One Article Review

Source: Anomali
Identifier: 4094313
Publication date: 2022-02-08 16:00:00 (seen: 2022-02-08 16:06:07)
Title: Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More
Text:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, cyberespionage, data breach, RATs, SEO poisoning, and spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

New CapraRAT Android Malware Targets Indian Government and Military Personnel (published: February 7, 2022)

Trend Micro researchers have discovered a new remote access trojan (RAT), dubbed CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be a Pakistan-based group active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) with the Windows-targeting Crimson RAT, and researchers note that it may be a modified version of the open-source AndroRAT. The delivery method of CapraRAT is unknown; however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed, it attempts to reach a command and control server and then begins stealing various data from the infected device.

Analyst Comment: It is important to obtain software only from the Google Play Store (for Android users) and to avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for permissions outside of their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed on devices.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072

Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT

Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (published: February 3, 2022)

The Russia-sponsored cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to rely on its primary tactic: spearphishing emails with attachments that leverage remote templates and template injection, with a focus on Ukraine. These attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group's instructions via a command and control server. Unit 42 researchers have analyzed the group's activity and infrastructure dating back to 2018 and up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.

Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis
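The Gamaredon entry above describes remote template injection: the Word document the victim receives carries no macro, only a relationship that makes Word download the template from an attacker-controlled URL when the file is opened. The following is an added example of how a triage script can detect that relationship in a .docx; it is not code from Unit 42, Anomali, or this page. The attachedTemplate relationship type URI and the .rels layout are the standard OOXML ones; the sample documents, the template URL and the UNC path are constructed here for illustration.

```python
"""Detect remote template injection in Word (.docx/.dotx) files.

A .docx is a zip of XML parts. When the file is opened, Word resolves
word/_rels/settings.xml.rels; an attachedTemplate relationship with
TargetMode="External" makes Word fetch the template from that target,
so a macro-bearing .dotm is delivered without any macro in the lure itself.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Standard OOXML identifiers (these are the real namespace/relationship URIs).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Targets that make Word reach off the host: web/FTP URLs and UNC paths.
REMOTE_TARGET = re.compile(r"(?i)^(?:https?|ftp)://|^\\\\")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that points off-host.

    Every .rels part is scanned, not only word/_rels/settings.xml.rels, so a
    non-standard part layout cannot hide the relationship.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # A local template (e.g. Normal.dotm) has no External mode and is benign.
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str], external: bool) -> bytes:
    """Construct a minimal in-memory .docx for testing.

    This is a constructed sample with the parts the detector needs, not a
    real maldoc; Word itself would want [Content_Types].xml and more.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        rels = f'<Relationships xmlns="{RELS_NS}">'
        if template_target is not None:
            settings += '<w:attachedTemplate r:id="rId1"/>'
            mode = ' TargetMode="External"' if external else ""
            rels += (
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/>'
            )
        settings += "</w:settings>"
        rels += "</Relationships>"
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical template URL, chosen only for illustration.
    remote = build_sample_docx("http://template.example.invalid/update.dotm", external=True)
    local = build_sample_docx("Normal.dotm", external=False)
    plain = build_sample_docx(None, external=False)
    for label, doc in (("remote", remote), ("local", local), ("plain", plain)):
        print(label, find_remote_templates(doc))
```

Run against a mail gateway quarantine or a sample set, any non-empty result is worth a look: a legitimate document almost never needs to pull its template over HTTP or from an external UNC share, and the target host or domain doubles as a pivot for hunting across proxy logs.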
Sent: Yes
Tags: Ransomware, Malware, Threat, Conference
Stories: APT 35, APT 29, APT 36
Rating: ★★


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.