One Article Review

Source Fortinet ThreatSignal
Identifier 3791021
Publication date 2021-11-30 11:24:48 (viewed: 2021-12-13 21:05:26)
Title Recent APT37 Activity and Chinotto, a Multi Platform Infostealer
Text FortiGuard Labs is aware of reports of recent activity from APT37. APT37 is a nation-state threat actor attributed to North Korea. The latest discovery by researchers at Kaspersky Labs has revealed a sophisticated, targeted attack that utilizes stolen credentials from Facebook and email accounts belonging to an associate of the targeted victim. The victim was socially engineered and compelled into opening RAR-compressed attachments purporting to be from the trusted sender, which contained a malicious Word document. The Word document is multi-stage in design and uses a malicious macro to initiate the first stage. The first stage detects the presence of AV software and, if AV is not present, initiates the second stage, a shellcode that downloads the final third-stage payload. Ultimately, after several months of dwelling undetected on the infected system, the backdoor downloads the multiplatform infostealer "Chinotto." Windows variants were sent via spearphishing emails and Android variants were sent via smishing texts.

What Operating Systems are Affected?
Chinotto targets Windows and Android based operating systems.

Is This Limited to Targeted Attacks?
Yes.

How Serious of an Issue is This?
Medium.

What is APT37?
APT37 (also known as GROUP123 and Scarcruft), attributed to North Korean threat actors, has been in operation for several years. During that time, APT37 has been attributed to the Adobe Flash zero-day attack (CVE-2018-4878) that targeted researchers based in South Korea who were performing research on North Korea. APT37 focuses on various organizations with an interest in North Korea. APT37 is famous for exploiting vulnerabilities in the Hangul Word Processor (HWP), which is commonly used in South Korea, especially by those in the government sector.

Analysis suggests that this is a very detailed and sophisticated threat actor with an arsenal of malware and exploits at their disposal, targeting various verticals and organizations with specially crafted campaigns. Other vectors observed besides the Adobe and Hangul vulnerabilities were Microsoft vulnerabilities as well, specifically CVE-2017-0199 (Microsoft Office UAC bypass) and CVE-2015-2545 (Microsoft Office Encapsulated PostScript (EPS)). For further details on the exploitation of HWP documents and campaigns previously analyzed, please refer to our blog here.

What is the Status of Coverage?
FortiGuard Labs has AV coverage in place for publicly available samples as:
VBA/Agent.AAK!tr
W32/PossibleThreat
VBA/Agent.AF3C!tr
W32/Agent.ACDD!tr
PossibleThreat.MU
PossibleThreat.PALLAS.H
W32/FRS.VSNTGF20!tr
W32/Bsymem.MSJ!tr
All network IOCs are blocked by the WebFiltering client.

Any Other Suggested Mitigation?
Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities are addressed and updated to protect against attackers gaining a foothold within a network. Attackers are well aware of the difficulty of patching, and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk. Also, as this campaign was sent via spearphishing and smishing, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing/smishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution.

Since it has been reported that various phishing/spearphishing/smishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Si
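The delivery pattern the advisory describes (an archive attachment carrying a Word document whose macro starts the first stage) is the kind of thing a mail gateway or SOC triage script can flag before a user ever sees it. The following is an added example written for this review, not code from Fortinet or from the advisory. It assumes the Word document is in the modern OOXML format (a ZIP container in which a VBA project appears as the `word/vbaProject.bin` part); the advisory does not say which Word format was used. It inspects ZIP archives only, since Python's standard library has no RAR reader, so for the RAR attachments the advisory mentions the same document check would be applied after extraction. The sample archives and documents are constructed inline and contain no real malicious content.

```python
"""
Added example for the Fortinet ThreatSignal review above (not the vendor's code).
Flags inbound attachments that match the described delivery chain: an archive
containing an Office document that carries a VBA macro.

Assumptions: OOXML Word documents (ZIP container, macro stored as
word/vbaProject.bin); only ZIP archives are opened here. Legacy binary .doc
files are not ZIPs and are reported as "not inspected" rather than declared clean.
"""
import io
import zipfile
from typing import Dict, List

ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm")
MACRO_PART = "word/vbaproject.bin"  # compared case-insensitively


def has_vba_macro(doc_bytes: bytes) -> bool:
    """True if an OOXML Word document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(name.lower() == MACRO_PART for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML container (e.g. legacy OLE2 .doc); this check cannot decide.
        return False


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return a list of findings for one attachment; empty list means nothing matched."""
    findings: List[str] = []
    name = filename.lower()
    if name.endswith(ARCHIVE_EXTENSIONS):
        findings.append(f"archive attachment: {filename}")
        if not name.endswith(".zip"):
            findings.append(f"archive format not inspected here: {filename}")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(OFFICE_EXTENSIONS):
                        findings.append(f"office document inside archive: {member}")
                        if has_vba_macro(zf.read(member)):
                            findings.append(f"macro-enabled document inside archive: {member}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable archive: {filename}")
    elif name.endswith(OFFICE_EXTENSIONS) and has_vba_macro(data):
        findings.append(f"macro-enabled document: {filename}")
    return findings


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML skeleton for the demo; not a real document or sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # First bytes of the OLE2 signature only; there is no VBA code here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


def build_sample_archive(doc_name: str, doc_bytes: bytes) -> bytes:
    """Constructed ZIP attachment wrapping one document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(doc_name, doc_bytes)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Run the triage over one benign and one macro-bearing constructed attachment."""
    benign = build_sample_archive("report.docx", build_sample_docm(False))
    suspicious = build_sample_archive("invoice.docm", build_sample_docm(True))
    return {
        "benign.zip": triage_attachment("benign.zip", benign),
        "suspicious.zip": triage_attachment("suspicious.zip", suspicious),
    }


if __name__ == "__main__":
    for attachment, findings in demo().items():
        print(attachment, findings or ["no findings"])
```

In a gateway deployment the "macro-enabled document inside archive" finding would be the one to quarantine or route for analyst review; the plain "archive attachment" finding is low-signal on its own, which is why the script reports findings as a list rather than a single verdict.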
Sent Yes
Tags Malware Threat Patching Cloud
Stories APT 37


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.