A tricky hybrid malware is in the spotlight for infecting 20,000 machines in just 60 days. A blend of Monero cryptominer and ransomware, the malware first surfaced in February masquerading as an antivirus installer. In a new campaign, it is now impersonating an ad blocker and the OpenDNS service to reach more systems.
A new evasion technique has surfaced: threat actors are writing their malware in the Nim language. The latest example is the NimzaLoader backdoor, created by the TA800 threat actor gang. Another new backdoor, dubbed RedXOR, which shares similarities with several malware families from the Winnti umbrella threat actor group, is actively targeting Linux systems and servers.
Top Breaches Reported in the Last 24 Hours
Norwegian Parliament hit
The Norwegian Parliament has suffered an attack for the second time in six months. The attack was carried out by exploiting a vulnerability in Microsoft’s Exchange software, which enabled the attackers to steal data.
The University of Central Lancashire, along with the University of Highlands and Queen’s University, was hit by a series of cyberattacks. The attacks affected the systems and other communication devices of these universities.
Top Malware Reported in the Last 24 Hours
New RedXOR backdoor
A new sophisticated backdoor malware dubbed RedXOR has been found masquerading as a polkit daemon to target Linux endpoints and servers. Believed to be the work of Chinese nation-state actors, the malware shares similarities with malware associated with the Winnti umbrella threat actor.
The TA800 threat actor group is distributing a malware loader called NimzaLoader in an ongoing, highly targeted spear-phishing email campaign. Written in the Nim language, the loader is used to gain initial access to target systems. New research cites evidence that the loader is distinct from the BazarLoader backdoor.
A hybrid malware that includes both cryptominer and ransomware capabilities has hit 20,000 machines in the last 60 days. The malware impersonates an ad blocker and the OpenDNS service to spread across systems. In February, the same Monero-mining ransominer was propagated in the form of an antivirus installer.
Top Vulnerabilities Reported in the Last 24 Hours
Flawed F5 Networks products
F5 Networks has issued an advisory for four vulnerabilities impacting multiple products. These flaws can be exploited to launch DoS attacks and, in some cases, remote code execution attacks. The affected products include some versions of BIG-IP and BIG-IQ.
Updates on ProxyLogon vulnerabilities
A Vietnamese security researcher has published a PoC exploit for the ProxyLogon vulnerabilities affecting Microsoft Exchange servers. The vulnerabilities, which have so far been abused to compromise 30,000 organizations, are now believed to be in use by at least 10 different hacking groups.