Source |
RiskIQ |
Identifier |
8599824 |
Publication date |
2024-10-18 16:43:16 (viewed: 2024-10-18 17:13:00) |
Title |
Vietnamese Threat Actor's Multi-Layered Strategy on Digital Marketing Professionals (Recycled) |
Text |
## Snapshot
Cyble Research and Intelligence Labs (CRIL) uncovered a complex malware campaign targeting job seekers and digital marketing professionals, particularly those who use Meta ads. The malware is delivered through phishing emails containing a malicious LNK file disguised as a PDF. Once triggered, the malware uses a series of obfuscated PowerShell scripts designed to evade detection by security tools, employing techniques such as virtual machine and sandbox checks as well as anti-debugging methods.
The malware's multi-stage approach includes privilege escalation and persistence through hidden directories. It uses AES encryption to conceal the malicious payload, which is only decrypted in memory after passing multiple security checks. In the final stage, the malware deploys Quasar RAT, a remote access trojan, granting attackers full control over the infected system and enabling data theft, surveillance, and further exploitation.
CRIL attributed this campaign to a Vietnamese threat group based on its targeting and its specific tools and techniques, which mirror a similar campaign from July 2022. The attackers have evolved their methods over time, using a variety of stealers and RATs to expand their reach. According to CRIL, the sophisticated evasion tactics and the use of Quasar RAT make this campaign a notable threat to professionals in the digital marketing and e-commerce sectors.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against credential theft techniques like cr |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Industrial
|
Source |
RiskIQ |
Identifier |
8599384 |
Publication date |
2024-10-17 18:58:40 (viewed: 2024-10-17 19:16:16) |
Title |
ClickFix tactic: The Phantom Meet (Recycled) |
Text |
## Snapshot
Researchers at Sekoia released a report highlighting the ClickFix social engineering tactic and its use in a variety of malicious campaigns.
## Description
In May 2024, a new social engineering tactic known as ClickFix was identified, involving fake error messages in web browsers to deceive users into executing malicious PowerShell commands. This method, first identified by Proofpoint researchers, has been leveraged by threat actors, such as the initial access broker TA571, in phishing campaigns. These campaigns trick users into downloading malware like Matanbuchus or NetSupport RAT via HTML files disguised as Word documents.
Sekoia researchers have tracked the increasing use of ClickFix, which is now used in campaigns to spread infostealers, botnets, and remote access tools on both Windows and macOS. A significant cluster using this tactic impersonates Google Meet, with fake video conference pages distributing malware. Sekoia linked this activity to two cybercrime groups, "Slavic Nation Empire" (SNE) and "Scamquerteo," both part of larger cryptocurrency scam operations.
ClickFix allows attackers to bypass browser security features, making it an effective tool for infiltrating systems undetected. Its use in targeting cryptocurrency assets, Web3 applications, and decentralized finance indicates a focus on high-value victims. This tactic may be further adapted for broader malware distribution, presenting ongoing risks to both corporate and individual users.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
- - [Block](https://learn.microsoft.com/en-us/defender-endpoint/attack-sur |
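Both recommendation lists above (for the Vietnamese threat actor campaign and for ClickFix) ask for the same local Defender settings. The following audit script is an added example, not part of the RiskIQ entries or of Microsoft's documentation: it reads those settings with the documented `Get-MpPreference` / `Get-MpComputerStatus` cmdlets, reports PASS/FAIL per recommendation, and optionally applies the local fix. The ASR rule id for blocking credential stealing from LSASS is taken from Microsoft's published rule list (assumed here, not quoted on the page); EDR in block mode and automated investigation are tenant-side portal settings with no local cmdlet and are not checked.

```powershell
# Added example (not from the RiskIQ/Microsoft text): audit a Windows endpoint against the
# Defender settings recommended above. Run in an elevated PowerShell session.
param([switch]$Remediate)   # add -Remediate to apply the local fix for each failed check

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Assumption: Microsoft's published ASR rule id for "Block credential stealing from the
# Windows local security authority subsystem (lsass.exe)".
$LsassAsrRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Get-MpPreference exposes ASR rule ids and their actions as parallel arrays; action 1 = Block.
$asrAction = $null
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassAsrRule) { $asrAction = $pref.AttackSurfaceReductionRules_Actions[$i] }
}

# LSA protection (RunAsPPL) lives in the registry, not in Defender preferences.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

# MAPSReporting 2 = Advanced; EnableControlledFolderAccess / EnableNetworkProtection 1 = Enabled.
$checks = @(
    @{ Name = 'Cloud-delivered protection (MAPSReporting = Advanced)'; Ok = ($pref.MAPSReporting -eq 2)
       Fix  = { Set-MpPreference -MAPSReporting Advanced } }
    @{ Name = 'Controlled folder access enabled'; Ok = ($pref.EnableControlledFolderAccess -eq 1)
       Fix  = { Set-MpPreference -EnableControlledFolderAccess Enabled } }
    @{ Name = 'Network protection enabled'; Ok = ($pref.EnableNetworkProtection -eq 1)
       Fix  = { Set-MpPreference -EnableNetworkProtection Enabled } }
    @{ Name = 'Tamper protection on'; Ok = ($status.IsTamperProtected -eq $true)
       Fix  = $null }   # managed from the Defender portal / Windows Security, no local cmdlet
    @{ Name = 'ASR rule: block credential stealing from LSASS (block mode)'; Ok = ($asrAction -eq 1)
       Fix  = { Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRule -AttackSurfaceReductionRules_Actions Enabled } }
    @{ Name = 'LSA protection (RunAsPPL = 1 or 2)'; Ok = ($runAsPpl -in 1, 2)
       Fix  = { Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord } }   # takes effect after reboot
)

foreach ($c in $checks) {
    if ($c.Ok) { "PASS  $($c.Name)"; continue }
    "FAIL  $($c.Name)"
    if ($Remediate -and $c.Fix) { & $c.Fix; "      remediation applied" }
}
```

Run it without `-Remediate` first to see the current posture; on endpoints managed by Intune or Group Policy the local `Set-MpPreference` changes may be overwritten by policy.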
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Conference
|