In the second half of March, Proofpoint observed an interesting email campaign by a threat actor it tracks as TA800, which distributed a new malware called NimzaLoader. Also, another ransomware gang has started to target vulnerable Exchange servers with another ransomware, called Black KingDom.

For more articles, check out our #onpatrol4malware blog.

NimzaLoader: TA800’s New Initial Access Malware

Source: ProofPoint

Proofpoint researchers observed an interesting email campaign by a threat actor we track as TA800. This actor has predominantly used BazaLoader since April of 2020, but they distributed a new malware we are calling NimzaLoader. Read more.

Internet Crime Report 2020

Source: IC3

In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cybercriminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree. Read more.

SilverFish Group Threat Actor Report

Source: Prodaft

The PRODAFT Threat Intelligence (PTI) team discovered a highly-sophisticated group of cybercriminals targeting exclusively large corporations and public institutions worldwide, with a focus on the EU and the US. Read more.

New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor

Source: SentinelLabs

This year has brought two disturbing new trends into prominence: the targeting of developers and the use of supply chain attacks to infect broad swaths of customers. Read more.

Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)

Source: JPcert

VSingle is an HTTP bot which executes arbitrary code from a remote network. It also downloads and executes plugins. Once launched, this malware runs Explorer and executes its main code through DLL injection. Read more.

Websites Hosting Cracks Spread Malware, Adware

Source: TrendMicro

We investigated a number of websites offering cracks and pirated software that start an infection chain leading to multiple pieces of malware and adware, including CopperStealer and LNKR adware. Read more.

Purple Fox Rootkit Now Propagates as a Worm

Source: Guardicore

During the last few weeks, the Guardicore Labs team has been tracking a new campaign distributing the Purple Fox malware. Purple Fox was discovered in March of 2018 and was covered as an exploit kit targeting Internet Explorer and Windows. Read more.

Black Kingdom ransomware begins appearing on Exchange servers

Source: Sophos

Following the DearCry ransomware attacks reported on last week, another ransomware gang has also started to target vulnerable Exchange servers with another ransomware, called Black KingDom. Read more.

Threat landscape for industrial automation systems. Statistics for H2 2020

Source: SecureList

Starting with the second half (H2) of 2019, we observed a decline in the percentage of industrial control system (ICS) computers on which malicious objects were blocked. Read more.