One Article Review

Source: Anomali
Identifier: 5436667
Publication date: 2022-06-28 19:11:00 (viewed: 2022-06-28 20:06:11)
Title: Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More
Text:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: API hammering, APT, China, phishing, ransomware, Russia, and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed (published: June 24, 2022)
ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022, that aims to infect users with LockBit ransomware using a copyright claim as the lure. The phishing email directs the recipient to open an attached zip file that supposedly contains a PDF of the infringing material. In reality, the "PDF" is a disguised NSIS executable that downloads and installs LockBit. The ransomware installs itself on the desktop and sets up persistence so that it survives a desktop switch or reboot. Before encrypting data, LockBit deletes the volume shadow copies to prevent recovery and terminates a variety of services and processes to avoid detection.
Analyst Comment: Never click on suspicious attachments or run executables from suspicious emails. Copyright infringement notices are a common phishing lure. A legitimate claim will be straightforward to resolve, so an email that tries to coerce you into opening an attachment should be treated with extreme caution.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware

There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families (published: June 24, 2022)
Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that use API hammering to evade sandbox detection. API hammering issues a very large number of benign Windows API calls to delay the execution of malicious code, so that the sandbox runs out of analysis time or classifies the sample as benign. While BazarLoader has used the technique in the past, this new variant builds its large loops of benign API calls in a new way: encoded registry keys stored inside the malware supply the calls, and the loop count is derived from the offset of the first null byte in the first file of the System32 directory. Zloader uses a different form of API hammering: four large hardcoded functions, each containing many smaller functions, and each function makes an input/output (I/O) call to mimic the behavior of legitimate processes.
Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detecting malware and matching anomalous activity across all telemetry sources to provide a complete picture of adversary activity within your network.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: malware:BazarLoad
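Added example for the two stories above; this is not code from Anomali, ASEC or Palo Alto Networks. Part 1 matches the LockBit pre-encryption behaviour the ASEC story describes (shadow copy deletion, service or process termination, an executable posing as a document) against constructed process-creation events. Part 2 flags API hammering in a constructed sandbox API trace by finding long runs that cycle through only a handful of APIs before any further activity, which is the pattern both the BazarLoader and Zloader loops produce regardless of how the loop count is derived. The event layout, the API names, the thresholds, and the double-extension check are assumptions; sandboxes that cap analysis time are the ones this technique defeats, so a call-pattern check like the one below has to run on the trace rather than rely on the sample misbehaving within the time limit.

```python
"""Triage heuristics for the two stories above.  Added example, not code from
Anomali, ASEC or Palo Alto Networks; all inputs are constructed inline."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ---- 1. LockBit-style pre-encryption behaviour in process-creation logs ----

# Constructed events as (pid, image path, command line); not real telemetry.
PROCESS_EVENTS = [
    (4012, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (4013, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    (4014, r"C:\Windows\System32\net.exe", "net stop vss /y"),
    (4015, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
    (4016, r"C:\Users\victim\Downloads\copyright_claim.pdf.exe", "copyright_claim.pdf.exe"),
]

# Volume shadow copy deletion (the usual vssadmin/wmic command lines).
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# Service or process termination ahead of encryption.
TERMINATE = re.compile(
    r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b|\btaskkill(?:\.exe)?\s+/", re.I)
# A document-named executable.  Assumed double-extension lure; the story only
# says the "PDF" was a disguised NSIS executable.
DOC_EXECUTABLE = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.(?:exe|scr|com)$", re.I)


def find_lockbit_precursors(events) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each event that shows LockBit-like behaviour."""
    hits = []
    for pid, image, cmdline in events:
        if SHADOW_DELETE.search(cmdline):
            hits.append((pid, "shadow copy deletion"))
        elif TERMINATE.search(cmdline):
            hits.append((pid, "service or process termination"))
        elif DOC_EXECUTABLE.search(image):
            hits.append((pid, "document-looking executable"))
    return hits


# ---- 2. API hammering in a sandbox API trace ----

# Constructed call sequences (assumed API names, chosen to look realistic).
SETUP = ["GetModuleHandleW", "GetProcAddress", "LoadLibraryW", "GetSystemDirectoryW",
         "FindFirstFileW", "CreateFileW", "ReadFile", "CloseHandle"]
HAMMER = ["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"]  # benign registry loop
PAYLOAD = ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "ResumeThread"]


def build_sample_trace(loops: int = 1000) -> List[str]:
    """Short setup, a long benign loop, then the real payload: the shape of a hammering sample."""
    return SETUP + HAMMER * loops + PAYLOAD


@dataclass
class HammerSpan:
    start: int                # index of the first hammered call
    end: int                  # one past the last hammered call
    apis: Tuple[str, ...]     # the few APIs cycled inside the span
    next_call: Optional[str]  # first call after the span, i.e. what the stall delayed


def find_api_hammering(trace: List[str], min_run: int = 500,
                       max_distinct: int = 3) -> List[HammerSpan]:
    """Flag maximal runs of at least `min_run` calls that cycle through at most
    `max_distinct` distinct APIs.  Both thresholds are assumptions to tune per sandbox."""
    spans, i, n = [], 0, len(trace)
    while i < n:
        seen, j = set(), i
        while j < n:  # extend until the (max_distinct + 1)-th distinct API appears
            if trace[j] not in seen:
                if len(seen) == max_distinct:
                    break
                seen.add(trace[j])
            j += 1
        if j - i >= min_run:
            counts, start = Counter(trace[i:j]), i
            while start < j - 1 and counts[trace[start]] == 1:  # drop one-off lead-in calls
                start += 1
            spans.append(HammerSpan(start, j, tuple(sorted(set(trace[start:j]))),
                                    trace[j] if j < n else None))
            i = j
        else:
            i += 1
    return spans


if __name__ == "__main__":
    for pid, reason in find_lockbit_precursors(PROCESS_EVENTS):
        print(f"pid {pid}: {reason}")
    for span in find_api_hammering(build_sample_trace()):
        print(f"hammering: {span.end - span.start} calls over {span.apis}, "
              f"then {span.next_call}")
```

On the sample data, the process-log check reports the two shadow copy deletions, the service stop and the document-named executable, and the trace check reports one span of 3000 calls over the three registry APIs followed by VirtualAlloc. The `next_call` field is the useful part for triage: the API that follows a hammering span is usually the first real action the loop was stalling.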
Tags: Ransomware, Spam, Malware, Tool, Vulnerability, Threat
Stories: APT 28, APT 23


The article does not appear to have been picked up after its publication.

The article does not appear to be a repeat of an earlier one.