent cyber-espionage activities. The recent attacks targeted Ukrainian companies. 

The attacks began in July 2021 with the distribution of spear-phishing emails containing macro-laced Word documents. Researchers have suspected that Gamaredon is connected to Russia for a long time. 

Most of their assaults are directed against defence, security, and law enforcement institutions to collect intelligence and sensitive information from compromised computers for geopolitical purposes.

Swissport International hit by a ransomware attack

Swissport International was struck by a ransomware attack, which significantly impacted company operations, causing flight delays. 

According to Spiegel, a popular German website, the ransomware attack only affected a small portion of the corporation’s worldwide IT infrastructure. The company’s spokesperson confirmed that the security breach occurred on Thursday morning.

The company stated via Twitter that the attack has been mostly contained, while it’s trying to resolve the problem as soon as possible. 

At this point, the organization has not released any information concerning the attack, such as the ransomware family that hit its systems or whether the attack resulted in a data breach. No ransomware groups have claimed responsibility for the attack on their leak sites, either.

Dark Herring affects more than 100 million Android users

Dark Herring, a fraudulent subscription campaign, has targeted over 100 million Android users worldwide. The campaign has been around for about two years. The Dark Herring campaign resulted in losses worth hundreds of millions of dollars by manipulating millions of devices via their 470 malicious apps on Google Play Store.

The apps sign users up for premium services that cost $15 per month through Direct Carrier Billing (DCB). The Dark Herring campaign’s operators cashed out these subscriptions while users remained unaware of the infection and the fraudulent payments for a long time, often months.

Some malicious apps worth mentioning include Cast It, Smashex, Vidly Vibe, Upgrade, and Stream HD. They pretended to be productivity apps, casual games, utilities, and photography tools. 

Cybercriminals are using a new evasive technique to deliver AsyncRAT

Researchers have uncovered a new sophisticated campaign delivery technique that can evade multiple security vendors. The campaign distributes AsyncRAT to remotely monitor and control the affected systems.

The ongoing campaign has been active for more or less five months, with the first incident tracing back to September last year. In the majority of cases, the victims are sent an email message with an HTML attachment in the form of a receipt.

When the attachment is opened, the recipient is taken to a web page that asks them to save an ISO file. The ISO is created within the victim’s browser by JavaScript embedded in the HTML receipt file rather than being downloaded from a remote server.

According to VirusTotal, the malware campaign has one of the lowest detection rates. Therefore, organizations must protect themselves by regularly auditing and upgrading their security postures.
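
A defender-side check for the delivery method described above, added here as an example and not taken from the researchers' report: a static scan of an HTML attachment for an embedded ISO image together with the browser APIs that save it locally. It assumes the image is stored as a plain base64 string, which the report summary does not state; the function names and the sample attachment are constructed for illustration.

```python
import base64
import re

# ISO 9660 puts its first volume descriptor at sector 16 (byte 32768):
# one type byte, then the identifier "CD001".
ISO_MAGIC_OFFSET = 32769
ISO_MAGIC = b"CD001"
# Browser APIs that turn in-page data into a file the user is asked to save.
SAVE_APIS = ("new Blob", "createObjectURL", "msSaveOrOpenBlob", "download=")
# Long base64 runs (assumption: the image is embedded as plain base64).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")


def embedded_iso_sizes(html: str) -> list[int]:
    """Decoded size of each embedded base64 run that carries the ISO magic."""
    sizes = []
    for match in B64_RUN.finditer(html):
        run = match.group(0).rstrip("=")
        if len(run) % 4 == 1:          # not a valid base64 length; drop one char
            run = run[:-1]
        data = base64.b64decode(run + "=" * (-len(run) % 4))
        if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
            sizes.append(len(data))
    return sizes


def scan_attachment(html: str) -> dict:
    """Flag an HTML attachment that both embeds an ISO and can save it locally."""
    apis = [api for api in SAVE_APIS if api in html]
    isos = embedded_iso_sizes(html)
    return {"save_apis": apis, "iso_sizes": isos, "suspicious": bool(apis and isos)}


def build_sample(with_iso: bool) -> str:
    """Constructed test attachment: an empty image, optionally with ISO magic."""
    marker = b"\x01CD001\x01" if with_iso else bytes(7)
    image = bytes(32768) + marker + bytes(2041)
    b64 = base64.b64encode(image).decode()
    return ('<html><body><script>var d="' + b64 + '";'
            "var u=URL.createObjectURL(new Blob([d]));</script></body></html>")


if __name__ == "__main__":
    for label, html in (("iso", build_sample(True)), ("no-iso", build_sample(False))):
        print(label, scan_attachment(html))
```

A payload that is split, encrypted or otherwise obfuscated inside the script will not match this static check, so it complements rather than replaces detonating the attachment in a sandbox and blocking ISO files arriving from browsers and mail clients.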

Chinese hackers suspected behind News Corp cyber-attack

Hackers broke into News Corp email accounts and compromised the information of an unidentified number of journalists, the company disclosed recently. According to the media company’s internet security advisor, the breach was likely to acquire intelligence for Beijing’s advantage. 

News Corp said the compromise was found in late January and impacted documents and emails of a limited number of employees, which included journalists. It also credited Mandiant, a cybersecurity firm, with containing the breach.

The company, which publishes the Wall Street Journal, also stated that the attack didn’t target any of its other business units, including Storyful, HarperCollins Publishers, REA, Move, Foxtel, and News Corp Australia.

Author: Haris Shahid

Date: November 24, 2022

Haris Shahid has a genuine passion for covering the latest happenings in the cyber security, privacy, and digital landscape. He likes getting out and about, but mostly ends up spending too much of his time behind a computer keyboard. He tweets at @harisshahid01.
