One Article Review

Home - The article:
Source Cisco Talos
Identifier 6785115
Publication date 2022-09-08 08:39:42 (viewed: 2022-09-08 14:06:06)
Title Lazarus and the tale of three RATs
Text By Jung soo An, Asheer Malhotra and Vitor Ventura.

Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMware Horizon to gain an initial foothold into targeted organizations.

Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world to establish long-term access and subsequently exfiltrate data of interest to the adversary's nation-state.

Talos has discovered the use of two known families of malware in these intrusions: VSingle and YamaBot.

Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.

Introduction

Cisco Talos observed the North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has previously been attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMware products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT."

This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory, which detailed continued attempts by threat actors to compromise vulnerable VMware Horizon servers.

In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints.

In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean govern
Sent Yes
Condensed index: the page's keyword index of the article. The SHA256 indicators it carries are listed below, each under the label that precedes it in that index (the first hash carries no label on this page):
(no label on this page) 586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730
MagicRAT 8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
MagicRAT c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
MagicRAT dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
MagicRAT 90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
YamaBot f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
Procdump 16f413862efda3aba631d8a7ae2bfff6d84acd9f454a7adaa518c7a8a6f375a5
Procdump 05732e84de58a3cc142535431b3aa04efbe034cc96e837f93c360a6387d8faad
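The hashes above are the one concrete, machine-checkable artifact this page carries, so here is a SHA256 sweep of a directory tree against them, added as an example; it is not Cisco Talos code and not part of the original page. The hash values are copied from the page's index and labelled in the order they appear there (the first hash has no label on this page, and is marked as such rather than guessed). The demo() helper writes a constructed sample file and derives a constructed extra IOC from it so the matching logic can be exercised offline; that file and that extra hash are assumptions for illustration, not real samples.

```python
"""SHA256 IOC sweep for the hashes listed on this page.

Added example, not Cisco Talos code. Walks a directory tree, hashes every
regular file in fixed-size chunks (so large files do not fill memory) and
reports files whose digest is in the IOC set.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values exactly as they appear in the page's index. The label is the
# name that precedes each hash in that index; the first hash has no label on
# this page, so it is marked as such rather than guessed.
IOC_SHA256 = {
    "586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730": "unlabelled on page",
    "8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5": "MagicRAT",
    "c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f": "MagicRAT",
    "dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469": "MagicRAT",
    "90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4": "MagicRAT",
    "f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb": "YamaBot",
    "16f413862efda3aba631d8a7ae2bfff6d84acd9f454a7adaa518c7a8a6f375a5": "Procdump",
    "05732e84de58a3cc142535431b3aa04efbe034cc96e837f93c360a6387d8faad": "Procdump",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the lowercase hex SHA256 of a file, reading it in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=None):
    """Hash every regular file under root; return a list of (path, sha256, label) hits.

    Symlinks are skipped so a planted link cannot redirect the scan, and files
    that cannot be read are skipped rather than aborting the whole sweep.
    """
    iocs = IOC_SHA256 if iocs is None else iocs
    wanted = {h.lower(): label for h, label in iocs.items()}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(path), digest, wanted[digest]))
    return hits


def demo():
    """Exercise sweep() offline on constructed data.

    Returns (hits with a constructed extra IOC added, hits against the page
    IOCs only). The file content and the extra IOC derived from it are
    constructed for this example; they are not real samples.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample content, not malware")
        (Path(tmp) / "benign.txt").write_text("nothing to see here")
        extra = dict(IOC_SHA256)
        extra[sha256_file(sample)] = "constructed-sample"
        return sweep(tmp, extra), sweep(tmp)


if __name__ == "__main__":
    matched, page_only = demo()
    for path, digest, label in matched:
        print(f"HIT {label}: {path} {digest}")
    print(f"hits against the page's own IOCs: {len(page_only)}")
```

Run it against a suspect host's filesystem (for example a Horizon server's web and temp directories) by calling sweep() with the root path; a hash sweep only catches byte-identical samples, so treat a clean result as absence of these specific files, not absence of the actor.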
Tags Malware Tool Vulnerability Threat Medical
Stories APT 38


The article does not seem to have been picked up after its publication.


The article does not seem to be a repost of an earlier one.