
Security Brief: CICYBER Week of November 22, 2021

Week of Monday, November 22, 2021 | Issue 53

Keanna Grelicha, Counterintelligence and Cyber (CICYBER) Team

Rogue Malware[1]

Date: November 22, 2021

Location: Global

Parties involved: Microsoft; Trend Micro; Squirrelwaffle; other Unknown Threat Actors

The event: Threat actors are using a spam campaign that steals emails in order to infiltrate Microsoft Exchange Servers and the security software protecting them. Trend Micro, a cybersecurity software company, investigated previous spam campaigns connected to Microsoft Office documents and identified a threat actor named Squirrelwaffle. ProxyLogon and ProxyShell are the names given to flaws in Microsoft Exchange Servers that allow an attacker to manipulate access privileges, bypass security controls, and remotely attack the system’s software. Microsoft released updates and security patches for ProxyShell in May and July 2021. Continued vulnerabilities in ProxyLogon and ProxyShell allowed the intrusions, which send malicious code and spam messages through the domains of targets who open the infected emails.[2]

The implications:

  • Trend Micro’s investigation of the hackers’ tactics and attacks would very likely provide Microsoft with material to set up deterrence measures for future spam campaigns. The tactics used in the malware spam campaign very likely demonstrate that users are unaware of scams, which increases human error. If Microsoft does not provide users with guidance on how to protect their accounts and report scams and malicious activity in emails, attacks will very likely continue to affect Microsoft servers. If fewer employees are susceptible to malicious emails, the number of attacks will likely decrease and allow for control of irregular activity in the servers.

  • Microsoft’s updated security patches very likely did not address every vulnerability because Squirrelwaffle and other threat actors hacked the system. If vulnerabilities are still present, Microsoft will very likely establish new patch updates, as they have done in the past, to ensure that the detection and prevention firewalls are secure against any vulnerable entry points in the server. If Microsoft controls the activity, it would likely enable monitoring of malicious behavior in the server or email domains that would likely lead to earlier deterrence against future attacks.

Date: November 23, 2021

Location: Brazil

Parties involved: Brazilian banks; IBM X-Force; Unknown Hackers

The event: The threat intelligence and investigation firm IBM X-Force discovered BrazKing, an Android remote access trojan (RAT) that was targeting Brazilian banking applications (apps). This RAT was first identified as PixStealer in 2018. The RAT allows hackers to steal account credentials and access victims’ accounts and transactions. BrazKing malware’s new capabilities to log keystrokes and extract passwords allow hackers to initiate fraud attacks by gathering the authorization details. Once the device is infected, the malware monitors activity in the apps on the device and collects data to then use for financial fraud.[3]

The implications:

  • BrazKing is likely more sophisticated than its predecessor PixStealer because of its new abilities to monitor keystrokes and login movements. Logging movement on the banking system very likely creates security vulnerabilities for customers. The movement very likely provides the login credentials that would almost certainly allow access to transaction details in the account, likely leading to financial fraud. If open entry points in the system remain unsecured, the ports would likely allow for future RAT attacks to continue.

  • The hacker’s ability to use the RAT to steal account credentials would almost certainly result in identity theft or fraud of bank app users. If the hackers gain sensitive information, app users could very likely deal with ransom charges if hackers act with financial motives. Fraud or financial loss could likely lead to user mistrust in the bank. With increased mistrust, the bank would very likely suffer reputational damages.

Date: November 25, 2021

Location: Iran

Parties involved: US; Iran; Microsoft; Iranian Threat Actor

The event: A flaw in the Microsoft (MS) Windows MSHTML engine allowed a new Iranian hacker to exploit the system and conduct a phishing campaign. These attacks come after Microsoft patched an access vulnerability in the engine in September 2021. The phishing campaign delivered emails with Microsoft Word document attachments embedded with malware to victims. The victims were individual targets in the US and Iran. Most of the targets were Iranians living in the US who used Microsoft PowerShell in their accounts. The PowerShell script is a configuration program in Microsoft that manages the user’s activities in the system. The malware attacked the PowerShell script that holds and transmits sensitive information the threat actors could steal.[4]
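Both the Squirrelwaffle spam campaign above and this phishing campaign relied on the same lure: a Microsoft Office document attached to an email from outside the organization. The script below is an added illustration of the kind of mail-gateway triage a defender would run to surface such messages; it is not code from the CTG brief or from any of the vendors named in it. The log format, field names, sample log lines and the internal domain `example.org` are all constructed assumptions for this example.

```python
"""Triage constructed mail-gateway log lines for Office-document lures.

Added example, not part of the CTG brief. The log format, field names and
sample lines below are assumptions invented for this illustration.
"""
import re
from dataclasses import dataclass

# Office extensions used as lures in the campaigns described on the page.
OFFICE_LURE_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx"}
# Legacy binary formats and the "m" variants can carry VBA macros, so a
# defender ranks them higher than plain .docx/.xlsx.
MACRO_CAPABLE = {".doc", ".xls", ".docm", ".xlsm"}

# Constructed line format: ts=<iso> from=<addr> to=<addr> attach=<filename>|none
LOG_LINE = re.compile(
    r"ts=(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)\s+attach=(?P<attach>\S+)"
)

# Constructed sample log (assumption; not a real capture).
SAMPLE_LOG = [
    "ts=2021-11-22T09:14:05Z from=invoices@mail-partner.test to=alice@example.org attach=Invoice_1123.docm",
    "ts=2021-11-22T09:15:40Z from=bob@example.org to=alice@example.org attach=Q4_plan.docx",
    "ts=2021-11-22T09:17:02Z from=newsletter@vendor.test to=carol@example.org attach=none",
    "ts=2021-11-22T09:18:11Z from=hr-update@careers.test to=dave@example.org attach=Offer_Letter.doc",
    "this line is garbage and must not crash the triage",
]


@dataclass
class Finding:
    ts: str
    sender: str
    rcpt: str
    attachment: str
    reason: str


def is_external(addr: str, internal_domain: str) -> bool:
    """True when the sender address is not in the organization's own domain."""
    return not addr.lower().endswith("@" + internal_domain.lower())


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension, or '' if there is none."""
    return filename[filename.rfind("."):].lower() if "." in filename else ""


def triage(lines, internal_domain="example.org"):
    """Return a Finding for each external message carrying an Office lure."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        attach = m["attach"]
        if attach == "none":
            continue
        ext = extension_of(attach)
        if ext not in OFFICE_LURE_EXTENSIONS or not is_external(m["sender"], internal_domain):
            continue
        reason = ("macro-capable office attachment from external sender"
                  if ext in MACRO_CAPABLE
                  else "office attachment from external sender")
        findings.append(Finding(m["ts"], m["sender"], m["rcpt"], attach, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.sender} -> {f.rcpt}: {f.attachment} ({f.reason})")
```

Run against the constructed sample, the triage flags the two external messages carrying macro-capable documents and ignores the internal `.docx`, the message with no attachment, and the malformed line. In a real deployment the regex would be replaced by the gateway's actual log schema, and the finding would feed a ticket or a mail quarantine rather than a print statement.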

The implications:

  • Targeting victims with administrative access rights almost certainly demonstrates that Microsoft’s current user-enabled two-factor authentication (2FA) in the account settings does not ensure security for users. The option for users to enable or disable 2FA very likely allows hackers to test different user accounts to find those that are easily accessible with less login information needed. Because 2FA is optional, future attacks will very likely remain successful, targeting vulnerable users to enter Microsoft systems.

  • Iranian threat actors’ ability to steal user-sensitive data through the PowerShell script via the MSHTML flaw very likely indicates that the previous Microsoft patches did not secure all vulnerabilities in the systems. The Iranian threat actors’ attack could very likely inspire other hackers to conduct an attack if the entry points remain accessible through phishing campaigns. Microsoft’s lack of effective patch updates to secure entry points very likely increases the chance of future attacks succeeding against user accounts. Future attacks could very likely damage Microsoft’s reputation and its ability to manage security flaws within its servers to deter other threats.

The Counterterrorism Group (CTG) is the leading intelligence, security, and investigations company in the world. We are resourceful, innovative problem-solvers who are always on your side against terrorists, or other people intending to do harm, in situations that require something different. Our team of professionals has over 20 years of experience analyzing intelligence data and gathering information on terrorists where others have failed. We also use our know-how to anticipate developments in terrorist attacks by using human asset reports to collect vital intel before it happens, so you don't get caught without a plan. To find out more about our products and services visit us at


[2] Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns, The Hacker News, November 2021,

[3] More Stealthier Version of BrazKing Android Malware Spotted in the Wild, The Hacker News, November 2021,

[4] Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware, The Hacker News, November 2021,
