One Article Review

Home - The article:
Source Anomali
Identifier 8169179
Publication date 2022-11-22 23:47:00 (viewed: 2022-11-23 00:06:41)
Title Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Signed malware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads (published: November 17, 2022)

From August to October 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between delivering malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations' public websites. Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). The first stage was a user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second-stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer.

Analyst Comment: DEV-0569 is a dangerous group for its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links from alternative incoming messaging, such as from contact forms, should be treated as thoroughly as links from incoming email traffic.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486

Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows

Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment (published: November 16, 2022)

From mid-September 2022, a new phishing campaign has targeted users in North America with holiday special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed the techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation: they placed target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by JavaScript code running in the victim's browser to reconstruct the redirecting URL.

Analyst Comment: Evasion through URI fragmentation hides the token value from traff
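The reason the fragment trick defeats traffic inspection is that browsers never send the part after "#" to the server, so only client-side script sees it. The following is an added example (not code from the Anomali article or from the phishing kit it describes) that shows the server-visible versus client-only parts of a link and a triage heuristic for spotting opaque per-recipient tokens in fragments; it assumes Node.js with its built-in WHATWG URL class, and the sample links and token are constructed.

```javascript
// Added example, not code from the Anomali article or the kit it describes.
// Shows why a token placed after "#" never reaches a proxy or web server, and a
// triage heuristic for finding such links in mail bodies or click logs.
// Runs on Node.js 10+ (global WHATWG URL class); the URLs below are constructed.

// The part of a link an HTTP request actually carries. Browsers strip the
// fragment before sending (RFC 3986, section 3.5), so proxy and server logs
// can never contain it.
function serverVisiblePart(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// The part only client-side script can read (window.location.hash).
function clientOnlyFragment(link) {
  return new URL(link).hash.replace(/^#/, "");
}

// Triage heuristic, not a verdict: ordinary anchors are short dictionary words
// joined by "-" or "_" ("pricing", "release-notes-2022-11"). A fragment that is
// at least 16 characters long and contains a segment of 8+ characters mixing
// letters and digits looks like an opaque per-recipient token and is worth review.
function looksLikeOpaqueToken(fragment) {
  if (fragment.length < 16) return false;
  return fragment
    .split(/[-_.\/]+/)
    .some((seg) => seg.length >= 8 && /[a-z]/i.test(seg) && /\d/.test(seg));
}

// Returns, for each flagged link, what a defender would have seen in server
// logs versus what the victim's browser actually received.
function triageLinks(links) {
  return links
    .filter((link) => looksLikeOpaqueToken(clientOnlyFragment(link)))
    .map((link) => ({
      link,
      loggedByServer: serverVisiblePart(link),
      hiddenFragment: clientOnlyFragment(link),
    }));
}

// Constructed sample links (reserved example domains, made-up token).
const SAMPLE_LINKS = [
  "https://example.com/holiday-deals#pricing",
  "https://example.com/help#release-notes-2022-11",
  "https://cdn.example.net/landing.html#k3J9xQ2vTn8LpZ4sWb7mR1cY",
];

console.log(JSON.stringify(triageLinks(SAMPLE_LINKS), null, 2));
```

Only the third link is flagged; its `loggedByServer` value is what a proxy or the landing host's access log would contain, with the token absent.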
Sent Yes
Tags Threat Ransomware Malware Guideline Tool Medical
Stories APT 38
Rating ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.