Zyxel Threat Intelligence (Release Date: 2021-08-02)

zyxel_Lin Posts: 73  Zyxel Employee
edited November 2021 in Security Highlight

Release Date: 2021-08-02

ZyWALL's latest virus/malware signature update protects you against more malware and threats. See how ZyWALL defends against these threats. You can view more about their details, history, and signature information in the Zyxel Encyclopedia.

1. Virus/Malware

Number of updated signatures: 21385

Highlight

Name: Backdoor.Tofsee

Description: Backdoor.Tofsee silently uses the user's machine to send out spam emails. The threat can give a malicious hacker unauthorized access to and control of your PC, mine for virtual currency, or execute other malicious activities.

The following file could indicate that the malware has placed a copy of itself on your PC:

  • %USERPROFILE%random_generated_strings.exe

It then creates the following registry value to make sure this copy is executed every time the PC starts up:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSConfig" = "%USERPROFILE%random_generated_strings.exe"

Finally, the malware:

(1) Creates a new thread in the 'svchost.exe' process.

(2) Adds itself as a 'trusted scheme' in Windows Firewall.

(3) Deletes the original executable file to cover its own tracks.

Name: Win32.Floxif

Description: The threat is a backdoor trojan that is related to the "trojanized" version of a third-party utility known as "CCleaner". If you have installed the infected or trojanized version of CCleaner, it's likely you'll have this threat detected on your machine.

When run, the threat may store some binary information in the registry key HKLM\SOFTWARE\Piriform\Agomo:Payload.

Collects and steals information

When running, the malicious DLL payload embedded inside the binary may collect the following information:

  • Computer name
  • Computer DNS domain
  • Computer IP address
  • Installed and running processes

This information is encrypted and sent to the following command and control (C2) address via a POST method:

  • 216.126.225.148

Alternatively, it dynamically generates a C2 host address from the infected machine's current year and month settings.

Downloads and runs additional code

The threat can also receive binary shellcode from its C2 server and run it. At the time of analysis, the C2 server was not responding, so we were unable to confirm what the binary shellcode includes.
(Source: Microsoft)
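As an added example (not part of the Zyxel post or its Microsoft sources), the following PowerShell checks a Windows host for the two registry indicators described above: the Tofsee-style "MSConfig" Run entry pointing at an executable in the profile root, and the Floxif Agomo key. It assumes "Agomo:Payload" denotes a value named Payload under HKLM\SOFTWARE\Piriform\Agomo, and that the backslash after %USERPROFILE% was lost in the post's formatting.

```powershell
# Added example, not from the Zyxel post: registry checks for the Tofsee and Floxif indicators above.
# Run in an elevated session so HKLM is readable; the HKCU check covers only the current user.

function Test-TofseeRunKey {
    # Tofsee persistence: HKCU\...\Run "MSConfig" = "%USERPROFILE%\<random>.exe" (backslash assumed)
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $userProfile = $env:USERPROFILE
    $findings = @()
    if (-not (Test-Path $runKey)) { return $findings }
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata, keep real values
        $data = [string]$p.Value
        # Expand %USERPROFILE% etc., strip quotes, and isolate the executable path (ignore arguments)
        $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
        $m = [regex]::Match($expanded, '^(?<path>[^"]*?\.exe)', 'IgnoreCase')
        # Flag an .exe sitting directly in the profile root (no subfolder), or the value name MSConfig
        $inProfileRoot = $m.Success -and ((Split-Path $m.Groups['path'].Value -Parent) -ieq $userProfile)
        if ($p.Name -eq 'MSConfig' -or $inProfileRoot) {
            $findings += [pscustomobject]@{ Indicator = 'Tofsee-style Run entry'; Name = $p.Name; Data = $data }
        }
    }
    return $findings
}

function Test-FloxifAgomoKey {
    # Floxif: binary payload stored at HKLM\SOFTWARE\Piriform\Agomo, value "Payload" (assumed from "Agomo:Payload").
    # WOW6432Node is the 32-bit redirected view, checked in case CCleaner was a 32-bit install.
    $keys = 'HKLM:\SOFTWARE\Piriform\Agomo', 'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name 'Payload' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Indicator = 'Floxif Agomo payload'; Name = $key; Data = 'Payload value present' }
        }
    }
}

$results = @(Test-TofseeRunKey) + @(Test-FloxifAgomoKey)
if ($results.Count -eq 0) { Write-Output 'No Tofsee or Floxif registry indicators found.' }
else { $results | Format-Table -AutoSize }
```

A hit is a triage lead, not a verdict: confirm the referenced file's hash and signer before remediating.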

2. Intrusion Detection

CVE-2021-1675

Description: Windows Print Spooler Elevation of Privilege Vulnerability

CVSS Base Score: 8.8 high

CVE-2020-34527

Description: Windows Print Spooler Remote Code Execution Vulnerability

CVSS Base Score: 8.8 high

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (Source: Microsoft)

3. Application Patrol

Total number of added applications: 12

Total number of updated applications: 28

Total number of applications: 3772

New applications have been added. The updated applications differ by model. See more information in the Zyxel Encyclopedia.


To make managing the licenses for your devices easier, the Marketplace has been opened so you can buy licenses conveniently and securely.

These are the three major benefits for you as a customer when using the Marketplace:

  • Get immediate license renewal
  • Avoid purchasing incorrect licenses, thanks to our filtered product listing
  • Review your device and license status online