Source |
RiskIQ |
Identifier |
8561536 |
Publication date |
2024-08-21 16:17:58 (viewed: 2024-08-21 17:18:29) |
Title |
Meet UULoader: An Emerging and Evasive Malicious Installer (Recycled) |
Text |
#### Targeted Geolocations
- China
- Korea
## Snapshot
Cyberint researchers have detected an increase in the use of malicious Windows installer files (.msi) to spread malware. One of these is a malicious installer named UULoader, which masquerades as legitimate applications or update installers to target Korean and Chinese speakers.
## Description
This malware employs sophisticated evasion techniques, such as file header stripping, to avoid detection by security software. UULoader's core components are hidden in a Microsoft Cabinet (.cab) file, which includes stripped and obfuscated executables. The malware installs itself under the guise of a legitimate application, often accompanied by a decoy file to distract the user.
Once executed, UULoader deploys its payload, typically remote access tools like Gh0stRAT, and registers itself as an exclusion in Windows Defender. Despite its complex deployment chain, UULoader has maintained low detection rates on platforms like VirusTotal, highlighting its effectiveness. Although Cyberint researchers do not know the specific threat actor behind UULoader, they assess that the actor likely has Chinese origins.
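An added defender-side check, not part of the Cyberint or RiskIQ report: because UULoader registers itself as a Microsoft Defender exclusion, this PowerShell script lists the current path, process and extension exclusions, flags path exclusions under user-writable locations, and pulls recent exclusion changes from the Defender operational log (Event ID 5007). The list of "suspicious" roots is an assumption of this example; run it in an elevated session on a host with Microsoft Defender Antivirus.

```powershell
# Added example (not from the report): audit Microsoft Defender exclusions.
# Requires an elevated PowerShell session on Windows with Defender Antivirus.

# Locations an installer-dropped payload typically lives in; an exclusion that
# covers them deserves a closer look. (Heuristic list, assumed by this example.)
$suspiciousRoots = @(
    $env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
    $env:ProgramData, $env:PUBLIC
) | Where-Object { $_ }

$pref = Get-MpPreference

Write-Host "== Path exclusions =="
foreach ($path in $pref.ExclusionPath) {
    $flag = ""
    foreach ($root in $suspiciousRoots) {
        if ($path -like "$root*") { $flag = "  <-- user/temp-writable location" }
    }
    Write-Host "$path$flag"
}

Write-Host "== Process exclusions =="
$pref.ExclusionProcess | ForEach-Object { Write-Host $_ }

Write-Host "== Extension exclusions =="
$pref.ExclusionExtension | ForEach-Object { Write-Host $_ }

# Event ID 5007 in the Defender operational log records configuration changes,
# including newly added exclusions; show the ones from the last 7 days.
Write-Host "== Exclusion changes in the last 7 days (Event ID 5007) =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Forward the 5007 events to your SIEM if you want the same check as a standing detection rather than a one-off audit.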
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203E-5155-4B5E-AF74-21562B1004D5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
|
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
|
Stories |
|
Move |
|
Source |
RiskIQ |
Identifier |
8561043 |
Publication date |
2024-08-20 20:51:50 (viewed: 2024-08-20 21:18:22) |
Title |
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset |
Texte |
#### Targeted Geolocations
- Israel
- United States
## Snapshot
Researchers at Proofpoint have identified a new cyber-espionage campaign by the Iranian threat actor TA453, targeting a prominent Jewish religious figure with a fake podcast interview invitation.
## Description
TA453 actors targeted multiple email accounts belonging to the victim, including their organizational email address and personal email address, in attempts to deploy a new malware toolkit called BlackSmith, which loads the group's PowerShell trojan dubbed AnvilEcho.
AnvilEcho consolidates previous TA453 malware capabilities into a single script, enhancing its intelligence-gathering potential. The trojan has a number of functions, some of which are enhanced versions of malware modules previously used by TA453. Notably, AnvilEcho contains Redo-It and Do-It functions to conduct reconnaissance and exfiltrate information to TA453-controlled infrastructure.
According to Proofpoint, TA453 has been observed targeting a series of diplomatic and political entities, including embassies in Tehran and US political campaigns. While Proofpoint is unable to link TA453 to individual members of the Islamic Revolutionary Guard Corps (IRGC), they assess that this campaign is likely part of intelligence collection efforts in support of the IRGC.
## Microsoft Analysis
Microsoft Threat Intelligence assesses that the malicious activity described in this report is attributed to [Mint Sandstorm](https://security.microsoft.com/intel-profiles/05c5c1b864581c264d955df783455ecadf9b98471e408f32947544178e7bd0e3) based on the indicators of compromise (IOCs) and the group's previously observed tactics, techniques, and procedures (TTPs). Microsoft has observed Mint Sandstorm using some of the same infrastructure to target other prominent figures in Israel.
Proofpoint's report aligns with Microsoft's observations of previous Mint Sandstorm activity, as the group has been known to obtain initial access through spear-phishing campaigns and to target individuals and organizations in Israel and the United States. Mint Sandstorm is a composite name used to describe several subgroups of activity with ties to the Islamic Revolutionary Guard Corps (IRGC). Read more about [Mint Sandstorm](https://security.microsoft.com/intel-profiles/05c5c1b864581c264d955df783455ecadf9b98471e408f32947544178e7bd0e3) and the group's [past activity](https://security.microsoft.com/intel-explorer/articles/0d1182f5).
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protecti |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
|
Stories |
|
Move |
|