One Article Review

Source RiskIQ
Identifier 8598927
Publication date 2024-10-16 20:34:29 (viewed: 2024-10-16 21:12:41)
Title Distribution of Meduza Stealer via Telegram, allegedly on behalf of Reserve+ technical support
(Recycled)
Text
## Snapshot

The Computer Emergency Response Team of Ukraine (CERT-UA) reported the distribution of malicious messages through the Telegram account @reserveplusbot, which was previously associated with Reserve+ technical support. These messages urged recipients to install "special software" and included a ZIP file that ultimately delivered the Meduza Stealer malware.

## Description

The ZIP archive contained an executable that downloaded additional malware designed to steal various document types (.txt, .doc, .pdf, etc.) before deleting itself. To evade detection, the malware added its directory to Microsoft Defender's exclusion list using a PowerShell command (example: 'Add-MpPreference -ExclusionPath "%USERPROFILE%\yqpedcpefpenrwim"').

## Microsoft Analysis and Additional OSINT Context

The [Meduza Stealer](https://www.silentpush.com/blog/meduza-stealer/), first sold on a Russian-speaking dark web forum in June 2023, is a lightweight C++ malware known for its adaptability and competitive pricing. It targets Windows systems, stealing sensitive information such as cookies, login credentials, and data from browser extensions, including password managers and cryptocurrency wallets. Meduza terminates itself if it detects that the host machine is in specific countries, including Russia and many former Soviet republics, but otherwise connects to a command-and-control server for data exfiltration. Its advanced evasion techniques allow it to bypass most popular antivirus software, making it difficult to detect through both static and dynamic analysis. Meduza's operators use Telegram to communicate malware updates to their user base. Read more [here](https://sip.security.microsoft.com/intel-explorer/articles/1bdfb795) about the CERT-UA warning on recent cybercriminal activity using Meduza Stealer.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of the threat of information stealers.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Mic
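The Defender exclusion trick above is a useful detection hook. As an added example (not code from the CERT-UA report or Microsoft's write-up), the Python below scans PowerShell script-block log lines for Add-MpPreference calls and flags exclusions placed under user-writable directories or pointing at random-looking directory names; the log line format and the sample events are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Add-MpPreference followed (eventually) by an -Exclusion* parameter and a
# double-quoted, single-quoted or bare value.
ADD_EXCL = re.compile(
    r'Add-MpPreference\s.*?-Exclusion(?:Path|Process|Extension)\s+'
    r"""(?:"([^"]+)"|'([^']+)'|(\S+))""",
    re.IGNORECASE,
)

# Locations a standard user can write to; legitimate admin exclusions
# (database files, build agents on servers) rarely live here.
USER_WRITABLE = (
    "%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
    "\\users\\", "\\appdata\\", "\\temp\\",
)

# Constructed sample events (Event ID 4104 style). The first reuses the
# exclusion path quoted in the report; the others are benign or ambiguous.
SAMPLE_EVENTS = [
    r'2024-10-16T10:02:11 4104 ScriptBlockText: Add-MpPreference -ExclusionPath "%USERPROFILE%\yqpedcpefpenrwim"',
    r'2024-10-16T10:05:40 4104 ScriptBlockText: Add-MpPreference -ExclusionPath "C:\Program Files\SQL Server\Data"',
    r'2024-10-16T10:07:02 4104 ScriptBlockText: Get-MpPreference | Select-Object -ExpandProperty ExclusionPath',
    r"2024-10-16T10:09:15 4104 ScriptBlockText: Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Local\Temp\build'",
]

@dataclass
class Finding:
    line_no: int
    path: str
    reason: str

def extract_exclusion(script_text: str):
    """Return the exclusion value from an Add-MpPreference call, or None."""
    m = ADD_EXCL.search(script_text)
    if not m:
        return None
    return next(g for g in m.groups() if g)

def is_user_writable(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(token in p for token in USER_WRITABLE)

def looks_random(name: str) -> bool:
    """Heuristic: one long run of lowercase letters with no separators."""
    return re.fullmatch(r"[a-z]{12,}", name) is not None

def audit(lines):
    """Return a Finding for every suspicious exclusion in the given log lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        path = extract_exclusion(line)
        if path is None:
            continue
        leaf = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
        reasons = []
        if is_user_writable(path):
            reasons.append("user-writable location")
        if looks_random(leaf):
            reasons.append("random-looking directory name")
        if reasons:
            findings.append(Finding(line_no, path, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.path} -> {f.reason}")
```

The same check can be run against the live configuration by feeding the output of `Get-MpPreference` exclusion lists through `is_user_writable` and `looks_random`.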
Notes ★★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat Technical


Re-publications of the article (1):
Source RiskIQ
Identifier 8598402
Publication date 2024-10-15 20:34:15 (viewed: 2024-10-15 21:12:45)
Title UAC-0050: Cyber Espionage, Financial Crimes, Information and Psychological Operations
Text
#### Targeted Geolocations
- Ukraine

## Snapshot

The Computer Emergency Response Team of Ukraine (CERT-UA) has tracked UAC-0050, a cybercriminal group involved in espionage, financial theft and psychological operations. Between September and October 2024, UAC-0050 made at least 30 attempts to steal funds from Ukrainian enterprises and individual entrepreneurs.

## Description

Using tools such as Remcos and Tektonit RMS, UAC-0050 gained unauthorized access to accountants' computers, falsifying financial transactions to steal amounts ranging from tens of thousands to millions of hryvnias. Their attacks are sophisticated, leveraging various malware tools such as Meduza Stealer, [Lumma Stealer](https://sip.security.microsoft.com/intel-profiles/33933578825488511C30B0728D3C4F8B5CA20E41C285A rat ack. The stolen funds are typically converted to cryptocurrency to finance further attacks, including influence operations under the [Fire Cells Group](https://imi.org.ua/en/news/police-bomb-stherets-proved-false-and-Brand de la marque-Russian-IP-Addreses-I64294).

## Microsoft Analysis and Additional OSINT Context

[UAC-0050](https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html) is a threat actor active since 2020, primarily targeting Ukrainian government agencies. In previous campaigns they deployed Remcos RAT malware through [phishing campaigns](https://cert.gov.ua/article/3804703), often impersonating the Security Service of Ukraine and distributing emails with malicious attachments. The group has previously used remote administration tools such as Remote Utilities. Their attacks appear to be motivated by espionage.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of the threat of information stealers.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new
Notes ★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat


The article resembles 2 other article(s):
Src Date (GMT) Title Description Tags Stories Notes
RiskIQ 2024-10-18 17:12:34 (Déjà vu) The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer
(direct link)
## Snapshot

Cyfirma published a report analyzing the information stealer landscape, with a particular focus on Divulge, DedSec and Duck.

## Description

These stealers, primarily distributed through platforms such as GitHub, Discord and Telegram, are often built from open-source code and modified to target sensitive data such as browser credentials and cryptocurrency wallets. Divulge, heavily promoted on underground forums, is a successor to Umbral Stealer, with anti-VM features and the ability to steal browser data. DedSec, a copy of Doenerium, uses anti-VM tactics and evades detection by adding itself to the Windows Defender exclusion list. Duck Stealer, which shares much of its code with AZStealer, is designed to collect browser data, steal cryptocurrency and capture Discord tokens. All three stealers use various evasion techniques to bypass detection and have built-in anti-analysis features. Cyfirma notes that these tools are often promoted through Telegram or Discord channels and that the developers retain access to all data collected by users of these stealers. Many are advertised as "free" but come with the hidden risk of double-hook infections. Overall, the report highlights the growing threat of information stealers, particularly those targeting browser and Discord data, with active promotion across various online communities.

## Microsoft Analysis and Additional OSINT Context

Cybercriminals are increasingly using messaging applications to exfiltrate targeted data. These platforms offer several advantages that make them attractive to threat actors. First, Telegram and Discord provide a combination of simplicity, security and anonymity that lets cybercriminals communicate easily, whether in private chats or public channels, without the oversight common on traditional underground forums. Telegram in particular allows [encrypted communication](https://tsf.telegram.org/manuals/e2ee-simple) and has been criticized for a "laissez-faire approach to privacy policies", which malicious actors may perceive as strengthening the security of their operations. In addition, these platforms support features such as webhooks and bots, which attackers exploit to distribute malware and conduct phishing attacks. For example, Discord's webhooks, originally designed for notifications, can be misused to exfiltrate data collected by information stealers by sending it to attacker-controlled channels over HTTPS requests. This misuse of webhooks complicates monitoring and blocking efforts because of their integration with various applications and the encryption in use. Discord's content delivery network (CDN) is also [exploited by cybercriminals](https://www.resecurity.com/blog/article/millions-of-undetectable-malicious-urls-generated-via-the-abuse-of-public-cloud-and-web-30-services) to host malware payloads, making it an effective distribution tool. Because these platforms offer both robust automation capabilities and discreet communication options, they have become increasingly attractive to cybercriminals seeking to bypass traditional security measures and reach a wider audience.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the status of
Tags Ransomware Spam Malware Tool Threat
Notes ★★★
RiskIQ 2024-10-18 19:13:56 (Déjà vu) Warning Against Phishing Emails Impersonating Major Korean Entertainment Agencies
(direct link)
#### Targeted Geolocations
- Korea

## Snapshot

AhnLab Security Intelligence Center (ASEC) has reported that phishing emails impersonating major Korean entertainment agencies are being distributed in Korea. These emails attempt to trick recipients into clicking a link by claiming unauthorized use of their images in Facebook and Instagram advertisements.

## Description

The link downloads a python-based [infostealer](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), which is disguised as a PDF by changing the icon and adding spaces in the file name to conceal the .EXE extension. When executed, the malware presents a normal PDF document to distract the user while it collects a variety of sensitive information, including system and browser data, messenger information, screen captures, and Steam account details. This collected data is then sent to the threat actor's Telegram chat room.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking "Yes" on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match?ocid=magicti_ta_learndoc). Refer to [this article](https://learn.microsoft.com/azure/acti
Tags Ransomware Spam Malware Tool Threat
Notes ★★