One Article Review

Home - The article:
Source Anomali
Identifier 8305945
Publication date 2023-01-31 17:27:00 (viewed: 2023-01-31 18:08:35)
Title Anomali Cyber Watch: KilllSomeOne Folders Invisible in Windows, Everything APIs Abuse Speeds Up Ransomware, APT38 Experiments with Delivery Vectors and Backdoors
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cryptocurrency, Data leak, Iran, North Korea, Phishing, Ransomware, and USB malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Chinese PlugX Malware Hidden in Your USB Devices? (published: January 26, 2023)
Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically skilled group, possibly the Black Basta ransomware group. The actors use special shortcuts, folder icons and settings to make folders impersonate disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character, which hinders Windows Explorer and the command shell from displaying the folder and all the files inside it.
Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side-loading, adding registry persistence, and payload execution with rundll32.exe. Incident responders can check USB devices for the presence of a no-break space as a folder name.
MITRE ATT&CK: [MITRE ATT&CK] T1091 - Replication Through Removable Media | [MITRE ATT&CK] T1559.001 - Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1027 - Obfuscated Files or Information | [MITRE ATT&CK] T1564.001 - Hidden Files and Directories | [MITRE ATT&CK] T1105 - Ingress Tool Transfer
Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows
Abraham's Ax Likely Linked to Moses Staff (published: January 26, 2023)
Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity, Abraham's Ax, was created to target government ministries in Saudi Arabia. Cobalt Sapling uses its custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware.
Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with an
Sent Yes
Tags Ransomware Malware Tool Threat Medical
Stories APT 38
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.