One Article Review

The article:
Source AlienVault Lab Blog
Identifier 59
Publication date 2016-02-24 14:00:00 (viewed: 2016-02-24 14:00:00)
Title Operation BlockBuster unveils the actors behind the Sony attacks
Text Today, a coordinated coalition involving AlienVault and several other security companies, led by Novetta, is announcing Operation BlockBuster. This industry initiative was created to share information and potentially disrupt the infrastructure and tools of an actor named the Lazarus Group. The Lazarus Group has been responsible for several operations since at least 2009, including the attack that affected Sony Pictures Entertainment in 2014.

Part of our research on this actor was presented at the Kaspersky Security Analyst Summit (SAS) in Tenerife, Spain on February 9th, 2016 as a joint talk between AlienVault and Kaspersky's Global Research and Analysis Team.

In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers, including:

Sony Pictures Entertainment - 2014
Operation DarkSeoul - 2013
Operation Troy - 2013
Wild Positron / Duuzer - 2015

Besides several campaigns where the Lazarus Group has used wipers to perform destructive attacks, the group has also been busy using the same tools to perform data theft and cyber espionage operations.

Today, as part of the Operation BlockBuster release, we want to share some of our findings and the TTPs of the Lazarus Group that allowed us to link and attribute all of these campaigns and tools to the same cluster of activity.

We highly recommend that you read the comprehensive report Novetta published today. It includes details on the project's scope and the more than 45 malware families identified, together with signatures and guidance to help organizations detect and stop the group's actions.

Encryption/Shared keys

One of the key findings that gave us the opportunity to link several families to the same actors was a dropper that the attackers use. This dropper contains a compressed resource (ZIP) named "MYRES" that is protected by a password. The attackers have reused the same password on different occasions, and we were able to find droppers containing different families used by the group. This actor also reuses the code libraries it relies on to perform RSA encryption, and we found the exact same public key in multiple variants.

Batch scripts

This actor often uses BAT files that share the same skeleton in order to delete the initial files after infection. We have seen them reuse this technique across multiple droppers and payloads.

Obfuscation functions

The Lazarus Group uses a few different methods to obfuscate API function names and load the functions dynamically. One of them consists of a simple XOR scheme.
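The two reuse patterns above (XOR-obfuscated API names resolved at runtime, and self-deleting BAT files that share a skeleton) are exactly the kind of artifact an analyst pivots on to cluster samples. The following Python is an added example written for this page; it is not code from AlienVault, Novetta or the Lazarus toolset. The string-table layout (NUL-terminated names XORed with one byte), the `KNOWN_APIS` oracle and both batch scripts are constructed assumptions for the example; the real key, ZIP password and script text are not on the page.

```python
"""Analyst-side artifact extraction for pivoting across droppers.

Added example; not AlienVault's, Novetta's or the Lazarus Group's code.
Assumed layout: API names stored NUL-terminated and XORed with a single
byte, decoded by the loader before GetProcAddress. The BAT scripts below
are constructed in the style the post describes, not the real ones.
"""
import hashlib
import re

# API names a dynamic loader typically resolves. Matching decoded strings
# against this set is the oracle that confirms a candidate XOR key.
KNOWN_APIS = {
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"CreateFileA",
    b"WriteFile", b"WinExec", b"CreateProcessA", b"DeleteFileA",
    b"InternetOpenA", b"InternetConnectA", b"CryptEncrypt",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_obfuscated_table(names, key: int) -> bytes:
    """What a dropper would embed (assumed layout): each name plus its NUL
    terminator XORed with `key`, so the terminator is stored as `key`."""
    return b"".join(xor_bytes(n + b"\x00", key) for n in names)


def recover_api_names(blob: bytes):
    """Brute-force the single-byte key over an obfuscated string table.
    Decode with each of the 256 candidates, split on the decoded NUL and
    count known API names; the key with most hits wins. Returns
    (key, names), or (None, []) if nothing decodes (a different scheme)."""
    best_key, best_names = None, []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        names = [s for s in decoded.split(b"\x00") if s in KNOWN_APIS]
        if len(names) > len(best_names):
            best_key, best_names = key, names
    return best_key, best_names


# Two constructed self-delete scripts: identical control flow, different
# payload paths, label names, case and spacing.
BAT_A = r"""@echo off
:L1
del /f /q "C:\Users\Public\setup_update.exe"
if exist "C:\Users\Public\setup_update.exe" goto L1
del /f /q "%~f0"
"""

BAT_B = r"""@ECHO OFF
:retry
DEL /F /Q   "C:\ProgramData\winupd.tmp"
IF EXIST "C:\ProgramData\winupd.tmp" GOTO retry
DEL /F /Q "%~f0"
"""

_QUOTED = re.compile(r'"[^"]*"')        # quoted paths and file names
_GOTO = re.compile(r'\bgoto\s+\w+')     # jumps to a label
_LABEL = re.compile(r'^:\w+', re.M)     # label definitions (:name)


def bat_skeleton(script: str) -> str:
    """Reduce a BAT file to its control-flow skeleton: lower-case, quoted
    paths become "<path>", labels become <lbl>, whitespace canonicalised.
    Scripts that differ only in file names then compare equal."""
    s = script.replace("\r\n", "\n").lower()
    s = _QUOTED.sub('"<path>"', s)
    s = _GOTO.sub("goto <lbl>", s)
    s = _LABEL.sub(":<lbl>", s)
    lines = [" ".join(line.split()) for line in s.splitlines() if line.strip()]
    return "\n".join(lines)


def skeleton_hash(script: str) -> str:
    """Stable identifier for the skeleton, usable as a pivot value."""
    return hashlib.sha256(bat_skeleton(script).encode()).hexdigest()


def shared_artifacts(samples: dict) -> dict:
    """samples: {sample_name: {"api_blob": bytes, "bat": str}}.
    Returns {artifact: {sample names}} for artifacts seen in more than one
    sample; each entry is a pivot that links those samples."""
    index = {}
    for name, s in samples.items():
        key, apis = recover_api_names(s["api_blob"])
        if key is not None:
            index.setdefault(("xor_key", key), set()).add(name)
            index.setdefault(("api_set", tuple(sorted(apis))), set()).add(name)
        index.setdefault(("bat_skeleton", skeleton_hash(s["bat"])), set()).add(name)
    return {art: names for art, names in index.items() if len(names) > 1}


if __name__ == "__main__":
    apis = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"WinExec"]
    samples = {
        "dropper_1": {"api_blob": build_obfuscated_table(apis, 0x37), "bat": BAT_A},
        "dropper_2": {"api_blob": build_obfuscated_table(apis, 0x37), "bat": BAT_B},
    }
    for artifact, names in shared_artifacts(samples).items():
        print(artifact, "->", sorted(names))
```

Brute-forcing a one-byte key is cheap, so the check is the oracle, not the key space: a key is only accepted when the decoded table contains names the loader would plausibly resolve. The BAT skeleton deliberately discards what an operator changes between deployments (paths, labels, case) and keeps what they copy (the delete/if-exist/goto loop), which is what makes it a usable link rather than a per-sample hash.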
Sent Yes
Tags Medical
Stories Yahoo APT 38


The article does not appear to have been republished after its publication.


The article does not appear to be a republication of an earlier one.