One Article Review

Home - The article:
Source: Anomali
Identifier: 6091651
Publication date: 2022-08-02 15:17:00 (seen: 2022-08-02 16:06:20)
Title: Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, cyber mercenaries, phishing, rootkits, spyware, and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser extension used by the North Korea-sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the extension; the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter used almost exclusively in South Korea. Following the initial compromise, Velvet Chollima deploys SharpExt by exfiltrating the browser's settings files, editing them to register the extension, and generating a valid "super_mac" security check value so that the browser does not warn the victim. They also hide the newly opened DevTools window and any other warning windows, such as the warning about extensions running in developer mode. Analyst Comment: Velvet Chollima is known for deploying malicious browser extensions, but in the past it concentrated on stealing credentials rather than emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
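The installation step in the SharpExt story above (editing the browser's preference files and forging a valid super_mac) leaves artifacts in the Chromium-family preference files that a responder can check. The script below is an added triage example, not Volexity's or Anomali's code: it parses a Secure Preferences / Preferences JSON document and flags extensions that were side-loaded rather than installed from the Web Store. The key names it relies on (extensions.settings.<id>.location, from_webstore, path, extensions.ui.developer_mode, protection.macs, protection.super_mac) and the meaning of location value 4 (unpacked) are assumptions taken from Chromium's own preference layout, not from the page; the sample document, extension IDs and paths are constructed.

```python
import json

# Chromium's ManifestLocation value for an extension loaded from a directory via
# "Load unpacked" (developer mode). Assumption from Chromium source, not from the page.
UNPACKED = 4


def _get(obj, dotted, default=None):
    """Walk a dotted key path through nested dicts; return default if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_preferences(text: str) -> dict:
    """Parse a Chromium Secure Preferences / Preferences JSON document and report
    extensions whose install metadata does not look like a Web Store install,
    plus whether developer mode is on and a file-wide super_mac is present."""
    prefs = json.loads(text)
    settings = _get(prefs, "extensions.settings", {}) or {}
    macs = _get(prefs, "protection.macs.extensions.settings", {}) or {}
    suspicious = []
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        reasons = []
        if entry.get("location") == UNPACKED:
            reasons.append("unpacked (developer-mode) extension")
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the Web Store")
        path = entry.get("path", "")
        # Store installs live under the profile as "<id>/<version>_0"; an absolute
        # path means the extension was loaded from somewhere else on disk.
        if path.startswith("/") or (len(path) > 2 and path[1:3] == ":\\"):
            reasons.append(f"loaded from absolute path {path}")
        # Each tracked pref normally carries its own HMAC; a settings entry with no
        # MAC is a heuristic signal (an attacker may also generate one).
        if ext_id not in macs:
            reasons.append("no per-extension HMAC under protection.macs")
        if reasons:
            suspicious.append({"id": ext_id,
                               "name": _get(entry, "manifest.name", "?"),
                               "reasons": reasons})
    return {
        "developer_mode": bool(_get(prefs, "extensions.ui.developer_mode", False)),
        "has_super_mac": bool(_get(prefs, "protection.super_mac")),
        "suspicious": suspicious,
    }


# Constructed sample, not a real profile: one Web Store extension and one side-loaded
# from a directory with developer mode enabled. IDs, names and paths are made up.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True,
                "location": 1,
                "path": "abcdefghijklmnopabcdefghijklmnop\\1.2.3_0",
                "manifest": {"name": "Sample Store Extension"},
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": False,
                "location": UNPACKED,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {"name": "Sample Sideloaded Extension"},
            },
        },
        "ui": {"developer_mode": True},
    },
    "protection": {
        "macs": {"extensions": {"settings": {
            "abcdefghijklmnopabcdefghijklmnop": "0" * 64,
        }}},
        "super_mac": "1" * 64,
    },
})

if __name__ == "__main__":
    print(json.dumps(audit_preferences(SAMPLE_SECURE_PREFERENCES), indent=2))
```

Because the attackers regenerate super_mac, the file-wide integrity value validates after the tampering and is not a signal on its own; the useful combination is developer mode switched on, an extension loaded from an absolute path outside the profile, and a missing per-extension MAC, checked across every profile directory of each Chromium-based browser on the host (at least Chrome and Edge share this layout).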
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension

Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022)
Microsoft researchers detail the activity of DSIRF, an Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF chained an Adobe Reader remote code execution exploit with a Windows CSRSS elevation-of-privilege 0-day, CVE-2022-22047, which Microsoft patched in July 2022. DSIRF attacks rely on its malware toolset, called Subzero. The initial downloader shellcode is executed either from the exploit chains or from malicious Excel documents. It downloads a JPG image file with extra encrypted data appended, extracts and decrypts that data, and loads Corelump, a memory-only infostealer, into memory. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se
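The Knotweed story above says the Subzero downloader fetches a JPG that carries extra encrypted data and carves it out before loading Corelump. The following is an added example, not Microsoft's, DSIRF's or Anomali's code: it locates where the real image ends and measures what follows, which is the check a responder would run on a suspicious image pulled from proxy logs. The page describes the file only as a JPG with extra encrypted data, so the only assumption here is standard JPEG segment structure; the sample image and payload are constructed. Searching for the first or last FF D9 is unreliable, because EXIF thumbnails embed their own EOI marker and an encrypted blob can contain FF D9 by chance, so the code walks the marker segments instead.

```python
import math

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM (0x01) and RST0..RST7 (0xD0..0xD7).
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def jpeg_image_end(data: bytes) -> int:
    """Return the offset just past the real End-Of-Image marker by walking the
    segment structure. Raises ValueError on anything that is not a JPEG."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        # All other segments: 2-byte big-endian length that includes the length field itself.
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded scan data follows. Inside it, 0xFF is always followed by
            # 0x00 (stuffing) or an RSTn marker, so the first other marker ends the scan.
            while True:
                nxt = data.find(b"\xFF", pos)
                if nxt < 0 or nxt + 1 >= len(data):
                    raise ValueError("truncated scan data")
                nxt_marker = data[nxt + 1]
                if nxt_marker == 0x00 or 0xD0 <= nxt_marker <= 0xD7 or nxt_marker == 0xFF:
                    pos = nxt + 1
                    continue
                pos = nxt
                break
    raise ValueError("no EOI marker found")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8.0 mean the data looks encrypted or compressed."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def trailing_payload(data: bytes) -> tuple:
    """(image_end, trailing_bytes, trailing_entropy) for a JPEG that may carry an appended blob."""
    end = jpeg_image_end(data)
    tail = data[end:]
    return end, len(tail), shannon_entropy(tail)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xFF" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample (structurally valid, not a decodable picture): an APP1 block that
# embeds a thumbnail-like SOI/EOI pair, a scan with a stuffed FF00 and an RST0, then EOI.
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"\xFF\xD8\x00\x11\xFF\xD9")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3F\x00")
    + b"\x12\x34\xFF\x00\x56\xFF\xD0\x78"
    + b"\xFF\xD9"
)
# Constructed stand-in for the appended "encrypted" blob; it deliberately contains FF D9.
PAYLOAD = bytes(range(256)) + b"\xFF\xD9" + bytes(range(256))

if __name__ == "__main__":
    print("image ends at", jpeg_image_end(SAMPLE_JPEG))
    print("first FFD9 (wrong, hits the EXIF thumbnail):", SAMPLE_JPEG.find(b"\xFF\xD9"))
    print("last FFD9 (wrong, hits the payload):", (SAMPLE_JPEG + PAYLOAD).rfind(b"\xFF\xD9"))
    print("trailing payload (end, size, entropy):", trailing_payload(SAMPLE_JPEG + PAYLOAD))
```

A clean image yields zero trailing bytes; a large high-entropy tail on a file served as an image is the signal to carve the tail for decryption and to pivot on the URL that delivered it. The parser raises rather than guessing on malformed input, so run it under a try/except when sweeping a directory.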
Sent: Yes
Tags: Malware, Tool, Vulnerability, Threat, Patching, Guideline, Cloud
Stories: APT 37, APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.