One Article Review

Source: RiskIQ
Identifier: 8595673
Publication date: 2024-10-10 21:39:16 (viewed: 2024-10-10 22:18:06)
Title: Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
(Recycled)
Text
## Snapshot
Trustwave's threat intelligence team has uncovered a new malware called Pronsis Loader, which delivers the primary payloads [Lumma Stealer](https://security.microsoft.com/intel-profiles/3393357882548511c30b0728d3c4f8b5ca20e41c285a56f796eb39f57531ad) and [Latrodectus](https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/analyzing-latrodectus-the-new-face-of-malware-loaders/).
## Description
Pronsis Loader is similar to D3F@ck Loader in that both use JPHP-compiled executables. JPHP, a programming language derived from PHP, is a less common language among threat actors. JPHP was used by IceRAT in [2020](https://security.microsoft.com/intel-explorer/articles/6fe5599a), then by D3F@ck in [2024](https://www.esentire.com/blog/exploring-the-d3f-ck-malware-as-a-service-loader). Pronsis Loader differs from D3F@ck in its deployment method, using the Nullsoft Scriptable Install System (NSIS), a popular tool for building Windows installers. One of its main evasion techniques is excluding the user profile from its targeting, which makes detection more challenging for certain security solutions. Pronsis Loader lacks certificate usage, including SSL certificates, and drops files into the %Temp% directory, disguising the malicious files among benign ones. Trustwave's analysis identified that Pronsis Loader consistently uses the same source path naming convention, E:\Lab\Orders\, and follows a specific naming convention for its zip files. These files typically combine three words in the filename, with the third word usually being "pro".
Researchers observed Pronsis Loader primarily delivering the Lumma Stealer payload and, in some cases, Latrodectus malware. Lumma Stealer downloads its payload from a specified URL and decodes an encrypted DLL file. The infrastructure linked to Lumma Stealer includes multiple IP addresses and open directories used to store malicious files, with the command-and-control (C2) server identified as "locatedblsoqp[.]shop/api". Latrodectus is distributed through phishing emails and establishes persistence via a scheduled task named "Updater" and a mutex named "Runnung". It operates by executing the payload from a downloaded archive file, which then drops and executes additional components of the Latrodectus malware. The malware's C2 servers include "restoreviner[.]com/test/" and "peronikilinfer[.]com/test/".
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [Safe Attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachm
Notes ★★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat


Earlier versions of the article (1):
Source: RiskIQ
Identifier: 8594953
Publication date: 2024-10-09 17:00:18 (viewed: 2024-10-09 17:18:17)
Title: YUNIT STEALER
Text
## Snapshot
Cyfirma has identified a new [information stealer](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), Yunit Stealer, designed to extract sensitive data, including system information, credentials, cookies, and cryptocurrency wallets.
## Description
The malware uses JavaScript and various persistence techniques like modifying Windows registry keys and disabling Windows Defender. It utilizes Discord and Telegram webhooks for data exfiltration. The malware employs obfuscation to evade detection and uses PowerShell commands to hide its actions. Yunit Stealer's developer is believed to be based in France, with ties to gaming platforms. The malware is particularly adept at gathering and exfiltrating browser data and cryptocurrency information by manipulating common system utilities and files. In addition, it uses scheduled tasks and registry modifications to ensure it remains active on compromised systems. The malware's code includes geofencing capabilities, allowing it to selectively operate based on geographic location. Cyfirma's investigation suggests that the developer has a history of malicious projects and is actively involved in gaming-related communities, which may influence their development of this stealer. Yunit Stealer's techniques make it an information stealing threat, particularly due to its persistence mechanisms and ability to bypass security measures.
## Microsoft Analysis
Cybercriminals are increasingly using messaging apps like Discord and Telegram as private communication channels, to spread [information stealers](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), and exfiltrate targeted data. These platforms offer several advantages that make them attractive to threat actors.
Firstly, Telegram and Discord provide a combination of simplicity, security, and anonymity that allows cybercriminals to communicate easily, either in private chats or public channels, without the oversight common in traditional underground forums. Telegram, in particular, enables [encrypted communication](https://tsf.telegram.org/manuals/e2ee-simple) and has been criticized for a "laissez-faire approach to privacy policies," which malicious actors might perceive as bolstering the security of their operations. Additionally, these platforms support features like webhooks and bots, which are exploited by attackers to distribute malware and conduct phishing attacks. For instance, Discord's webhooks, initially designed for notifications, can be misused to exfiltrate data collected by information stealers by sending it to attacker-controlled channels through HTTPS requests. This misuse of webhooks complicates monitoring and blocking efforts due to their integration with various apps and the encryption used. Discord's content delivery network (CDN) is also [exploited by cybercriminals](https://www.resecurity.com/blog/article/millions-of-undetectable-malicious-urls-generated-via-the-abuse-of-public-cloud-and-web-30-services) to host malware payloads, making it an effective distribution tool. As these platforms offer both robust automation capabilities and discreet communication options, they have become increasingly attractive to cybercriminals looking to bypass traditional security measures and reach a wider audience.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click]
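The analysis above notes that webhook exfiltration to Discord and Telegram is hard to spot because the traffic blends in with legitimate use of those apps. One practical detection angle is to look at which process is making the request: a browser or the Discord client posting to Discord is expected, but a scripting host posting to a webhook endpoint is not. The following is an added example, not code from the report, Cyfirma, or Microsoft; it scans constructed egress proxy log lines (the `key=value` format, host names, and process allowlist are assumptions made for this illustration) and flags POST requests to Discord webhook or Telegram bot-API URLs from processes outside the allowlist.

```python
"""Flag outbound POSTs to Discord webhook / Telegram bot-API endpoints made by
processes that have no business talking to those services.

Added example for illustration only; the log format, host names and process
allowlist below are assumptions, and the sample lines are constructed."""

import re
from urllib.parse import urlsplit

# Constructed sample egress proxy log (not real data). One record per line:
# <timestamp> host=<workstation> proc=<process> method=<verb> url=<url> bytes=<n>
SAMPLE_LOG = """\
2024-10-09T17:00:18Z host=WS01 proc=msedge.exe method=GET url=https://discord.com/channels/@me bytes=812
2024-10-09T17:00:25Z host=WS01 proc=powershell.exe method=POST url=https://discord.com/api/webhooks/111111111111111111/EXAMPLE-TOKEN bytes=48213
2024-10-09T17:01:02Z host=WS02 proc=node.exe method=POST url=https://api.telegram.org/bot123456:EXAMPLE-TOKEN/sendDocument bytes=93120
2024-10-09T17:01:40Z host=WS02 proc=Discord.exe method=POST url=https://discord.com/api/v9/channels/1/messages bytes=330
2024-10-09T17:02:11Z host=WS03 proc=wscript.exe method=POST url=https://discordapp.com/api/webhooks/222222222222222222/EXAMPLE-TOKEN bytes=15800
2024-10-09T17:02:50Z host=WS03 proc=chrome.exe method=POST url=https://example.com/upload bytes=20000
"""

# Processes expected to reach these services legitimately (assumption; tune per estate).
MESSAGING_ALLOWLIST = {"discord.exe", "telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'ts key=value ...' record into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    try:
        rec["bytes"] = int(rec.get("bytes", "0"))
    except ValueError:
        rec["bytes"] = 0
    return rec


def classify_url(url):
    """Return 'discord_webhook', 'telegram_bot_api', or None for other URLs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host in ("discord.com", "discordapp.com") and path.startswith("/api/webhooks/"):
        return "discord_webhook"
    if host == "api.telegram.org" and path.startswith("/bot"):
        return "telegram_bot_api"
    return None


def detect(log_text, allowlist=MESSAGING_ALLOWLIST):
    """Return findings: POSTs to webhook/bot endpoints from non-allowlisted processes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("method") != "POST":
            continue
        kind = classify_url(rec.get("url", ""))
        if kind is None:
            continue
        proc = rec.get("proc", "").lower()
        if proc in allowlist:
            continue
        findings.append({"ts": rec["ts"], "host": rec.get("host"), "proc": proc,
                         "kind": kind, "bytes": rec["bytes"]})
    return findings


def bytes_by_host(findings):
    """Sum flagged upload volume per workstation, useful for triage ordering."""
    totals = {}
    for f in findings:
        totals[f["host"]] = totals.get(f["host"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['proc']} -> {f['kind']} ({f['bytes']} bytes)")
    print(bytes_by_host(detect(SAMPLE_LOG)))
```

The process-based rule deliberately leaves browser and client traffic alone, which is why the `Discord.exe` message POST and the browser requests in the sample produce no finding while the `powershell.exe`, `node.exe` and `wscript.exe` uploads do. On a real estate the allowlist needs tuning, and the byte totals per host give a quick way to prioritise which flagged workstation to look at first.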
Notes ★★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat


The article does not appear to have been picked up in an earlier one.