One Article Review

Source: Contagio
Identifier: 8311492
Publication date: 2023-02-18 03:02:00 (viewed: 2023-02-18 08:05:58)
Title: Malware Arsenal used by Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples)
Text: 2023-02-18

Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) is an Advanced Persistent Threat (APT) group believed to be based in Russia. Their primary targets have been diplomatic and government entities in Europe, particularly Ukraine, and the United States. They have also targeted various industries, including defense, energy, and technology.

Download the full collection. Email me if you need the password (see in my profile) (209 MB; 218 samples listed in the hash tables below).

The malware arsenal collected here includes:
- Elephant framework (GrimPlant (Backdoor) and GraphSteel (Stealer))
- Graphiron Backdoor
- OutSteel (LorecDocStealer)
- BabaDeda
- Cobalt Strike (Beacon)
- SaintBot Downloader
- WhisperGate Wiper

APT Group Description

APT Group aliases:
- UAC-0056 (UA CERT)
- Ember Bear (CrowdStrike)
- Saint Bear (F-Secure)
- UNC2589 (FireEye, IBM)
- Lorec53 (NSFOCUS)
- TA471 (Proofpoint)
- Nodaria (Symantec)
- Nascent Ursa (Palo Alto)
- LorecBear
- Bleeding Bear (Elastic)
- DEV-0586 (Microsoft)

The group is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. The group primarily targets Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. The group is known for using various malicious implants such as GrimPlant, GraphSteel, and CobaltStrike Beacon, as well as spear phishing attacks with macro-embedded Excel documents. In January 2022, the group performed a destructive wiper attack on multiple Ukrainian government computers and websites, known as WhisperGate. The Lorec53 group is a new type of APT group fi
Sent: Yes
Tags: Ransomware, Malware, Hack Tool, Vulnerability, Threat, Medical
Rating: ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.