One Article Review

Home - The article:
Source Anomali
Identifier 4436863
Publication date 2022-04-12 19:06:00 (viewed: 2022-04-12 20:07:33)
Title Anomali Cyber Watch: Zyxel Patches Critical Firewall Bypass Vulnerability, Spring4Shell (CVE-2022-22965), The Caddywiper Malware Attacking Ukraine and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Caddywiper, Colibri Loader, Gamaredon, SaintBear, SolarMaker and Spring4Shell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

New SolarMaker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns (published: April 8, 2022)

Palo Alto researchers have released their technical analysis of a new version of the SolarMaker malware. Prevalent since September 2020, SolarMaker's initial infection vector is SEO poisoning: creating malicious websites stuffed with popular keywords to raise their ranking in search engines. Once a victim clicks through, an encrypted PowerShell script is automatically downloaded, and executing it installs the malware. SolarMaker's main functionality is the theft of web browser information such as stored passwords, auto-fill data and saved credit card details. All the data is sent back to an encoded C2 server, encrypted with AES. New features identified in this technical analysis include an increased dropper file size, droppers that are always signed with legitimate certificates, and a switch back to executables instead of MSI files. Furthermore, the backdoor is now loaded into the dropper process instead of the PowerShell process on first execution.

Analyst Comment: Never click on suspicious links; always inspect the URL for anomalies. Untrusted executables should never be executed, nor should privileges be assigned to them. Monitor network traffic to help discover non-standard outbound connections, which may indicate C2 activity.

MITRE ATT&CK: [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497

Tags: SolarMaker, Jupyter, PowerShell, AES, C2, SEO poisoning

Google is on Guard: Sharks shall not Pass! (published: April 7, 2022)

Check Point researchers have discovered a series of malicious apps on the Google Play store that infect users with the info stealer Sharkbot whilst masquerading as AV products. The primary functionality of Sharkbot is to steal user credentials and banking details, which the user is asked to provide upon launching the app. Furthermore, Sharkbot asks the user to grant it a wide array of permissions that give the malware capabilities such as reading and sending SMS messages and uninstalling other applications. Additionally, the malware is able to evade detection through various techniques. Sharkbot is geofenced: it stops functioning if it detects that the user is in Belarus, China, India, Romania, Russia or Ukraine. Unusually for Android malware, Sharkbot also uses a domain generation algorithm (DGA). This allows the malware to dynamically generate C2 domains so that it keeps functioning after a period of time even i
Notes
Sent Yes
Tags Malware Tool Vulnerability Threat Patching
Stories APT-C-23
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.