One Article Review

Source: Anomali
Identifier: 3904146
Publication date: 2021-12-29 16:00:00 (viewed: 2021-12-29 16:05:42)
Title: Anomali Cyber Watch: Equation Group's Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

A Deep Dive into DoubleFeature, Equation Group's Post-Exploitation Dashboard (published: December 27, 2021)

Check Point researchers have published their findings on the Equation Group's post-exploitation framework DanderSpritz — a major part of the "Lost in Translation" leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but as a checksum of the name; strings used in DoubleFeature are decrypted on demand per function and re-encrypted once the function completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering, DoubleFeature can monitor multiple additional plugins, including: KillSuit (also known as KiSu and GrayFish), a plugin that runs other plugins and provides a framework for persistence and evasion; MistyVeal (MV), an implant that verifies that the targeted system is indeed an authentic victim; StraitBizarre (SBZ), a cross-platform implant; and UnitedRake (UR, EquationDrug), a remote access tool.

Analyst Comment: It is important to study Equation Group's frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.

MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140

Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT

Dridex Affiliate Dresses Up as Scrooge (published: December 23, 2021)

Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company's employees have tested positive for Omicron, a variant of COVID-19; another claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn't run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Conference
Stories: APT 35


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.