Source |
ProofPoint |
Identifier |
8566420 |
Publication date |
2024-08-29 05:00:36 (viewed: 2024-08-29 21:17:13) |
Title |
The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” |
Text |
Key findings
Proofpoint researchers identified an unusual campaign delivering malware that the threat actor named “Voldemort”.
Proofpoint assesses with moderate confidence the goal of the activity is to conduct espionage.
The activity impersonated tax authorities from governments in Europe, Asia, and the U.S. and targeted dozens of organizations worldwide.
The ultimate objective of the campaign is unknown, but Voldemort has capabilities for intelligence gathering and to deliver additional payloads.
Voldemort's attack chain has unusual, customized functionality, including the use of Google Sheets for command and control (C2) and of a saved search file hosted on an external share.
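The saved-search lure in the key findings above is worth a concrete triage check. The following is an added example, not Proofpoint's code and not anything recovered from the campaign: it parses the two forms a Windows saved search takes, a `search-ms:` protocol URI (whose `crumb=location:` and `subquery=` parameters name the locations Explorer will open) and a `.search-ms` XML file (whose `<scope><include path=...>` entries do the same), and flags every scope path that points at a remote UNC or WebDAV host. The hostnames, paths and file contents are constructed samples, and the parameter names and XML layout are stated from general knowledge of the format rather than taken from the article.

```python
"""Triage Windows saved-search (search-ms) lures for remote scope paths.

Added example: parses search-ms: URIs and .search-ms files and flags any
search scope that resolves to a UNC/WebDAV host outside the machine.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# UNC path, including the WebDAV client form \\host@SSL@443\DavWWWRoot\...
# The accepted host forms are an assumption made for this example.
UNC_RE = re.compile(r"^\\\\([A-Za-z0-9._-]+)(?:@SSL)?(?:@\d{1,5})?\\", re.IGNORECASE)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_host(path):
    """Return the lower-cased host when *path* is a remote UNC/WebDAV location, else None."""
    m = UNC_RE.match(path.strip())
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in LOCAL_HOSTS else host


def parse_search_ms_uri(uri):
    """Split a search-ms: URI into {parameter: [values]}.

    crumb= may repeat, so every parameter maps to a list; values are
    percent-decoded because lure pages carry them URL-encoded.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.strip().lower() != "search-ms":
        raise ValueError("not a search-ms URI")
    params = {}
    for part in rest.split("&"):
        key, eq, value = part.partition("=")
        if eq:
            params.setdefault(key.lower(), []).append(unquote(value))
    return params


def scope_paths_from_uri(uri):
    """Every location the search opens: crumb=location:<path> and subquery=<file>."""
    params = parse_search_ms_uri(uri)
    paths = []
    for crumb in params.get("crumb", []):
        kind, _, value = crumb.partition(":")
        if kind.lower() == "location" and value:
            paths.append(value)
    paths.extend(v for v in params.get("subquery", []) if v)
    return paths


def scope_paths_from_file(xml_text):
    """Scope paths from a saved .search-ms file: <query><scope><include path=.../>."""
    root = ET.fromstring(xml_text)
    return [inc.get("path") for inc in root.iter("include") if inc.get("path")]


def triage(uri=None, search_ms_xml=None):
    """Return (path, host, is_remote) for each scope path found in the inputs."""
    paths = []
    if uri:
        paths += scope_paths_from_uri(uri)
    if search_ms_xml:
        paths += scope_paths_from_file(search_ms_xml)
    return [(p, remote_host(p), remote_host(p) is not None) for p in paths]


# Constructed samples: hostnames, paths and query terms are invented for this example.
SAMPLE_URI = (
    "search-ms:query=notice"
    "&crumb=location:%5C%5Cfiles.example.invalid%40SSL%5CDavWWWRoot%5Ctax"
    "&displayname=Downloads"
    "&subquery=%5C%5Cfiles.example.invalid%40SSL%5CDavWWWRoot%5Ctax%5Cnotice.search-ms"
)

SAMPLE_SEARCH_MS = """<?xml version="1.0"?>
<persistedQuery version="1.0">
  <query>
    <conditions>
      <condition type="leafCondition" property="System.FileName"
                 operator="wordmatch" value="*.pdf"/>
    </conditions>
    <kindList><kind name="item"/></kindList>
    <scope>
      <include path="C:\\Users\\Public\\Documents" attributes="2047"/>
      <include path="\\\\203.0.113.10@SSL@443\\DavWWWRoot\\share" attributes="2047"/>
    </scope>
  </query>
</persistedQuery>
"""

if __name__ == "__main__":
    for path, host, is_remote in triage(SAMPLE_URI, SAMPLE_SEARCH_MS):
        flag = "REMOTE " + host if is_remote else "local"
        print(f"{flag:40} {path}")
```

Run stand-alone it prints each scope path with the host it would reach; in a mail-gateway or sandbox pipeline the rows flagged remote are the ones to pivot on, since a tax notice has no legitimate reason to open a search scoped to a third party's WebDAV server.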
Overview
In August 2024, Proofpoint researchers identified an unusual campaign using a novel attack chain to deliver custom malware. The threat actor named the malware “Voldemort” based on internal filenames and strings used in the malware.
The attack chain comprises multiple techniques currently popular within the threat landscape as well as uncommon methods for command and control (C2), such as the use of Google Sheets. Its combination of tactics, techniques, and procedures (TTPs), lure themes impersonating government agencies of various countries, and odd file naming and passwords like “test” is notable. Researchers initially suspected the activity might be a red team exercise; however, the large volume of messages and analysis of the malware quickly indicated it was a threat actor.
Proofpoint assesses with moderate confidence this is likely an advanced persistent threat (APT) actor with the objective of intelligence gathering. However, Proofpoint does not have enough data to attribute with high confidence to a specific named threat actor (TA). Despite the widespread targeting and characteristics more typically aligned with cybercriminal activity, the nature of the activity and capabilities of the malware show more interest in espionage rather than financial gain at this time.
Voldemort is a custom backdoor written in C. It has capabilities for information gathering and for dropping additional payloads. Proofpoint observed Cobalt Strike hosted on the actor's infrastructure, and it is likely one of the payloads that would be delivered.
Campaign details
Volume and targeting
Beginning on 5 August 2024, the malicious activity included over 20,000 messages impacting over 70 organizations globally. The first wave of messages included a few hundred messages daily but then spiked on 17 August with nearly 6,000 total messages.
Messages purported to be from various tax authorities notifying recipients about changes to their tax filings. Throughout the campaign the actor impersonated tax agencies in the U.S. (Internal Revenue Service), the UK (HM Revenue & Customs), France (Direction Générale des Finances Publiques), Germany (Bundeszentralamt für Steuern), and Italy (Agenzia delle Entrate), and, from 19 August, also India (Income Tax Department) and Japan (National Tax Agency). Each lure was customized and written in the language of the authority being impersonated.
Proofpoint analysts correlated the language of the emails with public information available on a select number of targets and found that the threat actor chose the lure based on each intended victim's country of residence, rather than the country in which the targeted organization operates or a country or language that could be inferred from the email address. For example, certain targets in a multinational European organization received emails impersonating the IRS because their publicly available information linked them to the US. In some cases, it appears that the threat actor mixed up the country of residence when the target shared the same (but uncommon) name as a better-known person with a larger public presence.
Emails were sent from suspected compromised domains, with the actor including th |
Rating |
★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
Technical
|