One Article Review

Home - The article:
Source: Anomali
Identifier: 6354068
Publication date: 2022-08-16 15:06:00 (viewed: 2022-08-16 15:06:36)
Title: Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, China, Cyberespionage, India, Malspam, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT-C-35: New Windows Framework Revealed (published: August 11, 2022) The DoNot Team (APT-C-35) is an India-sponsored group active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in its campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macros), a multi-stage framework deployment starts. It includes two shellcode stages followed by the main DLL, which, based on victim fingerprinting, downloads a custom set of additional information-stealing modules. Analyst Comment: The described DoNot Team framework is unusual in its customisation, fingerprinting, and module implementation. At the same time, the general theme of a spearphishing attachment that asks the targeted user to enable editing is not new, and it can be mitigated by anti-phishing training and Microsoft Office settings hardening.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059
Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Medical
Stories: APT 38


The article does not seem to have been republished after its publication.


The article does not seem to be a repeat of a previous one.