April 2022: Cyberattacks and malware to watch closely

No rest for cybercriminals. The last few weeks prove it again. Attackers are investing, diversifying, and using ever more devious techniques.

TEHTRIS offers you a short tour of the campaigns and malware that are making the news, and that will require our full attention.

Cyber Gangs, the mafias of the future?
Cybercriminals are happy to go without a break



Enemybot is a new DDOS botnet based on Gafgyt, targeting routers (Seowon Intech, D-Link, Netgear, Zhone) and IOTs.

It appeared in mid-March and takes advantage of the anonymity of the Tor network to host its server.

How it works?

It borrows several modules from the original source code of Mirai and LolFMe. Their preferred methods remain brute force attacks and vulnerability exploitation.

Involved platforms

Unix (IOT)

Impact and risks

Adversaries can take control of vulnerable systems. The tool is used for DDOS.

Adversary behind Enemybot

Keksec (aka: Necro or Freakout), they are known for their attacks targeting cloud service providers and for their cryptojacking campaigns.

They are relatively new in the cybercriminal panorama as they have been active since 2022.

Cryptorom : The return

The attack itself is not new, it has already claimed many victims in Japan, in China and South-East Asia in 2021.

It arrives today in Еurоре еt in North America.

It differs today by perfecting the technique, and using a new platform, other than Android, taking advantage of two new iOS features.


Global social engineering campaign. This is a well-organized scam operation based on fraudulent financial applications.

The operation abuses the Apple “TestFlight Signature” service to increase the number of victims and bypass the App store protection.

How it works

Does love make you blind? The Cryptorom campaign is based on this adage. The operation consists of approaching victims on dating sites (Bumble, Tinder, Facebook Dating and Grindr) or chatting with them on messaging platforms (WhаtѕАрр), and then once trust is gained, enticing them to download a crypto currency trading app (identical to Соіnbаѕе, RоbіnНооd, Віnаnсе оu Віtfіnех). Of course the application is fake. Once installed, the victim is trapped.

Involved platforms

iPhone, legitimate iOS features such as TestFlight and Web Clips.


Victims are tricked into having their savings diverted to the attackers.


The group behind this campaign has been active since 2021.

Serpent (snake): The new backdoor


This is a targeted email campaign discovered by our colleagues at Proofpoint, aimed at France. The sectors of construction, real estate and government entities are concerned.

How it works:

The operation starts, as is often the case with a phishing attack.

It is a Word document containing macros, informing about the RGPD rules. The execution of the macros leads to the activation of a PowerShell script, which in turn allows the installation of a Chocolatey utility (Chocolatey is used to escape detection), but that’s not all, the campaign also relies on steganography. This is a technique to hide information in an image, in this case, it was Swiper the Fox (aficionados of Dora the Explorer will have recognized it).

All these ingredients allow the snake to achieve its goals without being detected.

Involved platforms



Allows the attacker to take remote administration, command, and control (C2), data theft.


This would be an APT that has not yet been identified. It seems that the motivation is espionage, access to data.



AsyncRAT is a remote access tool designed to remotely monitor and control other computers. It is an open source tool, which is often used for malicious purposes.

In recent months, cyber security researchers have noticed an increase in these campaigns, which seem to exploit a new version of 3LOSH RAT.

How it works:

Intrusions often start with phishing (again), which is not always detected by anti-malware. This highlights again the importance of having a good detection technology, TEHTRIS with its EDR technology ensures that your environment is secure.

The operation in question here is to use ISO disk images to provide AsyncRAT, LimeRAT.

Involved platforms



Create a remote link between the hacker and the victim’s device. The objective is to spy on and steal data.



IcedID is a Windows malware active since 2017, it is not brand new, but it continues to make headlines. Initially it was known for its ability to steal bank credentials, then it was used to hack a domain to spam emails to spread IcedID. It usually used Office documents to drop malware.

Here it is again at the end of March: IcedID was hidden in a .zip attachment of an email sent to a Ukrainian oil company.

The operation targets energy, health, legal and pharmaceutical organizations.

How it works?

For once, the campaign starts with…a phishing email that looks legitimate. This contains a .zip archive (protected by a password). The actors behind this campaign use ISO files with a Windows LNK file and a dynamic link library (DLL). Once the file is executed, IcedID is deployed.

Involved platforms

Microsoft Exchange


The attacker uses the Trojan to perform a ransomware attack


Although attribution is difficult, there are strong indications that TA551 and TA577 are responsible.

Threat… and a solution

There is no respite for the security teams, who continue to protect your infrastructure.

TEHTRIS is also here to help. Our solutions are specifically designed to monitor your infrastructure, to detect any anomalies in behavior and to control access, thanks to our highly automated technology.

Our XDR solutions are essential to a comprehensive security strategy.

Choosing TEHTRIS means choosing technological solutions adapted to the needs and constraints of your system. Our will? to reach a more complete and customizable level of security to help you face the unpredictable.

For more information, our teams are at your disposal:

[1] General Data Protection Regulation