Week 43 | 24th – 28th October 2022

Key Issue: Large-scale domain typosquatting campaign delivers commodity malware
Cybercriminals: Ransomware groups persistently target the healthcare sector
Nation-State: Indian nation-state sponsored group SideWinder further develops its tools

KEY ISSUE:

This week our key issue focused on an unknown threat actor that was observed impersonating 27
brands in order to distribute various malware to its victims. Typosquatting is a technique used by malicious
actors to trick unsuspecting victims into visiting fake websites by impersonating domains of legitimate brands
using a domain and format that appears similar to the authentic website. The campaign leveraged over 200
domains by misspelling or adding a letter to the legitimate domain to distribute malware disguised as a range
of downloads including social media applications, internet browsers, and popular cryptocurrency platforms.
Visitors to the malicious domain unknowingly downloaded Vidar, an information-stealing malware that was also
distributed on sites impersonating Microsoft’s Visual Studio Code and Brave web browser. In addition to
information-stealing malware, the cybercriminals deployed other malwares with a range of functions including
information theft relating to cryptocurrency wallets, remote access trojan (RAT) malware, and Agent Tesla
keylogger. Due to the varying malware deployed for different functions and the range of impersonated brands,
the objective of the malicious actor was likely to identify which malware and target is the most profitable,
indicating that we are likely to see an increase in typosquatting campaigns using aspects from this campaign.