One Article Review

Home - The article:
Source Anomali
Identifier 8039573
Publication date 2022-11-16 03:26:00 (viewed: 2022-11-16 04:09:59)
Title Anomali Cyber Watch: Amadey Bot Started Delivering LockBit 3.0 Ransomware, StrelaStealer Delivered by a HTML/DLL Polyglot, Spymax RAT Variant Targeted Indian Defense, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Infostealers, Maldocs, Phishing, Ransomware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

KmsdBot: The Attack and Mine Malware (published: November 10, 2022)
KmsdBot is a cryptominer written in Go with distributed denial-of-service (DDoS) functionality. The malware was performing DDoS attacks either with Layer 4 TCP/UDP packets or with Layer 7 HTTP requests consisting of GET and POST. KmsdBot was seen performing targeted DDoS attacks against the gaming industry, luxury car manufacturers, and the technology industry. The malware spreads by scanning for open SSH ports and trying a list of weak username and password combinations.
Analyst Comment: Network administrators should not use weak or default credentials for servers or deployed applications. Keep your systems up to date and use public key authentication for your SSH connections.
MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:KmsdBot, SSH, Winx86, Arm64, mips64, x86_64, malware-type:DDoS, malware-type:Cryptominer, xmrig, Monero, Golang, target-industry:Gaming, target-industry:Car manufacturing, target-industry:Technology, Layer 4, Layer 7

Massive ois[.]is Black Hat Redirect Malware Campaign (published: November 9, 2022)
Since September 2022, a new WordPress malware has been redirecting website visitors via ois[.]is. To conceal itself from administrators, the redirect does not occur if the wordpress_logged_in cookie is present or if the current page is wp-login.php. The malware infects the .php files it finds, on average over 100 files per website. A .png image file initiates the redirect, using window.location.href to send the visitor to a Google search result URL for a spam domain of the actors' choice. Sucuri researchers estimate 15,000 affected websites that were redirecting visitors to fake Q&A sites.
Analyst Comment: WordPress site administrators should keep their systems updated and secure the wp-admin administrator panel with 2FA or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: file-type:PHP, SEO poisoning, WordPress, Google Search, Google Ads

LockBit 3.0 Being Distributed via Amadey Bot (published: November 8, 2022)
Discovered in 2018, Amadey Bot is a commodity malware that functions as an infostealer and loader. Ahnlab researchers detected a new campaign in which it is used to deliver the LockBit 3.0 ransomware. It is likely part of a larger 2022 campaign delivering LockBit to South Korean users. The actors used phishing attachments with two variants of Amadey B
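The Analyst Comment for the ois[.]is campaign recommends three checks after an infection: a core file integrity check, a search for other files carrying the same injection, and a review of recently modified or added files. The script below is an added example of that triage, not code from the Anomali article or from Sucuri; the web root, the baseline manifest and the `window.location.href` marker are all constructed here, and the marker is not a published indicator.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict:
    """Known-good SHA-256 per file, keyed by path relative to the web root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def integrity_check(root: Path, manifest: dict) -> dict:
    """Diff the live tree against the baseline: modified, added, missing files."""
    current = build_manifest(root)
    return {"modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
            "added": sorted(f for f in current if f not in manifest),
            "missing": sorted(f for f in manifest if f not in current)}

def files_containing(root: Path, marker: bytes) -> list:
    """Every file whose bytes contain the injection marker; .png files are
    included because the campaign carried its redirect in an image file."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and marker in p.read_bytes())

def recently_changed(root: Path, since_epoch: float) -> list:
    """Files whose mtime is at or after the given point in time."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime >= since_epoch)

def demo() -> dict:
    """Constructed web root: baseline it, simulate an injection, re-check."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (root / "wp-includes" / "functions.php").write_text("<?php // clean core file\n")
    old = time.time() - 30 * 86400
    for p in root.rglob("*"):          # pretend the clean install is a month old
        os.utime(p, (old, old))
    baseline = build_manifest(root)    # taken from the clean install
    marker = b"window.location.href"   # constructed marker, not a published IoC
    # Simulated infection: append a redirect to a core file, drop a .png carrier
    with (root / "wp-includes" / "functions.php").open("ab") as fh:
        fh.write(b"<script>" + marker + b"='https://example.invalid/';</script>")
    (root / "wp-includes" / "x.png").write_bytes(b"\x89PNG" + marker)
    report = integrity_check(root, baseline)
    report["injected"] = files_containing(root, marker)
    report["recent"] = recently_changed(root, time.time() - 86400)
    return report

if __name__ == "__main__":
    print(demo())
```

On a real site the baseline manifest would come from a pristine copy of the same WordPress release, and the marker from the injected code actually found on the infected files.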
Sent Yes
Tags Threat Ransomware Spam Malware Tool
The article does not appear to have been republished after its publication.

The article does not appear to have been taken up from an earlier one.