One Article Review

Source Anomali
Identifier 8307984
Publication date 2023-02-07 17:23:00 (viewed: 2023-02-07 18:07:01)
Title Anomali Cyber Watch: MalVirt Obfuscates with KoiVM Virtualization, IceBreaker Overlay Hides V8 Bytecode Runtime Interpretation, Sandworm Deploys Multiple Wipers in Ukraine
Text
The threat intelligence stories in this iteration of the Anomali Cyber Watch cover the following topics: APT, data leak, malvertising, North Korea, proxying, Russia, typosquatting, Ukraine, and wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

No Pineapple! - DPRK Targeting of Medical Research and Technology Sector (published: February 2, 2023)

From August to November 2022, the North Korea-sponsored group Lazarus engaged in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group shifted its infrastructure away from domains to solely IP-based addressing. For initial compromise, the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off-the-shelf malware (Cobalt Strike, JspFileBrowser, the JspSpy webshell, and the WSO webshell), abused legitimate Windows and Unix tools (such as PuTTY SCP), and used proxying tools (3Proxy, Plink, and Stunnel). Two custom malware families unique to North Korea-based advanced persistent threat actors were also observed: a new version of Grease, which enables RDP access on the host, and the Dtrack infostealer.

Analyst Comment: Organizations should keep their mail servers and other publicly-facing systems up to date with the latest security patches. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic, so suspicious connections and events should be monitored, detected, and acted upon. Use the available YARA signatures and known indicators.
MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1059 - Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002 - System Services: Service Execution | [MITRE ATT&CK] T1106 - Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History and Configurations
Sent Yes
Tags Threat, Malware, Tool, Medical
Stories APT 38
Rating ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.