One Article Review

Home - The article:
Source Anomali
Identifier 2522336
Publication date 2021-03-23 14:00:00 (viewed: 2021-03-23 14:05:30)
Title Anomali Cyber Watch: APT, Malware, Vulnerabilities and More.
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackRock, CopperStealer, Go, Lazarus, Mirai, Mustang Panda, Rust, Tax Season, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Bogus Android Clubhouse App Drops Credential-Swiping Malware (published: March 19, 2021)
Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst onto the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only and only having been around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace, though plans are in the works to develop one.
Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105
Tags: LokiBot, BlackRock, Banking, Android, Clubhouse

Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers (published: March 18, 2021)
Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not itself been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors.
Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and the Lazarus group: similar TTPs of compromising the developer supply chain were discovered in January 2021, when a North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple

Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware (published: March 18, 2021)
Cybereason detected a new campaig
Sent Yes
Tags Ransomware Malware Tool Threat Patching Medical
Stories APT 38 APT 28
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of a previous one.