This bulletin provides an overview of four critical vulnerabilities observed during December 2020, some of which are known to have been actively exploited, and it is recommended that organizations apply all necessary security updates and/or mitigation steps to prevent the exploitation of.

First identified in late 2016, 'Trickbot' evolved from being a well-established banking trojan into a malware-as-a-service (MaaS) threat utilized by both cybercriminals and nation-state threat actors for predominantly financially motivated campaigns. Supporting modular components, Trickbot campaigns will differ based on the requirements of the MaaS 'customer' with many being used to steal personal and financial data as well as deploying ransomware threats, such as 'Conti' and 'Ryuk', to victims.

Following the attack on FireEye, the US Department of Homeland Security (DHS) has issued an Emergency Directive (ED) regarding a backdoor being exploited in SolarWinds Orion products, versions 2019.4 through 2020.2.1 (inclusive). Based on file signatures, FireEye considered this campaign to have started around March 2020, potentially affecting up to 18,000 organization worldwide.

Analysis of a recently detected phishing kit, targeting a retail bank based in the Philippines and submitted to VirusTotal, led to the identification of a low-sophistication method used by threat actors in an effort to phish for usable one-time passwords (OTP) along with account credentials.

First identified in 2018, 'Ryuk' is a known malware often dropped on a system by other malware, most notably TrickBot and Bazaarloader by using a Spear Phishing lure or other systems access gains via Remote Desktop Services. Ryuk demands payment via Bitcoin cryptocurrency and directs victims to deposit the ransom in a specific Bitcoin wallet.

IcedID stealer (Also known as BokBot) was first discovered at the end of 2017, believed to be a resurgence of the NeverQuest banking Trojan. It is a modular banking trojan that uses man-in-the-browser (MitB) attacks to steal banking credentials, payment card information and other financial data. The stealer possesses relatively sophisticated functionality and capabilities such as web injects, a large remote access trojan (RAT) arsenal and a VNC module for remote control.

This blog provides an overview of the situation surrounding the release of the source code, and supplementary 'injection' files, for the Android banking trojan 'Cerberus'.

This blog summarizes the findings of an investigation into the current status of the Brazilian threat group known as 'Prilex' who came to prominence in late 2017 and early 2018 for their ATM jackpotting and point-of-sale (POS) terminal attacks. Whilst the group were believed to have been active since 2014, a distinct absence of 'chatter' and reporting of their activity since 2018 seemingly suggested that the group had ceased operations.

These vulnerabilities were observed to be critical in October 2020. Cyberint's Research Team recommends to patch and take the necessary steps immediately.

First identified as active in November 2012, 'njRAT', also known as 'Bladabindi' or 'Njw0rm', is a well established and prevalent remote access trojan (RAT) threat that was initially created by a cybercriminal threat group known as 'Sparclyheason' and used to target victims located in the Middle East. Undoubtedly following the source code leak, reportedly in May 2013, njRAT has become widely available on the cybercriminal underground with numerous variants being released over the years.