New malware – TinyTurla and Capoae / Fake certificate alert and dangerous TeamViewer

Welcome to Security Center – our weekly update on the most devastating cyberattacks, high-severity vulnerabilities, and biggest data leaks – carefully selected by our editors.

Don’t miss out! Sign up now and have it delivered to your inbox each Monday to start the week safe and sound. You will also receive a selection of the hottest company news and access to selected technical articles written by our experts, with advice and tricks for more effective protection of your IT infrastructure.

In the meantime, let’s check what happened in the cyber-world last week.

TinyTurla – Turla deploys new malware to keep a secret backdoor on victim machines

Cisco Talos recently discovered a new backdoor used by the Russian Turla APT group. It is likely used as a stealthy second-chance backdoor that keeps access to infected devices even if the primary malware is removed, and it could also serve as a second-stage dropper to infect the system with additional malware.

The adversaries install the TinyTurla backdoor as a service on the infected machine and try to hide the malicious activity by naming the service “Windows Time Service”, after the legitimate Windows service of that name. The backdoor can upload and execute files or exfiltrate files from the infected system. It contacts the command and control (C2) server over an HTTPS-encrypted channel every five seconds to check whether the operator has issued new commands. It appears that, because of the backdoor’s limited functionality and simple coding style, anti-malware systems do not find it easy to flag it as malware. This means the backdoor could stay undetected for months, gathering intel and data – and no one would be any the wiser.
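A defender’s angle on the five-second check-in described above, added here as an example rather than code from Talos or this newsletter: a client that contacts the same host at a nearly constant interval stands out in proxy or firewall logs. The log format, host names and sample lines are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy-log excerpt (not real data): "<epoch> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 polls an assumed C2 host every ~5 s with little jitter, the way a
# fixed-interval check-in looks; 10.0.0.7 is a user browsing at irregular times.
SAMPLE_LOG = """\
1632211200.0 10.0.0.5 c2.example.invalid 312
1632211201.0 10.0.0.7 news.example.invalid 4810
1632211203.5 10.0.0.7 news.example.invalid 1220
1632211205.1 10.0.0.5 c2.example.invalid 312
1632211209.9 10.0.0.5 c2.example.invalid 312
1632211215.0 10.0.0.5 c2.example.invalid 312
1632211220.2 10.0.0.5 c2.example.invalid 312
1632211225.0 10.0.0.5 c2.example.invalid 312
1632211229.8 10.0.0.5 c2.example.invalid 312
1632211235.1 10.0.0.5 c2.example.invalid 312
1632211240.0 10.0.0.7 news.example.invalid 9930
1632211241.2 10.0.0.7 news.example.invalid 770
1632211300.7 10.0.0.7 news.example.invalid 5120
1632211302.0 10.0.0.7 news.example.invalid 640
"""

def parse_flows(log_text):
    """Group request timestamps by (source IP, destination host)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, _size = line.split()
            flows[(src, dst)].append(float(ts))
    return flows

def interval_stats(timestamps):
    """Mean gap between requests and its coefficient of variation (jitter/mean)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else 0.0)

def find_beacons(log_text, max_cv=0.15, min_events=6):
    """Flag flows whose request spacing is nearly constant over enough events.
    Legitimate pollers (NTP, update checks) beacon too, so treat hits as triage
    leads to pair with destination reputation and the owning process/service."""
    hits = {}
    for flow, ts in parse_flows(log_text).items():
        if len(ts) >= min_events:
            mu, cv = interval_stats(ts)
            if cv <= max_cv:
                hits[flow] = (round(mu, 1), round(cv, 3))
    return hits
```

Running `find_beacons(SAMPLE_LOG)` reports only the 10.0.0.5 flow, at roughly 5.0 s between requests; the browsing flow has far too much variance to match.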


Hacked sites push TeamViewer using fake expired certificate alert

Threat actors are compromising Windows IIS servers to add expired certificate notification pages that prompt visitors to download a malicious fake installer. The message shown on the malicious certificate expiration error pages reads: “Detected a potential security risk and has not extended the transition to [sitename]. Updating a security certificate may allow this connection to succeed. NET::ERR_CERT_OUT_OF_DATE”. 

The method used to breach the servers is not yet known, but let’s face it – many admins struggle to patch their systems on time. Whatever the entry point, the payload dropped on infected systems is TVRAT (aka TVSPY, TeamSpy, TeamViewerENT, or Team Viewer RAT). Once deployed on an infected device, the malware silently installs and launches an instance of the TeamViewer remote control software. After launch, that TeamViewer instance reaches out to a command-and-control (C2) server to let the attackers know they can remotely take complete control of the newly compromised computer.


New Capoae malware infiltrates WordPress sites and installs backdoored plugin

Capoae malware uses multiple vulnerabilities and tactics to get a foothold on as many machines as possible. The malware is said to be delivered to hosts via a backdoored addition to a WordPress plugin called “download-monitor”, which is installed after the attackers successfully brute-force the WordPress admin credentials.

This new threat also exploits multiple remote code execution flaws in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062), and Jenkins (CVE-2019-1003029 and CVE-2019-1003030), brute-forces its way into systems running SSH, and ultimately launches the XMRig mining software. What’s more, the attack chain stands out for its persistence tricks, which include picking a legitimate-looking system path where system binaries are normally found, generating a random six-character filename, copying itself to that new location under that name, and deleting the original copy once it has run. Word of advice? Don’t use weak or default credentials… or be ready to pay the price for sloppy security measures.


More IT security must-reads

  1. How to fix the Windows 0x0000011b network printing error (Bleeping Computer)
  2. Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug (The Hacker News)
  3. New Mac malware masquerades as iTerm2, Remote Desktop and other apps (Malwarebytes Labs)
  4. iOS 15 lets you spy on apps that might be spying on you (ZDNet)
  5. Nagios XI vulnerabilities open enterprise IT infrastructure to attack (Help Net Security)
  6. Why You Should Consider QEMU Live Patching (The Hacker News)
  7. Large-Scale Phishing-as-a-Service Operation Exposed (Threat Post)
  8. Urgent Apple iOS and macOS Updates Released to Fix Actively Exploited Zero-Days (ZDNet)
  9. 100M IoT Devices Exposed By Zero-Day Bug (Threat Post)
  10. FamousSparrow APT group used ProxyLogon exploits in attacks on hotels worldwide (Security Affairs)