Zyxel Threat Intelligence (Release Date: 2021-12-14)
This article focuses on rogueware. Parts 2 and 3 will be included in the December Monthly Threat Report, covering the Intrusion Detection and Application Patrol updates. More details, history, and signature information are available in the Zyxel Encyclopedia.
(Number of updated Virus/Malware signatures:380)
According to a Gartner report, nearly 95% of ransomware attacks are preventable, yet ransomware continues to cause massive disruption to organizations. Zyxel keeps malware detection up to date; it currently detects and removes threats including Trojan.Downloader.Bredolab and Trojan.Rajbot.Gen.
Highlight (partial)
Name: Trojan.Rajbot.Gen
Trojan.Rajbot.Gen.1 is a generic detection for a trojan that performs unauthorized activity on the affected OS. It is distributed by criminal hackers and usually enters the user's system silently as suspicious code. The malware can slow down system and network performance, harvest sensitive data from the OS, and encrypt critical files so the user can no longer access them. It is strongly recommended to remove the malware manually from affected devices. Zyxel security protection can now prevent infiltration by Trojan.Rajbot.Gen.1.
Trojan.Downloader.Bredolab is a trojan downloader known for installing rogue antivirus suites. Rogue security software, also known as rogueware, has become a serious PC threat in recent years. Bredolab is typically downloaded from malicious web sites.
What is rogueware?
Rogueware is malicious software that generates misleading alerts or fake scan reports to convince users that their machine is infected. It then pressures them into paying for a bogus removal tool, which itself installs further malware on the computer. The operators are paid an affiliate fee for every successful installation.
How does it work?
The trojan-downloader runs every time Windows starts by setting the following registry entry (RunGrpConv is a legitimate Winlogon value; setting it to 1 makes Windows run grpconv.exe at logon, which the downloader uses as its launch point):
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ "RunGrpConv" = "1"
The files it downloads from the following websites are encrypted; the trojan-downloader decrypts them on the infected device before executing them.
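The following PowerShell audit is an added example, not part of the Zyxel article or of Zyxel's own tooling. It checks a live host for the Winlogon persistence value described above, verifies that the grpconv.exe the value would launch is still the Microsoft-signed binary, and goes slightly beyond the article by also comparing the Shell and Userinit Winlogon values against their Windows defaults. The default strings for Shell and Userinit are assumed from standard Windows installs; run it in an elevated session.

```powershell
# Added example (not from the Zyxel article): audit Winlogon autostart values.
# Run in an elevated PowerShell session; no external modules required.

$findings = @()

# RunGrpConv is a legitimate Winlogon value; "1" means Windows runs grpconv.exe
# at logon, which is the hook the downloader uses. A value under HKCU is more
# suspicious than one under HKLM, since per-user persistence needs no admin rights.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $v = Get-ItemProperty -Path $key -Name RunGrpConv -ErrorAction SilentlyContinue
    if ($null -ne $v -and "$($v.RunGrpConv)" -eq '1') {
        $findings += [pscustomobject]@{
            Hive = $hive; Value = 'RunGrpConv'; Data = $v.RunGrpConv
            Note = 'grpconv.exe will run at logon'
        }
    }
}

# Beyond the article: Shell and Userinit under HKLM Winlogon are the other classic
# Winlogon persistence points. Anything other than the assumed defaults deserves a look.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
$hklm = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in $expected.Keys) {
    $actual = "$($hklm.$name)"
    if ($actual.TrimEnd(',') -ine $expected[$name].TrimEnd(',')) {
        $findings += [pscustomobject]@{ Hive = 'HKLM'; Value = $name; Data = $actual; Note = 'non-default' }
    }
}

# grpconv.exe itself should be the Microsoft-signed binary in System32. If the
# value is set AND the binary is unsigned or replaced, treat the host as compromised.
$grpconv = Join-Path $env:SystemRoot 'System32\grpconv.exe'
if (Test-Path $grpconv) {
    $sig = Get-AuthenticodeSignature -FilePath $grpconv
    if ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{ Hive = '-'; Value = 'grpconv.exe'; Data = $sig.Status; Note = 'signature not valid' }
    }
}

if ($findings.Count -eq 0) { 'No Winlogon autostart findings.' } else { $findings | Format-Table -AutoSize }
```

A RunGrpConv hit on its own is not proof of infection, since the value is a documented Windows setting; the combination of the value being set, a per-user (HKCU) location, and a non-default or unsigned grpconv.exe is what should trigger a full triage of the host.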
(Updated: 11/Cover Total: 5503)
Highlight
CVE-2020-1301
Base Score: 8.8 high
Windows SMB Authentication Reflection Remote Code Execution
This vulnerability is in the Microsoft Server Message Block 1.0 (SMBv1) server. An attacker who successfully exploits it can execute code on the target server. In most situations an authenticated attacker would need to send a specially crafted packet to the targeted SMBv1 server.
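Because the flaw lives in the SMBv1 server, a host that no longer speaks SMBv1 is not reachable on that path even before the Microsoft update for CVE-2020-1301 is applied. The script below is an added example (not from the Zyxel article) that reports whether SMBv1 is still enabled on a Windows host, lists any sessions currently negotiated at an SMB 1.x dialect so you know who would break, and optionally disables the protocol. It uses only built-in cmdlets; Get-WindowsOptionalFeature applies to client editions, while Windows Server exposes the feature as FS-SMB1 through Get-WindowsFeature instead.

```powershell
# Added example (not from the Zyxel article): check for, and optionally disable,
# SMBv1 on a Windows host. Run in an elevated PowerShell session.
param([switch]$Remediate)

# Server-side view: is the SMB server willing to negotiate SMBv1 at all?
$cfg = Get-SmbServerConfiguration
"SMB server EnableSMB1Protocol : $($cfg.EnableSMB1Protocol)"

# Feature view (client editions): is the SMB1Protocol optional feature installed?
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat) { "SMB1Protocol feature state   : $($feat.State)" }

# Live view: which connected sessions are actually using an SMB 1.x dialect?
# These are the clients that will lose access once SMBv1 is turned off.
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

if ($Remediate) {
    # Disable at the server level first (takes effect immediately), then remove the
    # feature so it cannot be re-enabled by a later configuration change.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    'SMBv1 disabled; a reboot completes feature removal.'
}
```

Disabling SMBv1 is a mitigation, not a substitute for the update: install the Microsoft fix for CVE-2020-1301 as well, and keep the protocol off afterwards since it has no place on a modern network.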
CVE-2020-16875
Base Score: 7.5 high
Windows scripting engine code execution
A remote code execution vulnerability exists in Microsoft Exchange Server because it fails to properly validate cmdlet arguments. An attacker can exploit it by sending a specially crafted email to a vulnerable Exchange server; successful exploitation allows the attacker to execute arbitrary code remotely.
(Added Application:13/ All Application: 3822)
To make managing licenses for your devices easier, the Marketplace is now open so you can buy licenses conveniently and securely.
These are the three major benefits for you as a customer when using the Marketplace: