At a glance.
- Russian cyberactivity against Ukraine.
- TeamTNT cryptomining activity.
- New Android banking Trojan.
Russian cyberactivity against Ukraine.
Recorded Future's Insikt Group is tracking Russian state-sponsored activity against Ukraine. The researchers believe that Russia will carry out DDoS attacks against Ukrainian websites and services, as well as launch cyberattacks to disrupt physical infrastructure:
"In the event of a renewed Russian invasion of Ukraine, we believe it is likely that cyber offensive actions targeting Ukraine will primarily consist of distributed denial-of-service attacks and website defacements against Ukrainian government and media organizations, internet infrastructure, and e-services used by Ukrainian citizens such as digital banking. These cyberattacks would likely aim to cause confusion, hinder communications, weaken a Ukrainian military response, and demoralize the Ukrainian population as part of a wider hybrid warfare operation."
The researchers have also observed a spike in cybercriminal activity surrounding Ukraine, which they believe will be useful for Russian state-sponsored actors:
"Insikt Group has identified a significant uptick in dark web advertisements and sales of data and network access methods related to Ukraine in the last 3 months. We identified 7 Insikt Group Threat Leads related to Ukraine in the last 12 months, with 6 of those being identified in the last 3 months. Per Insikt Group’s report “Dark Covenant: Connections Between the Russian State and Criminal Actors”, we believe it is highly likely that Russian intelligence services and law enforcement have a longstanding, tacit understanding with criminal threat actors; in some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors, either through association or recruitment."
TeamTNT cryptomining activity.
Intezer describes increased activity from the TeamTNT cryptomining gang. The group has been active since Fall 2019, and is currently targeting Kubernetes clusters. The threat actor is notable for its use of social media to take credit for its work:
"What separates TeamTNT from other major threat actors in the cryptojacking field is their public presence on the clear web. They maintain a public appearance on Twitter and frequently tweet. Based on the public persona, it can be assumed that they are based in Germany. The threat actor commonly interacts with German politicians, tweets about their ongoing campaigns, and comments on reports by the security industry. The majority of these comments are to take credit for their work. During the Spring of 2021 some campaigns were attributed to TeamTNT but the threat actor refuted that it was their work. This suggested the emergence of an imitator reusing some of TeamTNT’s older shell scripts. It remains to be seen if this will affect their activity and if they will continue to target Kubernetes clusters or if they will move on and target new cloud infrastructure."
New Android banking Trojan.
ThreatFabric discovered a new Android banking Trojan dubbed "Xenomorph" that was available in the Google Play Store and had more than 50,000 downloads. The malware posed as productivity apps, and targeted customers of fifty-six different European banks:
"Xenomorph currently is an average Android Banking Trojan, with a lot of untapped potential, which could be released very soon. Modern Banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change. The current version of Xenomorph is capable of abusing Accessibility Services to steal PII from unaware victims, prevent uninstallation and intercept SMS and notifications. ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android Banking trojans."