Ransomware activity continues to plague businesses of all sizes. NetWalker (also known as Mailto), WastedLocker and VHD infections have occupied the attention of security professionals over the past weeks.


In this edition of the newsletter we will cover:

  • Ransomware news
  • Industry-specific news
  • Fake Android apps


Ransomware news

The FBI has published a security warning about the NetWalker ransomware and its operators targeting government bodies in the US and abroad, educational institutions, private companies, and health agencies. Victims are being lured with Coronavirus-themed phishing emails which carry malicious Visual Basic scripts. Besides encrypting files, NetWalker harvests administrator credentials and exfiltrates sensitive data.

The GPS technology giant, Garmin, has suffered a WastedLocker ransomware attack impacting some of its online services, including website functions, customer-facing applications, and company communications.

Kaspersky experts have witnessed a series of cyber raids against corporate entities, including a software development firm, an e-commerce company, and an internet service provider (ISP). The attackers rely upon a new multiplatform malware framework called MATA to conduct data theft and to distribute the VHD ransomware.

  • MATA comes with several components that can be leveraged to infect computers running different operating systems.
  • On Windows devices, rogue parties can use MATA to load several plugins into the compromised system’s memory. These plugins run arbitrary commands, manipulate files and processes, inject DLLs, and create HTTP tunnels.
  • On macOS and Linux-based machines, MATA can be used to scan for vulnerable network and IoT (Internet of Things) devices to gain access to the victim’s network.

Recommendations: Educate employees on the risks of phishing and social engineering. Use a reputable endpoint security solution and keep it up to date. Ensure the latest OS patches have been installed. Restrict staff members from installing software applications. Deploy a strong email filtering service. Disable unnecessary services on workstations and servers. Back up critical data offline, ensuring the back-ups cannot be modified or deleted from the system where they reside.


Industry-specific news


During the investigation of a recent attack against a Middle Eastern telecommunications company, Palo Alto’s Unit42 discovered a variant of a tool associated with the OilRig threat actor group. The tool relies on steganography to hide commands and data within bitmap images attached to emails.

Utilities, Oil and Gas

Critical vulnerabilities have been detected in enterprise-grade VPN installations primarily used for remote access to operational technology networks in field-based industries such as oil and gas, water and electric utilities. The flaws can allow hackers to overwrite data, execute code, and compromise Industrial Control Systems.

Banking and Finance

The digital banking app Dave.com suffered a data breach which exposed the personal details of over 7 million users on a public forum. The incident originated from the network of a former business partner, Waydev.

Experts at IBM X-Force have observed 3 PayPal domain squatting registrations related to a victim in the finance and insurance sector.


Fake Android apps

Security analysts have spotted 29 fake Android photo editing apps. These apps have been downloaded 3.5 million times from the Google Play Store and are being used in a malicious campaign named Chartreuse Blur.

Recommendations: Conduct due diligence on apps you are planning to install. Notice the roll-out date. Review the customer rating and comments in the Google Play Store. Run open source internet searches for additional information. Research the company or individual that has published the app.


As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.



Amatas, Cyware, ZDNet, Kaspersky, The Hacker News, Palo Alto Networks, IBM X-Force, Info Security Magazine, Recorded Future, Bleeping Computer, FBI, Claroty, Creative Commons