One Article Review

The article:
Source: Fortinet ThreatSignal
Identifier: 7451988
Publication date: 2022-10-14 01:24:52 (viewed: 2022-10-14 09:05:44)
Title: Guloader Spam Indiscriminately Sent to State Elections Board
Text:

Recently, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement, Foreign Actors Likely to Use Information Manipulation Tactics for 2022 Midterm Elections (9I-100622-PSA). The focus of the PSA was to inform the public of the potential manipulation of the midterm election cycle in the United States by foreign agents using social engineering and social media disinformation tactics to influence voters and to sow discord.

Around the same time as the announcement, FortiGuard Labs observed a GuLoader campaign being sent to an elections body in the United States. Although there is no sign that they were specifically targeted, we want to highlight what is involved in these attacks given the 2022 U.S. midterm elections in November. The infection vector is simple malicious spam that does not rely on exploiting a vulnerability or on macros.

FortiGuard Labs found a campaign from a purported industrial equipment manufacturer in Indonesia, containing a malicious ISO attachment.

Figure 1. Email used in this spam campaign

ISO email attachments are often used to avoid detection by security solutions. Clicking on the attachment opens the ISO file. Once mounted, an EXE file, a GuLoader malware variant, becomes visible. The victim then needs to run the "Requisition order-PT. LFC Teknologi,pdf.exe" executable manually to start the infection routine.

Figure 2. GuLoader file in the mounted ISO file

This file is digitally signed via an untrusted root certificate, seen below.

Figure 3. Digital signature information for "Requisition order-PT. LFC Teknologi,pdf.exe"

The GuLoader payload is so-called first-stage malware that has been seen in the wild for the past few years. It is designed to deliver a second-stage payload that can be tailored to the attacker's liking.
Some reported second-stage payloads include Remote Access Trojans (RATs), infostealers, and ransomware.

This particular GuLoader variant reaches out to 195[.]178[.]120[.]184/sMHxAbMCsvl181[.]java, which was no longer available at the time of the investigation. However, we believe the java file to be either a decryption key or a payload download. Another GuLoader sample (SHA2: 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e) was submitted to VirusTotal on September 14th. This sample accesses 195[.]178[.]120[.]184/uFLBwGvx55[.]java, and available OSINT suggests that the payload is the Azorult infostealer. Azorult is capable of exfiltrating data such as passwords from browsers, email, and FTP servers, and of harvesting files with extensions specified by an attacker. It can also collect machine information such as user and computer name, installed programs, and Windows version. Such stolen information can be a precursor to future attacks.

Based on the traits of the GuLoader sample, FortiGuard Labs tracked down additional files involved in the same malicious spam campaign. The attacker mostly used IMG and ISO attachments along with file names in English, German, Spanish, Turkish, and Chinese. VirusTotal submissions of the attachments came from the US, Czechia, China, Turkey, Germany, the UK, Israel, Ireland, and Hungary. The GuLoader variant was also submitted to VirusTotal from the US, Bulgaria, Canada, China, the United Arab Emirates, and Korea. The email delivered to a board of elections in the United States was sent to a publicly available webmaster address. This indicates that the attacker sent these malicious emails to as many recipients as possible in the hope that someone would manually execute the malware.
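As an added example (my own code, not Fortinet's or FortiGuard Labs'), a small Python triage routine for the two attachment traits this report describes: disk-image containers (ISO/IMG) used as the outer wrapper, and an executable whose name imitates a document ("Requisition order-PT. LFC Teknologi,pdf.exe"). It also refangs the defanged indicator notation the report uses; the extension lists and sample names are assumptions.

```python
"""Mail attachment triage for the GuLoader spam chain (constructed example)."""
import re

# Disk-image containers used as the outer wrapper in this campaign.
CONTAINER_EXT = {".iso", ".img"}
# Extensions Windows executes on double-click (assumed list, not exhaustive).
EXEC_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Document tokens attackers place just before the real extension.
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def split_ext(name):
    """Return (base, extension) in lower case; extension is '' if absent."""
    base, dot, ext = name.lower().rpartition(".")
    return (base, "." + ext) if dot else (name.lower(), "")


def classify_attachment(name):
    """Return the list of reasons an attachment file name looks suspicious."""
    reasons = []
    base, ext = split_ext(name)
    if ext in CONTAINER_EXT:
        reasons.append("disk-image container attachment")
    if ext in EXEC_EXT:
        reasons.append("directly executable attachment")
        # A document token right before the executable extension, separated
        # by any punctuation: "pdf.exe", ",pdf.exe" or "-pdf.exe" all match.
        tail = re.split(r"[^a-z0-9]+", base)[-1]
        if tail in DOC_TOKENS:
            reasons.append("executable disguised as " + tail + " document")
    return reasons


def triage(attachment_names):
    """Map each flagged attachment name to its reasons (clean names omitted)."""
    result = {}
    for name in attachment_names:
        reasons = classify_attachment(name)
        if reasons:
            result[name] = reasons
    return result


def refang(indicator):
    """Undo the [.] and hxxp defanging used in threat reports."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


if __name__ == "__main__":
    # Constructed sample: the report's lure name plus two benign files.
    sample = ["Requisition order-PT. LFC Teknologi,pdf.exe", "quote.pdf", "order.iso"]
    for name, why in triage(sample).items():
        print(name, "->", "; ".join(why))
    print(refang("195[.]178[.]120[.]184/sMHxAbMCsvl181[.]java"))
```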
This is the first step toward a potential compromise of machines related to this state's elections board, and it would allow the attacker to gain a foothold to obtain unauthorized data for dissemination, or simply to pursue various angles of disruption (ransomware, wiping, extortion, etc.) and, even worse, perhaps sell access to an adversary for financial gain.

Fortinet Protections

Fortinet customers are already protected fr
Sent: Yes
Tags: Spam, Malware, Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been based on a previous one.