One Article Review

The article:
Source RiskIQ
Identifier 8595623
Publication date 2024-10-10 19:46:52 (viewed: 2024-10-10 20:18:11)
Title Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
(Recycled)
Text
## Snapshot
Morphisec Threat Labs has identified sophisticated Lua malware variants targeting the education sector, notably exploiting the popularity of Lua-based game engine supplements among students.
## Description
The malware is delivered via obfuscated Lua scripts downloaded from platforms such as GitHub, which are less likely to be detected than compiled Lua bytecode. These downloads typically include a Lua compiler, a Lua DLL, an obfuscated script, and a batch file to run the script. On execution, the loader communicates with a command-and-control (C2) server, sending details about the infected machine and receiving tasks to maintain persistence, hide processes, and download new payloads and configurations. The malware uses search engine optimization (SEO) poisoning and is associated with popular cheat script engines such as Solara and Electron, often used with Roblox. It employs anti-reversing techniques, including an obfuscation technique that hinders analysis by detecting attempts to reformat the code, and uses the Foreign Function Interface (FFI) library to execute C code directly.
The malware gathers information about the victim, establishes persistence through scheduled tasks, and can bypass Windows Defender when running with elevated privileges. The C2 server issues commands for the loader to execute, or tasks to load additional payloads, with fallback mechanisms to connect to alternate addresses if the primary ones are blocked. Notably, the malware leads to the deployment of infostealers such as Redline, which harvests credentials for sale on the dark web. The malware's capabilities include downloading additional payloads, executing files, and marking files as hidden, using methods such as DLL injection and PowerShell scripts to maintain persistence and evade detection.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps such as Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-meth
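The delivery chain above (a batch file that launches a downloaded Lua interpreter on an obfuscated script, then a scheduled task that re-runs it) can be hunted for in process-creation telemetry. The following Python is an example added here, not code from the article or from Morphisec or Microsoft. It assumes Sysmon-style process-creation events flattened into dicts with the keys `image`, `cmdline`, `parent_image` and `parent_cmdline`; the interpreter names it matches, the folder patterns, the score weights and the sample events are all constructed assumptions for the example, not indicators from the report.

```python
"""Score Windows process-creation events for the Lua loader delivery chain.

Added example, not code from the article or from Morphisec/Microsoft.
Assumed event shape: a dict with 'image', 'cmdline', 'parent_image' and
'parent_cmdline' (Sysmon event 1 style, flattened). Binary names, paths,
weights and sample events are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Lua toolchain executables a bundle ships with (luac = compiler,
# luajit = FFI-capable runtime). Assumed names.
LUA_BINARY = re.compile(
    r"(?:^|[\\/])(?:lua(?:\d+(?:\.\d+)?)?|luac|luajit)(?:\.exe)?$", re.IGNORECASE)
# Where a GitHub download lands; execution from here weighs more than
# execution from Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData)\\", re.IGNORECASE)
# schtasks /create ... /tr "<command>"   (persistence via scheduled task)
SCHTASKS_CREATE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.IGNORECASE)
ALERT_THRESHOLD = 3  # assumed: tuned on the constructed events below


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    image = ev.get("image", "")
    cmdline = ev.get("cmdline", "")
    parent_image = ev.get("parent_image", "")
    parent_cmdline = ev.get("parent_cmdline", "")

    if LUA_BINARY.search(image):
        score += 1
        reasons.append("Lua runtime/compiler executed")
        if USER_WRITABLE.search(image):
            score += 2
            reasons.append("Lua binary runs from a user-writable path")
        if re.search(r"\.lua\b", cmdline, re.IGNORECASE) and USER_WRITABLE.search(cmdline):
            score += 1
            reasons.append("script argument lives in a user-writable path")
        if parent_image.lower().endswith("cmd.exe") and re.search(r"\.bat\b", parent_cmdline, re.IGNORECASE):
            score += 1
            reasons.append("launched by a batch file")

    task = SCHTASKS_CREATE.search(cmdline)
    if task:
        task_cmd = task.group(1)
        tokens = task_cmd.split()
        if tokens and LUA_BINARY.search(tokens[0]):
            score += 3
            reasons.append("scheduled task created that runs a Lua binary")
            if USER_WRITABLE.search(task_cmd):
                score += 1
                reasons.append("task command points into a user-writable path")
    return score, reasons


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events that reach ALERT_THRESHOLD, with their reasons."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"image": ev.get("image", ""), "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # developer running the interpreter from an installed toolchain
        "image": r"C:\Program Files\Lua\5.4\lua.exe",
        "cmdline": r'"C:\Program Files\Lua\5.4\lua.exe" build.lua',
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_cmdline": r'"C:\Windows\System32\cmd.exe"',
    },
    {   # batch file from a download folder launching lua.exe on a script
        "image": r"C:\Users\alice\Downloads\engine-bundle\lua.exe",
        "cmdline": r'"C:\Users\alice\Downloads\engine-bundle\lua.exe" "C:\Users\alice\Downloads\engine-bundle\script.lua"',
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\engine-bundle\run.bat"',
    },
    {   # the loader persisting itself through a scheduled task
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "EngineUpdate" /tr "C:\Users\alice\AppData\Roaming\engine\lua.exe C:\Users\alice\AppData\Roaming\engine\run.lua" /f',
        "parent_image": r"C:\Users\alice\Downloads\engine-bundle\lua.exe",
        "parent_cmdline": r'"C:\Users\alice\Downloads\engine-bundle\lua.exe" "C:\Users\alice\Downloads\engine-bundle\script.lua"',
    },
    {   # unrelated scheduled task, should stay quiet
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe" /f',
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_cmdline": "cmd.exe",
    },
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["score"], alert["image"])
        for r in alert["reasons"]:
            print("   -", r)
```

The weighting is deliberate: a Lua interpreter on its own is common on developer machines and scores one point, while an interpreter that runs from Downloads or AppData, or a scheduled task whose command is a Lua binary, is what the report describes and is what crosses the threshold. Run against the constructed events, the developer invocation stays silent and the batch-launched interpreter and the persistence task are both reported.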
Tags Ransomware Malware Tool Threat


Earlier articles this one picks up (1):
Source RiskIQ
Identifier 8594953
Publication date 2024-10-09 17:00:18 (viewed: 2024-10-09 17:18:17)
Title YUNIT STEALER
Text
## Snapshot
Cyfirma has identified a new [information stealer](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), Yunit Stealer, designed to extract sensitive data, including system information, credentials, cookies, and cryptocurrency wallets.
## Description
The malware uses JavaScript and various persistence techniques like modifying Windows registry keys and disabling Windows Defender. It utilizes Discord and Telegram webhooks for data exfiltration. The malware employs obfuscation to evade detection and uses PowerShell commands to hide its actions. Yunit Stealer's developer is believed to be based in France, with ties to gaming platforms. The malware is particularly adept at gathering and exfiltrating browser data and cryptocurrency information by manipulating common system utilities and files. In addition, it uses scheduled tasks and registry modifications to ensure it remains active on compromised systems. The malware's code includes geofencing capabilities, allowing it to selectively operate based on geographic location. Cyfirma's investigation suggests that the developer has a history of malicious projects and is actively involved in gaming-related communities, which may influence their development of this stealer. Yunit Stealer's techniques make it an information stealing threat, particularly due to its persistence mechanisms and ability to bypass security measures.
## Microsoft Analysis
Cybercriminals are increasingly using messaging apps like Discord and Telegram as private communication channels, to spread [information stealers](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), and exfiltrate targeted data. These platforms offer several advantages that make them attractive to threat actors.
Firstly, Telegram and Discord provide a combination of simplicity, security, and anonymity that allows cybercriminals to communicate easily, either in private chats or public channels, without the oversight common in traditional underground forums. Telegram, in particular, enables [encrypted communication](https://tsf.telegram.org/manuals/e2ee-simple) and has been criticized for a "laissez-faire approach to privacy policies," which malicious actors might perceive as bolstering the security of their operations. Additionally, these platforms support features like webhooks and bots, which are exploited by attackers to distribute malware and conduct phishing attacks. For instance, Discord's webhooks, initially designed for notifications, can be misused to exfiltrate data collected by information stealers by sending it to attacker-controlled channels through HTTPS requests. This misuse of webhooks complicates monitoring and blocking efforts due to their integration with various apps and the encryption used. Discord's content delivery network (CDN) is also [exploited by cybercriminals](https://www.resecurity.com/blog/article/millions-of-undetectable-malicious-urls-generated-via-the-abuse-of-public-cloud-and-web-30-services) to host malware payloads, making it an effective distribution tool. As these platforms offer both robust automation capabilities and discreet communication options, they have become increasingly attractive to cybercriminals looking to bypass traditional security measures and reach a wider audience.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click]
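Because the webhook traffic described above rides on HTTPS to hosts that are legitimately popular, blocking the hosts outright is rarely an option; what a defender can do is look at who is posting to webhook- or bot-shaped paths and how much they send. The Python below is an example added here, not code from the article or from Cyfirma or Microsoft. It assumes a six-field proxy record (`timestamp client_ip process method url bytes_sent`) with full URLs; the list of processes expected to talk to these hosts, the size threshold and the sample records are constructed assumptions for the example, not indicators from the report. Since both a Discord webhook URL and a Telegram bot URL carry the secret in the path, the finding redacts that component before it is emitted.

```python
"""Flag outbound requests shaped like Discord-webhook / Telegram-bot exfiltration.

Added example, not code from the article or from Cyfirma/Microsoft. Assumed
proxy record format (one per line, space separated):
    <timestamp> <client_ip> <process> <method> <url> <bytes_sent>
Process list, size threshold and sample records are constructed for the example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Path shapes of the two endpoints. Both carry a secret in the URL, so a proxy
# that logs full URLs also logs the attacker's token; redact() strips it.
DISCORD_WEBHOOK = re.compile(r"^/api(?:/v\d+)?/webhooks/(\d+)/([\w-]+)", re.IGNORECASE)
TELEGRAM_BOT = re.compile(r"^/bot(\d+):([\w-]+)/(sendMessage|sendDocument|sendPhoto)", re.IGNORECASE)
# Processes for which traffic to these hosts is expected (assumed list).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe", "telegram.exe"}
LARGE_UPLOAD_BYTES = 50_000  # assumed: a notification is far smaller than a credential dump


def redact(path: str) -> str:
    """Replace the webhook/bot token component of the path with <token>."""
    for pattern in (DISCORD_WEBHOOK, TELEGRAM_BOT):
        m = pattern.match(path)
        if m:
            return path[:m.start(2)] + "<token>" + path[m.end(2):]
    return path


def is_discord_host(host: str) -> bool:
    return host in ("discord.com", "discordapp.com") or host.endswith((".discord.com", ".discordapp.com"))


def classify(record: str) -> Optional[Dict[str, object]]:
    """Return a finding for one proxy record, or None if it is not webhook-shaped."""
    ts, client, process, method, url, bytes_sent = record.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []

    telegram = TELEGRAM_BOT.match(parts.path) if host == "api.telegram.org" else None
    discord = DISCORD_WEBHOOK.match(parts.path) if is_discord_host(host) else None
    if telegram:
        kind = "telegram-bot"
        if telegram.group(3).lower() in ("senddocument", "sendphoto"):
            reasons.append("file-upload endpoint")
    elif discord:
        kind = "discord-webhook"
    else:
        return None
    if method.upper() != "POST":
        return None  # only uploads matter; a GET cannot carry the stolen data

    if process.lower() not in EXPECTED_PROCESSES:
        reasons.append(f"{process} is not a browser or messaging client")
    size = int(bytes_sent)
    if size >= LARGE_UPLOAD_BYTES:
        reasons.append(f"{size} bytes sent")

    return {
        "ts": ts, "client": client, "process": process, "kind": kind,
        "path": redact(parts.path), "reasons": reasons,
        "severity": "high" if len(reasons) >= 2 else "low",
    }


def scan(records) -> List[Dict[str, object]]:
    """Classify every record and keep only the findings."""
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed sample records (not real proxy data).
SAMPLE_LOG = [
    "2024-10-09T17:00:01Z 10.0.0.12 discord.exe POST https://discord.com/api/v9/channels/1234/messages 812",
    "2024-10-09T17:00:05Z 10.0.0.12 node.exe POST https://discord.com/api/webhooks/1122334455/abcDEF-ghi_JKL 243811",
    "2024-10-09T17:00:09Z 10.0.0.12 powershell.exe POST https://api.telegram.org/bot123456789:AAExampleToken/sendDocument 98210",
    "2024-10-09T17:01:00Z 10.0.0.7 python.exe POST https://discord.com/api/webhooks/5566778899/buildbot-token 640",
    "2024-10-09T17:02:00Z 10.0.0.9 firefox.exe GET https://discord.com/channels/@me 0",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["client"], finding["process"], finding["kind"], finding["path"])
        for r in finding["reasons"]:
            print("   -", r)
```

On the constructed records, the Discord desktop client posting a chat message and a browser fetching a channel page produce nothing, a Node.js process pushing a quarter-megabyte to a webhook and a PowerShell process calling `sendDocument` are reported as high, and a small webhook post from a build script is reported as low so that a legitimate CI notification can be reviewed rather than blocked. The host match is exact or on a subdomain of `discord.com`, not a loose suffix match, so a look-alike domain is not mistaken for the real one.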
Tags Ransomware Spam Malware Tool Threat


The article does not appear to have been picked up by a later one.