Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized ​​TP-Link Firmware, RA Group Ransomware Copied Babuk

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Data leak, Infostealers, Package-name typosquatting, Phishing, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
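The digest advises using the attached IOCs to check your logs. As an added illustration of that step (example code written for this page, not Anomali's tooling), the script below refangs indicators written in the defanged notation common in threat reports, classifies each as a hash, IP, URL or domain, and scans log lines for them. The IOC values and log lines are constructed placeholders (TEST-NET addresses, the MD5 of an empty string, an `.invalid` hostname) and are not CloudWizard indicators.

```python
"""Added example: match a defanged IOC list against log lines.

Not Anomali's code. All indicators and log lines below are constructed
placeholders for demonstration, not real CloudWizard IOCs.
"""
import re
from dataclasses import dataclass

# Constructed placeholder IOCs, written in the defanged style of threat reports.
SAMPLE_IOCS = [
    "hxxps://example-c2[.]invalid/upload",   # placeholder URL (.invalid TLD)
    "198.51.100[.]23",                       # placeholder IP (TEST-NET-2 range)
    "d41d8cd98f00b204e9800998ecf8427e",      # MD5 of the empty string, placeholder hash
]

# Constructed sample log lines in a proxy / EDR style, not real telemetry.
SAMPLE_LOGS = [
    "2023-05-19T10:01:02Z proxy user=alice dst=198.51.100.23 url=https://example-c2.invalid/upload status=200",
    "2023-05-19T10:01:05Z proxy user=bob dst=203.0.113.9 url=https://intranet.example/home status=200",
    "2023-05-19T10:02:11Z edr host=ws-07 file=C:\\Users\\alice\\AppData\\svc.dll md5=D41D8CD98F00B204E9800998ECF8427E",
]


def refang(ioc: str) -> str:
    """Turn defanged notation (hxxp, [.], [:], (.)) back into a literal indicator."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def classify(ioc: str) -> str:
    """Coarse indicator type so matching rules can differ per type."""
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", ioc, re.IGNORECASE):
        return "hash"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
        return "ip"
    if re.match(r"https?://", ioc, re.IGNORECASE):
        return "url"
    return "domain"


@dataclass
class Match:
    line_no: int
    ioc: str
    kind: str
    line: str


def scan_logs(iocs, log_lines):
    """Return a Match for every (line, indicator) pair where a refanged IOC appears.

    Hashes, URLs and domains are compared case-insensitively as substrings.
    IPs must match as whole tokens, so 198.51.100.2 does not fire on a line
    that contains 198.51.100.23.
    """
    prepared = [(refang(i), classify(refang(i))) for i in iocs]
    matches = []
    for n, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for ioc, kind in prepared:
            if kind == "ip":
                if re.search(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])", line):
                    matches.append(Match(n, ioc, kind, line))
            elif ioc.lower() in lowered:
                matches.append(Match(n, ioc, kind, line))
    return matches


if __name__ == "__main__":
    for m in scan_logs(SAMPLE_IOCS, SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} {m.ioc}")
```

Run against the constructed sample, the first proxy line fires on both the URL and the IP and the EDR line fires on the hash, while the second proxy line is clean. In practice the IOC list would be loaded from the indicators attached to the digest and the log lines streamed from a SIEM export; the whole-token rule for IPs is the main thing to keep, since naive substring matching on addresses is a common source of false positives.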

Trending Cyber News and Threat Intelligence

CloudWizard APT: the Bad Magic Story Goes on

(published: May 19, 2023)

A newly discovered modular malware framework dubbed CloudWizard has been active since 2016. Kaspersky researchers were able to connect it to previously recorded advanced persistent threat activities: Operation Groundbait and the Prikormka malware (2008-2016), Operation BugDrop (2017), PowerMagic (2020-2022) and CommonMagic (2022). Similar to these previous campaigns, CloudWizard targets individuals, diplomatic organizations, and research organizations in the Donetsk, Lugansk, Crimea, Central and Western Ukraine regions. CloudWizard’s two main modules perform encryption and decryption of all communications and relay the encrypted data to the cloud or web-based C2. Additional modules enable taking screenshots, microphone recording, keylogging and more.

Analyst Comment: Earlier, ESET researchers concluded that the actors behind Operation Groundbait most likely operate from within Ukraine, but Kaspersky researchers did not share whether they agree with this attribution. Wars and military conflicts attract additional cyber activity. All known CloudWizard indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.

MITRE ATT&CK: [MITRE ATT&CK] T1027 - Obfuscated Files Or Information