One Article Review

Home - The article:
Source Anomali
Identifier 4134740
Publication date 2022-02-15 20:01:00 (viewed: 2022-02-15 20:05:58)
Title Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

What's With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022)

A recent discovery links malicious VBA macro code shared between multiple groups, namely Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques, including phishing emails and malicious documents, to target government and military entities within India and Pakistan. The code is similar enough to suggest cooperation between the APT groups, despite their completely different goals and targets.

Analyst Comment: This research shows that APT groups share TTPs to assist each other, regardless of motive or target. Documents that ask the reader to enable content in order to view them properly are often a sign of a phishing attack. If such a file arrives from a known and trusted sender, contact that person to verify the authenticity of the attachment before opening it. Any such attachment from an unknown sender should be viewed with the utmost scrutiny; it should not be opened and should be reported to the appropriate personnel.

MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government

Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022)

Following the recent announcement that the Windows 11 upgrade is available, an unknown threat actor registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file that contains an excess of dead code, most likely to inflate the file size so that antivirus scanning is bypassed. RedLine is a well-known infostealer capable of taking screenshots, communicating with its C2, keylogging, and more.

Analyst Comment: Official Windows updates and installation files are downloaded through the operating system itself. If offline updates are necessary, obtain them only from Microsoft sites and subdomains. Never update Windows from a third-party site, precisely because of this type of attack.

MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
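The first story turns on malicious documents that ask the reader to "enable content", which in practice means an embedded VBA project. The script below is an added example (not code from Anomali or from the page) that checks an OOXML package for two independent signals of embedded VBA: a vbaProject.bin part anywhere in the archive and the VBA content type declared in [Content_Types].xml. The sample packages it builds are constructed in memory for demonstration and are not real Word files; a mail gateway or sandbox would run the same check over real attachments.

```python
import io
import zipfile

# Content type that OOXML packages declare for an embedded VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML container (.docx/.docm/.xlsm/.pptm) for embedded VBA.

    Two independent signals are checked: a vbaProject.bin part anywhere in the
    package, and the VBA content type declared in [Content_Types].xml. Either
    one is enough to treat the document as macro-bearing.
    """
    result = {
        "is_ooxml": False,
        "vba_parts": [],
        "declares_vba_content_type": False,
        "has_macros": False,
    }
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all (legacy .doc, plain text, ...)
    with archive:
        names = archive.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if result["is_ooxml"]:
            content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_content_type"] = VBA_CONTENT_TYPE in content_types
    result["has_macros"] = bool(result["vba_parts"] or result["declares_vba_content_type"])
    return result


def build_sample_package(with_macros: bool) -> bytes:
    """Build a constructed, minimal OOXML-like package in memory (not a real
    Word file) so the check can be exercised offline."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macros:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Constructed placeholder bytes standing in for a real VBA project stream
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign.docx", False), ("maldoc.docm", True)):
        print(label, office_macro_indicators(build_sample_package(flag)))
    print("not-a-zip", office_macro_indicators(b"plain text attachment"))
```

The check is deliberately structural rather than content-based: it does not try to parse or deobfuscate the macro, it only answers "does this attachment carry a VBA project at all", which is the question a triage step needs before a document is allowed to reach a user who might click "Enable Content".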
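The introduction says the attached IOCs can be used to check your logs, and the RedLine story gives one concrete indicator, the defanged domain "windows-upgraded[.]com". The script below is an added example (not Anomali's tooling) that refangs such indicators and runs them over proxy log lines, and additionally flags hosts that carry a Microsoft or Windows brand token without being on an allowlist of legitimate Microsoft domains. The log format, the allowlist, the other hostnames and the byte counts are all constructed for the demonstration; only the first domain comes from the page.

```python
import re

# Defanged IOC from the RedLine story; threat-intel feeds usually ship indicators this way
DEFANGED_IOCS = ["windows-upgraded[.]com"]

# Assumption: the organisation's allowlist of legitimate Microsoft download domains
ALLOWED_BRAND_DOMAINS = ("microsoft.com", "windowsupdate.com")
BRAND_TOKENS = ("microsoft", "windows")

# Constructed proxy log lines: "<epoch> <client_ip> <method> <url> <status> <bytes>".
# The first line's byte count (734 MiB) mirrors the oversized ZIP described in the story.
SAMPLE_PROXY_LOG = """\
1644955200 10.0.0.5 GET http://windows-upgraded.com/upgrade.zip 200 769654784
1644955260 10.0.0.7 GET https://www.microsoft.com/en-us/windows 200 51234
1644955300 10.0.0.9 GET https://windows11-free-download.example/setup.exe 200 120000
1644955360 10.0.0.7 GET https://catalog.update.microsoft.com/ 200 8900
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([.], (.), {.}, hxxp) back into a matchable string."""
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc.strip())
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.lower()


def host_of(url: str) -> str:
    """Extract the hostname from a URL or bare host (drops scheme, userinfo, port, path)."""
    without_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    return without_scheme.split("/", 1)[0].split("@")[-1].split(":", 1)[0]


def is_allowed_brand_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ALLOWED_BRAND_DOMAINS)


def is_brand_lookalike(host: str) -> bool:
    """Heuristic: a brand token appears in a host that is not on the allowlist."""
    if is_allowed_brand_domain(host):
        return False
    return any(token in host for token in BRAND_TOKENS)


def scan_proxy_log(log_text: str, defanged_iocs) -> list:
    """Return one finding per line whose host matches an IOC or looks like brand impersonation."""
    ioc_hosts = {host_of(refang(ioc)) for ioc in defanged_iocs}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip rather than crash the whole scan
        host = host_of(fields[3])
        reasons = []
        if host in ioc_hosts:
            reasons.append("ioc_match")
        if is_brand_lookalike(host):
            reasons.append("brand_lookalike")
        if reasons:
            findings.append({"line": lineno, "client": fields[1], "host": host,
                             "bytes": int(fields[5]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(finding)
```

Exact IOC matching catches the indicator the feed already knows about; the brand-token heuristic is there because a lookalike like this one is typically re-registered under a new name once it is blocked, so the second line of defence should not depend on the feed alone. Expect false positives from the heuristic and tune the allowlist to the domains your Windows update traffic actually uses.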
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline
Stories Uber APT 43 APT 36 APT-C-17


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.