One Article Review

The article:
Source Anomali
Identifier 7298043
Publication date 2022-10-04 18:08:00 (viewed: 2022-10-04 19:08:29)
Title Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Convinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: DLL side-loading, influence operations, infostealers, North Korea, ransomware, Russia, and social engineering. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

New Royal Ransomware Emerges in Multi-Million Dollar Attacks (published: September 29, 2022)

AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to its own custom Zeon ransomware, and, since the middle of September 2022, has used the Royal ransomware. The Royal group relies on targeted callback phishing attacks. Its phishing emails, impersonating food delivery and software providers, contain phone numbers to cancel an alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is then used to gain initial access to the corporate network.

Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include awareness of callback phishing attacks in their anti-phishing training.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566

Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering

ZINC Weaponizing Open-Source Software (published: September 29, 2022)

Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus has trojanized several open-source tools (KiTTY, the muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver its custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file.

Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform, and customers are advised to block them on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication.

MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 |
Notes
Sent Yes
Tags Ransomware Malware Tool Threat Medical
Stories APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.