Cyware Daily Threat Intelligence, November 25, 2020


TrickBot remains the most talked-about threat in the cybersecurity landscape. Researchers have uncovered two new versions of the trojan, 2000016 and 100003, that include a new C2 server based on Mikrotik routers and packed modules. So far, the new versions have been used in attacks in the U.S., Malaysia, Romania, Russia, and Malta.

TrickBot was not alone: the past 24 hours also brought new versions of the PlugX RAT and a Linux proxy trojan. The new PlugX variant is tied to a cyber espionage campaign run by the TA416 threat actor group, while the new Linux proxy variant is linked to the Stantinko group, which is compromising Linux servers in a widespread campaign.

Top Breaches Reported in the Last 24 Hours

Ritzau news agency affected
Ritzau news agency disclosed that it was hit by a cyberattack early on the morning of November 25. Following the attack, the agency shut down its servers to prevent further damage. The threat actor and the motive behind the attack are not yet known.

Belden discloses data breach
A data breach incident at specialty networking solutions provider Belden has affected the data of some current and former employees, as well as limited company information. However, the firm revealed that the breach did not impact production in manufacturing plants, quality control, or shipping. The company’s investigation into the incident is ongoing.

Top Malware Reported in the Last 24 Hours

TrickBot rolls out two new updates
TrickBot has rolled out two new versions, 2000016 and 100003, that include a new C2 server based on Mikrotik routers and packed modules. Version 2000016 became active only about three weeks after agencies took down TrickBot's infrastructure; it was superseded by version 100003, released on November 18. So far, the new versions have been used in attacks in the U.S., Malaysia, Romania, Russia, and Malta.

PlugX updated
The Chinese threat actor group TA416 has recently ramped up its activity with a new version of the PlugX RAT written in Go. The variant adds obfuscation techniques intended to evade detection by security tools and conceal the attackers' espionage activity.

New Linux Proxy trojan strain
A new version of a Linux proxy trojan attributed to the Stantinko group has been detected masquerading as an Apache HTTP Server process. The malware is believed to be part of a broader campaign that abuses compromised Linux servers.
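A process that names itself after Apache but runs from an unexpected binary is the kind of masquerade described above. The check below is an added example, not code from the page or from the researchers who reported the trojan: it walks /proc (or a constructed listing) and flags any process that calls itself httpd or apache2 but whose executable is not one of the package-managed paths. The trusted path set, the Apache process names, and the sample process listing are assumptions; adjust them for your own fleet.

```python
"""Flag processes that present themselves as Apache httpd but run from an
unexpected binary. Added example; the names, paths and sample data are assumed."""
import os
from dataclasses import dataclass

# Names the real Apache HTTP Server binary goes by on common distributions (assumed).
APACHE_NAMES = {"httpd", "apache2"}

# Where a package-managed Apache binary is expected to live (assumed; tune per fleet).
TRUSTED_EXE = {"/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/local/apache2/bin/httpd"}


@dataclass
class Proc:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # resolved target of /proc/<pid>/exe
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def collect_processes():
    """Walk /proc on a live Linux host. Reading another user's exe link needs privileges."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or is not readable
        procs.append(Proc(pid, comm, exe, cmdline))
    return procs


def looks_like_apache(p):
    """True if the kernel process name or argv[0] imitates Apache."""
    argv0 = os.path.basename(p.cmdline.split(" ", 1)[0]) if p.cmdline else ""
    return p.comm in APACHE_NAMES or argv0 in APACHE_NAMES


def find_impostors(procs, trusted=TRUSTED_EXE):
    """Return (pid, reason) for Apache-looking processes whose binary is not trusted.

    A '(deleted)' suffix means the on-disk binary was unlinked after start, which
    malware does to frustrate disk scanning (it also happens briefly during a
    legitimate package upgrade, so treat it as a lead, not a verdict).
    """
    findings = []
    for p in procs:
        if not looks_like_apache(p):
            continue
        if p.exe.endswith(" (deleted)"):
            findings.append((p.pid, f"binary unlinked after start: {p.exe}"))
        elif p.exe not in trusted:
            findings.append((p.pid, f"unexpected binary path: {p.exe}"))
    return findings


# Constructed sample listing (not real telemetry): one genuine httpd, one impostor
# running from /tmp, one whose binary was removed after launch, and an unrelated daemon.
SAMPLE = [
    Proc(812, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -DFOREGROUND"),
    Proc(2041, "httpd", "/tmp/.x/httpd", "httpd"),
    Proc(2077, "apache2", "/usr/sbin/apache2 (deleted)", "/usr/sbin/apache2 -k start"),
    Proc(3000, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]


if __name__ == "__main__":
    # Use collect_processes() instead of SAMPLE to scan the local host.
    for pid, reason in find_impostors(SAMPLE):
        print(f"pid {pid}: {reason}")
```

On a real host, follow up any hit by hashing the flagged binary and checking whether the package manager owns the path (`rpm -Vf` or `dpkg -S`); a genuine Apache that was rebuilt from source will trip the path check, so the trusted set must reflect how your servers were actually installed.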

Fake Minecraft apps
Scammers are using fake Minecraft apps to push abusive ads onto victims' devices. Google has removed some of the malicious apps, but five of them (Zone Modding Minecraft, Textures for Minecraft ACPE, Seeded for Minecraft ACPE, Mods for Minecraft ACPE, and Darcy Minecraft Mod) remain available on the Play Store.

Top Vulnerabilities Reported in the Last 24 Hours

MobileIron flaw exploited in the wild
A remote code execution flaw in MobileIron Core and Connector products, tracked as CVE-2020-15505, is being exploited by multiple threat actors to break into networks across government, healthcare, and other sectors. The flaw allows attackers to execute arbitrary code on a vulnerable system.

Top Scams Reported in the Last 24 Hours

Impersonation scam
Cybercriminals are impersonating government agencies that offer federal assistance in order to steal personal information from U.S. citizens. They are sending out messages purporting to come from federal government entities offering financial aid or unemployment assistance during the pandemic. In one campaign, the criminals lured victims with a fake government program that claimed to offer up to $5,800 in cash payments.


Posted on: November 25, 2020