Cyware Daily Threat Intelligence, December 04, 2019

Share Blog Post

With a destructive capability to erase data from computer drives, wiper malware poses a serious threat to organizations across the world. While such types of malicious operations were previously carried out using the notorious Shamoon malware, a new disk-wiping malware named ZeroCleare has come to notice of security researchers. It has been found that the malware is particularly used against the industrial and energy sector in the Middle East. Based on the characteristics of the malware and infection process, security researchers suspect the malware to be the work of Iran-based nation-state sponsored adversaries.

The past 24 hours also saw Mozilla and Python removing malicious extensions and libraries respectively from their sites. While Mozilla pulled out four extensions of Avast and AVG which were involved in collecting users’ personal data, Python discarded ‘python3-dateutil’ and ‘jeIlyfish’ that were designed to steal SSH and GPG keys from the projects of infected developers.

Top Breaches Reported in the Last 24 Hours

Ryuk ransomware attack
T-System, a provider for end-to-end solutions for emergency care facilities in the U.S., has been hit by Ryuk ransomware. The company is working to recover from the attack that has affected its systems. The attack occurred at the end of November. The company admitted to the ransomware infection after it discovered that the files in the company site index were appended with the .ryk extension. The attackers have dropped a ransom note that offers minimum information on how the organization can pay the ransom to get the decryption key.

Top Malware Reported in the Last 24 Hours

ZeroCleare wiper malware
Security researchers have unearthed a new destructive wiper malware named ZeroCleare. The malware is being used in the Middle East, particularly against organizations in the industrial and energy sectors. It is believed that the malware is operated by Iran-based nation-state adversaries. The malware bears some similarity to the Shamoon malware.

New macOS malware
A new macOS malware sample which is believed to be the work of the North Korean hacker group Lazarus has been detected by researchers. The new sample is packaged under the name UnionCryptoTrader and is hosted on a website called ‘’ that advertises a ‘small cryptocurrency arbitrage trading platform’ but provides no download links.

Mozilla removes malicious extensions
Mozilla has removed four extensions from Avast and AVG from the Firefox site over concerns of spying users’ activities. The four extensions in questions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. These browser extensions were found collecting data with user consent.

Two trojanized Python libraries
The Python team has removed two trojanized Python libraries from the Python Package Index. These malicious libraries were found stealing SSH and GPG keys from the projects of infected developers. The two libraries were created and registered through a technique called typosquatting. The two malicious libraries are ‘python3-dateutil’ - imitates dateutil library - and ‘jeIlyfish’ - imitates jellyfish library.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft login issue
A serious vulnerability in Microsoft login systems can lead to account takeover. The bug affects the apps integrated with Microsoft accounts. The flaw can allow attackers to quietly steal authentication tokens, which websites and apps use to grant users access to their accounts without having them to constantly re-enter their passwords. A patch for the issue has been issued in November security updates.

Vulnerable GoAhead servers
Two new vulnerabilities along with a two-year-old RCE flaw have been discovered in GoAhead embedded web servers. The first vulnerability is tracked as CVE-2019-5096 and is related to how multi-part/form-data requests are processed. Meanwhile, the second vulnerability is designated with an ID number of CVE-2019-5097. The flaw can be exploited by attackers to cause a DoS condition by sending a specially crafted HTTP request.

Buggy Accusoft ImageGear patched
A series of vulnerabilities that could allow attackers to execute code remotely have been patched in the Accusoft ImageGear library. The flaws impact the version 19.3.0 and have received a CVSS score of 9.8.

Top Scams Reported in the Last 24 Hours

Scary terrorism allegation scam
FTC is warning users about an ongoing scam that has been designed to scare them with money laundering and terrorism allegations. The scammers send letters with a fake yet official-looking letterhead. The message further goes on to say that the victim’s activities will be under review’ because of suspicious online and financial activities that point at terrorism and money laundering. While the letter does not make any demands, the FTC says it is just the first stage of the scam. The second stage of the attack involves a direct phone call asking the target to send money to get rid of the fake charges and monitoring.


ryuk ransomware
goahead servers
accusoft imagegear
malicious python libraries
zerocleare wiper

Posted on: December 04, 2019

Get the Daily Threat Briefing delivered to your email!

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!