One Article Review

Source Anomali
Identifier 8303740
Publication date 2023-01-24 16:30:00 (viewed: 2023-01-24 17:06:38)
Title Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor
Text The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, banking trojans, DNS hijacking, China, infostealers, malvertising, phishing, and smishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023)

In December 2022, the financially motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were served malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted countries for XLoader downloads (in that order). In all but one targeted country, smishing was the initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function: XLoader-infected Android devices targeted specific Wi-Fi routers used mostly in South Korea, logged in with the routers' default credentials, and changed their DNS settings so that requests for legitimate domains were answered with the attackers' malicious landing pages.

Analyst Comment: The XLoader DNS changer function is especially dangerous on free/public Wi-Fi, where a single compromised router serves many devices. Install anti-virus software on your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software.

MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure

Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android

Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023)

ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware, which was itself based on the Android banker Cerberus. Hook adds new capabilities for targeting banking and cryptocurrency-related applications, as well as remote access trojan and spyware functionality. Its device take-over capabilities include remotely viewing and interacting with the screen of the infected device, manipulating files on the device's file system, simulating clicks, filling text boxes, and performing gestures. Hook can start the WhatsApp messaging application, extract all the messages present, and send new ones.

Analyst Comment: Users should take their mobile device security seriously, whether they use the device for social messaging or to access their banking accounts and/or cryptocurrency holdings. Like its predecessors, Hook will likely be used by many threat actors (malware-as-a-service model). That means defending against a wide range of attacks: smishing, prompts to install malicious apps, excessive
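The Roaming Mantis story above turns on one observable: after the router's DNS settings are changed, every client on the Wi-Fi network is handed a resolver it never chose. The script below is an added example (not Anomali's, Kaspersky's or ThreatFabric's code) of the check a practitioner can run on a laptop joined to a suspect network: parse the resolvers the client received, compare them with an allowlist, and flag any resolver that sits outside the LAN and was not configured on purpose, which is the signature of a DNS changer. The resolv.conf contents, the 192.168.0.0/24 LAN range, the allowlist and the 203.0.113.45 address (a documentation-range placeholder, not a real indicator) are all constructed for this example.

```python
"""Audit the DNS resolvers a client received from a Wi-Fi router.

Added example for the Roaming Mantis DNS-changer story. After XLoader logs in
to a router with default credentials and rewrites its DNS settings, clients on
that network still reach the router normally but resolve legitimate domains
through an attacker-chosen resolver. Comparing the resolvers actually in use
against the ones you deliberately configured surfaces that change.
All sample data below is constructed for the example.
"""
import ipaddress
import re

# Constructed /etc/resolv.conf as a Linux client might receive it over DHCP
# after the router's DNS settings were changed. 203.0.113.45 is an RFC 5737
# documentation address used as a placeholder, not a real indicator.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from wlan0.dhcp
nameserver 203.0.113.45
nameserver 192.168.0.1
search lan
"""

# Assumed baseline: the LAN and the resolvers it is allowed to use
# (the router itself plus public resolvers chosen on purpose).
LAN_NETWORK = ipaddress.ip_network("192.168.0.0/24")
ALLOWED_RESOLVERS = {"192.168.0.1", "1.1.1.1", "8.8.8.8"}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf order.

    Entries that are not IP literals are skipped, as the resolver library
    would skip them too; IPv6 addresses are returned in canonical form.
    """
    servers = []
    for match in _NAMESERVER_RE.finditer(resolv_conf):
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue
    return servers


def audit_resolvers(servers, allowed=ALLOWED_RESOLVERS, lan=LAN_NETWORK):
    """Return (ip, verdict) for every resolver that is not on the allowlist.

    An empty list means the configuration matches the baseline. A resolver
    outside the LAN that nobody configured is the DNS-changer signature;
    an unexpected resolver inside the LAN still deserves a look (a rogue
    host answering DNS), so it is reported with a distinct verdict.
    """
    findings = []
    for ip_str in servers:
        if ip_str in allowed:
            continue
        ip = ipaddress.ip_address(ip_str)
        if ip in lan:
            findings.append((ip_str, "unexpected resolver inside LAN"))
        else:
            findings.append(
                (ip_str, "unexpected resolver outside LAN: possible DNS changer")
            )
    return findings


def audit_resolv_conf(resolv_conf: str) -> list[tuple[str, str]]:
    """Parse a resolv.conf and audit its resolvers against the baseline."""
    return audit_resolvers(parse_nameservers(resolv_conf))


if __name__ == "__main__":
    for ip_str, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"{ip_str}: {verdict}")
```

To run it against a real network, feed `audit_resolv_conf` the contents of `/etc/resolv.conf` (Linux) or pass the "DNS Servers" addresses from `ipconfig /all` (Windows) to `audit_resolvers`, after replacing the constructed LAN range and allowlist with your own. A clean result does not prove the router is healthy, since a changer may also be undone or rotated; it only confirms that the resolvers currently in use are the ones you chose.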
Sent Yes
Tags Malware Tool Threat Guideline
Stories APT 15 APT 25
Rating ★★★


The article does not appear to have been republished after its publication.


The article does not appear to be a repeat of an earlier one.