Home - The article:
Source |
RiskIQ |
Identifier |
8570004 |
Publication date |
2024-09-04 20:38:54 (viewed: 2024-09-04 21:18:24) |
Title |
Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion (Recycled) |
Text |
#### Targeted geolocations
- China
## Snapshot
Trend Micro researchers have discovered a new multiplatform backdoor named KTLVdoor, developed in Golang, that targets both Microsoft Windows and Linux environments.
## Description
This malware, attributed by Trend Micro to the Chinese threat actor Earth Lusca, is highly obfuscated and uses the names of legitimate system utilities such as SSHD, Java and Bash to avoid detection. KTLVdoor gives attackers full control of infected systems: they can run remote commands, manipulate files and perform port scans. Its configuration uses custom encryption techniques to complicate analysis, and it employs a unique TLV-like format to handle commands and network communications. More than 50 command-and-control (C&C) servers associated with this campaign were hosted by a Chinese company, Alibaba. Although Earth Lusca is tied to many of these samples, it is unclear whether the entire infrastructure is exclusive to them or shared with other Chinese-speaking actors.
The complexity and scale of the attack suggest it could be part of early-stage testing for a broader campaign. So far, the only known target is a trading company in China, indicating a pattern similar to other Chinese-speaking groups such as Iron Tiger and Void Arachne, which have previously targeted Chinese entities.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203E-5155-4B5E-AF74-21562B1004D5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/def |
Notes |
★★★
|
Sent |
Yes |
Digest |
|
Tags |
Ransomware
Malware
Tool
Threat
Prediction
|
Stories |
APT 27
|
Move |
|
Re-posts of the article (1):
Source |
RiskIQ |
Identifier |
8569206 |
Publication date |
2024-09-03 16:34:56 (viewed: 2024-09-03 17:18:19) |
Title |
The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers Voldemort |
Text |
## Snapshot
Proofpoint researchers have uncovered a unique malware campaign that they have dubbed "Voldemort."
## Description
This campaign, which Proofpoint assesses is likely motivated by espionage, involves the use of a custom backdoor with capabilities for intelligence gathering and payload delivery. The malware is distributed via phishing emails that impersonate tax authorities in various countries, including the U.S., UK, France, Germany, Italy, India, and Japan, targeting over 70 organizations worldwide.
The emails use tactics such as fake sender domains and Google AMP Cache URLs to redirect victims to malicious landing pages. Once the target engages, the malware utilizes unconventional methods for command and control (C2), like Google Sheets and WebDAV shares, to avoid detection. Notably, the malware's attack chain involves a Windows Explorer prompt that masquerades a remote file as a local PDF, increasing the likelihood of victim interaction.
Proofpoint notes that while the campaign's phishing tactics resemble those of cybercriminals, the advanced features of the Voldemort malware suggest an interest in espionage. The attackers have leveraged multiple evolving techniques, including abusing Windows search protocols and using Cloudflare tunnels for anonymity. The campaign's scale and sophistication indicate it may be the work of an advanced persistent threat (APT), though attribution to a specific group remains uncertain.
## Additional Analysis
Threat actors may impersonate tax authorities because these entities are universally recognized, trusted, and often feared due to their role in managing sensitive financial and personal information. By posing as tax agencies, attackers can exploit common fears and concerns about tax compliance and penalties to increase the likelihood that recipients will open emails, click on malicious links, or download attachments.
The sense of urgency and authority associated with communications from tax bodies like the IRS or HM Revenue & Customs makes recipients less cautious, leading to a higher success rate for phishing and malware delivery campaigns. Furthermore, tax-related lures can be easily customized to target specific individuals or organizations by referencing local tax laws and regulations, increasing the credibility and effectiveness of these attacks across different regions. Read Microsoft's [special report on tax season security](https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/tax-season-cybersecurity-what-cybercriminals-want-and-who-they-target-most-is-it-you) for more information.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://lear |
Notes |
★★★
|
Sent |
Yes |
Digest |
|
Tags |
Ransomware
Malware
Tool
Threat
|
Stories |
|
Move |
|
The article resembles 1 other article(s):
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-09-05 16:44:40 |
(Déjà vu) Analyzing the Mekotio Trojan (direct link) |
## Snapshot
Researchers at Cyfirma released an article about Mekotio Trojan, a sophisticated piece of malware that uses a PowerShell-based dropper to distribute its payload.
## Description
The dropper is heavily obfuscated, employing techniques like custom XOR decryption to hide key details. Upon execution, the dropper gathers system information and communicates with a command-and-control (C2) server to receive additional payloads and instructions. It also ensures persistence by modifying system settings to execute the malware upon system startup.
Key functions of the PowerShell script include generating random strings, decoding encrypted data, retrieving system details, checking for antivirus software, and managing file transfers via TCP connections. The malware's primary payload consists of executable and script files, which are extracted, renamed, and executed. The dropper creates shortcuts to these payloads and adds them to the Windows registry to maintain persistence. Observed C2 communication suggests the threat actors may be of Portuguese or Brazilian origin.
## Additional Analysis
Threat actors frequently use PowerShell in their attacks due to its powerful capabilities, deep integration with the Windows operating system, and the fact that it is a trusted and pre-installed tool on nearly all Windows systems. Unlike other scripting languages, PowerShell allows attackers to interact directly with the Windows API, manipulate system settings, and execute commands in memory, making detection more challenging for traditional antivirus solutions that rely on file-based signatures.
PowerShell's versatility allows threat actors to write sophisticated scripts that can download additional payloads, obfuscate commands, perform privilege escalation, and achieve persistence on the infected system. Additionally, PowerShell scripts can be easily obfuscated to evade detection and analysis, leveraging techniques like base64 encoding, string concatenation, or custom encryption methods. The ability to run in-memory (fileless) attacks without leaving traces on the disk further complicates detection by endpoint protection tools. Overall, PowerShell's flexibility, stealth, and integration with Windows make it an attractive choice for threat actors seeking to conduct effective and evasive attacks.
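As an added example (not code from the Cyfirma report or from Microsoft), the following Python triages PowerShell command lines the way a detection engineer would after reading the description above: it decodes -EncodedCommand payloads, collapses simple string concatenation, and scores the dropper behaviours the write-up names (XOR decoding, base64 decoding, TCP transfers, Run-key persistence, shortcut creation, antivirus checks). The indicator names, weights, alert threshold and sample command lines are constructed assumptions, not values from the report.

```python
import base64
import re
# Behaviours the Mekotio write-up attributes to the dropper; names and weights are assumptions.
INDICATORS = {
    "xor_decode": (re.compile(r"-bxor", re.I), 2),
    "base64_decode": (re.compile(r"FromBase64String", re.I), 1),
    "tcp_transfer": (re.compile(r"Net\.Sockets\.TcpClient", re.I), 2),
    "run_key_persistence": (re.compile(r"CurrentVersion\\Run", re.I), 2),
    "shortcut_creation": (re.compile(r"CreateShortcut", re.I), 1),
    "av_enumeration": (re.compile(r"AntiVirusProduct", re.I), 1),
}
ALERT_THRESHOLD = 4  # assumed cut-off for raising an alert
# -EncodedCommand may be abbreviated (-e, -ec, -enc ...); the payload is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-e[ncodema]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Return the script text, decoding an -EncodedCommand payload if one is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: fall back to the raw command line

def unsplice_strings(script: str) -> str:
    """Collapse simple concatenation ('Fro'+'mBase64String') so split keywords still match."""
    return re.sub(r"['\"]\s*\+\s*['\"]", "", script)

def score_script(cmdline: str) -> dict:
    """Decode, de-obfuscate and score one PowerShell command line."""
    text = unsplice_strings(decode_encoded_command(cmdline))
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[h][1] for h in hits)
    return {"score": score, "hits": hits, "alert": score >= ALERT_THRESHOLD}

def encode_ps(script: str) -> str:
    """Build an -EncodedCommand payload (used here only to construct the sample below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample command lines, not taken from the Cyfirma report.
DROPPER_LIKE = encode_ps(
    "$k=[Convert]::('Fro'+'mBase64String')($b); $d=$k | % { $_ -bxor 0x5A };"
    "New-Object Net.Sockets.TcpClient('203.0.113.10',443);"
    "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name upd -Value $p"
)
SAMPLES = [
    "powershell.exe -nop -w hidden -enc " + DROPPER_LIKE,
    "powershell.exe -Command Get-ChildItem C:\\Logs | Measure-Object",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(score_script(sample))
```

In production the same scoring would run over PowerShell script block logging (Event ID 4104) or EDR process-creation telemetry rather than a hardcoded list.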
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-pro |
Ransomware
Malware
Tool
Threat
|
|
★★
|
|
|