Cyware Daily Threat Intelligence, September 25, 2020


Threat actors sometimes roll out new malware in order to launch large-scale attacks stealthily. In the past 24 hours, security researchers have come across three new malware families in use in the wild: the Pyark backdoor, Mount Locker ransomware, and the Taurus Project stealer. The Python-based Pyark backdoor is attributed to the APT-C-43 threat actor group and is being used to target military institutions in Venezuela.

Meanwhile, Mount Locker ransomware has hit four organizations since it first appeared in July, and its operators have set up a data leak site as part of their extortion process. The Taurus Project stealer is believed to be the work of the operators behind the ‘Predator the Thief’ malware and has been distributed widely in malspam campaigns over the past several months.

Top Breaches Reported in the Last 24 Hours

Windows XP code leaked
The source code for Windows XP SP1 and other versions of the operating system has allegedly been leaked online by a hacker. The collection of files, roughly 43GB in size, was reportedly compiled over two months before being released as a torrent on the 4chan forum. The torrent also includes files related to MS-DOS 3.30, MS-DOS 6.0, Windows 2000, Windows CE 3, Windows CE 4, Windows CE 5, Windows Embedded 7, Windows Embedded CE, Windows NT 3.5, and Windows NT 4.

Top Malware Reported in the Last 24 Hours

Tainted apps
Several utility apps in the Google Play Store have been found to be disguised carriers of the Cerberus Android banking trojan. According to Bitdefender’s telemetry, the malicious apps have affected users in Europe, the U.S., and Australia; some of them pose as health and sports apps.

New Pyark backdoor
A new Python-based backdoor dubbed Pyark is being actively used by a threat actor group tracked as APT-C-43 to target military institutions in Venezuela. The campaign has been active since 2019 and is launched through phishing emails.

New Mount Locker ransomware
A new ransomware strain named Mount Locker has hit several organizations since it appeared in July. In one case it stole around 400GB of data from a victim and demanded a ransom in the millions of dollars. The ransomware’s data leak site currently lists four victims. It uses ChaCha20 and RSA-2048 to encrypt files.

Taurus Project stealer
Researchers have uncovered several malspam campaigns distributing a new information stealer called Taurus Project. The malware is delivered through a macro-laced document and shares many capabilities with Predator the Thief, including stealing credentials from browsers, FTP, VPN, and email clients, as well as cryptocurrency wallets.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Fortigate VPN
Over 200,000 businesses using the FortiGate SSL VPN are at risk of attack due to an insecure default configuration. According to the researchers, the problem lies in organizations leaving the default self-signed SSL certificate in place on the VPN gateway: a client presented with such a certificate has no reliable way to confirm it is talking to the genuine gateway rather than an impostor, so an attacker on the network path can mount a man-in-the-middle (MitM) attack and take over the victim’s connection. Fortinet currently has no plan to change the default and has instead suggested a workaround.
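A practical check for the weakness described above, added here as an example that is not part of the original briefing, of the researchers’ tooling, or of Fortinet’s own code: the Go program below (standard library only) classifies the leaf certificate a VPN gateway presents and flags it when it is self-signed or does not chain to a CA in the supplied trust store, which is the condition that leaves clients unable to authenticate the gateway. The hostname vpn.example.internal, the InspectEndpoint helper, and the in-memory self-signed certificate built by SampleSelfSigned for the offline demo are all constructed for this example; the sample certificate is not any vendor’s actual factory certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding summarises whether a gateway certificate gives a VPN client any
// basis for telling the genuine gateway apart from an impostor.
type Finding struct {
	Subject    string
	Issuer     string
	SelfSigned bool // issuer == subject and the signature verifies under the cert's own key
	Trusted    bool // chains to a CA in the supplied (or system) trust store for hostname
}

// Classify inspects a server's leaf certificate. roots == nil means the
// system trust store; pass an empty pool to make the result independent of
// whatever CAs the running machine happens to trust.
func Classify(leaf *x509.Certificate, hostname string, roots *x509.CertPool) Finding {
	f := Finding{Subject: leaf.Subject.String(), Issuer: leaf.Issuer.String()}

	// A self-signed certificate names itself as issuer and is signed with its
	// own key. That is what a factory-default appliance certificate looks
	// like, and anyone can mint one with the same subject.
	if bytes.Equal(leaf.RawSubject, leaf.RawIssuer) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		f.SelfSigned = true
	}

	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots})
	f.Trusted = err == nil
	return f
}

// InspectEndpoint fetches the certificate a live gateway presents and
// classifies it. Verification is disabled on the dial only so that the
// certificate can be retrieved; the judgement is made in Classify.
// Needs network access, so the offline demo below does not call it.
func InspectEndpoint(addr, hostname string) (Finding, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         hostname,
		InsecureSkipVerify: true, // deliberate: we inspect rather than trust
	})
	if err != nil {
		return Finding{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return Finding{}, fmt.Errorf("%s presented no certificate", addr)
	}
	return Classify(certs[0], hostname, nil), nil
}

// SampleSelfSigned builds, in memory, a self-signed certificate of the kind a
// default-configured appliance serves. Constructed for this demo only; it is
// not any vendor's real factory certificate.
func SampleSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// parent == template makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const host = "vpn.example.internal" // hypothetical gateway name
	leaf, err := SampleSelfSigned(host)
	if err != nil {
		panic(err)
	}
	f := Classify(leaf, host, x509.NewCertPool())
	fmt.Printf("subject=%q issuer=%q self-signed=%v trusted=%v\n",
		f.Subject, f.Issuer, f.SelfSigned, f.Trusted)
	if f.SelfSigned || !f.Trusted {
		fmt.Println("WEAK: clients cannot authenticate this gateway; install a CA-issued certificate")
	}
}
```

The check is only half of the picture: installing a CA-issued certificate on the gateway removes the ambiguity, but the VPN client must also be configured to reject certificates that fail this test, otherwise an attacker can still present a self-signed certificate of their own with the same subject.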

Vulnerable PulseSecure VPN exploited
CISA has issued an alert about an attack on a federal agency’s network. The attackers exploited a previously known vulnerability, CVE-2019-11510, in Pulse Secure VPN, which gave them unauthorized access to files, including ones containing passwords.

Cisco released patches
Cisco has released a barrage of security patches for flaws in networking hardware running Cisco IOS XE software. Twenty-nine of the bugs are rated high severity and 13 medium severity. The most noteworthy are several vulnerabilities that could allow remote, unauthenticated attackers to execute arbitrary code on targeted systems.


Posted on: September 25, 2020
