The article:
Source: RiskIQ
Identifier: 8594980
Publication date: 2024-10-09 18:13:00 (viewed: 2024-10-09 18:18:28)
Title: VILSA STEALER (Recycling)
Text:
## Snapshot
Cyfirma recently identified a sophisticated malware called “Vilsa Stealer” on GitHub. The malware is designed to discreetly and efficiently extract sensitive data.
## Description
Vilsa Stealer targets information from various sources such as browsers, cryptocurrency wallets, Discord, Steam, and Telegram, among others. Written in Python, it employs encryption to obfuscate its behavior and uses advanced techniques to bypass security measures. Vilsa Stealer also ensures persistence by copying itself into the Windows Startup folder, so that it runs at each boot.
One of its key functions targets browser extensions to steal cryptocurrency wallet data, while another terminates processes associated with security analysis tools such as Wireshark or Process Hacker. The malware also checks for virtual machines and terminates if one is detected. It uploads stolen data to a remote server using the GoFile API and encrypts the files, making detection harder.
An additional payload, "hvnc.py," gives remote access to compromised systems, evading security controls with UAC bypass techniques. CYFIRMA's investigation revealed that the malware uploads stolen data to a server linked to a suspicious IP address, which points to a spyware panel associated with a Telegram channel. The malware's sophisticated capabilities make it a potent tool in the cybercriminal landscape.
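The Startup-folder persistence described above is one of the few Vilsa Stealer behaviors that leaves a simple, checkable artifact on disk. The following script is an added example, not Cyfirma's or Microsoft's code: it audits the two standard Windows Startup folders (per-user under %APPDATA% and all-users under %ProgramData%) and flags entries that are scripts or bare binaries rather than the .lnk shortcuts Windows normally places there, hashing each file for later lookup. The suffix list, the scoring, and the sample folder it builds when run off-Windows are assumptions made for this example.

```python
"""Audit Windows Startup folders for dropped script payloads.

Added example (not Cyfirma's or Microsoft's code). A Python-based stealer that
"copies itself into the Startup folder" leaves a script or bare executable where
Windows normally keeps .lnk shortcuts; this script lists and scores such entries.
The suffix list and scoring rules are assumptions made for this example.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Interpreted payload types that seldom belong in a Startup folder (assumption).
SCRIPT_SUFFIXES = {".py", ".pyw", ".pyc", ".pyz", ".vbs", ".vbe", ".js", ".jse",
                   ".bat", ".cmd", ".ps1", ".hta", ".wsf"}
BINARY_SUFFIXES = {".exe", ".dll", ".scr"}


def windows_startup_paths() -> List[Path]:
    """Standard per-user and all-users Startup folders, derived from the environment.
    Returns an empty list on non-Windows hosts where the variables are unset."""
    tail = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    paths = []
    for var in ("APPDATA", "PROGRAMDATA"):
        base = os.environ.get(var)
        if base:
            paths.append(Path(base) / tail)
    return paths


def audit_startup_folder(folder) -> List[Dict]:
    """Return one finding per file in `folder`. `suspicious` is True when the
    entry is a script or a bare binary instead of a shortcut."""
    findings = []
    folder = Path(folder)
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file() or entry.name.lower() == "desktop.ini":
            continue  # desktop.ini is the folder's own metadata file
        suffix = entry.suffix.lower()
        reasons = []
        if suffix in SCRIPT_SUFFIXES:
            reasons.append(f"script payload ({suffix})")
        elif suffix in BINARY_SUFFIXES:
            reasons.append("bare binary instead of a shortcut")
        # A double extension such as report.pdf.pyw is a common disguise.
        if len(entry.suffixes) > 1 and suffix in SCRIPT_SUFFIXES:
            reasons.append("double extension")
        findings.append({
            "name": entry.name,
            "path": str(entry),
            "sha256": hashlib.sha256(entry.read_bytes()).hexdigest(),
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


def build_sample_folder() -> Path:
    """Constructed sample Startup folder for offline runs (placeholder files,
    not real malware)."""
    d = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    for name in ("Notepad.lnk", "desktop.ini", "update.pyw", "report.pdf.pyw", "helper.exe"):
        (d / name).write_bytes(b"sample-" + name.encode())
    return d


if __name__ == "__main__":
    targets = windows_startup_paths() or [build_sample_folder()]
    for folder in targets:
        print(f"== {folder}")
        for f in audit_startup_folder(folder):
            flag = "!!" if f["suspicious"] else "  "
            print(f"{flag} {f['name']:<20} {f['sha256'][:12]}  {', '.join(f['reasons'])}")
```

Shortcuts are deliberately left unflagged here; a .lnk whose target is an interpreter is just as dangerous, but resolving shortcut targets needs Windows-specific APIs, so on a real host follow up on every .lnk with the shell or your EDR's file-inventory data.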
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenti
Notes: ★★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat
Reposts of the article (1):
Source: RiskIQ
Identifier: 8594953
Publication date: 2024-10-09 17:00:18 (viewed: 2024-10-09 17:18:17)
Title: YUNIT STEALER
Text:
## Snapshot
Cyfirma has identified a new [information stealer](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), Yunit Stealer, designed to extract sensitive data, including system information, credentials, cookies, and cryptocurrency wallets.
## Description
The malware uses JavaScript and various persistence techniques like modifying Windows registry keys and disabling Windows Defender. It utilizes Discord and Telegram webhooks for data exfiltration. The malware employs obfuscation to evade detection and uses PowerShell commands to hide its actions.
Yunit Stealer's developer is believed to be based in France, with ties to gaming platforms. The malware is particularly adept at gathering and exfiltrating browser data and cryptocurrency information by manipulating common system utilities and files. In addition, it uses scheduled tasks and registry modifications to ensure it remains active on compromised systems. The malware's code includes geofencing capabilities, allowing it to selectively operate based on geographic location.
Cyfirma's investigation suggests that the developer has a history of malicious projects and is actively involved in gaming-related communities, which may influence their development of this stealer. Yunit Stealer's techniques make it a notable information stealing threat, particularly because of its persistence mechanisms and its ability to bypass security measures.
## Microsoft Analysis
Cybercriminals are increasingly using messaging apps like Discord and Telegram as private communication channels, to spread [information stealers](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), and exfiltrate targeted data. These platforms offer several advantages that make them attractive to threat actors. Firstly, Telegram and Discord provide a combination of simplicity, security, and anonymity that allows cybercriminals to communicate easily, either in private chats or public channels, without the oversight common in traditional underground forums. Telegram, in particular, enables [encrypted communication](https://tsf.telegram.org/manuals/e2ee-simple) and has been criticized for a "laissez-faire approach to privacy policies," which malicious actors might perceive as bolstering the security of their operations.
Additionally, these platforms support features like webhooks and bots, which are exploited by attackers to distribute malware and conduct phishing attacks. For instance, Discord's webhooks, initially designed for notifications, can be misused to exfiltrate data collected by information stealers by sending it to attacker-controlled channels through HTTPS requests. This misuse of webhooks complicates monitoring and blocking efforts because of their integration with various apps and the encryption used. Discord's content delivery network (CDN) is also [exploited by cybercriminals](https://www.resecurity.com/blog/article/millions-of-undetectable-malicious-urls-generated-via-the-abuse-of-public-cloud-and-web-30-services) to host malware payloads, making it an effective distribution tool. As these platforms offer both robust automation capabilities and discreet communication options, they have become increasingly attractive to cybercriminals looking to bypass traditional security measures and reach a wider audience.
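The webhook and bot exfiltration path described above has a distinctive shape on the wire, and that shape is what a detection can key on. The following scanner is an added example, not Microsoft's or Cyfirma's code: it runs over web-proxy log lines and flags the public URL forms of a Discord webhook (discord.com/api/webhooks/<id>/<token>) and of the Telegram Bot API (api.telegram.org/bot<id>:<token>/<method>), redacting the tokens so the alert does not itself leak the attacker's credential. The log format and the sample lines are constructed for this example; the rule that the Bot API hostname alone, seen from a workstation, merits a medium-severity look is an assumption for this example.

```python
"""Flag stealer exfiltration to Discord webhooks and the Telegram Bot API in
web-proxy logs.

Added example (not Microsoft's or Cyfirma's code). The URL shapes are the
public ones; the log format and sample lines below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

DISCORD_WEBHOOK = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d+)/(?P<token>[A-Za-z0-9_-]+)")
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<id>\d+):(?P<token>[A-Za-z0-9_-]+)/"
    r"(?P<method>[A-Za-z]+)")
# Without TLS inspection only the hostname (CONNECT target / SNI) is visible.
TELEGRAM_BOT_HOST = re.compile(r"\bapi\.telegram\.org\b")


def redact(secret: str) -> str:
    """Keep enough of a token to correlate events without logging the secret."""
    return f"{secret[:4]}...{secret[-2:]}" if len(secret) > 8 else "***"


def classify_line(line: str) -> Optional[Dict]:
    """Return a hit dict for an exfil-channel URL in `line`, else None."""
    m = DISCORD_WEBHOOK.search(line)
    if m:
        return {"severity": "high", "channel": "discord_webhook",
                "id": m.group("id"), "token": redact(m.group("token")), "line": line}
    m = TELEGRAM_BOT_API.search(line)
    if m:
        return {"severity": "high", "channel": "telegram_bot_api",
                "id": m.group("id"), "token": redact(m.group("token")),
                "method": m.group("method"), "line": line}
    if TELEGRAM_BOT_HOST.search(line):
        # Assumption for this example: the Bot API host is used by bots, not by
        # the Telegram client apps, so a workstation talking to it deserves a
        # look even when the path is hidden by TLS.
        return {"severity": "medium", "channel": "telegram_bot_host", "line": line}
    # Plain discord.com traffic is ordinary chat; only the webhook path is a signal.
    return None


def scan_log(lines: Iterable[str]) -> List[Dict]:
    return [hit for hit in (classify_line(line) for line in lines) if hit]


# Constructed sample lines: "<timestamp> <client> <method> <url> <status> <bytes>".
SAMPLE_LOG = [
    "2024-10-09T17:02:11Z 10.0.0.12 POST https://discord.com/api/webhooks/"
    "1287312345678901234/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789_-abcdefghijklmnopqrstuvwxyz 204 48211",
    "2024-10-09T17:02:15Z 10.0.0.12 GET https://www.microsoft.com/ 200 1203",
    "2024-10-09T17:03:40Z 10.0.0.31 POST https://api.telegram.org/"
    "bot7123456789:AAHxyzExampleTokenValue_ForDemoOnly/sendDocument 200 912",
    "2024-10-09T17:04:02Z 10.0.0.31 CONNECT api.telegram.org:443 - 0",
    "2024-10-09T17:05:09Z 10.0.0.40 GET https://discord.com/channels/@me 200 5520",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"], hit["channel"], hit.get("id", ""), hit.get("token", ""))
```

The full-URL matches only appear where TLS is inspected or where the telemetry comes from the endpoint itself (for example a URL or command-line field in EDR events); on a plain proxy the Discord case is invisible, because discord.com is legitimate traffic and the webhook path is inside the tunnel, so for Discord the host-side data is the only practical source.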
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click]
Notes: ★★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat
The article does not appear to be a repost of an earlier one.