One Article Review

The article:
Source: RiskIQ
Identifier: 8579832
Publication date: 2024-09-19 20:13:20 (viewed: 2024-09-19 20:18:14)
Title: Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware
Text:

## Snapshot

Cyfirma has published a report on Gomorrah Stealer, a .NET-based information-stealing malware that operates under a malware-as-a-service (MaaS) model.

## Description

This sophisticated malware targets a wide array of sensitive data, including passwords, credit card details, web browser cookies, VPNs, cryptocurrency wallets, messaging applications, and FTP clients. It employs evasion techniques such as debugger and virtual environment detection, modifies the Windows registry for persistence, and uses pure .NET-based Intermediate Language (IL) code with just-in-time (JIT) compilation to resist static analysis.

Gomorrah Stealer infiltrates systems by dropping a DLL file, relocating its executables, and creating directories in the temp folder to organize harvested data. It captures system information, installed programs, and running processes, and takes screenshots. After exfiltrating the data to a command-and-control (C2) server, it deletes the local files to cover its tracks. The malware is distributed via a Telegram channel backed by a threat actor named 'Lucifer,' who also promotes it on social media platforms such as YouTube and Facebook.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows He
Notes: ★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat


The article does not appear to have been picked up again after its publication.


The article resembles 2 other article(s):
Source: RiskIQ
Date (GMT): 2024-09-20 16:51:05 (Déjà vu)
Title: Clever 'GitHub Scanner' campaign abusing repos to push malware

## Snapshot

Bleeping Computer reports a new phishing campaign that abuses GitHub repositories to distribute the [Lumma Stealer](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad) malware, targeting users through the platform's "Issues" feature.

## Description

Malicious GitHub users file false "security vulnerability" reports on open-source projects to lure users into visiting a counterfeit "GitHub Scanner" website. The email alerts are sent from legitimate GitHub servers, originating from the legitimate GitHub email address, notifications@github.com, and signed "Best regards, Github Security Team" in the message body, in an attempt to make the messages appear more authentic. In the email, users are asked to contact "github-scanner[.]com," a domain not affiliated with GitHub, to learn more about the alleged security issue. When users visit the fraudulent domain, they're prompted with a fake captcha, which copies malicious JavaScript code to their clipboard. A subsequent screen instructs them to execute the Windows Run command and paste the copied code. This triggers a PowerShell script that downloads the file 'l6E.exe' from the malicious domain, which is equipped with anti-detection and persistence capabilities. The file is saved as "SysSetup.exe" in a temporary directory and, when executed, installs the Lumma Stealer malware. Lumma Stealer is designed to steal credentials, cookies, browsing history, and cryptocurrency wallets from the infected device. Bleeping Computer previously [reported](https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-password-stealing-malware-masked-as-fixes/) that Lumma Stealer has been linked to similar attacks aiming to steal developers' credentials and compromise source code for potential supply chain attacks.

## Recommendations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Organizations can also leverage web browsers that automatically [identify and block malicious websites](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), including those used in this phishing campaign. To build resilience against phishing attacks in general, organizations can use [anti-phishing policies](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide) to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling [SafeLinks](https://docs.microsoft.com/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide) ensures real-time protection by scanning at time of delivery and at time of click.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-firs

Tags: Ransomware, Spam, Malware, Tool, Threat
Notes: ★★
Source: RiskIQ
Date (GMT): 2024-09-20 19:42:19 (Déjà vu)
Title: WebDAV Malicious File Hosting Powering Stealthy Malware Attacks

## Snapshot

A new method of attack has emerged that leverages WebDAV technology to host malicious files. This technique, which aids in the distribution of the Emmenhtal loader, also known as PeakLight, has been under investigation since December 2023.

## Description

The Sekoia TDR team identified over 100 malicious WebDAV servers involved in distributing the Emmenhtal loader. These servers host weaponized “.lnk” files designed to download further malicious payloads using “mshta.exe,” a legitimate executable. The diversity of malware payloads suggests that this WebDAV infrastructure may be part of a more extensive cybercriminal operation offering IaaS to multiple threat actors. The Emmenhtal loader, also known as PeakLight, is notorious for its stealthy, memory-only execution and its role in distributing various infostealers worldwide. The wide range of malware indicates that multiple threat actors utilize the same service, and the repeated use of specific AS providers over several months points to a centralized service offering. The infrastructure supporting the Emmenhtal loader represents a sophisticated operation likely offered as a service to various cybercriminals. Its ability to deliver multiple malware payloads while maintaining stealth underscores the evolving threat landscape in cybersecurity.

## Microsoft Analysis

The memory-only dropper named [PeakLight](https://security.microsoft.com/intel-explorer/articles/a1d5fe95) uses ZIP files disguised as pirated movies to deploy a PowerShell-based downloader. This fileless malware, challenging to detect because it operates within trusted applications like PowerShell, allows attackers to execute malicious activities discreetly, maintaining persistence and evading most security defenses.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of information stealer threats.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/mdo-about?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/en-us/defender-office-365/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/en-us/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.m

Tags: Ransomware, Spam, Malware, Tool, Threat
Notes: ★★★