At a glance.
- New APT41 malware uses Google Calendar for command-and-control.
- Interlock ransomware gang deploys new Trojan.
- Estonia issues arrest warrant for suspect in massive pharmacy breach.
- New England hospitals disrupted by cyberattack.
New APT41 malware uses Google Calendar for command-and-control.
Google's Threat Intelligence Group says the Chinese threat actor APT41 used a compromised government website to host a new strain of malware dubbed "TOUGHPROGRESS." Notably, the malware uses Google Calendar events for command-and-control communications, so its C2 traffic blends into ordinary HTTPS sessions to Google infrastructure.
Google explains, "Once executed, TOUGHPROGRESS creates a zero minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description. The operator places encrypted commands in Calendar events on 2023-07-30 and 2023-07-31, which are predetermined dates also hardcoded into the malware. TOUGHPROGRESS then begins polling Calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event."
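The mechanism Google describes gives a defender three concrete things to hunt for in a Calendar export or API log: events with zero duration, creation on one of the hardcoded dates, and a description that is an opaque encrypted blob rather than prose. The script below is an added example, not Google's code or any detection content from its report; the heuristic (zero-minute event on a hardcoded date with a long, high-entropy description), the 5.0-bit entropy threshold and the sample event records are all assumptions constructed for illustration, in the shape of Google Calendar API event resources.

```python
"""Hunt for the TOUGHPROGRESS Calendar-C2 pattern in exported event records.

Added example; not Google's code or detection content. The heuristic is an
assumption derived from the reported behaviour: a zero-minute event (start ==
end) on one of the three hardcoded dates whose description is an opaque
ciphertext blob rather than prose. The event records are constructed samples
in the shape of Google Calendar API event resources, not captured data.
"""
import base64
import hashlib
import math
from datetime import datetime

# Dates hardcoded into the implant, per Google's report.
C2_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}


def shannon_entropy(text: str) -> float:
    """Bits per character: base64 ciphertext approaches 6, English prose sits near 4."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _parse(ts: str) -> datetime:
    # The API emits RFC 3339; older Pythons reject a trailing 'Z', so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def looks_like_beacon(event: dict, entropy_threshold: float = 5.0) -> bool:
    """True when an event matches the zero-minute, hardcoded-date, opaque-body pattern."""
    start = event.get("start", {}).get("dateTime")
    end = event.get("end", {}).get("dateTime")
    if not start or not end:
        return False  # all-day events carry 'date' instead; not this pattern
    start_dt, end_dt = _parse(start), _parse(end)
    if start_dt != end_dt:
        return False  # real meetings have a duration
    if start_dt.date().isoformat() not in C2_DATES:
        return False
    desc = event.get("description", "")
    # Short prose reminders on the same day are legitimate; the C2 body is an
    # encrypted blob, so require length and high per-character entropy.
    return len(desc) >= 32 and shannon_entropy(desc) >= entropy_threshold


def hunt(events: list) -> list:
    """Return ids of events worth pulling into an investigation."""
    return [e["id"] for e in events if looks_like_beacon(e)]


def _fake_ciphertext(seed: bytes, nbytes: int = 192) -> str:
    # Deterministic stand-in for the implant's encrypted payload: chained
    # SHA-256 output, base64-encoded. Constructed for the example only.
    out, block = b"", seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return base64.b64encode(out[:nbytes]).decode()


# Constructed sample export: one check-in, one operator task, and three decoys.
SAMPLE_EVENTS = [
    {   # host check-in: zero minutes, hardcoded date, encrypted description
        "id": "evt-checkin",
        "start": {"dateTime": "2023-05-30T00:00:00Z"},
        "end": {"dateTime": "2023-05-30T00:00:00Z"},
        "description": _fake_ciphertext(b"host-data"),
    },
    {   # operator-placed command on the second hardcoded date
        "id": "evt-task",
        "start": {"dateTime": "2023-07-30T00:00:00Z"},
        "end": {"dateTime": "2023-07-30T00:00:00Z"},
        "description": _fake_ciphertext(b"command"),
    },
    {   # ordinary 30-minute meeting on a C2 date: has a duration, ignored
        "id": "evt-meeting",
        "start": {"dateTime": "2023-05-30T09:00:00Z"},
        "end": {"dateTime": "2023-05-30T09:30:00Z"},
        "description": "Weekly sync with the platform team. Agenda: roadmap, hiring, on-call.",
    },
    {   # zero-minute reminder on a C2 date, but plain prose: ignored
        "id": "evt-reminder",
        "start": {"dateTime": "2023-07-31T12:00:00Z"},
        "end": {"dateTime": "2023-07-31T12:00:00Z"},
        "description": "Remember to submit the quarterly expense report before the deadline today.",
    },
    {   # encrypted-looking body but not on a hardcoded date: outside this rule
        "id": "evt-other-date",
        "start": {"dateTime": "2023-06-15T00:00:00Z"},
        "end": {"dateTime": "2023-06-15T00:00:00Z"},
        "description": _fake_ciphertext(b"unrelated"),
    },
]

if __name__ == "__main__":
    for event_id in hunt(SAMPLE_EVENTS):
        print("suspicious event:", event_id)
```

The date filter is deliberately tight to the three values Google published, which makes the rule precise for this sample but brittle against a rebuilt implant; dropping the date check and keeping the zero-duration plus high-entropy conditions is the broader hunt, at the cost of triaging any integration that stores opaque tokens in event descriptions.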
Interlock ransomware gang deploys new Trojan.
The Interlock ransomware gang is using a new Trojan dubbed "NodeSnake" to target universities, BleepingComputer reports. The malware is distributed via phishing emails with malicious links or attachments. Quorum Cyber has published a report on the RAT, noting that the malware is coded in JavaScript and executed with NodeJS. The researchers state, "NodeSnake demonstrates typical capabilities expected from a modern-day RAT. It is designed for persistent access, system reconnaissance, and remote command execution. It employs multiple evasion techniques, communicates with Command-and-Control (C2) servers via HTTP/HTTPS, and deploys secondary payloads to maintain control and facilitate further compromise."
Quorum observed NodeSnake deployed against two universities in the UK within the past two months.
Estonia issues arrest warrant for suspect in massive pharmacy breach.
Estonian authorities have issued an international arrest warrant for a Moroccan national accused of hacking a customer card database belonging to Allium UPI, a major provider of pharmacy and healthcare products across the Baltic countries, the Record reports. The breach, which occurred in February 2024, exposed nearly 700,000 personal identification codes used by pharmacy customers, revealing pharmacy purchases linked to customer accounts. The incident affected data belonging to almost half of the Estonian population.
Estonia's Central Criminal Police (Keskkriminaalpolitsei) alleges that 25-year-old Adrar Khalid gained access to the database using a stolen password for an administrator account.
New England hospitals disrupted by cyberattack.
A cyber incident affecting Massachusetts-based health system Covenant Health is disrupting several affiliated hospitals in New England, WMUR reports. News Center Maine reports that St. Joseph Healthcare in Bangor and St. Mary's Hospital in Lewiston were both impacted, and St. Joseph's has attributed the disruption to a cyberattack. WMUR says St. Joseph Hospital in Nashua, New Hampshire, is diverting ambulances to other hospitals.
Covenant said in a statement that the incident was "initiated by an outside group." The company added, "We have engaged best-in-class outside parties to assist us in determining the details of what happened and to restore full system access as soon as possible. We are working to provide health care services as normal. Patients are encouraged to keep all appointments."