One Article Review

Home - The article:
Source Anomali
Identifier 8314193
Publication date 2023-02-28 16:15:00 (viewed: 2023-02-28 17:06:26)
Title Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, DLL sideloading, Infostealers, Phishing, Social engineering, and Tunneling. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

WinorDLL64: A Backdoor From The Vast Lazarus Arsenal? (published: February 23, 2023)

When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor reuses some of Wslink's functions and the Wslink-established TCP connection, which is encrypted with a 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by the North Korea-sponsored Lazarus Group.

Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovative advanced persistent threat groups like Lazarus frequently release new versions of their custom malware, so it is important for network defenders to draw on the knowledge of the wider security community by adding relevant premium feeds and automating controls via Anomali Platform integrations.
MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001 - Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1106 - Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012 - Query Registry | [MITRE ATT&CK] T1082 - System Information Discovery | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery
Sent Yes
Tags Ransomware Malware Tool Threat Medical Cloud
Stories APT 38
Notes
The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.