One Article Review

Home - The article:
Source Anomali
Identifier 3166543
Publication date 2021-08-03 15:00:00 (viewed: 2021-08-03 15:05:27)
Title Anomali Cyber Watch: LockBit ransomware, Phony Call Centers Lead to Exfiltration and Ransomware, VBA RAT using Double Attack Vectors, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android malware, APT, data leak, macOS malware, phishing, ransomware and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

BazaCall: Phony Call Centers Lead to Exfiltration and Ransomware (published: July 29, 2021)

BazaCall campaigns have forgone malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. Actual humans then provide the callers with step-by-step instructions for installing malware. The BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control of an affected user's device, which allows for a fast network compromise. The lack of obvious malicious elements in the delivery method could render typical ways of detecting spam and phishing emails ineffective.

Analyst Comment: All users should be informed of the risk phishing poses and how to use email safely. They should be aware that a phone number sent to them can be fraudulent too. In the case of infection, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. Implement a backup solution for your users to ease the pain of losing sensitive and important data.

MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Data Encrypted for Impact - T1486

Tags: BazaCall, Bazaar, Ransomware

Crimea “Manifesto” Deploys VBA RAT Using Double Attack Vectors (published: July 29, 2021)

Hossein Jazi has identified a suspicious document named "Манифест". It downloads and executes two templates: one is macro-enabled and the other is an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit is an unusual discovery.

Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should not be opened and should be reported to appropriate personnel.

MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Modify Registry - T1112

Tags: VBA, Russia, RAT, CVE-
Sent Yes
Tags: Ransomware, Data Breach, Spam, Malware, Threat, Guideline
The article does not seem to have been picked up after its publication.

The article does not seem to have been picked up from an earlier one.