Catalans targeted by Pegasus spyware. OldGremlin targets Russian organizations. Emoticon activity.


In one look.

  • Catalans targeted by Pegasus spyware.
  • OldGremlin targets Russian organizations.
  • Emoticon activity.

Catalans targeted by Pegasus spyware.

Researchers from the Citizen Lab at the University of Toronto found that at least 63 people associated with Catalonia were targeted by NSO Group’s Pegasus spyware, while four other people were affected by Candiru spyware. The researchers don’t make a definitive attribution, but they suspect the Spanish government is behind the activity:

“The hack covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental organizations (NGOs). The government and elected officials of Catalonia have also been widely targeted, from the highest levels of the Catalan government to members of the European Parliament, to lawmakers, and their staff and family members. We do not conclusively attribute the targeting to any specific government, but there is ample circumstantial evidence pointing to the Spanish government.”

Citizen Lab notes that Pegasus used a no-click exploit against a previously undisclosed vulnerability affecting iOS versions prior to 13.2:

“We have identified signs of a previously undescribed zero-click exploit, which we call HOMAGE. The HOMAGE exploit appears to have been used in the last months of 2019 and involved a zero-click iMessage component that launched a WebKit Instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream search for a Pegasus email address. The WebKit Instance in the com.apple.mediastream.mstreamd process retrieved the JavaScript scaffold we retrieved from an infected phone. The scaffold was retrieved from /[uniqueid]/stadium/goblin. After performing tests, the scaffold then grabs the WebKit exploit from /[uniqueid]/stadium/eutopia if the tests pass.”

OldGremlin targets Russian organizations.

Group-IB observed a Russian-speaking ransomware gang dubbed “OldGremlin” targeting organizations in Russia. The group uses news-themed spear-phishing to gain access to their victims’ networks:

“After the initial attacks, it became clear that OldGremlin prepares its phishing emails very carefully and monitors the news closely. Their choices for email topics included remote work during the pandemic, the protests in Belarus and a request for an interview from a well-known financial journalist working for a Russian media outlet, called RBC.

“Another feature of OldGremlin is that the group conducts multi-stage targeted attacks using sophisticated tactics and techniques. For example, they did not email their TinyCryptor ransomware directly; instead, they first gained remote access to the victim’s machine, which was used as a springboard to perform reconnaissance, collect data, and then move laterally across the organization’s network.”

Emoticon activity.

Kaspersky describes recent phishing campaigns spreading the Emotet banking Trojan. The researchers discovered that the malware could now download sixteen additional modules:

“The current set of modules is capable of performing a wide range of malicious actions: stealing emails, passwords and login data from various sources; sending spam. All of these modules, except those for Thunderbird, in one form or another, have been used before by Emotet. However, there are still modules that we have not yet been able to obtain. Additionally, our telemetry shows a significant growth in the number of users attacked in March.”

Check Point found that Emotet is still the most widely distributed malware strain, “affecting 10% of organizations globally, double from February.” Emotet’s numbers have recently been boosted by widespread Easter-themed phishing campaigns.
