Welcome to the T2 2022 issue of the ESET Threat Report!
The past four months were the time of summer vacations for many of us in the northern hemisphere. It
appears that some malware operators also took this time as an opportunity to possibly rest, refocus, and
reanalyze their current procedures and activities. According to our telemetry, August was a vacation month for the operators of Emotet, the most influential downloader strain. The gang behind it also adapted to Microsoft’s decision to disable VBA macros in documents originating from the internet and focused on campaigns based on weaponized Microsoft Office files and LNK files.
In T2 2022, we saw the continuation of the sharp decline of Remote Desktop Protocol (RDP) attacks, which likely continued to lose their steam due to the Russia-Ukraine war, along with the post-COVID return to offices and overall improved security of corporate environments. Even with declining numbers, Russian IP addresses continued to be responsible for the largest portion of RDP attacks. In T1 2022, Russia was also the country that was most targeted by ransomware, with some of the attacks being politically or ideologically motivated by the war. However, as you will read on the following pages, this hacktivism wave has declined in T2, and ransomware operators turned their attention towards the United States, China, and Israel.
In terms of threats mostly impacting home users, we saw a sixfold increase in detections of shipping-themed phishing lures, most of the time presenting the victims with fake DHL and USPS requests to verify shipping addresses. A web skimmer known as Magecart, which saw a threefold increase in T1 2022, continued to be the leading threat going after online shoppers’ credit card details. Plummeting cryptocurrency exchange rates also affected online threats – criminals turned to stealing cryptocurrencies instead of mining them, as seen in a twofold increase in cryptocurrency-themed phishing lures and rising numbers of cryptostealers.
The past four months were also interesting in research terms. Our researchers uncovered a previously unknown macOS backdoor and later attributed it to ScarCruft, discovered an updated version of the Sandworm APT group’s ArguePatch malware loader, uncovered Lazarus payloads in trojanized apps, and analyzed an instance of the Lazarus Operation In(ter)ception campaign targeting macOS devices while spearphishing in crypto-waters. They also discovered buffer overflow vulnerabilities in Lenovo UEFI firmware and a new campaign using a fake Salesforce update as a lure.
During the past few months, we have continued to share our knowledge at the Virus Bulletin, Black Hat
USA, RSA, CODE BLUE, SecTor, REcon, LABSCon, and BSides Montreal cybersecurity conferences, where
we disclosed our findings about campaigns deployed by OilRig, APT35, Agrius, Sandworm, Lazarus, and
POLONIUM. We also talked about the future of UEFI threats, dissected the unique loader we named Wslink, and explained how ESET Research does attribution of malicious threats and campaigns. For the upcoming months, we are happy to invite you to ESET talks at AVAR, Ekoparty, and many others.