Cyware Daily Threat Intelligence, January 07, 2021

Cybercriminals combining illicit motives with increasingly complex attack tactics are keeping federal agencies and security experts on edge. Two notable changes in the techniques used by the TA551 and APT37 threat actor groups have recently come to light. TA551 has switched from the Valak malware to the IcedID trojan in its recent campaigns, while APT37 has used a VBA self-decoding technique to hide the RokRat trojan on compromised systems.

There’s more. Malware authors are increasingly relying on the Golang-based Ezuri crypter and memory loader to keep their code from being detected by antivirus software. The crypter, already in use by malware targeting Windows, is now being used by malware aiming at Linux systems.

Top Breaches Reported in the Last 24 Hours

Nissan source code leaked
Nissan inadvertently leaked the source code of mobile apps and internal tools through a misconfigured Git server. The server was exposed to the internet with its default credentials, the username and password combination admin/admin, left unchanged.

Funke Media Group attack
Germany’s third-largest publisher, Funke Media Group, fell victim to a ransomware attack on December 22, 2020, that affected systems in its offices across the country. As a result, subscribers received only emergency editions of a few pages.

ShinyHunters sell more data
ShinyHunters is now selling databases belonging to three more Indian companies, ClickIndia, ChqBook, and WedMeGood, on a dark web forum. The group was earlier responsible for the data breach at Juspay.

Top Malware Reported in the Last 24 Hours

New attack tactic
Multiple malware authors are relying on the Golang-based Ezuri crypter and memory loader to keep their payloads undetected by antivirus software. The tactic is already widely used in Windows malware; threat actors are now using Ezuri to infiltrate Linux environments. The crypter encrypts the payload, and the loader decrypts and executes it in memory, so the unencrypted binary is never written to disk for a file scanner to inspect.
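A practitioner's check for this class of loader, added here as an example (it is not from the original post and not part of Ezuri): on Linux, a payload that was decrypted and executed from memory typically leaves /proc/<pid>/exe pointing at a memfd-backed or already-unlinked image instead of a file on disk. The post only calls Ezuri a memory loader; that the loader runs its payload from an anonymous memfd is an assumption stated in the code. The sample process list is constructed.

```python
"""Spot Linux processes whose executable has no on-disk backing.

Added example, not from the original Cyware post or from the Ezuri project.
Assumption: the in-memory loader executes its decrypted ELF from an anonymous
memfd (a common approach; the post only calls Ezuri a memory loader), so
readlink(/proc/<pid>/exe) returns "/memfd:<name> (deleted)".
"""
import os
import re
from typing import Iterable, List, Tuple

# Targets of /proc/<pid>/exe that indicate the image is not a regular on-disk file.
MEMFD_RE = re.compile(r"^/memfd:")
DELETED_SUFFIX = " (deleted)"


def classify_exe_target(target: str) -> str:
    """Return 'memfd', 'deleted', or 'ok' for one readlink(/proc/<pid>/exe) result."""
    if MEMFD_RE.match(target):
        return "memfd"
    if target.endswith(DELETED_SUFFIX):
        return "deleted"
    return "ok"


def find_suspicious(entries: Iterable[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Reduce (pid, exe_target) pairs to those worth triaging, with the reason."""
    hits = []
    for pid, target in entries:
        verdict = classify_exe_target(target)
        if verdict != "ok":
            hits.append((pid, target, verdict))
    return hits


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Collect (pid, exe_target) for every process the caller may inspect."""
    out = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            out.append((int(name), os.readlink(os.path.join(proc_root, name, "exe"))))
        except OSError:  # permission denied, or the process exited mid-scan
            continue
    return out


# Constructed sample, shaped like readlink() output for /proc/<pid>/exe.
SAMPLE = [
    (1, "/usr/lib/systemd/systemd"),
    (2412, "/usr/bin/bash"),
    (3177, "/memfd:  (deleted)"),          # payload executed from an anonymous memfd
    (3190, "/tmp/.x/payload (deleted)"),    # dropper unlinked its own file after exec
]

if __name__ == "__main__":
    live = scan_proc() if os.path.isdir("/proc") else []
    for pid, target, why in find_suspicious(SAMPLE + live):
        print(f"pid {pid}: {why:7s} {target}")
```

Both verdicts are triage signals rather than convictions: a "deleted" target also appears for any long-running service whose binary was replaced by a package upgrade, and some legitimate tooling executes from memfds, so the hit list should be joined with the process's parent, command line, and network activity before anyone acts on it.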

TA551 shift from Valak to IcedID
The TA551 threat actor group, known for extensively distributing information-stealing malware families such as Ursnif and Valak, switched to IcedID after mid-July 2020. The infection chain starts with a malicious email carrying a password-protected zip archive. Opening the archive exposes a document whose malicious macros download and drop IcedID onto the system.
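The lure structure above, a password-protected archive wrapping a macro-capable Office document, is something a mail gateway can flag without ever extracting the attachment. The following is an added example written for this post (not TA551 tooling or a vendor product): it reads only the ZIP central directory, checks the encryption bit on each entry, and looks for document extensions that can carry VBA macros. The sample archive is constructed in memory, and its encryption flag is set by patching the headers, because the standard library cannot write encrypted ZIPs.

```python
"""Flag mail attachments shaped like the TA551 lure: a password-protected ZIP
that wraps an Office document able to carry macros.

Added example for this post, not TA551 tooling or a vendor product. The sample
archive is constructed in memory; its encryption flag is set by patching the ZIP
headers, since zipfile cannot write encrypted archives.
"""
import io
import struct
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List

# Extensions that can carry VBA macros (.doc/.xls are the legacy binary formats).
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlam", ".pptm"}
FLAG_ENCRYPTED = 0x0001  # general purpose bit 0 in the ZIP local and central headers


@dataclass
class ZipVerdict:
    encrypted_entries: List[str]
    macro_documents: List[str]

    @property
    def suspicious(self) -> bool:
        # Either condition alone is common in legitimate mail; together they match the lure.
        return bool(self.encrypted_entries) and bool(self.macro_documents)


def inspect_zip(data: bytes) -> ZipVerdict:
    """Read only the central directory; never extract or prompt for a password."""
    encrypted, documents = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & FLAG_ENCRYPTED:
                encrypted.append(info.filename)
            if PurePosixPath(info.filename).suffix.lower() in MACRO_CAPABLE:
                documents.append(info.filename)
    return ZipVerdict(encrypted, documents)


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry archive holding a fake Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_0107.doc", b"\xd0\xcf\x11\xe0 not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the general purpose flags in the local file header
        # (offset 6 after "PK\x03\x04") and in the central directory header
        # (offset 8 after "PK\x01\x02"), which is how a real encrypted entry is marked.
        local_hdr = data.find(b"PK\x03\x04")
        central_hdr = data.find(b"PK\x01\x02")
        for off in (local_hdr + 6, central_hdr + 8):
            flags = struct.unpack_from("<H", data, off)[0] | FLAG_ENCRYPTED
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("plain", build_sample(False)), ("protected", build_sample(True))):
        verdict = inspect_zip(blob)
        print(f"{label:9s} encrypted={verdict.encrypted_entries} "
              f"docs={verdict.macro_documents} suspicious={verdict.suspicious}")
```

Because the rule never decrypts anything, it works even though the password travels in the email body rather than in the attachment, and it is cheap enough to run on every inbound message; the price is that a benign encrypted archive containing a .doc will be held for review, which is usually the intended outcome.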

RokRat trojan
The North Korean hacking group APT37 has been found using the RokRat trojan in a fresh wave of campaigns against the South Korean government. A VBA self-decoding technique is used to hide the malware from detection on impacted systems.

Top Vulnerabilities Reported in the Last 24 Hours

Fortinet issues patches
Fortinet has issued patches for several potentially serious vulnerabilities in its FortiWeb web application firewall, tracked as CVE-2020-29015, CVE-2020-29016, CVE-2020-29018, and CVE-2020-29019. The flaws could be abused to expose corporate networks to attack.

SoftMaker Office flaws fixed
Several vulnerabilities in SoftMaker Office can be abused for arbitrary code execution via malicious documents. They affect TextMaker, the word-processing component of SoftMaker Office. All of them carry a CVSS score of 8.8 and are now fixed.

Top Scams Reported in the Last 24 Hours

Impersonation scam
Scammers are impersonating Singapore government officials in an ongoing phishing scam that attempts to steal banking information. Victims receive phone calls or messages claiming there are issues with their bank accounts and are asked to verify their banking or personal details to resolve the issue.


valak malware
softmaker office
icedid trojan
rokrat trojan
ezuri crypter

Posted on: January 07, 2021
