Source |
RiskIQ |
Identifier |
8574025 |
Publication date |
2024-09-10 15:39:55 (viewed: 2024-09-10 16:18:16) |
Title |
Earth Preta Evolves its Attacks with New Malware and Strategies |
Text |
## Snapshot
Trend Micro has analyzed recent enhancements to the cyberattack capabilities of the group Earth Preta (also known as Mustang Panda and tracked by Microsoft as [Twill Typhoon](https://security.microsoft.com/intel-profiles/01aef6bb1a4cd12178aca7fceb848002164b83bf375fa33699ed4c5523b4fd3c)), achieved through the introduction of new tools and malware variants.
## Description
Earth Preta is now using a variant of the HIUPAN worm, known as PUBLOAD, to propagate its attacks. This worm variant, which spreads through removable drives, is a key component of the group's strategy and deploys PUBLOAD for initial reconnaissance. PUBLOAD gathers system information and network details, setting the stage for further attacks. Following this, tools such as FDMTP, a straightforward malware downloader, and PTSOCKET, which facilitates data exfiltration, are deployed.
Their spear-phishing campaigns have also evolved, utilizing multi-stage downloaders such as DOWNBAIT and PULLBAIT. These downloaders lead to the deployment of additional malware like CBROVER and PLUGX, enhancing the depth and reach of their attacks. These campaigns are meticulously planned, targeting specific sectors and countries within the APAC region, often focusing on government entities.
The combination of sophisticated malware, advanced phishing techniques, and targeted attacks makes Earth Preta a formidable threat to businesses and organizations, necessitating robust and continuous defensive measures to mitigate these risks.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Reduce the attack surface. Microsoft customers can turn on the following [attack surface reduction rules](https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction?ocid=magicti_ta_learndoc) to block or audit some observed activity associated with this threat:
- [Block untrusted and unsigned processes that run from USB](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-untrusted-and-unsigned-processes-that-run-from-usb)
- [Block executable content from email client and webmail](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-content-from-email-client-and-webmail)
- [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
Prevent drives from using autorun and code launch on insertion or mount. This can be done via [registry settings](https://learn.microsoft.com/en-us/windows/win32/shell/autoplay-reg#using-the-registry-to-disable-autorun?ocid=magicti_ta_learndoc) or via Group Policy.
Configure Microsoft Defender Antivirus scans and updates to include scanning of removable drives. The Set-MpPreference cmdlet configures preferences for Microsoft Defender Antivirus scans and updates. The following command lets you scan removable drives (the parameter takes a Boolean value, so the value must be supplied):

```powershell
Set-MpPreference -DisableRemovableDriveScanning $False
```

This parameter indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan. If you specify a value of $False or do not specify a value, Microsoft Defender Antivirus scans removable drives during any type of scan. If you specify a value of $True, Microsoft Defender Antivirus does not scan removable drives during a full scan. Microsoft Defender Antivirus can still scan removable drives during quick scans or custom scans.
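The three Defender-side mitigations above (the attack surface reduction rules, the removable-drive scan setting and the autorun policy) applied and then verified in one script, as an added example that is not part of the original advisory. The ASR rule GUIDs are Microsoft's documented identifiers for the three rules named above; the registry values under the Explorer policy key are the standard autorun policy values, and the script assumes an elevated PowerShell session on a host with Microsoft Defender Antivirus.

```powershell
# Added example, not Microsoft's or RiskIQ's code. Run elevated.
# ASR rule IDs (Microsoft's documented GUIDs) for the three recommended rules.
$AsrRules = @{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet a prevalence, age, or trusted list criterion'
}

# Start in AuditMode to observe what would be blocked; switch to 'Enabled' after review.
$Mode = 'AuditMode'

foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
}

# $False means removable drives ARE scanned during full scans (the advisory's setting).
Set-MpPreference -DisableRemovableDriveScanning $False

# Autorun policy: NoDriveTypeAutoRun 0xFF disables AutoRun for every drive type,
# NoAutorun 1 stops Explorer from processing autorun.inf at all.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Set-ItemProperty -Path $PolicyKey -Name NoAutorun -Value 1 -Type DWord

# Verification: read the effective preferences back and report each rule's state.
# Action codes returned by Get-MpPreference: 0 Disabled, 1 Enabled, 2 AuditMode, 6 Warn.
$StateNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$pref = Get-MpPreference
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($AsrRules.ContainsKey($ids[$i])) {   # hashtable lookup is case-insensitive
        $state = $StateNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        '{0,-10} {1}' -f $state, $AsrRules[$ids[$i]]
    }
}
'Removable drives scanned in full scans: {0}' -f (-not $pref.DisableRemovableDriveScanning)
$autorun = Get-ItemProperty -Path $PolicyKey
'NoDriveTypeAutoRun=0x{0:X2}  NoAutorun={1}' -f $autorun.NoDriveTypeAutoRun, $autorun.NoAutorun
```

Audit events for the rules appear in the Microsoft-Windows-Windows Defender/Operational log while in AuditMode, which is the place to review impact before switching to Enabled.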
Follow best practices when developing applications to ensure the [DLLs load securely](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?ocid=magicti_ta_le |
Notes |
★★★
|
Sent |
Yes |
Digest |
Tags |
Malware
Tool
Threat
Prediction
|
Stories |
|