
Cyware Daily Threat Intelligence, March 11, 2021



A hybrid malware strain is in the spotlight for infecting 20,000 machines in a span of just 60 days. A blend of Monero cryptominer and ransomware, it first surfaced in February disguised as an antivirus installer. In its latest campaign it impersonates an ad blocker and the OpenDNS service to reach more systems.

Threat actors are also turning to a new evasion technique: writing malware in the Nim programming language, which most analysis tooling and detection signatures are not yet tuned for. The latest example is NimzaLoader, a malware loader attributed to the TA800 threat actor group. Separately, a new backdoor dubbed RedXOR, which shares traits with multiple malware families under the Winnti umbrella, is actively targeting Linux endpoints and servers.

Top Breaches Reported in the Last 24 Hours

Norwegian Parliament hit
The Norwegian Parliament has suffered a cyberattack for the second time in six months. The attackers exploited a vulnerability in Microsoft Exchange and used the access to steal data.

Universities affected
The University of Central Lancashire, along with the University of Highlands and Queen’s University, was hit by a series of cyberattacks that disrupted the universities’ IT systems and communication services.

Top Malware Reported in the Last 24 Hours

New RedXOR backdoor
A new sophisticated backdoor malware dubbed RedXOR has been found masquerading as a polkit daemon to target Linux endpoints and servers. Believed to be the work of Chinese nation-state actors, the malware shares similarities with the malware associated with the Winnti umbrella threat actor.
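The report says only that RedXOR masquerades as a polkit daemon, so the practical check is for process-name masquerading in general: list Linux processes that present themselves as polkitd and flag any that do not run from a location where a distribution package installs the real daemon. The script below is an added example, not code from the original report or from the RedXOR analysis; the expected polkitd paths, the procfs walk and the sample process table are assumptions constructed here for illustration.

```python
"""Flag processes that claim to be the polkit daemon but run from an
unexpected location. Added example; constructed sample data below."""
import os
from dataclasses import dataclass

# Assumption: locations where mainstream distributions install polkitd.
# Adjust to your fleet; these are not indicators from the original report.
KNOWN_POLKITD_PATHS = {
    "/usr/lib/polkit-1/polkitd",      # Debian/Ubuntu, Arch
    "/usr/libexec/polkit-1/polkitd",  # RHEL/Fedora family
}


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm, the kernel's 16-char task name
    exe: str       # readlink of /proc/<pid>/exe, "" if unreadable
    cmdline: str   # /proc/<pid>/cmdline, NUL-separated argv


def looks_like_polkit(p: Proc) -> bool:
    """True if either the task name or argv[0] advertises polkit."""
    argv0 = p.cmdline.split("\0")[0] if p.cmdline else ""
    return "polkit" in p.comm.lower() or "polkit" in os.path.basename(argv0).lower()


def is_suspicious(p: Proc) -> bool:
    """A polkit-looking process is suspicious when its backing binary was
    deleted after launch or does not live at a packaged polkitd path."""
    if not looks_like_polkit(p):
        return False
    if p.exe.endswith(" (deleted)"):   # kernel marks unlinked executables this way
        return True
    return p.exe not in KNOWN_POLKITD_PATHS


def find_suspicious(procs):
    return [p for p in procs if is_suspicious(p)]


def scan_procfs(root: str = "/proc"):
    """Collect Proc records from a live procfs (needs root to read every exe link)."""
    procs = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        base = os.path.join(root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, kernel thread, or insufficient privilege
        procs.append(Proc(int(entry), comm, exe, cmdline))
    return procs


# Constructed sample process table (not real telemetry).
SAMPLE = [
    Proc(812, "polkitd", "/usr/lib/polkit-1/polkitd", "/usr/lib/polkit-1/polkitd\0--no-debug\0"),
    Proc(1, "systemd", "/usr/lib/systemd/systemd", "/usr/lib/systemd/systemd\0"),
    Proc(4410, "polkitd", "/tmp/.fonts/polkitd", "/tmp/.fonts/polkitd\0"),  # unpackaged path
    Proc(4412, "polkitd", "/usr/libexec/polkit-1/polkitd (deleted)", "polkitd\0"),  # binary unlinked
    Proc(5120, "x", "/dev/shm/x", "/usr/lib/polkit-1/polkitd\0"),  # argv[0] spoofed, exe elsewhere
]


if __name__ == "__main__":
    for p in find_suspicious(scan_procfs()):
        print(f"pid={p.pid} comm={p.comm!r} exe={p.exe!r}")
```

Run as root on a live host to inspect the real process table; the constructed SAMPLE shows the three patterns the check catches (unpackaged path, deleted binary, spoofed argv[0]) and the one legitimate daemon it leaves alone.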

New NimzaLoader
The TA800 threat actor group is distributing a malware loader called NimzaLoader in an ongoing, highly targeted spear-phishing campaign. Written in the Nim programming language, the loader is used to gain initial access to victim systems. New research presents evidence that NimzaLoader is a distinct tool rather than a variant of the BazarLoader backdoor.

Hybrid malware
A hybrid malware strain that combines cryptominer and ransomware capabilities has hit 20,000 machines in the last 60 days. It currently impersonates an ad blocker and the OpenDNS service to spread across systems. In February, the same Monero-mining "ransominer" was propagated disguised as an antivirus installer.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed F5 Networks
F5 Networks has issued an advisory for four vulnerabilities affecting multiple products. The flaws can be exploited for denial of service and, in some cases, remote code execution. Affected products include certain versions of BIG-IP and BIG-IQ.

Updates on ProxyLogon vulnerabilities
A Vietnamese security researcher has published a PoC exploit for the ProxyLogon vulnerabilities affecting Microsoft Exchange servers. The flaws, which have so far been abused to compromise an estimated 30,000 organizations, are now believed to be in use by at least 10 different hacking groups.


Posted on: March 12, 2021