One Article Review

Home - The article:
Source Anomali
Identifier 4668209
Publication date 2022-05-17 15:01:00 (viewed: 2022-05-17 15:05:59)
Title Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022)

Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries, including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and on commodity tools for encryption, internal scanning, and lateral movement.

Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.

MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486

Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591

SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022)

Morphisec researchers discovered a new campaign abusing the content distribution network (CDN) of the popular messaging platform Discord. If a targeted user activates the phishing attachment, it starts the DNetLoader malware, which reaches out to a hardcoded Discord CDN link and downloads a next-stage crypter such as the newly discovered SYK crypter. SYK crypter is loaded into memory, where it decrypts its configuration and the next-stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Conference
Stories APT 35 APT 15 APT 34
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.