One Article Review

Source: ProofPoint
Identifier: 8386764
Publication date: 2023-09-20 05:00:00 (viewed: 2023-09-22 16:02:53)
Title: Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
Text:

Key Takeaways

Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. The newly observed ValleyRAT is emerging as a new malware family within Chinese-themed cybercrime activity, while Sainbox RAT and related variants have recently been active as well. The increase in Chinese-language malware activity indicates an expansion of the Chinese malware ecosystem, either through increased availability of, or easier access to, payloads and target lists, or through increased activity by Chinese-speaking cybercrime operators.

Overview

Since early 2023, Proofpoint has observed an increase in the email distribution of malware associated with suspected Chinese cybercrime activity. This includes attempted delivery of the Sainbox Remote Access Trojan (RAT), a variant of the commodity trojan Gh0stRAT, and the newly identified ValleyRAT malware. After years of this malware not appearing in Proofpoint threat data, its appearance in multiple campaigns over the last six months is notable.

The phrase "Chinese-themed" is used to describe any of the observed content related to this malicious activity, including lures, malware, targeting, and any metadata that contains Chinese-language usage. Campaigns are generally low-volume and are typically sent to global organizations with operations in China. The email subjects and content are usually written in Chinese and are typically related to business themes such as invoices, payments, and new products. The targeted users have Chinese-language names spelled with Chinese characters, or specific company email addresses that appear to align with the businesses' operations in China. Although most campaigns have targeted Chinese-speaking users, Proofpoint observed one campaign targeting Japanese organizations, suggesting a potential expansion of activity.
These recently identified activity clusters have demonstrated flexible delivery methods, using both simple and moderately complex techniques. Most commonly, the emails contain URLs linking to compressed executables that install the malware. However, Proofpoint has also observed Sainbox RAT and ValleyRAT delivered via Excel and PDF attachments that contain URLs linking to compressed executables.

Proofpoint researchers assess that the multiple campaigns delivering Sainbox RAT and ValleyRAT share some tactics, techniques, and procedures (TTPs). However, research into additional activity clusters using these malware families shows enough variety in infrastructure, sender domains, email content, targeting, and payloads that researchers currently conclude that the use of these malware families and the associated campaigns is not attributable to a single cluster, but more likely to multiple distinct activity sets.

The emergence and uptick of both novel and older Chinese-themed malware demonstrates a new trend in the overall 2023 threat landscape. A blend of historic malware such as Sainbox, a variant of the older Gh0stRAT, and the newly uncovered ValleyRAT may challenge the dominance that the Russian-speaking cybercrime market holds over the threat landscape. However, Chinese-themed malware is currently mostly aimed at users who likely speak Chinese. Proofpoint continues to monitor for evidence of increasing adoption across other languages.

For network defenders, we include several indicators of compromise and Emerging Threats detections to give the community the ability to cover these threats.

Campaign Details

Proofpoint has observed over 30 campaigns in 2023 leveraging malware typically associated with Chinese cybercrime activity. Nearly all lures are in Chinese, although Proofpoint has also observed messages in Japanese targeting organizations in that country.
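The delivery chain described above (a Chinese-language, business-themed lure whose body, or whose Excel or PDF attachment, carries a URL to a compressed executable) lends itself to a simple mail-gateway triage rule. The script below is an added example written for this page, not Proofpoint's code or detection content. It builds a constructed sample message (all addresses and hostnames are placeholders under .invalid, not indicators from the article), extracts URLs from the text body, from the XML parts inside an .xlsx container and from PDF /URI link actions, and flags the message when the subject contains CJK characters and any URL points at an archive. The archive-extension list and the CJK subject heuristic are assumptions for illustration; the article's own indicators and Emerging Threats signatures remain the authoritative detections.

```python
"""Triage mail for the lure pattern described above: a Chinese-language
business-themed subject plus URLs to compressed executables, either in the
body or inside Excel/PDF attachments. Added example, not Proofpoint code."""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Assumed archive extensions used to ship "compressed executables".
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|gz)$", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
CJK_RE = re.compile(r"[\u4e00-\u9fff]")          # CJK Unified Ideographs
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]+)\)")  # PDF link actions


def urls_from_xlsx(data: bytes) -> list[str]:
    """An .xlsx is a zip of XML parts; cell text and hyperlink targets live
    under xl/ (sharedStrings.xml, worksheets, _rels), so scan those parts."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/") and name.endswith(".xml"):
                urls += URL_RE.findall(zf.read(name).decode("utf-8", "replace"))
    return urls


def urls_from_pdf(data: bytes) -> list[str]:
    """Pull the targets of /URI link actions straight out of the PDF bytes
    (links inside compressed object streams would need inflating first)."""
    return [m.decode("latin-1") for m in PDF_URI_RE.findall(data)]


def triage(raw: bytes) -> dict:
    """Return every archive URL found in the message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = str(msg["subject"] or "")
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype in ("text/plain", "text/html"):
            found += URL_RE.findall(part.get_content())
        elif name.endswith(".xlsx") or ctype.endswith("spreadsheetml.sheet"):
            found += urls_from_xlsx(part.get_payload(decode=True))
        elif name.endswith(".pdf") or ctype == "application/pdf":
            found += urls_from_pdf(part.get_payload(decode=True))
    archive_urls = sorted({u for u in found if ARCHIVE_RE.search(u.split("?", 1)[0])})
    cjk_subject = bool(CJK_RE.search(subject))
    verdict = "review" if cjk_subject and archive_urls else "pass"
    return {"cjk_subject": cjk_subject, "archive_urls": archive_urls, "verdict": verdict}


def build_sample_eml() -> bytes:
    """Constructed sample (placeholder hosts under .invalid, not real IOCs):
    an invoice/payment lure with one URL in the body, one inside an .xlsx
    shared-strings part and one inside a PDF /URI action."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "发票及付款通知"   # "invoice and payment notice"
    msg.set_content("请查收本月发票：\nhttps://cdn.example.invalid/files/invoice_2023.zip\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # minimal .xlsx-shaped container
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>https://dl.example.invalid/付款明细.rar</t></si></sst>")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="invoice.xlsx")
    pdf = (b"%PDF-1.4\n1 0 obj << /S /URI /URI (https://dl.example.invalid/order.7z) >> endobj\n"
           b"%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="order.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

The check deliberately stops at "review" rather than "block": a CJK subject with an archive link is exactly what a legitimate Chinese invoice can look like, so the output is meant to feed a sandbox or analyst queue, where the downloaded archive can be detonated and compared against the article's indicators.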
Gh0stRAT / Sainbox

Proofpoint has observed an increase in a variant of Gh0stRAT that Proofpoint researchers refer to as Sainbox. Sainbox was first i
Tags: Malware, Tool, Threat, Prediction


The article does not appear to have been picked up after its publication.


The article does not appear to repeat an earlier one.