One Article Review

Home - The article:
Source Anomali
Identifier 4538825
Publication date 2022-05-03 16:31:00 (viewed: 2022-05-03 17:06:16)
Title Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022)

ESET researchers found three different teams under the China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019; its infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog's infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).

Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline Cloud
Stories APT 37, APT 10
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.