Go to listing page

Cyware Daily Threat Intelligence, March 18, 2021

Cyware Daily Threat Intelligence, March 18, 2021

Share Blog Post

Bad, old trojans are back in new financial phishbait campaigns to pilfer sensitive information from users. While one campaign targeting U.S. taxpayers is distributing Remcos and NetWire trojans, the other campaign that appears to be from the IRS is being used to propagate the Dridex trojan.

Rising malware threats against macOS look grim as researchers have detected another new malware dubbed XcodeSpy that targets Xcode projects. The ultimate goal of the malware is to spread custom EggShell backdoors.

Satori botnet is on a new attack spree, with the addition of a new exploit that abuses an RCE vulnerability in Iteris’ Vantage Velocity field unit.

Top Breaches Reported in the Last 24 Hours

More details on the Parliament attack
A group of Chinese state-sponsored hackers known as APT31 has been held responsible for a cyberattack on the Finnish Parliament that disrupted its IT systems. The attack, which took place in 2020, had also allowed attackers to gain access to the email accounts of some members of the Parliament.

Earth Vetala campaign
Researchers have uncovered a campaign dubbed Earth Vetala that was aimed at UAE and Kuwait government agencies. Linked with the MuddyWater threat actor, the campaign used ScreeC0nnect and RemoteUtilities tools to gain control over systems.

103 GB data exposed
Around 103 GB worth of data belonging to New Jersey-based Descartes Aljex software was left exposed due to a misconfigured AWS S3 bucket. This affected more than 4,000 people that included customers, company employees, sales reps, and people working for third-party.

Top Malware Reported in the Last 24 Hours

XcodeSpy is a new malware that targets Xcode projects used in macOS for developing Apple software and applications. The ultimate goal of the malware is to spread custom EggShell backdoors. So far, two variants of EggShell have been detected, one of which shared an encrypted string with XcodeSpy.

Trojan attacks
Researchers have analyzed an active campaign that targets U.S. taxpayers with an intent to spread NetWire and Remcos trojans. The campaign leverages the U.S. tax season to lure victims. Other key elements of the campaign include the abuse of legitimate cloud services, use of steganography to conceal payloads, and exploitation of legitimate OpenVPN clients.

Dridex spotted
A phishing campaign that impersonates the IRS has been spotted distributing the Dridex banking trojan. The email uses the agency’s official logo and a spoofed sender domain of IRS[.]gov that claims to offer an application for financial assistance.

Fake Telegram app
Threat actors are using Google Ads to distribute a fake version of the Telegram desktop app. Three links spoofing Telegram’s website have been detected so far. One of these sites was used to spread AZORult trojan.

Satori spreads its tentacles
An investigation reveals that Satori botnet has added a new exploit that abuses a remote command execution vulnerability (CVE-2020-9020) in Iteris Vantage Velocity field unit version 2.3.1, 2.4.2, and 3.0. The botnet scans port 23 of random hosts and tries to login with its embedded password dictionary when port 23 is open.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Tutor LMS plugin
The popular WordPress plugin, Tutor LMS, is riddled with several security vulnerabilities that can open doors to information theft and privilege escalation. Five of these flaws are related to SQL-injection flaws and at least one high-severity bug stems from unprotected AJAX endpoints.


tutor lms plugin
mirai variant satori
remcos trojan
netwire trojan
fake telegram app

Posted on: March 18, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.