One Article Review

Home - The article:
Source Anomali
Identifier 8318511
Publication date 2023-03-14 17:32:00 (viewed: 2023-03-14 18:07:16)
Title Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam
Text Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More.

The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023)

Newer versions of the Xenomorph Android banking trojan can target 400 applications: cryptocurrency wallets and mobile banking apps from around the world, with the top targeted countries being Spain, Turkey, Poland, the USA, and Australia (in that order). Since February 2022, several small test campaigns of Xenomorph have been detected. Its current version, Xenomorph v3 (detected as Xenomorph.C), is offered under a Malware-as-a-Service model. This version was delivered through the Zombinder binding service, which bundles the trojan with a legitimate currency converter app. Xenomorph v3 automatically collects and exfiltrates credentials and uses an ATS (Automated Transfer System) framework to automate the fraudulent transactions themselves. Its command-and-control traffic is blended in with legitimate traffic by abusing the Discord Content Delivery Network.

Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware family whose prevalence on the threat landscape may increase significantly. Users should keep their mobile devices updated and use mobile antivirus and VPN protection services. Install only the applications you actually need, use the official store, and check the app description and reviews. Be especially wary of any app that asks for Accessibility Service access, since that permission is what enables the overlay and ATS capabilities of banking trojans such as Xenomorph.
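The article says the attached IOCs can be used to check your logs, and that Xenomorph v3 hides its C2 traffic inside the Discord CDN. The script below is an added example (not Anomali's code and not part of the original article) of what such a hunt looks like over web-proxy logs: exact matching against an IOC domain list plus a looser hunting heuristic for non-browser Android clients pulling attachments from the Discord CDN. The IOC values, the proxy log format and the sample log lines are constructed placeholders; the Discord CDN hostnames are an assumption drawn from the article's statement about CDN abuse, and the heuristic will produce false positives from legitimate apps that embed Discord content.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed placeholder IOCs (NOT real indicators): replace with the domains
# exported from the Anomali Cyber Watch IOC attachment.
IOC_DOMAINS = {"c2-placeholder.invalid"}

# Assumption: hostnames of the Discord CDN that the article says Xenomorph
# abuses to blend its command-and-control traffic with legitimate requests.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Constructed proxy-log format:
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    url: str
    reason: str


def parse_line(line: str):
    """Return the fields of one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["host"] = (urlsplit(fields["url"]).hostname or "").lower()
    return fields


def is_browser(ua: str) -> bool:
    """Crude browser check: real browsers send a leading Mozilla/ token."""
    return ua.startswith("Mozilla/")


def classify(fields) -> list:
    """Reasons a single request deserves attention (may be several)."""
    reasons = []
    if fields["host"] in IOC_DOMAINS:
        reasons.append("ioc:domain")
    # Hunting heuristic, not an IOC: a non-browser client (e.g. okhttp, the
    # usual Android HTTP stack) fetching from the Discord CDN. Expect false
    # positives from legitimate apps that embed Discord-hosted content.
    if fields["host"] in DISCORD_CDN_HOSTS and not is_browser(fields["ua"]):
        reasons.append("hunt:discord-cdn-nonbrowser")
    return reasons


def hunt(lines):
    """Run both checks over an iterable of log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        for reason in classify(fields):
            findings.append(Finding(fields["ts"], fields["src"], fields["url"], reason))
    return findings


def summarize(findings):
    """Per-client view, so triage starts with devices that trip more than one check."""
    by_src = defaultdict(set)
    for f in findings:
        by_src[f.src].add(f.reason)
    return {src: sorted(reasons) for src, reasons in by_src.items()}


# Constructed sample log: one Android client hits both the placeholder IOC and
# the Discord CDN from a non-browser client; a browser fetching a Discord image
# and an unrelated request must not be flagged; a malformed line is skipped.
SAMPLE_LOG = """\
2023-03-10T09:01:02Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/1111/2222/data.bin 200 "okhttp/4.9.3"
2023-03-10T09:01:05Z 10.0.0.21 GET https://c2-placeholder.invalid/gate.php 200 "okhttp/4.9.3"
2023-03-10T09:02:10Z 10.0.0.35 GET https://cdn.discordapp.com/attachments/3333/4444/photo.png 200 "Mozilla/5.0 (Linux; Android 13) Chrome/111.0"
2023-03-10T09:03:00Z 10.0.0.40 GET https://example.com/index.html 200 "Mozilla/5.0 (Linux; Android 13) Chrome/111.0"
malformed line
"""

if __name__ == "__main__":
    for src, reasons in summarize(hunt(SAMPLE_LOG.splitlines())).items():
        print(src, ", ".join(reasons))
```

Treat the two reasons differently in triage: an `ioc:domain` hit is a match against published indicators, while `hunt:discord-cdn-nonbrowser` is only a lead that needs the client device, installed apps and the fetched attachment examined before anything is concluded.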
Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating their brand that security teams typically do not search for or monitor.

MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: GUI Input Capture

Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android

Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023)

A new campaign by the Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Guideline Conference
Stories APT 35, ChatGPT, APT 36, APT 42
Notes ★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.