Home - The article:
Source |
RiskIQ |
Identifier |
8607234 |
Publication date |
2024-11-06 22:17:45 (viewed: 2024-11-06 23:11:08) |
Title |
CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits |
Text |
#### Targeted Geolocations
- United States
- Western Europe
- Southern Europe
- Northern Europe
- Eastern Europe
- East Asia
- South America
#### Targeted Industries
- Information Technology
- Digital, Print and Broadcast Media
## Snapshot
Check Point Research has uncovered a large-scale, sophisticated phishing campaign dubbed "CopyRh(ight)adamantys," which deploys the latest version of the Rhadamanthys info-stealer (version 0.7).
## Description
This campaign targets entities across the U.S., Europe, East Asia, and South America using a copyright infringement theme and impersonates a wide array of companies. Most impersonated brands are from the entertainment, media, technology, and software sectors, enhancing the credibility of the phishing attempts. Attackers send tailored emails from different Gmail accounts to each target, often in the recipient's native language, though occasional localization errors suggest automated processing, possibly AI-enhanced.
The campaign's infection process involves a link to a password-protected archive file, which, when downloaded, installs the Rhadamanthys stealer via DLL sideloading. Once active, the stealer writes files that bypass hash-based antivirus detection by slightly altering the file size and hash. The stealer also injects malicious modules into processes like "dllhost.exe" to evade detection further and maintain persistence.
One of Rhadamanthys 0.7's highlighted features is its Optical Character Recognition (OCR) module, which is configured with search terms to scan for specific phrases, likely targeting financial data such as Bitcoin wallet keys, suggesting a financially motivated attack rather than espionage.
According to Check Point Research, this campaign is likely the work of a cybercrime group due to its global reach and wide target selection across industries, aimed at maximizing financial gains. The attackers' extensive use of automation and potentially AI indicates an evolving threat landscape where phishing tactics are becoming increasingly sophisticated and widespread.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
|
The article does not appear to have been picked up after its publication.
The article resembles 1 other article(s):
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-11-07 21:28:49 |
(Déjà vu) New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency (direct link) |
## Snapshot
A new crimeware bundle named "SteelFox" was identified in August 2024, which is distributed through forum posts and malicious torrents disguised as popular software activators for programs like Foxit PDF Editor and AutoCAD. The malware tricks users into downloading what they believe to be legitimate software, which then deploys a multi-stage attack.
## Description
The initial dropper requests administrator access and uses AES-128 encryption to drop and decrypt a second-stage payload. This loader, disguised as a Windows service, checks against running services to avoid detection, creates a service for persistence, and loads the final stage. The final payload involves a DLL that exploits vulnerable WinRing0.sys drivers, enabling privilege escalation, and launches a modified XMRig miner and a stealer component that collects a wide range of user data, including browser cookies and credit card information.
The SteelFox campaign operates on a mass scale with over 11,000 detections worldwide, particularly in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The malware uses the StartServiceCtrlDispatcherW function for decryption and injection, and it employs an unusual persistence mechanism by interacting with the AppInfo service. It resolves the IP address of its C2 server using Google Public DNS and DNS over HTTPS to remain undetected and sends collected data to the C2 server in a large JSON file via TLSv1.3 with SSL pinning. The campaign is not targeted at specific individuals or organizations, and attribution remains uncertain, with posts linking to the malware often made by compromised accounts or unaware users.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of Information Stealer threats.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refe |
Ransomware
Spam
Malware
Tool
Threat
Cloud
|
|
★★