SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: DoubleZero malware is just latest wiper malware to hit Ukraine during Russian invasion
Description: The Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory on March 22, 2022 disclosing another wiper, dubbed "DoubleZero," targeting Ukrainian enterprises during Russia's invasion of the country. DoubleZero is a .NET-based implant that destroys files, registry keys and registry trees on the infected endpoint. It is the latest in a series of wipers observed in Ukraine over the past two months, alongside "CaddyWiper," "HermeticWiper" and "WhisperGate." The malware aims to overwrite all files on all drives, except for a hardcoded list of excluded locations. It destroys non-system files first, then system-related files. If system-related files are destroyed while other files are still waiting to be overwritten, the system can become unstable or unbootable before every user file has been destroyed. In such cases, files that had not yet been overwritten may still be recoverable from the disk.
References:
- https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html
- https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html
ClamAV® signature: Win.Malware.DoubleZeroWiper-9942171-0
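The recovery caveat in the DoubleZero description above (files not yet overwritten may still be recoverable) suggests a first-responder triage step. The following Python script is an added example, not code from the Talos or CERT-UA advisories: it walks a mounted copy of the affected volume, skips a hypothetical exclusion list standing in for the wiper's hardcoded one (the real list is not reproduced on this page), and buckets every regular file as intact, overwritten or skipped. It assumes the overwrite pattern is all-zero bytes, as the name suggests; the summary above does not state the fill pattern, so adjust `is_zero_filled` if sample analysis shows otherwise. The sample file tree is constructed inline so the script runs offline.

```python
"""Post-wiper triage: classify files on a mounted volume copy as intact,
overwritten or skipped so that intact files can be prioritised for recovery.
Added example; not the advisory's or the malware's code."""
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large files never load fully into memory

# Hypothetical exclusion list for the demo. DoubleZero's real hardcoded list of
# excluded locations is not reproduced in the summary above; substitute the
# list recovered from the sample when triaging a real volume.
DEMO_EXCLUDED = ("Windows",)


def is_zero_filled(path: Path) -> bool:
    """Return True if the file is non-empty and consists solely of 0x00 bytes.

    Assumption (not stated in the advisory summary): the wiper's fill pattern is
    zeros. A zero-filled file is treated as destroyed; an empty file is not,
    because many legitimate files are empty.
    """
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while True:
            buf = fh.read(CHUNK)
            if not buf:
                return True  # reached EOF without seeing a non-zero byte
            if buf.count(0) != len(buf):
                return False


def is_excluded(rel: Path, excluded: tuple) -> bool:
    """True if the path (relative to the volume root) lies under an excluded top-level directory."""
    return bool(rel.parts) and rel.parts[0] in excluded


def triage(root: Path, excluded: tuple = ()) -> dict:
    """Walk `root` and bucket every regular file as intact, overwritten or skipped.

    Files under an excluded root are skipped rather than inspected, mirroring the
    wiper's own exclusion list: they were never targeted, so they need no recovery.
    """
    result = {"intact": [], "overwritten": [], "skipped": []}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root)
        if is_excluded(rel, excluded):
            result["skipped"].append(rel.as_posix())
        elif is_zero_filled(path):
            result["overwritten"].append(rel.as_posix())
        else:
            result["intact"].append(rel.as_posix())
    return result


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree: two wiped user files, one untouched, one empty,
    and one zero-filled file under the excluded directory."""
    (root / "Users" / "alice").mkdir(parents=True)
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Users" / "alice" / "report.docx").write_bytes(b"\x00" * 4096)
    (root / "Users" / "alice" / "photo.jpg").write_bytes(b"\x00" * (CHUNK + 17))
    (root / "Users" / "alice" / "notes.txt").write_bytes(b"still here\n")
    (root / "Users" / "alice" / "empty.log").write_bytes(b"")
    (root / "Windows" / "System32" / "drivers.dat").write_bytes(b"\x00" * 512)


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return triage(root, DEMO_EXCLUDED)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

Run this against a read-only mounted image of the affected volume, never on the live host, and pass the exclusion list recovered from the sample in place of `DEMO_EXCLUDED`. Files reported as intact are the ones worth copying off first, since the advisory notes the wiper may have bricked the system before reaching them.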
Title: Transparent Tribe campaign uses new bespoke malware to target Indian government officials
Description: Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using new stagers and implants. This campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate government and related organizations to deliver malicious payloads, a common Transparent Tribe tactic. The group has continued to change its initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims. Notably, the adversary has moved toward deploying small, bespoke stagers and downloaders that can be easily modified, likely to enable quick and agile operations.
References:
- https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
ClamAV® signatures:
* Vbs.Downloader.Agent-9940743-0
* Win.Downloader.TransparentTribe-9940744-0
* Win.Trojan.MargulasRAT-9940745-0
* Win.Downloader.Agent-9940746-0
* Win.Trojan.MSILAgent-9940762-1
* Win.Trojan.PythonAgent-9940791-0
* Lnk.Trojan.Agent-9940793-0
* Win.Trojan.TransparentTribe-9940795-0
* Win.Trojan.TransparentTribe-9940801-0
* Win.Downloader.TransparentTribe-9940802-0