Cyber Security Today, Nov. 29, 2021 – Ikea under phishing attack, evasive JavaScript loader discovered and malware found hiding in Linux calendars


Welcome to Cyber Security Today. It’s Monday, November 29th. I’m Howard Solomon, contributing writer on cybersecurity for



International furniture retailer Ikea has been fighting a cyberattack through its email system. According to the Bleeping Computer news service, a hacker is using the legitimate email addresses of employees to spread malicious attachments to other Ikea employees. These phishing emails may also appear to be coming from Ikea partners and suppliers. Usually the victims click on a file that contains a malicious Microsoft Excel document. To execute the document the victim has to then click on a button to Enable Content or Enable Editing. Most smart IT departments have turned off this capability because it’s how malware is spread. Employees have to be repeatedly warned that malware can come in attachments in emails that look like they are from co-workers, friends and business partners. They should be trained to always ask a knowledgeable IT worker before disabling the safety features in productivity suites like Microsoft Office.

It’s no surprise that threat actors use infected email attachments to compromise the computers of employees. But researchers at HP have discovered a new campaign that uses an evasive JavaScript loader for initially compromising computers. After infection the loader distributes a variety of remote access trojan malware, which allows an attacker to secretly access the system. The variety of the second stage of malware suggests whoever created the loader, which HP calls RATDispenser, may be operating a malware-as-a-service business. Network defenders can prevent infections by blocking executable email attachment file types like JavaScript or VBScript from passing through their email gateways. They can also change the default file handler for JavaScript files by only allowing digitally signed scripts to run, or by disabling Windows Script Host.

Drug manufacturing and research organizations in the life sciences and biotechnology sectors are being warned their IT systems may face an attack by a very sophisticated threat actor. This alert from the Bioeconomy Information Sharing and Analysis Center comes after the discovery in October of advanced persistent malware in a company. It was the second found in a facility this year. According to researchers, the first detection came following a ransomware attack. They think this particular complex malware is specifically aimed at biomanufacturing and research organizations. Researchers say organizations must ensure proper segmentation between corporate and manufacturing or operational networks. Phishing defences are paramount.

Finally, threat actors try to hide their malware in a number of places on IT systems to prevent it from being detected. Researchers at a cybersecurity company called Sansec found a remote access trojan hiding in a new location in several online shopping systems: tucked away in the calendar subsystem of Linux servers under the date “February 31st.” As you all know, February doesn’t have 31 days, so few IT security systems would detect it. The real purpose of this malware is to steal credit and debit card data of shoppers. Usually cyber crooks try to inject this kind of data-stealing malware into a browser. However, increasingly they are hiding payment card stealing malware in servers.
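
A defender-side check for the hiding place described above, added here as an example and not taken from Sansec's research or from this podcast: it assumes the "calendar subsystem" means cron's five-field crontab format, and it flags entries whose day-of-month and month can never coincide on a real date. The function names and the sample crontab are constructed for illustration.

```python
# Highest day each month can have; February gets 29 so leap-day jobs pass.
MAX_DAY = dict(zip(range(1, 13), (31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)))
MONTHS = {n: i for i, n in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

def expand(field, low, high, names=()):
    """Expand one crontab field (*, lists, ranges, steps) into a set of ints."""
    names, values = dict(names), set()
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = low, high
        else:
            first, _, last = rng.partition("-")
            start = names.get(first) or int(first)
            end = (names.get(last) or int(last)) if last else start
        values.update(range(start, end + 1, int(step or 1)))
    return values

def impossible_dates(crontab_text):
    """Return (line_number, entry) for schedules that name no real date."""
    hits = []
    for num, line in enumerate(crontab_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 6 or fields[0][0] in "#@":
            continue  # comment, @reboot-style shortcut, or too short
        try:
            days = expand(fields[2], 1, 31)
            months = expand(fields[3], 1, 12, MONTHS)
        except ValueError:
            continue  # not a schedule line (e.g. an environment assignment)
        # Day-of-week is ignored on purpose: the hunt is for nonexistent dates.
        if not any(d <= MAX_DAY.get(m, 0) for m in months for d in days):
            hits.append((num, line.strip()))
    return hits

# Constructed sample crontab, not taken from any real system.
SAMPLE = """\
MAILTO=ops@example.com
0 3 * * * /usr/local/bin/backup.sh
30 4 29 2 * /usr/local/bin/leap-day-report.sh
52 23 31 2 * /tmp/placeholder-task
0 0 31 4,6,sep,11 * /tmp/placeholder-task-2
15 1 30,31 feb-apr * /usr/local/bin/month-end.sh
"""

if __name__ == "__main__":
    for num, entry in impossible_dates(SAMPLE):
        print(f"line {num}: {entry}")
```

Feed it the output of `crontab -l` for each account as well as the contents of `/etc/crontab` and `/etc/cron.d`; any hit is an entry that deserves a manual look.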

That’s it for now. Remember links to details about podcast stories are in the text version at That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.