
Cyware Daily Threat Intelligence


Daily Threat Briefing Mar 12, 2021

A tricky hybrid malware is in the spotlight for infecting 20,000 machines in a span of just 60 days. A blend of Monero cryptominer and ransomware, the malware first came to the fore in February, masquerading as an antivirus installer. Now, in a new attempt, the malware is impersonating an ad blocker and the OpenDNS service to target more systems.

A new evasion technique has surfaced in the threat landscape: threat actors are writing their malware in the Nim language, which few analysis tools and analysts are accustomed to. The latest in this line is the NimzaLoader backdoor malware created by the TA800 threat actor gang. Another new backdoor, dubbed RedXOR, which shares similarities with multiple malware families from the Winnti umbrella threat actor group, is actively targeting Linux systems and servers.

Top Breaches Reported in the Last 24 Hours

Norwegian Parliament hit

The Norwegian Parliament has suffered an attack for the second time in six months. The attack was carried out by exploiting a vulnerability in Microsoft’s Exchange software, which enabled the attackers to steal data.

Universities affected

The University of Central Lancashire, along with the University of the Highlands and Islands and Queen’s University, was hit by a series of cyberattacks. The attacks affected the systems and other communication devices of these universities.

Top Malware Reported in the Last 24 Hours

New RedXOR backdoor

A new, sophisticated backdoor malware dubbed RedXOR has been found masquerading as a polkit daemon to target Linux endpoints and servers. Believed to be the work of Chinese nation-state actors, the malware shares similarities with malware associated with the Winnti umbrella threat actor.

New NimzaLoader

The TA800 threat actor group is distributing a malware loader called NimzaLoader in an ongoing, highly targeted spear-phishing email campaign. Written in the Nim language, the malware is used to gain initial access to target systems. New research cites evidence that the loader is distinct from the BazarLoader backdoor.

Hybrid malware

A hybrid malware that combines cryptominer and ransomware capabilities has hit 20,000 machines in the last 60 days. The malware impersonates an ad blocker and the OpenDNS service to spread across systems. In February, the same Monero-mining "ransominer" was propagated in the form of an antivirus installer.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed F5 Networks products

F5 Networks has issued an advisory for four vulnerabilities impacting multiple products. These flaws can be exploited to launch DoS attacks and even remote code execution attacks. The affected products include some versions of BIG-IP and BIG-IQ.

Updates on ProxyLogon vulnerabilities

A Vietnamese security researcher has published a PoC exploit for the ProxyLogon vulnerabilities affecting Microsoft Exchange servers. The vulnerabilities, which so far have been abused to infect 30,000 organizations, are now believed to be in use by at least 10 different hacking groups.
