One Article Review

The article:
Source RiskIQ
Identifier 8597688
Publication date 2024-10-14 14:53:34 (viewed: 2024-10-14 15:18:10)
Title Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware
Text

#### Targeted Geolocations
- Brazil
- South America

#### Targeted Industries
- Consumer Retail
- Government Agencies & Services
- Critical Manufacturing

## Snapshot
A recent spear phishing campaign dubbed Water Makara has been targeting businesses in Latin America, particularly in Brazil, with a notable focus on the manufacturing, retail, and government sectors.

## Description
This campaign delivers Astaroth, a well-known banking malware that has resurfaced with new evasion techniques. Attackers send phishing emails that mimic official tax documents, preying on users' urgency to file personal income tax returns. The emails carry malicious ZIP files. Each ZIP contains an LNK file which, when the user opens it, runs malicious commands that launch obfuscated JavaScript through mshta.exe, establish a connection to a command-and-control (C&C) server, and lead to Astaroth's installation. The malware evades detection with Base64 encoding and by abusing legitimate Windows utilities. A domain generation algorithm (DGA) produces multiple URLs for reaching the C&C servers, so blocking any single domain does not cut off the infection.

## Microsoft Analysis and Additional OSINT Context
[First observed in 2017](https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth), Astaroth is an information stealer that has impacted users in Latin America, North America, and Europe. While its capabilities and attributes have evolved over time, [Astaroth employs](https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/?msockid=11175395187c6b993d06473919876a3b) a number of fileless, living-off-the-land techniques and abuses various legitimate processes to run undetected on compromised machines, making it a pervasive threat.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#bl
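The delivery chain in the Description (ZIP, LNK, mshta.exe running obfuscated JavaScript with Base64-encoded content, outbound C&C connection) is exactly the kind of sequence endpoint telemetry exposes through process creation events. The block below is an added hunting example written for this page, not Trend Micro, RiskIQ or Microsoft code, and it is not derived from the report's indicators. It runs over constructed process-creation records using Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine); those names, the placeholder C&C URL on the reserved `.invalid` TLD, the list of shell parents and the decoded-content keyword list are all assumptions of the example. It flags mshta.exe launches that carry an inline script protocol handler or a Base64 run that decodes to a URL or script, and records whether a shell or explorer.exe parent launched it, which is what an LNK double-click looks like.

```python
"""
Hunting logic for the Water Makara delivery chain described in the article:
a ZIP-delivered LNK whose commands launch mshta.exe with obfuscated, inline
JavaScript carrying Base64-encoded content. Added example for this page, not
Trend Micro, RiskIQ or Microsoft code. The process-creation records are
constructed samples with Sysmon Event ID 1 style field names; those names,
the placeholder C&C URL and the keyword lists are assumptions, not indicators
taken from the report.
"""
import base64
import re

# Placeholder only (reserved .invalid TLD), not a real Astaroth indicator.
C2_URL = "https://c2.example.invalid/stage2"
ENCODED_C2 = base64.b64encode(C2_URL.encode()).decode()

# Parents that indicate a user- or script-driven launch (LNK double-click,
# batch file) rather than an application opening its own HTA file.
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# mshta accepts a script directly on the command line via these protocol handlers.
SCRIPT_PROTO = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
# Runs long enough to be Base64-encoded payload rather than a plain identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# What a decoded blob has to contain before it is reported (URLs, script).
DECODED_HINTS = ("http://", "https://", "powershell", "eval(", "activexobject", "wscript.shell")

SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    {   # benign: a vendor application opening its own local .hta file
        "ParentImage": r"C:\Program Files\Vendor\app.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"',
    },
    {   # the chain from the article: the user opens the LNK from the ZIP and
        # explorer.exe launches mshta.exe with inline JavaScript holding a
        # Base64-encoded C&C URL
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": (
            "mshta.exe \"javascript:var a='" + ENCODED_C2 + "';"
            "var o=new ActiveXObject('WScript.Shell');eval(a);close();\""
        ),
    },
    {   # LNK that goes through cmd.exe and hands mshta inline VBScript, no Base64
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": 'mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""calc.exe"":close")',
    },
    {   # unrelated process creation that must be ignored
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
]


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def decode_suspicious_b64(command_line):
    """Decode every Base64-looking run and keep those whose plaintext looks
    like a URL or script; text that merely happens to be valid Base64 is dropped."""
    hits = []
    for match in B64_RUN.finditer(command_line):
        token = match.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="ignore")
        if any(hint in text.lower() for hint in DECODED_HINTS):
            hits.append(text)
    return hits


def assess_event(event):
    """For an mshta.exe process creation, return the delivery indicators found
    and whether a shell/explorer parent launched it; None for other images."""
    if _basename(event["Image"]) != "mshta.exe":
        return None
    cmd = event["CommandLine"]
    indicators = []
    if SCRIPT_PROTO.search(cmd):
        indicators.append("inline script protocol handler in command line")
    for text in decode_suspicious_b64(cmd):
        indicators.append("Base64 run decodes to " + text[:60])
    return {
        "shell_parent": _basename(event["ParentImage"]) in SHELL_PARENTS,
        "indicators": indicators,
    }


def hunt(events):
    """Return (index, assessment) for every event carrying at least one
    indicator. mshta.exe opening a local .hta with no inline script is left
    alone here; a shell parent on its own is context, not a verdict."""
    flagged = []
    for i, event in enumerate(events):
        result = assess_event(event)
        if result and result["indicators"]:
            flagged.append((i, result))
    return flagged


if __name__ == "__main__":
    for index, result in hunt(SAMPLE_EVENTS):
        parent = "shell parent" if result["shell_parent"] else "non-shell parent"
        print(f"event {index}: {parent}; " + "; ".join(result["indicators"]))
```

Running the file flags events 1 and 2 and leaves the vendor HTA launch and the browser start alone. Decoding the Base64 run rather than just matching on its shape is what separates an encoded C&C URL from an ordinary long token; in a real hunt the decoded URL is also the value to pivot on, since the DGA means the next victim will see a different one.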
Rating ★★
Sent Yes
Tags Ransomware Malware Tool Threat Prediction


The article does not appear to have been picked up after its publication.


The article resembles 1 other article(s):

Src RiskIQ
Date (GMT) 2024-10-14 15:50:22 (Déjà vu)
Title Telekopye transitions to targeting tourists via hotel booking scam (direct link)
Description

#### Targeted Geolocations
- North America
- Northern Europe
- Southern Europe
- Western Europe

## Snapshot
ESET Research has published a report on Telekopye, a scam toolkit used to defraud people on online marketplaces, which has now expanded to target accommodation booking platforms such as Booking.com and Airbnb.

## Description
Originally discovered by ESET in 2023, Telekopye has been used by organized scam groups to steal payment information from unsuspecting users of various online services, with a recent focus on accommodation bookings. The scammers, called Neanderthals, operate through a well-organized structure, using the Telekopye toolkit to create phishing emails, SMS messages and web pages that trick victims into entering payment information. In 2024 they began compromising the accounts of legitimate hotels and accommodation providers in order to defraud users by imitating real booking details, which makes the fraud more convincing. This shift in focus coincided with the summer holiday season, during which accommodation-themed scams outnumbered marketplace scams. Telekopye groups continually improve their techniques, using web scrapers and chatbots to speed up the scam process and interact with victims in real time. Law enforcement action has led to the arrest of some key members, but the toolkit remains a persistent threat across Europe and North America.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/Thereatanalytics3/9382203E-5155-4B5E-AF74-21562B1004D5/analyStrepo
Tags Ransomware Tool Threat Legislation
Rating ★★★