The "dark_nexus" bot was named by Bitdefender researchers. This time it is not Windows malware: its targets are Linux ELF executables on IoT devices, so the likely victims are routers (from Dasan Zhone, D-Link, and ASUS), video recorders and the like. Embedded Linux builds for 12 different CPU architectures can be infected. The bots on infected devices form the dark_nexus botnet. A message from the researchers -
In December 2019, the IBM X-Force team published a report (https://www.ibm.com/downloads/cas/OAJ4VZNJ) detailing new variants of ZeroCleare, a data-destroying malware family attributed to Iran. According to the IBM X-Force report, several points are important - The initial-access IP address for this ZeroCleare activity is 18.104.22.168, which was associated with ITG13 in the recent OilRig/APT34 leaks and, as also reported by Palo Alto, was used to scan target networks and access accounts as early as the fall of 2018.
Introduction: Many major media outlets, including C/NET, BleepingComputer and others, have reported on this security incident in the city of New Orleans. From the information these outlets provide, we are almost certain that the malware involved is Ryuk ransomware.
Figure 1 - C/NET news about the New Orleans ransomware incident
Figure 2 - BleepingComputer news about the New Orleans ransomware incident
Lionic's Inspection of Ryuk Ransomware
Hsinchu, Taiwan – November 18, 2019 – AegisLab reviewed several CVE (https://cve.mitre.org/) entries and found that the following 2018 CVE vulnerabilities have still not been fixed. CIRCONTROL was notified by email on Oct 15 but has not responded so far. AegisLab has fulfilled its obligation to notify CIRCONTROL one month before publishing this security report. CIRCONTROL should have begun fixing these vulnerable devices in 2018, but it has not. The header of Lionic's notification email -
Hsinchu, Taiwan – February 1, 2014 – Lionic Corporation today announced that its research laboratory, AegisLab, is collaborating with VirusTotal (http://www.virustotal.com/), a Google subsidiary and a well-known website that checks files for viruses and URLs for malicious content online. It uses up to 52 different antivirus scan engines to catch viruses that a user's own antivirus solution may have missed, or to verify suspected false positives. Through this collaboration, the AegisLab antivirus engine and URL scanner have been integrated into VirusTotal's scanning services.
Hsinchu, Taiwan – November 1, 2013 – VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. VirusTotal announced that AegisLab Web Guard has been integrated into its URL scanner backbone as of October 31, 2013. The official announcement: VirusTotal += AegisLab WebGuard. AegisLab WebGuard is a concise malicious URL database used to block malicious URLs such as drive-by downloads, BlackHat SEO, fake antivirus, fake installers and updates, scareware, etc.