One Article Review

Source: Anomali
Identifier: 2593638
Publication date: 2021-04-06 16:57:00 (seen: 2021-04-06 17:05:42)
Title: Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

The Leap of a Cycldek-Related Threat Actor (published: April 5, 2021)

A new, sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam and, to a lesser extent, in Central Asia and Thailand. The threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL that the executable side-loads, and an encoded payload, generally dropped from a self-extracting archive. The code origins of the new malware used at different stages of the campaign, however, point to a different Chinese-speaking group, Cycldek.

Analyst Comment: Malware authors constantly devise new methods of communicating back to their control servers. Always practice defense in depth: do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe.

MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107

Tags: Chinese-speaking, Cycldek-related

Hancitor's Use of Cobalt Strike and a Noisy Network Ping Tool (published: April 1, 2021)

Hancitor is an information stealer and malware downloader used by a threat actor designated MAN1, Moskalvzapoe or TA511. The initial infection chain requires the target to click a link in a malspam email, then click a link on the Google Docs page that opens, and finally enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. The tool generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic, which makes it very noisy on the network.

Analyst Comment: Organizations should use email security solutions to block malicious and spam emails, and all email attachments should be scanned for malware before they reach the user's inbox. IPS rules should be configured to identify reconnaissance attempts, such as port scans and ping sweeps, to get an early indication of a potential breach.

MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082

Tags: Hancitor, Malspam, Cobalt Strike
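The Hancitor story describes a ping tool that enumerates the AD environment and is loud enough to produce gigabytes of ICMP traffic, and the analyst comment asks for reconnaissance detection. The script below is an added example, not code from Anomali or from the Unit 42 research it summarizes: it reads flow records, keeps only ICMP echo requests, and flags any source that reaches many distinct destinations inside a sliding time window, reporting the byte total as a corroborating signal. The record format (a Zeek conn.log-like "ts src dst proto icmp_type bytes" line), the sample traffic and the thresholds (50 distinct targets within 60 seconds) are all constructed assumptions for illustration.

```python
"""Flag ICMP host enumeration (a ping sweep) in flow records.

Added example for the Hancitor ping-tool story. Not Anomali's or Unit 42's
code; the record format, sample data and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int                    # epoch seconds
    src: str
    dst: str
    proto: str                 # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int]   # None on non-ICMP records
    size: int                  # bytes on the wire


@dataclass(frozen=True)
class Finding:
    src: str
    distinct_targets: int      # peak distinct destinations in one window
    total_bytes: int           # all echo-request bytes from this source
    window: Tuple[int, int]    # (first_ts, last_ts) of the peak window


def parse_flows(text: str) -> List[Flow]:
    """Parse constructed records: ts src dst proto icmp_type bytes.

    "-" marks a missing ICMP type on non-ICMP rows; "#" lines are comments.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, itype, size = line.split()
        flows.append(Flow(int(ts), src, dst, proto,
                          None if itype == "-" else int(itype), int(size)))
    return flows


def detect_icmp_sweeps(flows: List[Flow], window: int = 60,
                       min_targets: int = 50) -> List[Finding]:
    """Return a Finding for each source whose echo requests reach at least
    `min_targets` distinct hosts within some `window`-second interval.

    Only echo requests (type 8) count, so hosts that answer (type 0) are
    never mistaken for the scanner.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 8:
            by_src[f.src].append(f)

    findings = []
    for src, recs in by_src.items():
        recs.sort(key=lambda f: f.ts)
        in_window = Counter()   # dst -> requests currently inside the window
        left, total_bytes = 0, 0
        peak, peak_window = 0, (recs[0].ts, recs[0].ts)
        for f in recs:
            in_window[f.dst] += 1
            total_bytes += f.size
            # Slide the left edge until the window spans <= `window` seconds.
            while f.ts - recs[left].ts > window:
                old = recs[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > peak:
                peak, peak_window = len(in_window), (recs[left].ts, f.ts)
        if peak >= min_targets:
            findings.append(Finding(src, peak, total_bytes, peak_window))
    return findings


def _constructed_flows() -> str:
    """Constructed sample records (not captured traffic)."""
    lines = ["# ts src dst proto icmp_type bytes"]
    # Benign: a workstation pings its gateway ten times and gets replies.
    for i in range(10):
        t = 1617700000 + 6 * i
        lines.append(f"{t} 10.1.2.20 10.1.2.1 icmp 8 84")
        lines.append(f"{t} 10.1.2.1 10.1.2.20 icmp 0 84")
    # Unrelated TCP session, to show non-ICMP rows are ignored.
    lines.append("1617700050 10.1.2.20 10.1.2.99 tcp - 1200")
    # Sweep: one host echo-requests every address in 10.1.3.0/24 in ~30 s.
    for i in range(1, 255):
        lines.append(f"{1617700100 + i // 9} 10.1.2.50 10.1.3.{i} icmp 8 84")
    return "\n".join(lines)


CONSTRUCTED_FLOWS = _constructed_flows()


if __name__ == "__main__":
    for hit in detect_icmp_sweeps(parse_flows(CONSTRUCTED_FLOWS)):
        start, end = hit.window
        print(f"{hit.src}: {hit.distinct_targets} distinct targets in "
              f"{end - start}s, {hit.total_bytes} bytes of echo requests")
```

Run against the constructed data, only 10.1.2.50 is reported (254 targets in 28 seconds); the workstation that pings its gateway and the gateway that replies are not. The sliding window matters: shrinking it to one second hides the same sweep, which is why the window and target count should be tuned to the real interval at which a host in your environment legitimately touches many peers. The byte total is what would surface a run as heavy as the 1.5 GB the story mentions even when per-target counts are split across collectors.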
Sent: Yes
Tags: Malware, Tool, Vulnerability, Threat, Conference
Stories: APT 35, APT 10


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.