First observed in 2021 and advertised as a standalone version on various cybercriminal forums, Mars is an information stealer mainly targeting Windows victim credentials and cryptocurrency wallets including 2FA plugins and any essential system information. Mars is also capable of loading any type of file by downloading and executing them from a given drop-zone. Over the past several months, Mars took the place of a solid info stealer.

AvosLocker is a relatively new ransomware written in C++ that was first seen in June 2021. Their business model is ‘Ransomware-as-a-Service’ (RaaS), and even though they have been operating for less than a year now, they’ve been successful overall when it comes to victims. The group openly and publicly tries to recruit new members to its team and operates a TOR leak site, showcasing the latest victims, as all other ransomware groups do.

Over the past months, Cyberint Research Team observed a new group that emerged on several underground forums. What seemed to be “yet another info stealer seller” has turned out to be something far more interesting. As the group is named Jester Stealer, that were, at first, selling a fairly sophisticated info stealer (Figure 1). Other evidence suggests that there is much more to it. Cyberint Research Team discovered a developing threat group that gets their claws into whatever they can find.

Moving into 2022, looking back at the plentiful year of 2021, regarding security, we at the Cyberint Research Team will try and shed some light on the upcoming year: the key security risks and threats, and what we feel will change in the coming year. We will focus on the actions required to be as vigilant and protected as possible.

Subscriptions-based services are a reality we all are getting used to; most people no longer buy physical media for example, opting to use streaming services for movies and music. This has numerous advantages like letting us explore new artists and genres without additional costs and commitment. Yet, while best known for its implementation in the digital world, subscription payment models are slowly but surely being adopted by more and more industries.

Ransomware remains a growing and increasingly problematic threat to organizations across all industries. Posing a significant and increasing threat throughout 2021, ‘Big game hunter’ ransomware campaigns, orchestrated by highly sophisticated organized cybercriminal groups, continue to compromise and extort high-value ransoms from victim organizations across all industries.

Following December 9th, 2021, the news of a Log4j Remote Code Execution (RCE) vulnerability began to grow (Figure 1). In addition to various malware families that already have utilized this vulnerability and added it to their delivery methods arsenal, more vulnerabilities related to this case were published, making Log4j, once simple Java-based logging utility, “the talk of the internet” these days.

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified, (Dubbed “Log4Shell” by researchers), affecting massive amounts of servers all over the world. As this vulnerability gains high traction worldwide, it’s important to note, that not only internet facing java applications are vulnerable, as user input can traverse to another non-internet facing machines and exploit these as well.

Known to be one of the most useful popular and dangerous threats, Emotet, firstly seen in 2014, is a Malware-as-a-Service (MaaS), that used to operate as a banking trojan targeting banks in Germany, Austria and Switzerland. Since 2017, Emotet has done a shift into a loader and took parts in campaigns, setting up for Trickbot delivery, deployment of ransomware such as Conti and Ryuk, and other malwares such as QuakBot, Azorult, SilentNight and more.

True Login phishing kits are continuously being developed by threat actors to improve their TTPs in luring victims. By using true login kits, the phishing operators have a higher chance of making potential victims believe they are logging into the real website. True login kit developers are abusing publicly available APIs of the banking company to be able to query login information to be shown to potential victims, in turn luring the victim even further into the operations.