One Article Review

Home - The article:
Source Anomali
Identifier 8299602
Publication date 2023-01-10 16:30:00 (viewed: 2023-01-10 17:08:25)
Title Anomali Cyber Watch: Turla Re-Registered Andromeda Domains, SpyNote Is More Popular after the Source Code Publication, Typosquatted Site Used to Leak Company's Data
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Artificial intelligence, Expired C2 domains, Data leak, Mobile, Phishing, Ransomware, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

OPWNAI: Cybercriminals Starting to Use ChatGPT (published: January 6, 2023)

Check Point researchers have detected multiple underground forum threads outlining experiments with, and abuse of, ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with prompts that make the model write malicious code while avoiding the ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool.

Analyst Comment: ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, they can be dangerous tools enabling even low-skill threat actors to create convincing social-engineering lures and even new malware.

MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1059.001 - PowerShell | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1005 - Data from Local System

Tags: ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP

Turla: A Galaxy of Opportunity (published: January 5, 2023)

Russia-sponsored group Turla re-registered expired domains for old Andromeda malware to select a Ukrainian target from the existing victims. The Andromeda sample, known since 2013, infected the Ukrainian organization in December 2021 via a user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance; two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022.

Analyst Comment: Advanced groups often use commodity malware to blend their traffic with less sophisticated threats. Turla's tactic of re-registering old but still active C2 domains gives the group a way in to the pool of existing targets. Organizations should be vigilant about all kinds of existing infections and clean them up, even if they are assessed as "less dangerous." All known network and host-based indicators and hunting rules associated
Sent Yes
Tags Ransomware Malware Tool Threat
Stories ChatGPT APT-C-36
Rating ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier source.