One Article Review

Home - The article:
Source RiskIQ
Identifier 8599844
Publication date 2024-10-18 17:12:34 (viewed: 2024-10-18 18:12:50)
Title The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer
(Recycling)
Text
## Snapshot
Cyfirma has published a report analyzing the information stealer landscape, with a particular focus on Divulge, DedSec, and Duck.
## Description
These stealers, distributed primarily through platforms such as GitHub, Discord, and Telegram, are often built from open-source code and modified to target sensitive data such as browser credentials and cryptocurrency wallets. Divulge, heavily promoted on underground forums, is a successor to the Umbral stealer, with anti-VM features and the ability to steal browser data. DedSec, a copy of Doenerium, uses anti-VM tactics and evades detection by adding itself to the Windows Defender exclusion list. Duck Stealer, which shares much of its code with AZStealer, is designed to collect browser data, steal cryptocurrency, and capture Discord tokens. All three stealers use various evasion techniques to bypass detection and have integrated anti-analysis features. Cyfirma notes that these tools are often promoted through Telegram or Discord channels and that their developers retain access to all data collected by the users who deploy these stealers. Many are advertised as "free" but come with the hidden risk of dual-hook infections. Overall, the report highlights the growing threat of information stealers, particularly those targeting browser and Discord data, with active promotion across various online communities.
## Microsoft Analysis and Additional OSINT Context
Cybercriminals are increasingly using messaging apps to exfiltrate targeted data. These platforms offer several advantages that make them attractive to threat actors. Firstly, Telegram and Discord provide a combination of simplicity, security, and anonymity that lets cybercriminals communicate easily, either in private chats or in public channels, without the oversight common in traditional underground forums. Telegram, in particular, enables [encrypted communication](https://tsf.telegram.org/manuals/e2ee-simple) and has been criticized for a "laissez-faire approach to privacy policies", which malicious actors might perceive as bolstering the security of their operations. Additionally, these platforms support features such as webhooks and bots, which attackers exploit to distribute malware and conduct phishing attacks. For example, Discord's webhooks, originally designed for notifications, can be misused to exfiltrate data collected by information stealers by sending it to attacker-controlled channels over HTTPS requests. This misuse of webhooks complicates monitoring and blocking efforts because of their integration with various applications and the encryption in use. Discord's content delivery network (CDN) is also [exploited by cybercriminals](https://www.resecurity.com/blog/article/millions-of-undetectable-malicious-urls-generated-via-the-abuse-of-public-cloud-and-web-30-services) to host malware payloads, making it an effective distribution tool. Because these platforms offer both robust automation capabilities and discreet communication options, they have become increasingly attractive to cybercriminals looking to bypass traditional security measures and reach a wider audience.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the status of
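The webhook exfiltration path described above is something a SOC can look for at the egress proxy: a stealer that posts its loot to a Discord webhook or a Telegram bot produces an outbound POST to a recognisable URL shape, often with a scripting user agent and an upload size out of proportion to a notification. The Python detector below is an added example, not code from the original report, Cyfirma or Microsoft; its proxy log format, the sample lines, the host list, the 64 KiB upload threshold and the user-agent prefixes are all constructed assumptions to be tuned to your environment. It deliberately keeps only the webhook or bot id in its findings and discards the secret token that the URL carries.

```python
"""Flag outbound proxy-log entries that look like infostealer exfiltration over
Discord webhooks or the Telegram Bot API. Log format and sample lines are
constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumed proxy log format: ts src_ip method url status bytes_out "user_agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)
# Discord webhook URLs carry an id and a secret token; the Telegram Bot API
# embeds the bot token in the path. Both are parsed so the secret can be redacted.
DISCORD_WEBHOOK_RE = re.compile(r"^/api/webhooks/(?P<id>\d+)/(?P<token>[\w-]+)")
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<id>\d+):(?P<token>[\w-]+)/(?P<api>\w+)")
DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
LARGE_UPLOAD_BYTES = 64 * 1024  # assumed threshold; tune to your environment
SCRIPTED_UA_PREFIXES = ("python-requests", "python-urllib", "curl/",
                        "Go-http-client", "PowerShell", "WinHttp")

# Constructed sample log: one benign page load, one Discord CDN download, two
# webhook POSTs (one large and scripted, one tiny) and one Telegram bot upload.
SAMPLE_LOG = """\
2024-10-18T17:01:02Z 10.0.0.14 GET https://www.example.org/index.html 200 512 "Mozilla/5.0"
2024-10-18T17:01:09Z 10.0.0.14 POST https://discord.com/api/webhooks/111111111111111111/AbCdEf-ghIJKlmnOP_qrstuvWXYZ0123456789 204 184320 "python-requests/2.31.0"
2024-10-18T17:02:30Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/1/2/image.png 200 20480 "Mozilla/5.0 Discord"
2024-10-18T17:03:11Z 10.0.0.31 POST https://api.telegram.org/bot123456789:AAExampleBotTokenXXXX/sendDocument 200 65536 "Mozilla/5.0"
2024-10-18T17:04:00Z 10.0.0.14 POST https://discord.com/api/webhooks/222222222222222222/zzzz 204 300 "Discord-Webhooks/1.0"
"""


@dataclass
class Finding:
    ts: str
    src: str
    channel: str      # "discord" or "telegram"
    identifier: str   # id only; the secret part of the URL is never stored
    bytes_out: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[Finding]:
    """Return a Finding for a webhook/bot upload, else None."""
    if entry["method"] != "POST":  # exfiltration is an upload; ignore downloads
        return None
    u = urlparse(entry["url"])
    bytes_out = int(entry["bytes_out"])
    scripted = entry["ua"].startswith(SCRIPTED_UA_PREFIXES)
    if u.hostname in DISCORD_HOSTS:
        m = DISCORD_WEBHOOK_RE.match(u.path)
        if m:
            reasons = []
            if bytes_out >= LARGE_UPLOAD_BYTES:
                reasons.append(f"large upload ({bytes_out} bytes)")
            if scripted:
                reasons.append(f"scripted user agent ({entry['ua']})")
            severity = "high" if reasons else "medium"
            reason = "; ".join(reasons) or "POST to a Discord webhook from an endpoint"
            return Finding(entry["ts"], entry["src"], "discord",
                           f"discord webhook id {m.group('id')} (token redacted)",
                           bytes_out, severity, reason)
    if u.hostname == "api.telegram.org":
        m = TELEGRAM_BOT_RE.match(u.path)
        if m:
            # Any endpoint talking to the Bot API directly is worth a look.
            return Finding(entry["ts"], entry["src"], "telegram",
                           f"telegram bot id {m.group('id')} (token redacted)",
                           bytes_out, "high",
                           f"Bot API call {m.group('api')} from an endpoint")
    return None


def scan_log(text: str) -> list:
    """Run the classifier over every parseable line of a proxy log."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.identifier}: {f.reason}")
```

The medium-severity hit on the tiny webhook POST is intentional: legitimate integrations also post to webhooks, so that tier is for triage by asset owner rather than blocking. The webhook id and bot id are enough to raise a takedown request with the platform; the token has no defensive value and is dropped before the finding is stored.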
Notes ★★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat


Articles that picked this one up (1):
Source RiskIQ
Identifier 8598927
Publication date 2024-10-16 20:34:29 (viewed: 2024-10-16 21:12:41)
Title Distribution of Meduza Stealer via Telegram, allegedly on behalf of Reserve+ technical support
(Recycling)
Text
## Snapshot
The Computer Emergency Response Team of Ukraine (CERT-UA) reported the distribution of malicious messages through the Telegram account @reserveplusbot, which was previously associated with the Reserve+ technical support. These messages urged recipients to install "special software" and included a ZIP file that ultimately delivered the Meduza Stealer malware.
## Description
The ZIP archive contained an executable that downloaded additional malware designed to steal various document types (.txt, .doc, .pdf, etc.) before deleting itself. To evade detection, the malware added its directory to Microsoft Defender's exclusion list using a PowerShell command (example: 'Add-MpPreference -ExclusionPath "%USERPROFILE%\yqpedcpefpenrwim"').
## Microsoft Analysis and Additional OSINT Context
The [Meduza Stealer](https://www.silentpush.com/blog/meduza-stealer/), first sold on a Russian-speaking dark web forum in June 2023, is a lightweight C++ malware known for its adaptability and competitive pricing. It targets Windows systems, stealing sensitive information like cookies, login credentials, and data from browser extensions, including password managers and cryptocurrency wallets. Meduza terminates itself if it detects that the host machine is in specific countries, including Russia and many former Soviet republics, but otherwise connects to a command-and-control server for data exfiltration. Its advanced evasion techniques allow it to bypass most popular antivirus software, making it difficult to detect through both static and dynamic analysis. Meduza's operators use Telegram to communicate malware updates to their user base. Read more [here](https://sip.security.microsoft.com/intel-explorer/articles/1bdfb795) about CERT-UA's warning about recent cybercriminal activity using Meduza Stealer.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of the threat of information stealers.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Mic
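Both articles describe the same Defender-evasion trick: DedSec (first article) and the Meduza dropper (this article) add their own directory to the Microsoft Defender exclusion list with Add-MpPreference. On a host with PowerShell script block logging enabled, that command lands verbatim in the Microsoft-Windows-PowerShell/Operational log as Event ID 4104, which gives a SOC a place to detect it. The Python detector below is an added example, not code from the page, CERT-UA or Microsoft; the event records, the list of user-writable locations and the severity rules are constructed assumptions. It goes a little beyond the page's single -ExclusionPath case and also handles -ExclusionProcess, -ExclusionExtension, Set-MpPreference and comma-separated value lists.

```python
"""Detect Microsoft Defender exclusion tampering in PowerShell script block log
text. The event records below are constructed for this example."""
import re
from dataclasses import dataclass

# Constructed sample records: (event_id, user, script_block_text). Event ID 4104
# is the PowerShell ScriptBlockLogging event; only the first and last two
# records are tampering, the third is a harmless read of the current settings.
SAMPLE_EVENTS = [
    (4104, r"CORP\alice",
     r'Add-MpPreference -ExclusionPath "%USERPROFILE%\yqpedcpefpenrwim"'),
    (4104, r"CORP\svc-build",
     r"Add-MpPreference -ExclusionPath 'C:\BuildAgent\work' -ExclusionProcess 'msbuild.exe'"),
    (4104, r"CORP\carol",
     r"Get-MpPreference | Select-Object ExclusionPath"),
    (4104, r"CORP\dave",
     r'Add-MpPreference -ExclusionPath $env:APPDATA\svc, "C:\Users\Public\tools" -ExclusionExtension exe'),
]

# Only Add-/Set-MpPreference change exclusions; Get-MpPreference merely reads them.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# One -Exclusion* parameter and its value(s), up to the next parameter or end of line.
EXCLUSION_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension)\s+(?P<vals>.+?)(?=\s+-[A-Za-z]+|\s*$)",
    re.IGNORECASE,
)
# Assumed list of locations a standard user can write to; an exclusion there
# is exactly what a stealer dropped into the profile needs.
USER_WRITABLE_RE = re.compile(
    r"(%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC)%"
    r"|\$env:(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC)\b"
    r"|[A-Z]:\\Users\\|\\AppData\\|\\Temp\\|[A-Z]:\\ProgramData\\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    user: str
    kind: str       # "path", "process" or "extension"
    value: str
    severity: str
    reason: str


def is_user_writable(value: str) -> bool:
    """True if the exclusion points into a location a standard user can write."""
    return USER_WRITABLE_RE.search(value) is not None


def split_values(raw: str) -> list:
    """Split a comma-separated PowerShell value list and strip surrounding quotes."""
    return [v.strip().strip("\"'") for v in raw.split(",") if v.strip()]


def assess(kind: str, value: str) -> tuple:
    """Assumed severity rules: blanket extension exclusions and anything in a
    user-writable location are high; everything else still needs review."""
    if kind == "extension":
        return "high", "blanket exclusion of a file extension"
    if is_user_writable(value):
        return "high", "exclusion inside a user-writable location"
    return "medium", "exclusion outside user-writable paths; verify against change records"


def scan_events(events) -> list:
    """Return one Finding per excluded value found in 4104 script block text."""
    findings = []
    for event_id, user, text in events:
        if event_id != 4104 or not CMDLET_RE.search(text):
            continue
        for m in EXCLUSION_RE.finditer(text):
            kind = m.group("kind").lower()
            for value in split_values(m.group("vals")):
                severity, reason = assess(kind, value)
                findings.append(Finding(user, kind, value, severity, reason))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} {f.kind}={f.value}: {f.reason}")
```

Script block text is only one source: Defender itself records every configuration change, however it was made, as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so the same rule is worth running over that event's new-value text as well. For a point-in-time audit of hosts that were not logging at the time, Get-MpPreference lists the exclusions currently in force.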
Notes ★★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat Technical


The article does not appear to have been picked up from an earlier one.