One Article Review

Home - The article:
Source RiskIQ
Identifier 8571535
Publication date 2024-09-06 20:50:58 (viewed: 2024-09-06 21:18:21)
Title APT Lazarus: Eager Crypto Beavers, Video Calls and Games
(Recycling)
Text
## Snapshot
Group-IB published a report detailing the activity of the Lazarus Group, which targets job seekers through fake interviews. The campaign lures victims into downloading malware disguised as a Node.js project that contains the BeaverTail malware, eventually leading to the deployment of a Python backdoor known as InvisibleFerret.

## Description
The infection chain begins when victims are contacted through job-search platforms such as LinkedIn, Moonlight or Upwork. Conversations are then often moved to Telegram, where victims are tricked into downloading a fake video-conferencing application or a Node.js project for a supposed interview task. These applications are in fact malicious, containing payloads that steal sensitive data from browsers, cryptocurrency wallets and other sources.

BeaverTail, initially developed by the threat actors as a JavaScript-based tool, has evolved to include native macOS and Python versions. The Windows version arrives via an installer file named FCCCall, which poses as a legitimate video-conferencing application. Upon execution, FCCCall mimics legitimate software interfaces while running malicious background processes that exfiltrate browser credentials, cryptocurrency wallet data and more.

The BeaverTail Python variant introduced modular components, collectively named CivetQ, which expand the malware's capabilities. The CivetQ modules focus on tasks such as keylogging, clipboard theft, browser data exfiltration and establishing persistence on Windows, macOS and Linux. The Python version also configures AnyDesk for unattended access, allowing the attackers to maintain a foothold on compromised systems without user interaction.

InvisibleFerret, a Python-based backdoor, is another significant component used in these campaigns. It features remote control, keylogging and browser data theft capabilities, with recent updates incorporating more advanced obfuscation techniques and additional data exfiltration methods, including via Telegram. BeaverTail and InvisibleFerret are under active development, with frequent updates deployed to improve stealth and efficiency.

The Lazarus Group also uses malicious repositories on code-sharing platforms to distribute trojanized Node.js projects. These repositories often target professionals in the cryptocurrency and gaming sectors by masquerading as legitimate development projects. Lazarus continuously updates these repositories, employing obfuscation techniques and manipulating repository visibility to evade detection.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Micr
Rating ★★
Sent Yes
Tags Ransomware Malware Tool Threat
Stories APT 38


Reprints of the article (1):
Source RiskIQ
Identifier 8570653
Publication date 2024-09-05 16:44:40 (viewed: 2024-09-05 17:18:12)
Title Analyzing the Mekotio Trojan
(Recycling)
Text
## Snapshot
Researchers at Cyfirma released an article about the Mekotio Trojan, a sophisticated piece of malware that uses a PowerShell-based dropper to distribute its payload.

## Description
The dropper is heavily obfuscated, employing techniques like custom XOR decryption to hide key details. Upon execution, the dropper gathers system information and communicates with a command-and-control (C2) server to receive additional payloads and instructions. It also ensures persistence by modifying system settings to execute the malware upon system startup. Key functions of the PowerShell script include generating random strings, decoding encrypted data, retrieving system details, checking for antivirus software, and managing file transfers via TCP connections. The malware's primary payload consists of executable and script files, which are extracted, renamed, and executed. The dropper creates shortcuts to these payloads and adds them to the Windows registry to maintain persistence. Observed C2 communication suggests the threat actors may be of Portuguese or Brazilian origin.

## Additional Analysis
Threat actors frequently use PowerShell in their attacks due to its powerful capabilities, deep integration with the Windows operating system, and the fact that it is a trusted and pre-installed tool on nearly all Windows systems. Unlike other scripting languages, PowerShell allows attackers to interact directly with the Windows API, manipulate system settings, and execute commands in memory, making detection more challenging for traditional antivirus solutions that rely on file-based signatures. PowerShell's versatility allows threat actors to write sophisticated scripts that can download additional payloads, obfuscate commands, perform privilege escalation, and achieve persistence on the infected system.

Additionally, PowerShell scripts can be easily obfuscated to evade detection and analysis, leveraging techniques like base64 encoding, string concatenation, or custom encryption methods. The ability to run in-memory (fileless) attacks without leaving traces on the disk further complicates detection by endpoint protection tools. Overall, PowerShell's flexibility, stealth, and integration with Windows make it an attractive choice for threat actors seeking to conduct effective and evasive attacks.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-pro
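The Recommendations sections of both entries above (the Lazarus and the Mekotio write-ups) list the same Defender mitigations as portal links. The following PowerShell is an added example, not code from the RiskIQ write-ups or from Microsoft: it reads the local Microsoft Defender Antivirus configuration with the standard `Get-MpPreference` and `Get-MpComputerStatus` cmdlets and reports which of those mitigations are not in effect on the host. The function names are my own; the script assumes the Defender PowerShell module is present and that it is run from an elevated session.

```powershell
# Added example (not from the RiskIQ/Microsoft write-ups): compare the local
# Defender Antivirus settings against the mitigations recommended above.
# Assumes the Defender module (Get-MpPreference / Get-MpComputerStatus) exists
# and the session is elevated. Function names are hypothetical.

function Get-DefenderMitigationStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (cloud-delivered protection).
    # EnableControlledFolderAccess / EnableNetworkProtection: 0 = Disabled, 1 = Enabled, 2 = Audit.
    # AMRunningMode reports e.g. 'Normal', 'Passive Mode' or 'EDR Block Mode'; the
    # recommendation is met when Defender is active or running in EDR block mode.
    [PSCustomObject]@{
        CloudDeliveredProtection = ($pref.MAPSReporting -ge 1)
        ControlledFolderAccess   = ($pref.EnableControlledFolderAccess -eq 1)
        NetworkProtection        = ($pref.EnableNetworkProtection -eq 1)
        TamperProtection         = [bool]$status.IsTamperProtected
        ActiveOrEdrBlockMode     = ($status.AMRunningMode -in @('Normal', 'EDR Block Mode'))
    }
}

function Show-MissingMitigations {
    param(
        # Only the three settings that are controlled locally are changed when -Remediate
        # is given; EDR block mode, automated investigation level and tamper protection
        # are managed from the Defender portal or Intune and are reported only.
        [switch]$Remediate
    )
    $s = Get-DefenderMitigationStatus
    $missing = $s.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object { $_.Name }

    if (-not $missing) {
        Write-Host 'All checked mitigations are in effect.'
        return
    }
    foreach ($name in $missing) { Write-Warning "Mitigation not in effect: $name" }

    if ($Remediate) {
        if (-not $s.CloudDeliveredProtection) { Set-MpPreference -MAPSReporting Advanced }
        if (-not $s.ControlledFolderAccess)   { Set-MpPreference -EnableControlledFolderAccess Enabled }
        if (-not $s.NetworkProtection)        { Set-MpPreference -EnableNetworkProtection Enabled }
    }
}

# Report only; add -Remediate to switch on the locally configurable settings.
Show-MissingMitigations
```

Controlled folder access and network protection can be rolled out in audit mode first (`AuditMode` instead of `Enabled`) so that blocked file writes and connections appear in the Defender event log before enforcement is turned on.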
Rating ★★
Sent Yes
Tags Ransomware Malware Tool Threat
Stories


The article does not appear to have been picked up from an earlier one.