One Article Review

Source: Anomali
Identifier: 8290724
Publication date: 2022-12-13 16:00:00 (seen: 2022-12-13 16:05:40)
Title: Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers
Text: The threat intelligence stories in this edition of the Anomali Cyber Watch cover the following topics: APT, compromised websites, education, healthcare, Iran, phishing, ransomware, and supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this issue and give a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

New MuddyWater Threat: Old Kitten; New Tricks (published: December 8, 2022)

Between 2020 and 2022, the Iran-sponsored MuddyWater group (Static Kitten, Mercury) abused a succession of legitimate remote administration tools: RemoteUtilities, then ScreenConnect, then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater has used spearphishing to deliver links to archived MSI files carrying yet another remote administration tool, Syncro. Deep Instinct researchers observed targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.

Analyst Comment: Network defenders are advised to establish a baseline of the processes that normally run in the organization and to monitor for remote desktop solutions that are not common there. Because these tools are legitimate, signed software, detection rests on prevalence and context (which hosts run them, who installed them, and how they arrived) rather than on the binary itself.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219

Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows

Babuk Ransomware Variant in Major New Attack (published: December 7, 2022)

In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification lowers detection by abusing a legitimate Microsoft-signed process: the malware is DLL side-loaded into NTSD.exe, a symbolic debugger for Windows. The mechanism for removing available Shadow Copies was changed to Component Object Model (COM) objects that execute Windows Management Instrumentation (WMI) queries. The sample was detected at a large, unnamed manufacturing company where the attackers had held network access and gathered information for two weeks. They compromised the company's domain controller and used it to distribute the ransomware to every device in the organization through a Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file containing the files for DLL side-loading and an open-source-based reflective loader (OCS files).

Analyst Comment: The attackers keep improving their evasion techniques: at several steps the malware hides behind Microsoft-signed processes and lives primarily in memory. This raises the need for a defense-in-depth approach and robust monitoring of the organization's domain, in particular of domain controllers and Group Policy changes, since that is how the ransomware was pushed to every device here.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 |
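The two analyst comments above (baseline the processes that normally run and watch for uncommon remote desktop tools; watch for malware hiding behind Microsoft-signed processes such as NTSD.exe) can be turned into a concrete hunt. The Python below is an added example written for this review, not code from Anomali, Deep Instinct or Morphisec. The event feed is constructed and only Sysmon-like (event 1 = process creation, event 7 = image load); the baseline set, the host names, the signer strings and the executable-name fragments used to recognise the RMM tools are all assumptions, not verified product file names.

```python
"""Added example (not from the Anomali article): hunting constructed, Sysmon-like
events for (a) remote administration tools running outside the organisation's
process baseline and (b) the Microsoft-signed debugger ntsd.exe loading a DLL
that is not a Microsoft-signed library under the Windows directory, i.e. the
DLL side-loading pattern described for the Babuk variant."""
import csv
import io

# Constructed, Sysmon-like events. Hosts, paths and signers are invented.
EVENTS = r"""event_id,host,image,loaded_image,signed,signature
1,WS01,C:\Windows\explorer.exe,,true,Microsoft Windows
1,WS01,C:\Users\alice\AppData\Local\Temp\Syncro\Syncro.Service.exe,,true,Syncro
1,WS02,C:\Windows\System32\svchost.exe,,true,Microsoft Windows
1,WS02,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,,true,Microsoft Corporation
1,WS03,C:\ProgramData\ntsd.exe,,true,Microsoft Corporation
7,WS03,C:\ProgramData\ntsd.exe,C:\Windows\System32\ntdll.dll,true,Microsoft Windows
7,WS03,C:\ProgramData\ntsd.exe,C:\ProgramData\dbgeng.dll,false,
"""

# Hypothetical baseline of executables that are normal in this organisation (assumption).
BASELINE = {"explorer.exe", "svchost.exe", "outlook.exe", "teams.exe", "msiexec.exe"}

# Remote administration tools named in the article, keyed by a fragment of the
# executable name. The fragments are assumptions, not verified product file names.
RMM_KEYWORDS = {
    "remoteutilities": "RemoteUtilities",
    "rutserv": "RemoteUtilities",
    "screenconnect": "ScreenConnect",
    "ateraagent": "Atera Agent",
    "syncro": "Syncro",
}


def parse_events(text):
    """Parse the CSV event feed into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_unbaselined_rmm(events, baseline=BASELINE):
    """Process-creation events whose executable looks like a known remote
    administration tool and is not part of the baseline."""
    hits = []
    for e in events:
        if e["event_id"] != "1":
            continue
        name = basename(e["image"])
        if name in baseline:
            continue
        for fragment, product in RMM_KEYWORDS.items():
            if fragment in name:
                hits.append((e["host"], product, e["image"]))
                break
    return hits


def rare_processes(events, baseline=BASELINE, max_hosts=1):
    """Non-baseline executables seen on at most max_hosts hosts: the candidates
    a defender reviews when building or refining the baseline."""
    hosts_by_name = {}
    for e in events:
        if e["event_id"] == "1":
            name = basename(e["image"])
            if name not in baseline:
                hosts_by_name.setdefault(name, set()).add(e["host"])
    return sorted(n for n, h in hosts_by_name.items() if len(h) <= max_hosts)


def find_ntsd_sideloading(events):
    """Image-load events in which ntsd.exe loads a DLL that is not both
    Microsoft-signed and located under C:\\Windows\\. A DLL dropped next to the
    debugger for side-loading fails one or both of those conditions."""
    hits = []
    for e in events:
        if e["event_id"] != "7" or basename(e["image"]) != "ntsd.exe":
            continue
        dll = e["loaded_image"]
        ms_signed = e["signed"] == "true" and e["signature"].startswith("Microsoft")
        in_windows_dir = dll.lower().startswith("c:\\windows\\")
        if not (ms_signed and in_windows_dir):
            hits.append((e["host"], e["image"], dll))
    return hits


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for hit in find_unbaselined_rmm(evs):
        print("RMM tool outside baseline:", hit)
    print("Rare non-baseline processes:", rare_processes(evs))
    for hit in find_ntsd_sideloading(evs):
        print("ntsd.exe side-loading candidate:", hit)
```

On the constructed feed the hunt flags the Syncro agent on WS01 (a remote administration tool that the baseline does not contain), lists both non-baseline executables as rare, and flags the unsigned dbgeng.dll loaded by ntsd.exe from C:\ProgramData while leaving the legitimate ntdll.dll load alone. Against real telemetry the same logic works on Sysmon event IDs 1 and 7, with the baseline derived from a few weeks of process-creation events rather than hard-coded.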
Tags: Ransomware, Malware, Tool, Threat, Medical
Stories: APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.