One Article Review

Home - The article:
Source RiskIQ.webp RiskIQ
Identifier 8594953
Publication date 2024-10-09 17:00:18 (viewed: 2024-10-09 17:18:17)
Title Yunit Stealer
YUNIT STEALER
Text

## Snapshot

Cyfirma has identified a new [information stealer](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), Yunit Stealer, designed to extract sensitive data, including system information, credentials, cookies, and cryptocurrency wallets.

## Description

The malware uses JavaScript and various persistence techniques, such as modifying Windows registry keys and disabling Windows Defender. It uses Discord and Telegram webhooks for data exfiltration. The malware employs obfuscation to evade detection and uses PowerShell commands to hide its actions. Yunit Stealer's developer is believed to be based in France, with ties to gaming platforms. The malware is particularly adept at gathering and exfiltrating browser data and cryptocurrency information by manipulating common system utilities and files. In addition, it uses scheduled tasks and registry modifications to ensure it remains active on compromised systems. The malware's code includes geofencing capabilities, allowing it to operate selectively based on geographic location. Cyfirma's investigation suggests that the developer has a history of malicious projects and is actively involved in gaming-related communities, which may influence their development of this stealer. Yunit Stealer's techniques, particularly its persistence mechanisms and its ability to bypass security measures, make it a capable information-stealing threat.

## Microsoft Analysis

Cybercriminals are increasingly using messaging apps like Discord and Telegram as private communication channels, to spread [information stealers](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), and to exfiltrate targeted data. These platforms offer several advantages that make them attractive to threat actors.

Firstly, Telegram and Discord provide a combination of simplicity, security, and anonymity that allows cybercriminals to communicate easily, either in private chats or public channels, without the oversight common in traditional underground forums. Telegram, in particular, enables [encrypted communication](https://tsf.telegram.org/manuals/e2ee-simple) and has been criticized for a "laissez-faire approach to privacy policies," which malicious actors might perceive as bolstering the security of their operations. Additionally, these platforms support features like webhooks and bots, which are exploited by attackers to distribute malware and conduct phishing attacks. For instance, Discord's webhooks, initially designed for notifications, can be misused to exfiltrate data collected by information stealers by sending it to attacker-controlled channels through HTTPS requests. This misuse of webhooks complicates monitoring and blocking efforts because the webhook traffic blends in with the many legitimate apps that use the same endpoints and is carried over the same encrypted channel. Discord's content delivery network (CDN) is also [exploited by cybercriminals](https://www.resecurity.com/blog/article/millions-of-undetectable-malicious-urls-generated-via-the-abuse-of-public-cloud-and-web-30-services) to host malware payloads, making it an effective distribution tool. As these platforms offer both robust automation capabilities and discreet communication options, they have become increasingly attractive to cybercriminals looking to bypass traditional security measures and reach a wider audience.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click]
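As an added illustration of the webhook misuse described above (example code written for this review, not from Cyfirma's or Microsoft's report), a small Python detector that flags outbound POSTs to Discord webhook and Telegram bot API endpoints in a constructed proxy log and totals the bytes each internal host pushed to them; the host list, URL patterns and log format are assumptions.

```python
import re
from urllib.parse import urlparse

# Endpoints the Yunit Stealer write-up names as exfiltration channels:
# Discord webhooks and the Telegram bot API (host list is an assumption).
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "api.telegram.org"}
WEBHOOK_PATHS = [
    ("discord_webhook", re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[\w-]+")),
    ("telegram_bot_api", re.compile(r"^/bot\d+:[\w-]+/send(?:Document|Message|Photo)$")),
]

# Constructed proxy log format: ts src method url status bytes_out "user-agent".
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one proxy log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev

def classify(ev):
    """Return the webhook kind for an outbound POST to a known exfil endpoint, else None."""
    if ev["method"] != "POST":
        return None
    u = urlparse(ev["url"])
    if u.hostname not in WEBHOOK_HOSTS:
        return None
    for kind, pat in WEBHOOK_PATHS:
        if pat.match(u.path):
            return kind
    return None

def find_webhook_exfil(lines):
    """One hit per log line that looks like data being pushed to a Discord/Telegram webhook."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev) if ev else None
        if kind:
            hits.append({"ts": ev["ts"], "src": ev["src"], "kind": kind, "bytes": ev["bytes"]})
    return hits

def summarize_by_source(hits):
    """Aggregate hits per internal source address: (number of posts, total bytes sent)."""
    summary = {}
    for h in hits:
        n, total = summary.get(h["src"], (0, 0))
        summary[h["src"]] = (n + 1, total + h["bytes"])
    return summary

# Constructed sample log (not real traffic); webhook ids and tokens are placeholders.
SAMPLE_LOG = """\
2024-10-09T17:00:01Z 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/CONSTRUCTED_TOKEN 204 48213 "Mozilla/5.0"
2024-10-09T17:00:02Z 10.0.0.5 GET https://discord.com/channels/@me 200 1024 "Mozilla/5.0"
2024-10-09T17:00:03Z 10.0.0.7 POST https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN/sendDocument 200 73210 "Mozilla/5.0"
2024-10-09T17:00:04Z 10.0.0.9 POST https://example.com/upload 200 5000 "Mozilla/5.0"
2024-10-09T17:00:05Z 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/CONSTRUCTED_TOKEN 204 120 "Mozilla/5.0"
"""
```

A webhook POST from a workstation that never legitimately runs a Discord bot is the signal to chase; the byte totals per source help separate a one-off notification from a bulk upload.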
Notes ★★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat


The article does not appear to have been picked up after its publication.


The article resembles 3 other article(s):
Src Date (GMT) Title Description Tags Stories Notes
RiskIQ.webp 2024-10-09 18:13:00 (Déjà vu) Vilsa Stealer
VILSA STEALER
(direct link)
## Snapshot

Cyfirma recently identified a sophisticated malware called "Vilsa Stealer" on GitHub. The malware is designed to discreetly and efficiently extract sensitive data.

## Description

Vilsa Stealer targets information from various sources like browsers, cryptocurrency wallets, Discord, Steam, and Telegram, among others. Written in Python, it employs encryption to obfuscate its behavior and uses advanced techniques to bypass security measures. Vilsa Stealer also ensures persistence by copying itself into the Windows Startup folder, enabling it to run at each boot. One of its key functions is targeting browser extensions to steal cryptocurrency wallet data, while another feature terminates processes associated with security analysis tools like Wireshark or Process Hacker. The malware also checks for virtual machines and terminates if one is detected. It uploads stolen data to a remote server using the GoFile API and encrypts files, making detection harder. An additional payload, "hvnc.py", gives remote access to compromised systems, evading security with UAC bypass techniques. CYFIRMA's investigation revealed that the malware uploads stolen data to a server linked to a suspicious IP address, which points to a spyware panel associated with a Telegram channel. The malware's sophisticated capabilities make it a potent tool in the cybercriminal landscape.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenti

Ransomware Spam Malware Tool Threat ★★★
RiskIQ.webp 2024-10-10 19:46:52 (Déjà vu) Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
(direct link)
## Snapshot

Morphisec Threat Labs has identified sophisticated Lua malware variants targeting the education sector, exploiting in particular the popularity of Lua-based game engine add-ons among students.

## Description

The malware is delivered through obfuscated Lua scripts downloaded from platforms such as GitHub, which are less likely to be detected than compiled Lua bytecode. These downloads typically include a Lua compiler, a Lua DLL, an obfuscated script, and a batch file to run the script. On execution, the loader communicates with a command-and-control (C2) server, sending details about the infected machine and receiving tasks to maintain persistence, hide processes, and download new payloads and configurations. The malware uses search engine optimization (SEO) poisoning and is associated with popular cheat script engines such as Solara and Electron, often used with Roblox. It uses anti-reverse-engineering techniques, including an obfuscation technique that hinders analysis by detecting attempts to reformat the code, and uses the Foreign Function Interface (FFI) library to execute C code directly.

The malware collects information about the victim, establishes persistence through scheduled tasks, and can bypass Windows Defender with elevated privileges. The C2 server issues commands for the loader to execute, or tasks to load additional payloads, with fallback mechanisms to connect to alternate addresses if they are blocked. Notably, the malware leads to the deployment of infostealers such as RedLine, which harvests credentials for sale on the dark web. The malware's capabilities include downloading additional payloads, executing files, and setting files as hidden, with various methods such as DLL injection and PowerShell scripts to maintain persistence and evade detection.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-meth

Ransomware Malware Tool Threat ★★★
RiskIQ.webp 2024-10-10 21:39:16 (Déjà vu) Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
(direct link)
## Snapshot

Trustwave's threat intelligence team has discovered a new malware called Pronsis Loader, which delivers the primary payloads [Lumma Stealer](https://security.microsoft.com/intel-profiles/3393357882548511c30b0728d3c4f8b5ca20e41c285a56f796eb39f57531ad) and [Latrodectus](https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/analyzing-latrodectus-the-new-face-of-malware-loaders/).

## Description

Pronsis Loader is similar to D3F@ck Loader in that both use JPHP-compiled executables. JPHP, a programming language derived from PHP, is uncommon among threat actors. JPHP was used by IceRat in [2020](https://security.microsoft.com/intel-explorer/articles/6fe5599a), then by D3F@ck in [2024](https://www.essentire.com/blog/Exploration-the-d3f-ck-malware-as-a-service-chargedeur). Pronsis Loader differs from D3F@ck in its deployment method, using the Nullsoft Scriptable Install System (NSIS), a popular tool for building Windows installers. One of its main evasion techniques is excluding the user profile from its targeting, which makes detection harder for some security solutions. Pronsis Loader makes no use of certificates, including SSL certificates, and drops files into the %TEMP% directory, hiding the malicious files among benign ones. Trustwave's analysis found that Pronsis Loader consistently uses the same source path naming convention, `E:\Lab\Orders\`, and follows a specific naming convention for its zip files. These files typically combine three words in the file name, the third word usually being "pro".

Researchers have observed Pronsis Loader mainly delivering the Lumma Stealer payload and, in some cases, Latrodectus malware. Lumma Stealer downloads its payload from a specified URL and decodes an encrypted DLL file. The infrastructure linked to Lumma Stealer includes several IP addresses and open directories used to store malicious files, with the command-and-control (C2) server identified as "situitbsoqp[.]shop/api". Latrodectus is distributed through phishing emails and establishes persistence via a scheduled task named "Updater" and a mutex named "Runnung". It operates by executing the payload from a downloaded archive file, which then drops and runs additional components of the Latrodectus malware. The malware's C2 servers include "restoreviner[.]com/test/" and "peronikilinfer[.]com/test/".

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachm

Ransomware Spam Malware Tool Threat ★★★