Source: RiskIQ
Identifier: 8569206
Publication date: 2024-09-03 16:34:56 (viewed: 2024-09-03 17:18:19)
Title: The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers Voldemort
## Snapshot

Proofpoint researchers have uncovered a unique malware campaign that they have dubbed "Voldemort."

## Description

This campaign, which Proofpoint assesses is likely motivated by espionage, involves the use of a custom backdoor with capabilities for intelligence gathering and payload delivery. The malware is distributed via phishing emails that impersonate tax authorities in various countries, including the U.S., UK, France, Germany, Italy, India, and Japan, targeting over 70 organizations worldwide. The emails use tactics such as fake sender domains and Google AMP Cache URLs to redirect victims to malicious landing pages. Once the target engages, the malware uses unconventional command-and-control (C2) channels, such as Google Sheets and WebDAV shares, to avoid detection. Notably, the attack chain involves a Windows Explorer prompt that masquerades a remote file as a local PDF, increasing the likelihood of victim interaction.

Proofpoint notes that while the campaign's phishing tactics resemble those of cybercriminals, the advanced features of the Voldemort malware suggest an interest in espionage. The attackers have leveraged multiple evolving techniques, including abusing Windows search protocols and using Cloudflare tunnels for anonymity. The campaign's scale and sophistication indicate it may be the work of an advanced persistent threat (APT), though attribution to a specific group remains uncertain.

## Additional Analysis

Threat actors may impersonate tax authorities because these entities are universally recognized, trusted, and often feared due to their role in managing sensitive financial and personal information. By posing as tax agencies, attackers can exploit common fears and concerns about tax compliance and penalties to increase the likelihood that recipients will open emails, click on malicious links, or download attachments. The sense of urgency and authority associated with communications from tax bodies like the IRS or HM Revenue & Customs makes recipients less cautious, leading to a higher success rate for phishing and malware delivery campaigns. Furthermore, tax-related lures can be easily customized to target specific individuals or organizations by referencing local tax laws and regulations, increasing the credibility and effectiveness of these attacks across different regions. Read Microsoft's [special report on tax season security](https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/tax-season-cybersecurity-what-cybercriminals-want-and-who-they-target-most-is-it-you) for more information.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://lear
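The mitigations listed above are the standard Microsoft Defender hardening set. As an added example (not code from the page, Microsoft or Proofpoint), the script below applies the settings that Defender Antivirus exposes locally through `Set-MpPreference` (cloud-delivered protection, controlled folder access, network protection) and then reports the state of every item in the list, including tamper protection and EDR in block mode, which are turned on from the Microsoft Defender portal or Intune rather than from the endpoint and can only be verified here. The function names `Enable-DefenderMitigations` and `Get-DefenderMitigationStatus` are this example's own; it assumes an elevated PowerShell session on a Windows host with Microsoft Defender Antivirus installed.

```powershell
# Added example, not from the page, Microsoft or Proofpoint. Assumes an elevated
# session on a Windows host running Microsoft Defender Antivirus.
#Requires -RunAsAdministrator

function Enable-DefenderMitigations {
    # Cloud-delivered protection: MAPS "Advanced" reporting plus sample submission.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples

    # Controlled folder access. On hosts where line-of-business software writes to
    # protected folders, run with AuditMode first and review the events before Enabled.
    Set-MpPreference -EnableControlledFolderAccess Enabled

    # Network protection blocks connections to low-reputation domains and IPs.
    Set-MpPreference -EnableNetworkProtection Enabled
}

function Get-DefenderMitigationStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # EDR in block mode only applies when Defender AV is not the primary engine.
    # AMRunningMode is 'Normal' (Defender AV active), 'Passive Mode' (another AV is
    # primary and Defender does not remediate) or 'EDR Block Mode' (passive, but
    # Defender for Endpoint remediates what EDR detects). 'Passive Mode' is the gap.
    $edrOk = $status.AMRunningMode -in @('Normal', 'EDR Block Mode')

    [pscustomobject]@{
        CloudDeliveredProtection = ($pref.MAPSReporting -eq 2)                  # 2 = Advanced
        ControlledFolderAccess   = ($pref.EnableControlledFolderAccess -eq 1)   # 1 = Enabled
        NetworkProtection        = ($pref.EnableNetworkProtection -eq 1)        # 1 = Enabled
        RealTimeProtection       = [bool]$status.RealTimeProtectionEnabled
        TamperProtection         = [bool]$status.IsTamperProtected              # portal/Intune
        EdrBlockModeOrActiveAV   = $edrOk                                       # portal
        AMRunningMode            = $status.AMRunningMode
    }
}

Enable-DefenderMitigations
$report = Get-DefenderMitigationStatus
$report | Format-List

# Exit non-zero when any boolean check failed, so the script can gate a baseline audit.
$missing = $report.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object Name
if ($missing) {
    Write-Warning ("Mitigations not in place: " + ($missing -join ', '))
    exit 1
}
```

Run it once per host after the portal-side settings have been pushed; a `TamperProtection` or `EdrBlockModeOrActiveAV` of `False` in the report means the endpoint has not yet received that policy, not that the script failed, since neither can be set with `Set-MpPreference`.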
Tags: Ransomware, Malware, Tool, Threat
The article does not appear to have been picked up elsewhere after its publication.


This article resembles 1 other article:

Source: RiskIQ
Date (GMT): 2024-09-04 20:38:54 (déjà vu)
Title: Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

#### Targeted geolocations

- China

## Snapshot

Trend Micro researchers have discovered a new multiplatform backdoor named KTLVdoor, developed in Golang and targeting both Microsoft Windows and Linux environments.

## Description

This malware, attributed by Trend Micro to the Chinese threat actor Earth Lusca, is heavily obfuscated and uses the names of legitimate system utilities such as sshd, Java and Bash to evade detection. KTLVdoor gives attackers full control of infected systems: they can run remote commands, manipulate files and perform port scans. Its configuration uses custom encryption techniques to complicate analysis, and it relies on a unique TLV-like format to handle commands and network communications. More than 50 command-and-control (C&C) servers associated with this campaign were hosted by a Chinese company, Alibaba. Although Earth Lusca is linked to many of these samples, it is unclear whether all of the infrastructure is exclusive to the group or shared with other Chinese-speaking actors.

The complexity and scale of the attack suggest that it could be part of early-stage testing for a broader campaign. So far, the only known target is a trading company in China, indicating a pattern similar to other Chinese-speaking groups such as Iron Tiger and Void Arachne, which have previously targeted Chinese entities.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Turn on [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/def

Tags: Ransomware, Malware, Tool, Threat, Prediction, APT 27