One Article Review

The article:
Source: RiskIQ
Identifier: 8607769
Publication date: 2024-11-07 21:28:49 (viewed: 2024-11-07 22:07:22)
Title: New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency (Recycled)
Text:

## Snapshot

A new crimeware bundle named "SteelFox" was identified in August 2024. It is distributed through forum posts and malicious torrents disguised as popular software activators for programs such as Foxit PDF Editor and AutoCAD. The malware tricks users into downloading what they believe to be legitimate software, which then deploys a multi-stage attack.

## Description

The initial dropper requests administrator access and uses AES-128 encryption to drop and decrypt a second-stage payload. This loader, disguised as a Windows service, checks the running services to avoid detection, creates a service for persistence, and loads the final stage. The final payload is a DLL that exploits a vulnerable WinRing0.sys driver to escalate privileges, then launches a modified XMRig miner and a stealer component that collects a wide range of user data, including browser cookies and credit card information.

The SteelFox campaign operates at mass scale, with over 11,000 detections worldwide, particularly in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The malware performs its decryption and injection from the service entry registered through StartServiceCtrlDispatcherW, and it employs an unusual persistence mechanism that interacts with the AppInfo service. It resolves the IP address of its C2 server through Google Public DNS and DNS over HTTPS to avoid detection, and sends the collected data to the C2 server as a large JSON file over TLS 1.3 with certificate (SSL) pinning. The campaign is not targeted at specific individuals or organizations, and attribution remains uncertain; the posts linking to the malware are often made from compromised accounts or by unwitting users.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of information stealer threats.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refe
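The chain described above leaves three host-level artefacts a defender can key on: a WinRing0.sys driver load, a new service whose binary lives in a user-writable path, and a non-browser process talking TLS to a public DoH resolver (Google Public DNS answers DoH on 8.8.8.8 and 8.8.4.4 port 443). The following is an added example, not code from the Securelist or RiskIQ write-up, that scores those artefacts per host over a constructed set of Sysmon-style events (event id 6 = driver load, 3 = network connection, plus System log 7045 = service installed). The browser allowlist, path patterns, hostnames and file names are assumptions made for illustration.

```python
"""Hunt rules for the SteelFox chain over constructed Sysmon-style events.

Added example. Event ids follow Sysmon conventions (3 = network connection,
6 = driver load) plus System log 7045 (service installed). The events, paths,
host names and process names are constructed for this illustration.
"""
import re
from collections import defaultdict

# Google Public DNS resolvers; the same addresses serve DoH (dns.google) on 443.
DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
# Assumption: the only processes expected to speak DoH to a public resolver.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Assumption: paths an unprivileged user can write to and services should not run from.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata|windows\\temp|programdata)\\", re.I)
WINRING0 = re.compile(r"\\winring0(x64)?\.sys$", re.I)

EVENTS = [  # constructed telemetry
    {"id": 7045, "host": "ws01", "service": "WindowsUpdateHelper",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"id": 6, "host": "ws01", "image": r"C:\Windows\Temp\WinRing0x64.sys"},
    {"id": 3, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dst_ip": "8.8.8.8", "dst_port": 443},
    {"id": 3, "host": "ws01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "8.8.8.8", "dst_port": 443},
    {"id": 6, "host": "ws02", "image": r"C:\Program Files\HardwareMonitor\WinRing0x64.sys"},
    {"id": 3, "host": "ws03", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (rule, detail) when an event matches a hunt rule, else None."""
    eid, image = event["id"], event["image"]
    if eid == 6 and WINRING0.search(image):
        return "vulnerable_driver_load", image
    if eid == 7045 and USER_WRITABLE.search(image):
        return "service_from_user_writable_path", f"{event['service']} -> {image}"
    if (eid == 3 and event.get("dst_port") == 443
            and event.get("dst_ip") in DOH_RESOLVERS
            and basename(image) not in BROWSERS):
        return "doh_from_non_browser", f"{image} -> {event['dst_ip']}:443"
    return None


def hunt(events):
    """Per host, collect rule hits and grade them.

    The driver load alone is 'medium' (legitimate hardware-monitoring tools ship
    WinRing0 too); the driver plus service persistence or DoH beaconing from a
    non-browser is 'high'; hits without the driver are 'low'.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        match = evaluate(ev)
        if match:
            hits[ev["host"]][match[0]].append(match[1])
    report = {}
    for host, rules in hits.items():
        if "vulnerable_driver_load" in rules and len(rules) > 1:
            severity = "high"
        elif "vulnerable_driver_load" in rules:
            severity = "medium"
        else:
            severity = "low"
        report[host] = {"severity": severity, "rules": dict(rules)}
    return report


if __name__ == "__main__":
    for host, result in hunt(EVENTS).items():
        print(host, result["severity"], sorted(result["rules"]))
```

The driver rule is deliberately not suppressed for "known good" paths: a vulnerable driver is abusable wherever it sits, so the right control is blocking the driver's hash (for example through a vulnerable-driver blocklist), while the severity grading only decides triage order.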
Tags: Ransomware Spam Malware Tool Threat Cloud


Articles that reuse this one (1):
Source: RiskIQ
Identifier: 8607234
Publication date: 2024-11-06 22:17:45 (viewed: 2024-11-06 23:11:08)
Title: CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits
Text:

#### Targeted Geolocations
- United States
- Western Europe
- Southern Europe
- Northern Europe
- Eastern Europe
- East Asia
- South America

#### Targeted Industries
- Information Technology
- Digital, Print and Broadcast Media

## Snapshot

Check Point Research has uncovered a large-scale, sophisticated phishing campaign dubbed "CopyRh(ight)adamantys," which deploys the latest version of the Rhadamanthys info-stealer (version 0.7).

## Description

This campaign targets entities across the U.S., Europe, East Asia, and South America using a copyright infringement theme and impersonates a wide array of companies. Most impersonated brands are from the entertainment, media, technology, and software sectors, which lends credibility to the phishing attempts. The attackers send tailored emails from different Gmail accounts to each target, often in the recipient's native language, though occasional localization errors suggest automated processing, possibly AI-assisted.

The infection chain starts with a link to a password-protected archive; once downloaded and opened, it installs the Rhadamanthys stealer via DLL sideloading. Once active, the stealer writes files that evade hash-based antivirus detection by slightly altering the file size and therefore its hash. It also injects malicious modules into processes such as "dllhost.exe" to evade detection further and maintain persistence. One of Rhadamanthys 0.7's highlighted features is its Optical Character Recognition (OCR) module, which is configured with search terms to scan for specific phrases, likely targeting financial data such as Bitcoin wallet keys; this points to a financially motivated attack rather than espionage.

According to Check Point Research, this campaign is likely the work of a cybercrime group, given its global reach and wide target selection across industries, aimed at maximizing financial gain. The attackers' extensive use of automation and potentially AI indicates an evolving threat landscape in which phishing tactics are becoming increasingly sophisticated and widespread.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce
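The "slightly altering the file size and hash" trick works because a file-hash blocklist compares the digest of the whole file, and one appended byte changes it. Bytes appended after the last PE section form an overlay that the loader never maps, so a digest computed only over headers and section data survives that padding. The following is an added example, not Check Point's or RiskIQ's code, that builds a minimal one-section PE as a test fixture, pads it, and shows the plain file hash changing while an overlay-aware hash does not. The header field values are assumptions and the fixture is not an executable image.

```python
"""Overlay-aware hashing of a PE file, added example (not the report's code).

build_minimal_pe() is a test fixture: it emits a syntactically valid but
non-runnable image with one section so that overlay_offset() has real
headers to parse. Header field values are assumptions.
"""
import hashlib
import struct


def build_minimal_pe(section_data: bytes) -> bytes:
    """Construct a tiny PE: DOS stub, PE signature, COFF header, blank optional
    header, one section header, then the section's raw data at alignment 0x200."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = 0xF0
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)
    optional = b"\0" * opt_size  # contents irrelevant for the parser below
    headers_end = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    #   PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    #   NumberOfRelocations, NumberOfLinenumbers, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers.ljust(raw_ptr, b"\0") + section_data


def overlay_offset(pe: bytes) -> int:
    """Offset just past the last section's raw data: where an overlay begins."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    end = table + 40 * nsections  # at least the headers themselves
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))  # tolerate truncated files


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def structural_hash(pe: bytes) -> str:
    """SHA-256 over headers and sections only; appended overlay bytes are ignored."""
    return file_hash(pe[:overlay_offset(pe)])


def compare(original: bytes, modified: bytes) -> dict:
    return {
        "file_hash_matches": file_hash(original) == file_hash(modified),
        "structural_hash_matches": structural_hash(original) == structural_hash(modified),
        "overlay_bytes": len(modified) - overlay_offset(modified),
    }


ORIGINAL = build_minimal_pe(b"\x48\x31\xc0\xc3" * 64)  # constructed stand-in for a sideloaded DLL
PADDED = ORIGINAL + b"\xcc" * 37                       # the "slightly altered" copy

if __name__ == "__main__":
    print(compare(ORIGINAL, PADDED))
```

The structural hash is only a first layer: an attacker who pads inside a section, re-links, or re-obfuscates the DLL changes it as well, which is why the page's other indicators (DLL sideloading from an archive, injection into dllhost.exe) belong in the detection alongside any hash.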
Tags: Ransomware Spam Malware Tool Threat


The article resembles 2 other article(s):

Source: RiskIQ
Date (GMT): 2024-11-07 21:35:51 (Déjà vu)
Title: Wish Stealer
Text:

## Snapshot

CYFIRMA released a report detailing Wish Stealer, a new information stealer that targets Windows systems to exfiltrate data from Discord, web browsers, and cryptocurrency wallets, among other applications.

## Description

The malware gains access by hijacking user sessions, which allows it to extract login credentials, cookies, and credit card details, and even to disable antivirus software. It monitors two-factor authentication codes, making it a threat to both personal and corporate security. The malware deploys a "clipper" function that monitors the clipboard and replaces cryptocurrency wallet addresses with attacker-controlled ones to misdirect funds. Using stealth functions such as anti-debugging, anti-VM (virtual machine), and anti-Defender capabilities, Wish Stealer evades detection and strengthens its persistence on infected systems. Stored credentials for social media and other applications, often found in the AppData folder, are also targeted, allowing the malware to access accounts and bypass two-factor authentication. Wish Stealer additionally uses several folders to stage and execute its functions, including hiding itself as a legitimate-looking process under the $APPDATA directory. It injects code to gather and archive the stolen data, then uploads it to a server and delivers it to the operators via Discord. The tool has been circulating on the surface web since October 2024, but threat actors on Discord have been promoting its sale since late September.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/

Tags: Ransomware Spam Malware Tool Threat
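A clipper is detectable by its timing: the user copies a wallet address and, within milliseconds, the clipboard holds a different address of the same asset, written by a process the user did not interact with. The following is an added example, not CYFIRMA's or RiskIQ's code, that runs that check over a constructed clipboard history. The event shape (timestamp, writing process, text), the process names and the address strings are assumptions; the addresses are synthetic strings that merely satisfy the BTC and ETH formats.

```python
"""Flag clipboard swaps of the kind a "clipper" performs. Added example over a
constructed clipboard history; event shape, process names and the synthetic
addresses are assumptions."""
import re
from dataclasses import dataclass

# Address formats recognised here (legacy/P2SH and bech32 Bitcoin, hex Ethereum).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipEvent:
    t_ms: int     # monotonic timestamp of the clipboard update
    writer: str   # process that set the clipboard content (assumed available)
    text: str


def classify(text: str):
    """Return the asset whose address format `text` matches, or None."""
    candidate = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return asset
    return None


def find_swaps(events, window_ms=500):
    """Consecutive updates where an address of asset X is replaced by a *different*
    address of the same asset within `window_ms`, by a different process than the
    one that wrote it. A user pasting two addresses seconds apart does not fire."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.t_ms)
    for prev, cur in zip(ordered, ordered[1:]):
        asset = classify(prev.text)
        if asset is None or classify(cur.text) != asset:
            continue
        if prev.text.strip() == cur.text.strip():
            continue  # re-copy of the same value, not a substitution
        if cur.t_ms - prev.t_ms > window_ms or cur.writer == prev.writer:
            continue
        alerts.append({
            "asset": asset,
            "original": prev.text,
            "replacement": cur.text,
            "writer": cur.writer,
            "delay_ms": cur.t_ms - prev.t_ms,
        })
    return alerts


HISTORY = [  # constructed; addresses are synthetic format samples
    ClipEvent(1000, "chrome.exe", "1" + "A" * 33),
    ClipEvent(1040, "WindowsService.exe", "bc1q" + "z" * 38),  # swapped 40 ms later
    ClipEvent(5000, "chrome.exe", "0x" + "ab" * 20),
    ClipEvent(9000, "chrome.exe", "0x" + "cd" * 20),           # same user, seconds apart
    ClipEvent(9500, "notepad.exe", "meeting at 10"),
]

if __name__ == "__main__":
    for alert in find_swaps(HISTORY):
        print(alert)
```

On Windows the writing process can be recovered from the clipboard owner window at update time; where that telemetry is not available, the writer check has to be dropped and the time window tightened, at the cost of more noise from password managers and wallet apps that legitimately rewrite the clipboard.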
Source: RiskIQ
Date (GMT): 2024-11-08 18:01:58 (Déjà vu)
Title: RunningRAT's Next Move: From Remote Access to Crypto Mining for Profit
Text:

## Snapshot

Hunt[.]IO published a report detailing how RunningRAT, a remote access trojan (RAT) traditionally used for information theft and remote access, has been observed deploying crypto-mining payloads.

## Description

First observed in attacks targeting the PyeongChang Winter Olympics, RunningRAT has traditionally let attackers monitor systems, disable anti-malware software, and exfiltrate data to command-and-control (C2) servers. Recent analysis, however, shows that RunningRAT is now also used for financial gain through cryptocurrency mining, as evidenced by crypto-mining scripts discovered on its servers. This new variant downloads and installs Monero mining software (XMRig) using open directories and scripts, hijacking system resources such as CPU power for mining. It also checks the hardware capabilities of compromised systems to judge their suitability for mining. The malware achieves persistence by disguising itself as a legitimate Windows service, which makes it harder for users to detect.

According to Hunt[.]IO, the presence of RunningRAT samples in publicly accessible online repositories, together with its evolving tactics, indicates that the malware is being actively adapted and redeployed for varied purposes. This shift illustrates how established malware keeps evolving, posing ongoing risk to users and underscoring the importance of staying vigilant against new capabilities in familiar threats.

## Recommendations

Although every situation is unique to the customer and their environment, the following recommendations are broadly applicable to help identify and mitigate cryptojacking attacks:

- Separate privileged roles: administrator and user accounts should be distinct. Use [Privileged Identity Management](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) or separate accounts for privileged tasks, limiting accounts with excessive permissions. Enforce multi-factor authentication (MFA) and [Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview), especially for accounts with elevated roles.
- Implement MFA: ensure full use of [MFA](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa), especially for accounts with Virtual Machine Contributor privileges. Discourage password reuse. A complete list of cloud security recommendations can be found in [Security recommendations – a reference guide](https://learn.microsoft.com/azure/defender-for-cloud/recommendations-reference?ocid=Magicti_TA_LearnDoc).
- Use risk-based sign-in behaviors and Conditional Access policies: monitor high Azure Active Directory risk scores and correlate risky behavior with subsequent activity. Implement Conditional Access policies for multifactor reauthentication, device compliance, password updates, or blocking authentication.
- Detect sign-in anomalies: use standard anomaly detection methods to identify unusual sign-in patterns, such as proxy use, anomalous locations, and user agents. Use Microsoft 365 Defender to detect suspicious activities performed by risky users.
- Monitor the

Tags: Malware Threat Cloud
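Because the variant above runs XMRig under a service name chosen to look legitimate, the binary name and service name are unreliable; the command line usually still carries the pool and wallet. The following is an added example, not Hunt.io's or Microsoft's code, that scores constructed process command lines for miner indicators, and includes svchost.exe's own -k flag to show why a flag XMRig shares with ordinary programs must never fire on its own. The flag lists, pool ports, hostnames, paths and the 95-character wallet placeholders are assumptions.

```python
"""Score process command lines for CPU-miner (XMRig-style) indicators.

Added example over constructed command lines; flag lists, pool ports, paths
and the wallet placeholders are assumptions made for illustration."""
import re

# Option names that only occur on miner command lines.
MINER_ONLY_FLAGS = {"--donate-level", "--coin", "--algo", "--cpu-max-threads-hint",
                    "--randomx-1gb-pages", "--nicehash", "--rig-id", "--keepalive"}
# Flags XMRig shares with ordinary programs (svchost.exe -k <group>, -p, -u): weak evidence.
WEAK_FLAGS = {"-k", "-a", "-p", "-u", "--pass", "--user"}
POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 14433}  # assumption: common pool listeners
POOL_URL = re.compile(r"^(?:(?P<scheme>[a-z0-9+]+)://)?(?P<host>[^:/\s]+)(?::(?P<port>\d{1,5}))?", re.I)
WALLET = re.compile(r"^[A-Za-z0-9]{40,120}$")  # wallet-shaped --user value


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole
    and splitting --name=value into two tokens."""
    out = []
    for part in re.findall(r'"[^"]*"|\S+', cmdline):
        part = part.strip('"')
        if part.startswith("--") and "=" in part:
            out.extend(part.split("=", 1))
        else:
            out.append(part)
    return out


def value_of(args, *names):
    for i, arg in enumerate(args[:-1]):
        if arg in names:
            return args[i + 1]
    return None


def score_cmdline(cmdline):
    """Return (score, reasons). A single weak flag never reaches the miner threshold."""
    args = tokens(cmdline)
    flags = {a.lower() for a in args if a.startswith("-")}
    score, reasons = 0, []
    pool = value_of(args, "-o", "--url")
    match = POOL_URL.match(pool) if pool else None
    if match:
        scheme = (match.group("scheme") or "").lower()
        port = int(match.group("port")) if match.group("port") else None
        if scheme.startswith("stratum"):
            score += 3
            reasons.append(f"stratum pool {pool}")
        elif port in POOL_PORTS:
            score += 2
            reasons.append(f"pool-like port {port}")
    user = value_of(args, "-u", "--user")
    if user and WALLET.match(user):
        score += 2
        reasons.append("wallet-shaped user")
    strong = sorted(flags & MINER_ONLY_FLAGS)
    score += 2 * len(strong)
    reasons.extend(strong)
    score += len(flags & WEAK_FLAGS)
    return score, reasons


def classify(cmdline, threshold=4):
    score, reasons = score_cmdline(cmdline)
    return ("miner" if score >= threshold else "benign"), score, reasons


def triage(cmdlines):
    return [classify(c)[0] for c in cmdlines]


SAMPLE_CMDLINES = [  # constructed; "4BBB..." / "4CCC..." stand in for 95-character Monero addresses
    r'"C:\ProgramData\WindowsUpdate\svchost.exe" -o stratum+tcp://pool.example.net:3333 -u 4'
    + "B" * 94 + " -p x --donate-level 1 -k --cpu-max-threads-hint 50",
    r'"C:\Windows\System32\svchost.exe" -k netsvcs -p -s Schedule',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://pool.example.net:3333/',
    r"C:\Users\bob\AppData\Roaming\sys\wuauclt.exe --url=stratum+ssl://203.0.113.7:14444 --user=4"
    + "C" * 94 + " --pass=x --algo=rx/0",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify(cmd)[:2], cmd[:60])
```

Miners that read a JSON config instead of taking arguments leave an empty command line; for those, pair this scoring with the service-persistence and sustained-CPU signals the report describes rather than lowering the threshold.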