One Article Review

Source: Anomali
Identifier: 3057627
Publication date: 2021-07-13 15:00:00 (viewed: 2021-07-13 15:05:25)
Title: Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More
Text: The threat intelligence stories in this issue of Anomali Cyber Watch cover the following topics: APT, data theft, malicious apps, the Middle East, phishing, targeted campaigns, and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this issue and give a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Global Phishing Campaign Targets Energy Sector and Its Suppliers (published: July 8, 2021)

Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industries. The threat actors send emails from spoofed or typosquatted sender domains to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook or Agent Tesla. The emails are crafted to look as if they come from another company in the same sector, and the attached IMG/ISO/CAB file contains a malicious executable that runs when the user opens it. Once executed, the malware is loaded into memory, which helps it evade anti-virus detection. The campaign appears to target Germany, South Korea, the United States, and the United Arab Emirates (UAE).

Analyst Comment: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attempt is identified. It may also be useful to stop exchanging files as email attachments in favor of a cloud file hosting service.

MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Process Injection - T1055
Tags: FormBook, AgentTesla, Phishing, Europe, Middle East

SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India's Military (published: July 7, 2021)

SideCopy, an advanced persistent threat (APT) group, has expanded its activities, and new trojans are being used in campaigns across India, according to Talos Intelligence. The group has been active since at least 2019 and appears to focus on high-value cyberespionage targets. SideCopy has also taken cues from Transparent Tribe (also known as PROJECTM and APT36) in the tools and techniques it uses against its targets, which include multiple units of the Indian military and government officials.

Analyst Comment: Defense in depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to protect against APTs, with a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.

MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Third-party Software - T1072 |
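As an added example (not code from the Anomali article or from Intezer), the lure pattern in the Intezer story above, a sender domain that typosquats a company in the same sector combined with an IMG/ISO/CAB attachment, can be turned into a first-pass triage over mail-gateway logs. The partner domain list, the CSV log format and the log rows are all constructed for this example; a real deployment would substitute its own.

```python
"""Triage mail-gateway log rows for the energy-sector lure: a typosquatted
sender domain carrying a disk-image or CAB attachment.

Example code written for this page; KNOWN_DOMAINS, the CSV layout and the
SAMPLE_LOG rows are constructed assumptions, not data from the article.
"""
import csv
import io
from dataclasses import dataclass, field

# Hypothetical partner/supplier domains the organisation really exchanges
# mail with (assumption for the example).
KNOWN_DOMAINS = (
    "contoso-energy.example",
    "fabrikam-oil.example",
    "northwind-electronics.example",
)

# Container formats named in the story: the user mounts or extracts them, so
# the executable inside never shows up as a direct attachment.
CONTAINER_EXTENSIONS = (".img", ".iso", ".cab")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_known_domain(domain: str) -> tuple[str, int]:
    """Return the partner domain nearest to `domain` and the distance to it."""
    return min(((k, levenshtein(domain, k)) for k in KNOWN_DOMAINS), key=lambda t: t[1])


def is_typosquat(domain: str, max_distance: int = 2) -> bool:
    """Not a partner domain, but within a couple of edits of one."""
    if domain in KNOWN_DOMAINS:
        return False
    _, dist = closest_known_domain(domain)
    return dist <= max_distance


@dataclass
class Finding:
    timestamp: str
    sender: str
    attachment: str
    severity: str
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Score each CSV row (timestamp,sender,recipient,attachment); rows with
    no indicator are dropped."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        domain = row["sender"].rsplit("@", 1)[-1].lower()
        attachment = row["attachment"].lower()
        if is_typosquat(domain):
            near, _ = closest_known_domain(domain)
            reasons.append(f"sender domain {domain} typosquats {near}")
        if attachment.endswith(CONTAINER_EXTENSIONS):
            reasons.append(f"container attachment {row['attachment']}")
        if not reasons:
            continue
        # Both indicators together match the lure in the story; either alone is
        # worth a look but far noisier (partners do send ISOs occasionally).
        severity = "high" if len(reasons) == 2 else "medium"
        findings.append(Finding(row["timestamp"], row["sender"], row["attachment"], severity, reasons))
    return findings


# Constructed sample log, not real traffic.
SAMPLE_LOG = """timestamp,sender,recipient,attachment
2021-07-08T09:12:03Z,rfq@contoso-energy.example,sales@corp.example,quote_0708.pdf
2021-07-08T09:15:44Z,rfq@contoso-enegry.example,sales@corp.example,RFQ_0708.img
2021-07-08T10:01:10Z,billing@fabrikam-oil.example,ap@corp.example,invoice_0708.iso
2021-07-08T10:22:51Z,news@unrelated-vendor.example,all@corp.example,brochure.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity, f.timestamp, f.sender, f.attachment, "; ".join(f.reasons))
```

On the sample rows the second line (a domain two edits away from a partner, carrying an IMG) scores high, the two legitimate-looking container attachments score medium, and the PDF from a genuine partner is dropped. The edit-distance threshold of 2 is a starting point: raise it and short domain names start colliding, lower it and single-character swaps still pass.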
Tags: Malware, Threat
Stories: APT 36


The article does not appear to have been republished after its publication.


The article does not appear to be a repeat of an earlier one.