One Article Review

Home - The article:
Source RiskIQ
Identifier 8580783
Publication date 2024-09-20 19:42:19 (viewed: 2024-09-20 20:18:10)
Title WebDAV Malicious File Hosting Powering Stealthy Malware Attacks
(Recycled)
Text
## Snapshot
A new attack method has emerged that leverages WebDAV technology to host malicious files. This technique, which aids in the distribution of the Emmenhtal loader, also known as PeakLight, has been under investigation since December 2023.
## Description
The Sekoia TDR team identified over 100 malicious WebDAV servers involved in distributing the Emmenhtal loader. These servers host weaponized “.lnk” files designed to download further malicious payloads using “mshta.exe”, a legitimate Windows executable. The diversity of malware payloads suggests that this WebDAV infrastructure may be part of a more extensive cybercriminal operation offering infrastructure as a service (IaaS) to multiple threat actors. The Emmenhtal loader, also known as PeakLight, is notorious for its stealthy, memory-only execution and its role in distributing various infostealers worldwide. The wide range of malware indicates that multiple threat actors use the same service, and the repeated use of specific AS providers over several months points to a centralized service offering. The infrastructure supporting the Emmenhtal loader represents a sophisticated operation likely offered as a service to various cybercriminals. Its ability to deliver multiple malware payloads while maintaining stealth underscores the evolving threat landscape.
## Microsoft Analysis
[PeakLight](https://security.microsoft.com/intel-explorer/articles/a1d5fe95) is a memory-only dropper that uses ZIP files disguised as pirated movies to deploy a PowerShell-based downloader. This fileless malware is challenging to detect because it operates within trusted applications like PowerShell; it allows attackers to execute malicious activities discreetly, maintain persistence, and evade most security defenses.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of information stealer threats.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/mdo-about?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/en-us/defender-office-365/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/en-us/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.m
Notes ★★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat
Reposts of the article (1):
Source RiskIQ
Identifier 8579832
Publication date 2024-09-19 20:13:20 (viewed: 2024-09-19 20:18:14)
Title Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware
Text
## Snapshot
Cyfirma has published a report on Gomorrah Stealer, a .NET-based information-stealing malware that operates under a malware-as-a-service (MaaS) model.
## Description
This sophisticated malware targets a wide range of sensitive data, including passwords, credit card details, web browser cookies, VPNs, cryptocurrency wallets, messaging applications, and FTP clients. It uses evasion techniques such as debugger and virtual environment detection, modifies the Windows registry for persistence, and uses pure .NET-based intermediate language (IL) code with just-in-time (JIT) compilation to resist static analysis. Gomorrah Stealer infiltrates systems by dropping a DLL file, relocating its executables, and creating directories in the temp folder to organize harvested data. It captures system information, installed programs, and running processes, and takes screenshots. After exfiltrating the data to a command-and-control (C2) server, it deletes the local files to cover its tracks. The malware is distributed via a Telegram channel, backed by a threat actor named 'Lucifer', who also promotes it on social media platforms like YouTube and Facebook.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows He
Notes ★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat
The article resembles 1 other article(s):
Src Date (GMT) Title Description Tags Stories Notes
Source RiskIQ
Date (GMT) 2024-09-20 20:53:14
Title (Already seen) Behind the CAPTCHA: A Clever Gateway of Malware (direct link)
Description
## Snapshot
McAfee Labs recently identified a malware campaign leveraging fake CAPTCHA pages to distribute malware, including [Lumma Stealer](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad), a malicious program that targets sensitive information like cryptocurrency wallets and 2FA browser extensions.
## Description
The campaign is global, with infections spreading via two main vectors: cracked game download links and phishing emails targeting GitHub users. In one vector, users searching for pirated game software are redirected to malicious CAPTCHA pages, where they are tricked into executing a PowerShell script that installs the malware. In the second vector, phishing emails posing as GitHub security alerts direct users to similar CAPTCHA pages. In both cases, a malicious script is copied to the clipboard and executed via the Windows Run command, bypassing traditional security measures. The script uses multi-layer encryption and the mshta utility to obscure its true purpose, downloading and running Lumma Stealer. By storing the malware in the Temp folder, attackers avoid detection, ensuring successful infection and data exfiltration.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the pr
Tags Ransomware Spam Malware Tool Threat
Notes ★★★