Go to listing page

Cyware Daily Threat Intelligence July 20, 2021

Cyware Daily Threat Intelligence July 20, 2021

Share Blog Post

It’s raining malware and so are fake software alerts and spoofed emails that are used to distribute them. In the past 24 hours, researchers have unearthed two new malware strains named MosaicLoader and Dmechant that are distributed via cracked software installers and phishing emails, respectively. While MosaicLoader is being used to deliver various malicious payloads to an infected system, Dmechant is designed to steal crypto wallet information and credentials from the victims’ infected devices.

Besides new malware threats, some existing malware such as Buer Loader and Shlayer macOS trojan have also resurfaced in different malspam campaigns. Buer Loader is dropped via a malicious Excel document and Shlayer is propagated via a fake Flash Player update.

Top Breaches Reported in the Last 24 Hours

Cloudstar hit
Cloud-based IT provider Cloudstar was hit by ransomware that affected its systems. The incident was discovered on July 16. Presently, only the Office 365 mail services, the email encryption offering, and some of the support services are fully operational.

Hackers stealing identities
Cybercriminals are taking advantage of the recent tragic condo collapse incident in South Florida to steal the identities of deceased members. The attackers are relying on the news to get access to stolen identities that can be used for further cyberattacks.

Aruba breached
Italian web hosting firm Aruba has disclosed a data breach that exposed customer billing and personal data. The data includes names, tax codes, physical addresses, telephone numbers, and email addresses.

More details on Iran’s railroad system attack
More details on Iran’s railroad system attack have emerged recently. It appears that attackers had penetrated the system at least a month earlier than the actual date of attack (July 9).

Top Malware Reported in the Last 24 Hours

New MosaicLoader malware
A new malware strain dubbed MosaicLoader is being distributed to target systems via cracked installers. The malware includes several anti-analysis techniques to slip past antivirus software. The malware’s wide-ranging capabilities can enable attackers to maintain unauthorized access to victim computers and propagate sets of sophisticated malware such as Glupteba.

Buer Loader delivered
A malicious spam campaign, which uses the names of DHL and Amazon, lures users into opening a malicious Microsoft Excel document that drops a new version of Buer Loader. The Excel document is signed with an XLL file extension, rather than the standard XLS file extension. The malware variant is written in Rust and uses Rust crates/libraries.

New Dmechant malware
Dmechant is a new malware that is being distributed via phishing emails. The malware is designed to steal crypto wallet information and credentials from the victims’ infected devices. The spam email looks like an urgent order reminder from a purchase manager.
Remcos RAT spotted
Researchers have tracked a malspam campaign that delivers Remcos RAT via financially-themed emails. The types of attachments that are used to lure users are related to transaction invoice, appraisal report, payment advice, etc. 

Shlayer malvertising campaign
Malvertising campaigns delivering Shlayer malware for macOS are still ongoing. In one of the recent campaigns tracked by researchers, it has been found that the malware is using fake Flash updates and social engineering tactics to trick victims.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco discloses R-SeeNet flaws
Cisco has disclosed details about several critical vulnerabilities affecting a router monitoring tool R-SeeNet provided by Advantech. An attacker can exploit the vulnerabilities to execute arbitrary JavaScript code by luring users into clicking on specially crafted HTTP requests. The flaws affect R-SeeNet version 2.4.12. The vendor has addressed the flaw by releasing new versions.

Juniper patches flaws
Juniper has patched critical flaws affecting its product portfolio. The most important of these is tracked as CVE-2021-0276, which scored a CVSS score of 9.8. An attacker can exploit it by sending specially crafted packets to cause a denial of service or execute code remotely.

Top Scams Reported in the Last 24 Hours

Malicious takes down a scam
Microsoft has taken down 17 malicious domains that were part of a BEC campaign targeting their Office 365 customers. These domains were designed to resemble legitimate businesses. The scammers had used these domains—ccpedu[.]com, junctionfuelings[.]com, 1verk[.]com, tattersails[.]com, cupidconstruct1on[.]com, and thegiaint[.]com—as part of an extensive network that appears to be based out of West Africa.

IRS scam
Threat actors are launching dozens of fake American Rescue Plan Act signup sites to harvest credentials and personal information from users. The fake sites look exactly like government websites and ask for names, social security numbers, and photos of drivers’ licenses from users.


buer loader malware
dmechant malware
shlayer macos malware
remcos rat

Posted on: July 20, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite