Go to listing page

Cyware Daily Threat Intelligence, December 02, 2021

Cyware Daily Threat Intelligence, December 02, 2021

Share Blog Post

The hide-and-seek game between security experts and threat actors is becoming complicated as the latter continue to refine their evasion techniques. In a concerning revelation, a malware campaign launched against Canada, the U.S., Australia, and some EU countries has come to the light after almost two years. The campaign leveraged fake installers of popular software as bait to distribute malware such as AZORult (later replaced with RedLine stealer), MagnatBackdoor, and a malicious MagnatExtension. In another instance, Emotet came wrapped in Windows App Installer packages that pretend to be Adobe PDF software.

What more? Customers of eight Malaysian banks fell victim to a phishing attack that was circulated via a malicious app masquerading as a housekeeping service. Online retail stores are also at risk of attacks as a new NginRAT comes disguised legit Nginx process.

Top Breaches Reported in the Last 24 Hours

Healthcare suffers a data breach
Los Angeles-based Planned Parenthood suffered a ransomware attack that affected the personal details of its 400,000 patients. The incident occurred in October after a hacker installed malware in October and exfiltrated personal details related to patients. The attack is under investigation. 

Attacks against air-gapped networks 
A new report reveals that nation-state threat actors are increasingly using 17 malicious frameworks to attack air-gapped networks. Some of the known threat actors are DarkHotel, Ramsay, USBStealer, Fanny, Agent.BTZ, and Mustang Panda. All the malicious frameworks can be used against Windows operating systems. 

BlackByte gang’s latest attack
BlackByte ransomware operators are the latest threat actor group to leverage ProxyShell vulnerabilities. The flaws are exploited by attackers using an attachment containing the encoded web shell. 
Top Malware Reported in the Last 24 Hours

Malware distribution campaign discovered
A two-year-old malware distribution campaign has been found targeting users across Canada, the U.S., Australia, and some EU countries. The campaign uses fake installers of popular software as bait to trick users into downloading malware on their systems. The malware includes AZORult (later replaced with RedLine), a MagnatBackdoor, and a malicious MagnatExtension.  

Emotet’s new attack campaign
The Emotet malware is now distributed via malicious Windows App Installer packages that pretend to be Adobe PDF software. These packages are sent through stolen reply-chain emails that appear as a reply to an existing conversation. These replies tell the recipient to ‘Please see attached’ and contain a link to a malicious PDF. 

Malicious app steals banking information
A fake Android app masquerading as a housekeeping service was used to steal online banking credentials from the customers of eight Malaysian banks. The app was promoted through fake websites and social media accounts. Maybank, RHB, Public Bank, and BSN are some of the victim organizations. 

NginRAT targets eCommerce servers
The new NginRAT hides on Ngnix servers to target eCommerce servers in Europe and North America. The RAT is being used to conduct server-side attacks to exfiltrate payment card data from online stores. Hiding on Nginx servers renders the trojan invisible to security solutions. 

Top Vulnerabilities Reported in the Last 24 Hours

Mozilla rolls out patches
Mozilla has rolled out security patches to fix a critical security flaw in its Network Security Services (NSS) cryptographic library. The flaw can be potentially exploited by attackers to crash a vulnerable application and even execute arbitrary code. Tracked as CVE-2021-43527, the flaw is related to a heap overflow vulnerability and affects NSS versions prior to 3.73 and 3.68.1 ESR.

Faulty plugin patched
A cross-site scripting flaw in the Variation Swatches plugin could let attackers tweak an important setting on WordPress sites. The flaw can further allow attackers to inject malicious web scripts and take over sites. Tracked as CVE-2021-42367, the flaw has been patched in the new 2.1.2 version of the plugin. 


azorult infostealer
malicious android app
variation swatches plugin

Posted on: December 02, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.