Zyxel Threat Intelligence (Release Date: 2021-08-02)
Release Date: 2021-08-02
ZyWALLs latest virus/malware signature update protect you against more malware and threat. See how ZyWALL defends against these threats. You can view more about their details, history, and signature information in Zyxel Encyclopedia.
Number of updated signatures: 21385
Description: Backdoor.Tofsee silently uses the user’s machine to send out spam emails. The threat can give a malicious hacker unauthorized access and control of your PC, mine for virtual currency, or execute other malicious activities.
The following could indicate that you have a copy of itself on your PC:
And then creates the following registry key to make sure this copy is executed every time when PC is started up:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSConfig" = "%USERPROFILE%random_generated_strings.exe"
Finally, the malware:
(1) Creates a new thread in the 'svchost.exe' process
(2) Adds itself as a 'trusted scheme' in Windows Firewall.
(3) Deletes the original executable file to cover its own tracks.
Description: The threat is a backdoor trojan that is related to the "trojanized" version of a third-party utility known as "CCleaner". If you have installed the infected or trojanized version of CCleaner, it's likely you'll have this threat detected on your machine.
When run, the threat may store some binary information to the registry key HKLM\SOFTWARE\Piriform\Agomo:Payload
Collects and steals information
When running, the malicious DLL payload embedded inside the binary may collect the following information:
- Computer name
- Computer DNS domain
- Computer IP address
- Installed and running processes
This information is encrypted and sent to the follow command and control (C2) address via a POST method:
Alternatively, it dynamically generates a C2 host address from the infected machine's current year and month settings.
Downloads and runs additional code
The threat can also receive a binary shellcode from its C2
server and run it. At the time of analysis, the C2 server was not
responding so we are unable to confirm what the binary shellcode includes.
Description: Windows Print Spooler Elevation of Privilege Vulnerability
CVSS Base Score: 8.8 high
CVSS Base Score: 8.8 high
Description: Windows Print Spooler Remote Code Execution Vulnerability
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (Source: Microsoft)
Total number of added applications: 12
Total number of updated applications: 28
Total number of applications: 3772
Applications have been added. The updated applications would be different by models. See more information via Zyxel Encyclopedia.
To make your life easier in managing your licenses for your devices, the Marketplace has been opened to buy licenses conveniently and securely.
These are the three major benefits for you as a customer when using the Marketplace:
- Get immediate license renewal
- Avoid incorrect license(s) purchased with our filtered product listing
- Review your device and license status online
- 6.9K All Categories
- 2 Education Center
- 1.4K Nebula
- 34 Nebula Ideas
- 40 Nebula Status and Incidents
- 3.9K Security
- 203 Security Ideas
- 753 Switch
- 31 Switch Ideas
- 635 WirelessLAN
- 10 WLAN Ideas
- 4.6K Consumer Product
- 105 Service & License
- 223 News and Release
- 76 Stories
- 39 Security Advisories
- 522 FAQ
- 239 Nebula FAQ
- 121 Security FAQ
- 73 Switch FAQ
- 67 WirelessLAN FAQ
- 6 Consumer Product FAQ
- 30 Nebula Monthly Express
- 45 About Community
- 32 Security Highlight