One Article Review

Source: Anomali
Identifier: 8288335
Publication date: 2022-12-06 17:09:00 (seen: 2022-12-06 18:06:40)
Title: Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, in-memory evasion, infostealers, North Korea, phishing, ransomware, search engine optimization, and signed malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Chinese Gambling Spam Targets World Cup Keywords (published: December 2, 2022)

Since 2018, a large-scale website infection campaign has been affecting over 100,000 sites at a given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen in order to abuse search engine optimization (SEO). At the same time, additional scripts switched the page titles back to the original if visitor fingerprinting did not indicate a Chinese search engine from a preset list (such as Baidu).

Analyst Comment: Website owners should keep their systems updated, use unique strong passwords, introduce MFA for all privileged or internet-facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups.

MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Obfuscated Files or Information - T1027

Tags: SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou

Leaked Android Platform Certificates Create Risks for Users (published: December 2, 2022)

On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It has not been disclosed how these platform certificates could have been leaked.

Analyst Comment: Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature.

Tags: Android, Google, Platform certificates, Signed malware, malware-type:Adware

Blowing Cobalt Strike Out of the Water With Memory Analysis (published: December 2, 2022)

The Cobalt Strike attack framework remains difficult to detect because it works mostly in memory and barely touches the disk after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader, which loads an SMB beacon; MagnetLoader, which loads an HTTPS beacon; and LithiumLoader, which loads a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-me
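A server-side cloaking check for the first story, added here as an example and not code from Anomali or the article: it extracts the title and meta tags from the HTML actually served to each visitor profile and diffs them against the site's known-good copy (the baseline is assumed to come from the site's backup), with HTML entities decoded so that entity-encoded keywords are compared in plain form. The two sample responses are constructed.

```python
from html.parser import HTMLParser

class _HeadExtractor(HTMLParser):
    """Collects <title> text and <meta name=...> content; HTMLParser decodes entities."""
    def __init__(self):
        super().__init__()
        self.title, self.meta, self._in_title = "", {}, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name") and a.get("content") is not None:
            self.meta[a["name"].lower()] = a["content"]
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def extract_head(html):
    """Return the title and a name->content meta map, with HTML entities already decoded."""
    p = _HeadExtractor()
    p.feed(html)
    p.close()
    return {"title": p.title.strip(), "meta": p.meta}

def compare_to_baseline(baseline_html, views):
    """baseline_html is the known-good page (assumed to come from the site backup); views maps
    a visitor label (browser, baiduspider, sogou, ...) to the HTML actually served to it.
    Every title/keywords/description difference is returned as a finding tuple."""
    base = extract_head(baseline_html)
    findings = []
    for label, html in views.items():
        head = extract_head(html)
        if head["title"] != base["title"]:
            findings.append((label, "title", base["title"], head["title"]))
        for key in ("keywords", "description"):
            if head["meta"].get(key) != base["meta"].get(key):
                findings.append((label, "meta:" + key, base["meta"].get(key), head["meta"].get(key)))
    return findings

# Constructed samples: the backup copy versus the head a Baidu crawler is served, where the
# injected keywords are hidden behind numeric character references (HTML entities).
BASELINE_HTML = ('<html><head><title>Acme Hotels - Book your stay</title>'
                 '<meta name="description" content="Acme Hotels official site"></head></html>')
SERVED_HTML = ('<html><head><title>&#x4e16;&#x754c;&#x676f;&#x4e0b;&#x6ce8; - Acme Hotels</title>'
               '<meta name="keywords" content="world cup betting, &#x5a31;&#x4e50;&#x57ce;">'
               '<meta name="description" content="Acme Hotels official site"></head></html>')
```

In practice the views dict is filled by fetching the same URL once per User-Agent of interest (a browser plus the crawlers named in the tags), so both server-side and client-side cloaking show up as a drift from the backup copy.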
Tags: Threat, Spam, Malware, Tool, Medical
Stories: APT 38