One Article Review

Source: Anomali
Identifier: 7765391
Publication date: 2022-11-01 15:00:00 (viewed: 2022-11-01 15:06:56)
Title: Anomali Cyber Watch: Active Probing Revealed ShadowPad C2s, Fodcha Hides Behind Obscure TLDs, Awaiting OpenSSL 3.0 Patch, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DDoS, OpenSSL, Ransomware, Russia, Spyware, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad) (published: October 27, 2022)

ShadowPad is custom, modular malware used by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered the decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (between September 2021 and September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).

Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, ShadowPad changes the immediate values used in the packet encoding per variant, so obtaining new samples is crucial for keeping this monitoring current.

MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP

Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity (published: October 27, 2022)

The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: a Raspberry Robin LNK file on a USB drive, the Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around the threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was also seen delivered by the Fauppod malware, which shares code similarities both with Raspberry Robin and with EvilCorp's Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot) and eventually led to ransomware deployment (LockBit, Clop).

Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction.

MITRE ATT&CK: [MITRE ATT&CK] Replicat
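The Raspberry Robin analyst comment above recommends not enabling Autorun for removable media. The following PowerShell is an added example (not code from the Anomali article, Microsoft's report, or any vendor) that audits and enforces that policy on a Windows host through the documented Explorer policy values `NoDriveTypeAutoRun` and `NoAutorun` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`. The function names `Get-AutorunPolicyState` and `Set-AutorunDisabled` are this example's own; the registry path, value names and bit layout are the standard Windows ones. It assumes an elevated session.

```powershell
# Added example: audit and enforce "no Autorun for removable media".
# Registry path and value names are the documented Windows policy locations;
# the function names are this example's own.
# GPO equivalent: Computer Configuration > Administrative Templates >
#   Windows Components > AutoPlay Policies. Requires an elevated session.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunPolicyState {
    # NoDriveTypeAutoRun is a bitmask of drive types for which Autorun is
    # disabled: 0x04 = removable drives, 0x08 = fixed, 0x10 = network,
    # 0x20 = CD-ROM; 0xFF disables Autorun for every drive type.
    # NoAutorun = 1 prevents autorun.inf commands from executing at all.
    $mask = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $noAutorun = (Get-ItemProperty -Path $policyKey -Name 'NoAutorun' `
                -ErrorAction SilentlyContinue).NoAutorun

    [pscustomobject]@{
        NoDriveTypeAutoRun      = $mask
        RemovableAutorunBlocked = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)
        AllAutorunBlocked       = ($mask -eq 0xFF)
        AutorunInfDisabled      = ($noAutorun -eq 1)
    }
}

function Set-AutorunDisabled {
    # Create the policy key if no policy has been applied yet, then disable
    # Autorun for all drive types and block autorun.inf command execution.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
    Set-ItemProperty -Path $policyKey -Name 'NoAutorun'          -Type DWord -Value 1
}

# Usage: report, remediate only if needed, then re-check.
$before = Get-AutorunPolicyState
Write-Host "Before:" ; $before | Format-List
if (-not ($before.AllAutorunBlocked -and $before.AutorunInfDisabled)) {
    Set-AutorunDisabled
}
Write-Host "After:" ; Get-AutorunPolicyState | Format-List
```

Disabling Autorun only removes the automatic activation path the analyst comment describes; the Raspberry Robin LNK still executes if a user opens it by hand, so this control belongs alongside the attack surface reduction and segmentation measures the same comment recommends. Explorer reads these values at logon, so a sign-out or reboot is needed before the new setting takes effect for interactive sessions.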
Notes:
Sent: Yes
Tags: Ransomware, Malware, Hack, Tool, Vulnerability, Threat, Guideline
Stories: APT 41


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repost of an earlier one.