The article:
Source: RiskIQ
Identifier: 8607768
Publication date: 2024-11-07 21:35:51 (viewed: 2024-11-07 22:07:22)
Title: Wish Stealer (Recycled)
Text:
## Snapshot
CYFIRMA released a report detailing Wish Stealer, a new information stealer malware that targets Windows systems to exfiltrate information from Discord, web browsers, and cryptocurrency wallets, among other applications.
## Description
This malware gains access by exploiting user sessions, allowing it to extract login credentials, cookies, credit card details, and even disable antivirus software. It monitors two-factor authentication codes, making it a threat to both personal and corporate security.
The malware deploys a "clipper" function that monitors the clipboard, replacing cryptocurrency wallet addresses with those controlled by the attacker to misdirect funds. By executing stealth functions, such as anti-debugging, anti-VM (virtual machine), and anti-defender capabilities, Wish Stealer evades detection and enhances its persistence on infected systems. Stored credentials for social media and other applications, often found in the AppData folder, are also targeted, allowing the malware to access accounts and bypass two-factor authentication.
Additionally, Wish Stealer uses various folders to manage and execute its functions, including hiding itself as a legitimate process in the $APPDATA directory. It even injects code to gather and archive stolen data, subsequently uploading it to a server, and delivers the data to hackers via Discord. The tool has been circulating on the surface web since October 2024, but threat actors on Discord have been promoting its sale since late September.
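The clipper behaviour described above (a copied wallet address silently overwritten with an attacker-controlled one) can be caught on the defender side by watching for a wallet address being replaced by a different address of the same kind within a fraction of a second. The following Python is an added example, not code from the CYFIRMA report or from Microsoft; the clipboard snapshot list, its timestamps and the addresses in it are constructed for this illustration, and a real monitor would poll the OS clipboard instead.

```python
import re

# Constructed clipboard snapshot log: (seconds since monitor start, clipboard text).
# A real implementation would collect these by polling the OS clipboard.
SNAPSHOTS = [
    (0.0, "meeting notes for Thursday"),
    (12.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),    # user copies a BTC address
    (12.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),    # overwritten 300 ms later
    (40.0, "0x52908400098527886E0F7030069857D2E4169EE7"),  # ETH address, untouched
    (95.0, "0xde709f2102306220921060314715629080e2fb77"),  # a separate, later copy
]

# Coarse address shapes: bech32 and legacy (base58, no 0/O/I/l) Bitcoin, and hex Ethereum.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the wallet-address kind of a clipboard value, or None if it is not an address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def find_substitutions(snapshots, window=2.0):
    """Flag consecutive snapshots where an address of one kind is replaced by a
    different address of the same kind within `window` seconds.

    A user pasting two different addresses of the same kind in quick succession
    would also trigger this, so treat a hit as a lead to verify, not a verdict.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind_prev, kind_cur = classify(prev), classify(cur)
        if kind_prev and kind_prev == kind_cur and prev != cur and (t_cur - t_prev) <= window:
            alerts.append({"kind": kind_cur, "at": t_cur, "original": prev, "replacement": cur})
    return alerts


if __name__ == "__main__":
    for alert in find_substitutions(SNAPSHOTS):
        print(f"[{alert['at']:.1f}s] {alert['kind']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```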
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/
Notes: ★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat
Reposts of the article (1):
Source: RiskIQ
Identifier: 8607769
Publication date: 2024-11-07 21:28:49 (viewed: 2024-11-07 22:07:22)
Title: New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency (Recycled)
Text:
## Snapshot
A new crimeware bundle named "SteelFox" was identified in August 2024, which is distributed through forum posts and malicious torrents disguised as popular software activators for programs like Foxit PDF Editor and AutoCAD. The malware tricks users into downloading what they believe to be legitimate software, which then deploys a multi-stage attack.
## Description
The initial dropper requests administrator access and uses AES-128 encryption to drop and decrypt a second-stage payload. This loader, disguised as a Windows service, checks against running services to avoid detection, creates a service for persistence, and loads the final stage. The final payload involves a DLL that exploits vulnerable WinRing0.sys drivers, enabling privilege escalation, and launches a modified XMRig miner and a stealer component that collects a wide range of user data, including browser cookies and credit card information.
The SteelFox campaign operates on a mass scale with over 11,000 detections worldwide, particularly in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The malware uses the StartServiceCtrlDispatcherW function for decryption and injection, and it employs an unusual persistence mechanism by interacting with the AppInfo service. It resolves the IP address of its C2 server using Google Public DNS and DNS over HTTPS to remain undetected and sends collected data to the C2 server in a large JSON file via TLSv1.3 with SSL pinning. The campaign is not targeted at specific individuals or organizations, and attribution remains uncertain, with posts linking to the malware often made by compromised accounts or unaware users.
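The chain described above leaves several independently observable traces on an endpoint: a service installed from a user-writable path, a load of the vulnerable WinRing0.sys driver, DNS over HTTPS to Google Public DNS from a process that is not a browser, and a large TLS upload to the C2. The Python below is an added example, not code from the source report or from Microsoft, that correlates those stages per host so that one stage alone (a browser using DoH, say) does not alert. The event dictionary format, hostnames, paths, and the 1 MB and 600-second thresholds are assumptions chosen for this illustration.

```python
from collections import defaultdict

# Constructed endpoint telemetry, one dict per event; the schema is assumed for this example.
EVENTS = [
    {"host": "ws-17", "t": 100, "type": "service_installed", "image": r"C:\Users\a\AppData\Local\Temp\svc.exe"},
    {"host": "ws-17", "t": 140, "type": "driver_loaded", "image": r"C:\Windows\Temp\WinRing0.sys"},
    {"host": "ws-17", "t": 150, "type": "net_connect", "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "dst": "dns.google", "port": 443},
    {"host": "ws-17", "t": 160, "type": "net_connect", "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "dst": "203.0.113.7", "port": 443, "bytes_out": 5_200_000},
    {"host": "ws-02", "t": 100, "type": "service_installed", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "ws-02", "t": 300, "type": "net_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "dns.google", "port": 443},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\program files")   # service binaries expected here
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")         # DoH from these is normal


def stage(event):
    """Map one event to the SteelFox-like stage it matches, or None."""
    image = event.get("image", "").lower()
    if event["type"] == "service_installed" and not image.startswith(SYSTEM_DIRS):
        return "service_from_user_path"
    if event["type"] == "driver_loaded" and image.endswith("winring0.sys"):
        return "vulnerable_driver"
    if event["type"] == "net_connect" and event.get("dst") == "dns.google" and not image.endswith(BROWSERS):
        return "doh_from_non_browser"
    if event["type"] == "net_connect" and event.get("port") == 443 and event.get("bytes_out", 0) >= 1_000_000:
        return "large_tls_upload"
    return None


def correlate(events, window=600, min_stages=3):
    """Return {host: sorted stage names} for hosts showing at least `min_stages`
    distinct stages within any `window`-second span, oldest stage first."""
    per_host = defaultdict(list)
    for event in events:
        name = stage(event)
        if name:
            per_host[event["host"]].append((event["t"], name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {name for t, name in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```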
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of Information Stealer threats.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refe
Notes: ★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat, Cloud
The article does not appear to be a repost of an earlier one.