Deadliest Computer Viruses – 2021

1. CDPwn

CDPwn is a set of five vulnerabilities in Cisco's implementation of the Cisco Discovery Protocol (CDP), caused by improper validation of incoming CDP messages. By sending a specially crafted CDP packet to a vulnerable device, an unauthenticated attacker on the same Layer 2 segment could achieve remote code execution or cause a denial of service.

Do not ignore this: five high-severity Cisco vulnerabilities are grouped under the name CDPwn. Four are remote code execution flaws and one is a denial of service; when exploited, they allow a threat actor to take full control of the affected Cisco devices.

The five are CVE-2020-3119, a stack overflow in NX-OS on Nexus switches; CVE-2020-3118, a format string vulnerability in IOS XR; CVE-2020-3111, a stack overflow in the CDP parsing function of Cisco IP phones; CVE-2020-3110, a heap overflow in the Cisco 8000 series IP cameras; and CVE-2020-3120, the denial of service vulnerability.

Cisco notes in its advisories that because CDP is a Layer 2 protocol, an attacker "must be in the same broadcast domain as the affected device." CDP can be disabled on interfaces and VLANs where neighbour discovery is not needed, which removes the attack surface on those segments.
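The bugs above are all failures to validate the length or content of a CDP TLV before it is copied or logged. The parser below is an added example (not code from the article, Armis or Cisco) that shows what a strict CDP TLV parser checks; the frame builder, the sample frames and the heuristic flagging '%' in string TLVs are assumptions made for the example, and the checksum is neither computed nor verified.

```python
import struct

# Added example, not code from the original article or from Cisco.
# CDP payload layout (after the SNAP header): version (1), TTL (1),
# checksum (2), then TLVs of type (2), length (2, includes the 4-byte
# TLV header), value. All integers are big-endian.
CDP_FIXED_HEADER_LEN = 4
CDP_TLV_HEADER_LEN = 4
CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_PORT_ID = 0x0003


def parse_cdp(payload):
    """Parse a CDP payload with strict TLV length validation.

    Returns the parsed header, the (type, value) TLVs accepted, and a list
    of issues for anything a careless parser would read out of bounds or
    hand to a printf-style function.
    """
    if len(payload) < CDP_FIXED_HEADER_LEN:
        return {"version": None, "ttl": None, "tlvs": [],
                "issues": ["payload shorter than CDP fixed header"]}
    version, ttl, _checksum = struct.unpack("!BBH", payload[:CDP_FIXED_HEADER_LEN])
    tlvs, issues = [], []
    offset = CDP_FIXED_HEADER_LEN
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < CDP_TLV_HEADER_LEN:
            issues.append("truncated TLV header at offset %d" % offset)
            break
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + CDP_TLV_HEADER_LEN])
        if tlv_len < CDP_TLV_HEADER_LEN:
            # A length below 4 would make a naive loop stall or step backwards.
            issues.append("TLV 0x%04x at offset %d declares length %d, below the 4-byte header"
                          % (tlv_type, offset, tlv_len))
            break
        if tlv_len > remaining:
            # The shape of the overflow bugs: the declared length is trusted
            # and more bytes are copied than the frame actually holds.
            issues.append("TLV 0x%04x at offset %d declares length %d but only %d bytes remain"
                          % (tlv_type, offset, tlv_len, remaining))
            break
        value = payload[offset + CDP_TLV_HEADER_LEN:offset + tlv_len]
        if tlv_type in (CDP_TLV_DEVICE_ID, CDP_TLV_PORT_ID) and b"%" in value:
            # Heuristic (assumption): a '%' in a neighbour string that devices
            # log is the textbook trigger for a format string bug.
            issues.append("TLV 0x%04x carries format-string characters: %r" % (tlv_type, value))
        tlvs.append((tlv_type, value))
        offset += tlv_len
    return {"version": version, "ttl": ttl, "tlvs": tlvs, "issues": issues}


def build_cdp(tlvs, version=2, ttl=180):
    """Build a CDP payload from (type, value) pairs. Checksum left as zero;
    this helper only exists to construct test frames."""
    body = b"".join(struct.pack("!HH", t, len(v) + CDP_TLV_HEADER_LEN) + v for t, v in tlvs)
    return struct.pack("!BBH", version, ttl, 0) + body


# Constructed sample frames.
BENIGN = build_cdp([(CDP_TLV_DEVICE_ID, b"switch1"), (CDP_TLV_PORT_ID, b"GigabitEthernet0/1")])
# Declared TLV length far beyond the bytes that follow it.
OVERLONG = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", CDP_TLV_PORT_ID, 0xFFFF) + b"AAAA"
# Device ID that would reach a printf-style function on a vulnerable parser.
FORMAT_STRING = build_cdp([(CDP_TLV_DEVICE_ID, b"%x%x%x%n")])

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN), ("overlong", OVERLONG), ("format-string", FORMAT_STRING)):
        result = parse_cdp(frame)
        print(name, "accepted TLVs:", len(result["tlvs"]), "issues:", result["issues"])
```

The two length checks are the ones that matter: a declared length below the header size and a declared length beyond the remaining bytes are both rejected before any value is sliced, and parsing stops at the first bad TLV rather than trying to resynchronise.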

2. WinRAR Code Execution

Malicious hackers wasted no time exploiting a serious code-execution vulnerability disclosed in WinRAR, a Windows file-compression program that claims 500 million users worldwide. The in-the-wild attacks installed malware that, at the time of the first reports, went undetected by the vast majority of antivirus products.

The flaw (CVE-2018-20250), disclosed in February 2019 by Check Point Research, drew instant attention because it made it possible for attackers to install persistent malicious applications when a target opened a crafted archive (an ACE archive, usually renamed to .rar) with any version of WinRAR released over the preceding 19 years. An absolute path traversal in the bundled ACE extraction library let an archive write its files into the Windows Startup folder (or any other folder of the archive creator's choosing) without generating a warning. From there, the malicious payload ran automatically the next time the machine restarted and the user logged on.

A McAfee researcher reported that the firm had identified "100 unique exploits and counting" in the first week after the vulnerability was disclosed. Most of the initial targets were located in the US.
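The defect was an extractor that trusted the path stored in the archive. The code below is an added example (not WinRAR's or the ACE library's code) of the check every extractor has to apply to an entry name before writing it, beside a lexical resolution of where an unchecked name would have landed; the destination folder, the entry names and the Startup-folder heuristic are constructed for the example. It uses PureWindowsPath so it runs on any platform.

```python
from pathlib import PureWindowsPath

# Added example, not code from WinRAR, the ACE library or the original article.
STARTUP_SUFFIX = ("start menu", "programs", "startup")


def safe_extract_target(dest_dir, entry_name):
    """Return the path an archive entry may be written to, or None if the
    entry must be rejected. dest_dir must be an absolute Windows path."""
    dest = PureWindowsPath(dest_dir)
    if not dest.anchor:
        raise ValueError("dest_dir must be absolute")
    entry = PureWindowsPath(entry_name)
    # Drive letters ("C:\\", "C:"), UNC roots and rooted paths ("\\Users")
    # all set .anchor; a legitimate archive entry never has one.
    if entry.anchor:
        return None
    parts = entry.parts
    # Reject empty names and any parent-directory component.
    if not parts or ".." in parts:
        return None
    return str(dest.joinpath(*parts))


def naive_landing(dest_dir, entry_name):
    """Where an extractor that trusts the stored name would write the file,
    resolved lexically: absolute names win and '..' climbs one level."""
    dest = PureWindowsPath(dest_dir)
    entry = PureWindowsPath(entry_name)
    combined = entry if entry.anchor else dest.joinpath(entry)
    parts = []
    for part in combined.parts:
        if part == "..":
            if len(parts) > 1:      # never climb above the anchor
                parts.pop()
        elif part != ".":
            parts.append(part)
    return str(PureWindowsPath(*parts))


def lands_in_startup(path):
    """True if the path contains ...\\Start Menu\\Programs\\Startup\\..."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    return any(parts[i:i + 3] == STARTUP_SUFFIX for i in range(len(parts) - 2))


def audit_entries(dest_dir, entry_names):
    """Classify every entry of an archive listing before extraction."""
    report = []
    for name in entry_names:
        target = safe_extract_target(dest_dir, name)
        landing = naive_landing(dest_dir, name)
        report.append({"entry": name, "accepted": target is not None,
                       "naive_landing": landing, "persistence": lands_in_startup(landing)})
    return report


# Constructed archive listing: one benign entry and two traversal attempts.
DEST = r"C:\Users\alice\Downloads"
ENTRIES = [
    r"invoice\readme.txt",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
]

if __name__ == "__main__":
    for row in audit_entries(DEST, ENTRIES):
        print(row)
```

Rejecting any anchored name and any `..` component is simpler and safer than trying to normalise the path and compare it to the destination afterwards, which is the approach that tends to have parser-disagreement bugs.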

3. Shadow Hammer

In ShadowHammer, a sophisticated group of attackers modified an old version of the ASUS Live Update Utility and pushed the tampered copy to ASUS computers around the world, according to Kaspersky Lab. The Live Update Utility, preinstalled on most new ASUS computers, automatically updates the BIOS/UEFI firmware, hardware drivers and applications. The modified tool, signed with legitimate ASUSTeK certificates and hosted on official ASUS servers, looked like the real thing. But once installed, it gave the attackers the ability to control the computer through a remote server and install additional malware. The lesson for defenders is that a valid code signature proves only that the vendor's signing key was used, not that the build is trustworthy; the build and distribution pipeline itself has to be protected and monitored.

4. Gustuff

The new Gustuff variant has a smaller static footprint because it no longer contains hard-coded package names of the apps it targets, and it lets operators execute scripts through internal commands, using JavaScript for that, which the researchers describe as a novelty in the Android malware space.

Gustuff was initially based on the Marcher banking Trojan, but the new variant has lost some of those similarities, the security researchers say.

The malware continues to spread through malicious SMS messages and mainly targets users in Australia; token-based two-factor authentication and user awareness remain the best defence against it.

The new campaign was observed at the beginning of October 2019. The updated variant continues to use infected devices of little interest in themselves to send propagation SMS messages, at a rate of around 300 messages per hour per device.

5. Emotet Malware

Emotet is a Trojan that is spread primarily through spam emails (malspam). The infection arrives as a malicious script, a macro-enabled document or a malicious link. Emotet emails often carry familiar branding designed to look like legitimate mail, and they try to persuade users to open the malicious file with tempting language about "Your Invoice", "Payment Details" or a supposed upcoming shipment from a well-known parcel company.

Emotet has gone through several iterations. Early versions arrived as a malicious JavaScript file. Later versions use macro-enabled documents whose macros retrieve the payload from command and control (C&C) servers run by the attackers.
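The two delivery vectors named above, a script attachment and a macro-enabled document, are both detectable at the mail gateway. The code below is an added example (not from the article or any mail product) of a triage rule that checks the subject for the lure phrases mentioned, the attachment for script extensions, and Office attachments for an actual VBA project inside the zip container, so a .docm renamed to .doc or .docx is still caught. The lure list, extension lists, verdict scheme and sample messages are constructed for the example.

```python
import io
import re
import zipfile

# Added example, not code from the original article or from any mail gateway.
LURE_SUBJECTS = re.compile(r"\b(your invoice|payment details|shipment|parcel)\b", re.I)
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf")
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")


def has_vba_project(data):
    """True if an OOXML (zip-based) Office file carries a VBA project.
    Legacy binary .doc/.xls files are not zip containers and return False."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def triage_message(subject, attachment_name, attachment_bytes):
    """Return (verdict, reasons) for one message: 'block', 'quarantine' or 'allow'."""
    reasons = []
    name = attachment_name.lower()
    if LURE_SUBJECTS.search(subject):
        reasons.append("subject uses a known lure phrase")
    if name.endswith(SCRIPT_EXTENSIONS):
        reasons.append("script attachment " + attachment_name)
    if name.endswith(OFFICE_EXTENSIONS) and has_vba_project(attachment_bytes):
        reasons.append("Office attachment contains a VBA project")
    # Content-based findings block outright; a lure subject alone is quarantined.
    if any(r.startswith(("script", "Office")) for r in reasons):
        return ("block", reasons)
    if reasons:
        return ("quarantine", reasons)
    return ("allow", reasons)


def make_office_file(with_macros):
    """Build a minimal OOXML container in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample messages: (subject, attachment name, attachment bytes).
SAMPLES = [
    # Macro document renamed to .doc: the extension lies, the container does not.
    ("Your Invoice #48213", "invoice.doc", make_office_file(with_macros=True)),
    ("Payment Details", "details.docx", make_office_file(with_macros=False)),
    ("Weekly report", "report.docx", make_office_file(with_macros=False)),
    ("Parcel could not be delivered", "tracking.js", b"var sh = new ActiveXObject('WScript.Shell');"),
]

if __name__ == "__main__":
    for subject, name, data in SAMPLES:
        print(subject, "->", triage_message(subject, name, data))
```

The container check is the part worth keeping: it does not depend on the sender's chosen extension, and it costs one zip directory read per attachment.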

6. Ryuk Ransomware

Ryuk is a sophisticated ransomware threat that has been targeting businesses, hospitals, government institutions and other organizations since 2018. The group behind the malware is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

Ryuk is almost exclusively deployed after a TrickBot infection. However, not all TrickBot infections lead to Ryuk; when they do, Ryuk typically appears weeks after TrickBot first shows up on a network, most likely because the attackers use the data TrickBot collects to decide which networks are valuable enough to ransom.

7. Cyborg Ransomware

CYBORG is malicious software discovered by GrujaRS. It is classified as ransomware: it encrypts data and demands a ransom payment for the decryption tool. During encryption, files are renamed with the ".petra" extension; for example, "1.jpg" becomes "1.jpg.petra", and so on for every encrypted file. An updated variant of CYBORG appends the ".lazareus" extension instead. Once encryption is complete, CYBORG drops a text file ("Cyborg_DECRYPT.txt") on the desktop and changes the wallpaper.

The text on the new wallpaper informs users that their data has been encrypted by CYBORG. For details, victims are told to read "Cyborg_DECRYPT.txt", which contains the ransom message. It states that the encrypted files can be restored if a ransom is paid, the equivalent of 300 USD in Bitcoin.

8. CryptoMix Clop Ransomware

A new variant of the CryptoMix Clop ransomware family targets entire networks instead of individual users' machines.

Security researcher MalwareHunterTeam discovered the variant near the end of February 2019. In analysing the threat, they noticed that the ransomware came equipped with more contact email addresses than previous versions of CryptoMix Clop, and that its authors had slightly varied the extension it appends to encrypted files.

Once executed, the variant starts by terminating a long list of Windows services and processes. This lets Clop disable anti-virus software running on the computer, and it also closes open files, putting them in a state where they can be encrypted without being locked by another process.
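Both behaviours described in sections 7 and 8, a process renaming many files to one new extension and dropping a note, and a process stopping many services in quick succession, are visible in endpoint telemetry before encryption finishes. The code below is an added example (not from the article or any EDR product) of two behavioural rules run over a constructed event log; the event format, the thresholds, the 60-second window and the ransom-note keywords are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the original article or from any vendor.
WINDOW = timedelta(seconds=60)
SERVICE_STOP_THRESHOLD = 5
RENAME_THRESHOLD = 5
NOTE_MARKERS = ("decrypt", "readme", "restore")

# Constructed log, one event per line: "<ISO time> <pid> <event> <detail>".
SAMPLE_LOG = r"""
2019-03-01T10:00:00 4120 SERVICE_STOP MSSQLSERVER
2019-03-01T10:00:01 4120 SERVICE_STOP SQLWriter
2019-03-01T10:00:01 4120 SERVICE_STOP wscsvc
2019-03-01T10:00:02 4120 SERVICE_STOP WinDefend
2019-03-01T10:00:02 4120 SERVICE_STOP Sense
2019-03-01T10:00:03 4120 SERVICE_STOP VSS
2019-03-01T10:01:10 4120 FILE_RENAME C:\Users\bob\Documents\1.jpg -> C:\Users\bob\Documents\1.jpg.petra
2019-03-01T10:01:10 4120 FILE_RENAME C:\Users\bob\Documents\2.jpg -> C:\Users\bob\Documents\2.jpg.petra
2019-03-01T10:01:11 4120 FILE_RENAME C:\Users\bob\Documents\budget.xlsx -> C:\Users\bob\Documents\budget.xlsx.petra
2019-03-01T10:01:11 4120 FILE_RENAME C:\Users\bob\Documents\notes.txt -> C:\Users\bob\Documents\notes.txt.petra
2019-03-01T10:01:12 4120 FILE_RENAME C:\Users\bob\Pictures\cat.png -> C:\Users\bob\Pictures\cat.png.petra
2019-03-01T10:01:12 4120 FILE_CREATE C:\Users\bob\Desktop\Cyborg_DECRYPT.txt
2019-03-01T10:05:00 880 FILE_RENAME C:\Users\bob\Documents\draft.docx -> C:\Users\bob\Documents\final.docx
2019-03-01T10:06:00 880 SERVICE_STOP Spooler
"""


def parse_events(log_text):
    """Turn the constructed log into (time, pid, kind, detail) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, pid, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), int(pid), kind, detail))
    return events


def basename(path):
    """Last component of a Windows or POSIX path, independent of host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def burst(times, threshold):
    """True if at least `threshold` timestamps fall inside one WINDOW."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= WINDOW
               for i in range(len(times) - threshold + 1))


def detect(events):
    """Run both rules per process and return a list of alert dicts."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)
    alerts = []
    for pid, evs in sorted(by_pid.items()):
        # Rule 1 (Clop pattern): many service stops from one process.
        stops = [t for t, _, kind, _ in evs if kind == "SERVICE_STOP"]
        if burst(stops, SERVICE_STOP_THRESHOLD):
            alerts.append({"pid": pid, "rule": "mass_service_stop", "count": len(stops)})
        # Rule 2 (Cyborg pattern): many renames that keep the original name
        # and append one new extension, plus a dropped note file.
        appended = defaultdict(list)
        for t, _, kind, detail in evs:
            if kind == "FILE_RENAME":
                old, new = detail.split(" -> ", 1)
                if new.startswith(old + "."):
                    appended[new[len(old):]].append(t)
        notes = [basename(d) for _, _, kind, d in evs
                 if kind == "FILE_CREATE" and any(m in basename(d).lower() for m in NOTE_MARKERS)]
        for ext, times in appended.items():
            if burst(times, RENAME_THRESHOLD):
                alerts.append({"pid": pid, "rule": "mass_rename", "extension": ext,
                               "count": len(times), "ransom_note": notes[0] if notes else None})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Keying the rename rule on the appended extension rather than on a known list of extensions is what lets it fire on a variant that changes ".petra" to ".lazareus"; the service-stop rule fires first, which is the point at which killing the process still saves most of the data.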

9. B0r0nt0k Ransomware

Ransomware is malware that denies the victim access to their data, usually by encrypting it, and restores access only after a payment is received. B0r0nt0k itself was reported in February 2019; it targeted Linux web servers, appended the ".rontok" extension to encrypted files and demanded a ransom of 20 bitcoin.

The motive behind ransomware is almost purely financial. Unlike most malware, which tries to stay hidden, ransomware announces itself: the victim is told that an attack has taken place and is given instructions for recovering the files. The payment is usually demanded in a cryptocurrency such as bitcoin, which helps hide the identity of the criminals behind it.

10. Yatron Ransomware

A new Ransomware-as-a-Service (RaaS) offering is being sold on the dark web and spreads widely by using the leaked NSA EternalBlue exploit.

Dubbed "Yatron Ransomware", the malware was promoted on Twitter by its creator; a security researcher going by the name "The Shadow" was the first to alert the public.

Yatron's distinguishing feature is that it deletes the victim's encrypted data if the demanded ransom of $300 in BTC is not paid within 72 hours.

However, Bleeping Computer reported that the malware process can be terminated with a tool such as Process Explorer run with administrative privileges.

Technically, Yatron spreads over P2P, USB and LAN connections, using the EternalBlue and DoublePulsar exploits in the same way as WannaCry. Over the network it propagates between Windows machines through the SMBv1 vulnerabilities (MS17-010) that were patched long ago, so it only succeeds where SMBv1 is still enabled and the patch is missing.
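The first thing a defender wants to know after reading the paragraph above is which hosts still accept an SMBv1 negotiation at all, since that is the precondition for EternalBlue-style propagation. The code below is an added example (not from the article or any scanner) that builds a NetBIOS-framed SMBv1 Negotiate request offering only the "NT LM 0.12" dialect and classifies the reply; the constructed replies used for the offline checks are assumptions about the wire format, and the probe says nothing about whether MS17-010 is installed, which needs an authenticated check or a dedicated scanner. Run the network probe only against hosts you are authorised to test.

```python
import socket
import struct

# Added example, not code from the original article or from any scanner.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
MIN_REPLY = 4 + 35          # NetBIOS header + SMB1 header + WordCount + DialectIndex


def build_smb1_negotiate(pid=0x1234, mid=1):
    """SMBv1 Negotiate request offering only 'NT LM 0.12', so an SMB2-only
    server has nothing it can accept."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,   # protocol, command, NT status
        0x18,                                # flags: canonical paths, case-insensitive
        0xC801,                              # flags2: unicode, NT status, ext. security, long names
        0, b"\x00" * 8, 0,                   # PIDHigh, signature, reserved
        0, pid, 0, mid,                      # TID, PID, UID, MID
    )
    dialects = b"\x02NT LM 0.12\x00"
    body = header + struct.pack("<BH", 0, len(dialects)) + dialects   # WordCount, ByteCount
    return b"\x00" + len(body).to_bytes(3, "big") + body               # NetBIOS session message


def classify_negotiate_response(data):
    """Classify a server's reply to build_smb1_negotiate()."""
    if not data:
        return "no-response"          # SMB1-disabled Windows simply closes the connection
    if len(data) < MIN_REPLY:
        return "malformed"
    body = data[4:]                    # strip the NetBIOS session header
    if body[:4] == SMB1_MAGIC:
        command = body[4]
        status = struct.unpack("<I", body[5:9])[0]
        word_count = body[32]
        if command == SMB_COM_NEGOTIATE and status == 0 and word_count >= 1:
            dialect_index = struct.unpack("<H", body[33:35])[0]
            return "smb1-enabled" if dialect_index != 0xFFFF else "smb1-refused"
        return "smb1-refused"
    if body[:4] == SMB2_MAGIC:
        return "smb2-only"
    return "malformed"


def probe_host(host, port=445, timeout=3.0):
    """Send the probe over TCP and classify the reply, or its absence."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_negotiate_response(s.recv(1024))
    except OSError:
        return "no-response"


def _netbios(body):
    return b"\x00" + len(body).to_bytes(3, "big") + body


def _smb1_header():
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801,
                       0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)


# Constructed replies for offline testing.
SMB1_ACCEPT = _netbios(_smb1_header() + b"\x11" + b"\x00" * 34 + b"\x00\x00")      # DialectIndex 0
SMB1_NO_DIALECT = _netbios(_smb1_header() + b"\x11" + b"\xff\xff" + b"\x00" * 32 + b"\x00\x00")
SMB2_REPLY = _netbios(SMB2_MAGIC + b"\x00" * 60)

if __name__ == "__main__":
    for name, reply in (("accept", SMB1_ACCEPT), ("no-dialect", SMB1_NO_DIALECT), ("smb2", SMB2_REPLY)):
        print(name, "->", classify_negotiate_response(reply))
```

A result of "smb1-enabled" means the host still speaks the protocol that EternalBlue targets and should be checked for MS17-010 and for whether SMBv1 can simply be removed; "no-response" and "smb2-only" are the outcomes you want to see.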
