One Article Review

Home - The article:
Source Anomali
Identifier 4508976
Publication date 2022-04-26 16:24:00 (viewed: 2022-04-26 17:07:44)
Title Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, CatalanGate, Cloud, Cryptocurrency, Information stealers, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022)

Cybereason researchers have compared trending attacks involving the SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of a purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation: the attacker domain names are written in reverse order, with the real characters placed at the odd index positions of the string. Zloader infection starts with the malware masquerading as a popular application such as TeamViewer. Zloader acts as an information stealer, backdoor, and downloader. Active since 2016, Zloader continues to evolve and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender scanning and using living-off-the-land (LotL) executables.

Analyst Comment: All applications should be carefully researched prior to installation on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted before those permissions are granted. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
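The string-manipulation scheme described above (domain reversed, real characters at odd indexes) is simple to undo once recognised, which is useful when triaging a suspicious script or writing a detection. The following Python is an added example and is not code from Anomali or Cybereason; the filler characters, the sample string, the sample script and the heuristic that tries both index parities are constructed assumptions for illustration, since the page does not give the exact payload layout.

```python
import re

# Constructed sample (not from the page): the domain "example.com" reversed
# ("moc.elpmaxe") with one filler character before each real character,
# so that the real characters sit at odd indexes 1, 3, 5, ...
SAMPLE_OBFUSCATED = "qmzokcx.rewltpvmbanxge"

# Constructed sample script containing the obfuscated string and a benign literal.
SAMPLE_SCRIPT = 'var a = "' + SAMPLE_OBFUSCATED + '"; var b = "hello world";'

# Loose hostname check used to decide whether a decoded candidate looks like a domain.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

# Matches single- or double-quoted string literals of at least 6 characters.
STRING_LITERAL_RE = re.compile(r"""(['"])([^'"]{6,})\1""")


def decode_odd_index_reversed(s: str) -> str:
    """Keep the characters at odd indexes (1, 3, 5, ...) and reverse them.

    This is the scheme the page describes: reversed domain, real characters at odd
    positions. For SAMPLE_OBFUSCATED this yields "example.com".
    """
    return s[1::2][::-1]


def decode_even_index_reversed(s: str) -> str:
    """Same idea with the opposite parity (assumed variant, tried as a fallback)."""
    return s[0::2][::-1]


def recover_domain_candidates(s: str) -> list:
    """Try both parities and return the decoded strings that look like domains."""
    candidates = []
    for decoder in (decode_odd_index_reversed, decode_even_index_reversed):
        decoded = decoder(s)
        if DOMAIN_RE.match(decoded):
            candidates.append(decoded)
    return candidates


def scan_script(source: str) -> list:
    """Scan every string literal in a script and collect decoded domain candidates.

    Benign literals such as "hello world" decode to nothing that resembles a
    hostname, so they are dropped by the domain check.
    """
    found = []
    for match in STRING_LITERAL_RE.finditer(source):
        found.extend(recover_domain_candidates(match.group(2)))
    return found


if __name__ == "__main__":
    print(decode_odd_index_reversed(SAMPLE_OBFUSCATED))
    print(scan_script(SAMPLE_SCRIPT))
```

The decoded candidates are what an analyst would then compare against the attached IOCs or pass to a domain-reputation lookup; the parity fallback is there because a variant that swaps the filler and payload positions would otherwise be missed.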
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 |
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline Medical
Stories Uber APT 38 APT 28
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.