One Article Review
| Source |  RiskIQ |
|---|---|
| Identifiant | 8608186 |
| Date de publication | 2024-11-08 15:29:17 (vue: 2024-11-08 16:07:39) |
| Titre | BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence (Recyclage) |
| Texte | ## Snapshot SentinelLabs identified a campaign named \'Hidden Risk\' by the suspected DPRK threat actor BlueNoroff (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), targeting cryptocurrency-related businesses with novel multi-stage malware. The campaign employs phishing emails with fake news about cryptocurrency trends to deliver a malicious application disguised as a PDF file. ## Description The emails use the names of real individuals from unrelated industries and mimic forwarding messages from well-known crypto social media influencers. The initial infection is achieved via a link to this application, which is presented as a PDF document on cryptocurrency topics such as “Hidden Risk Behind New Surge of Bitcoin Price,” “Altcoin Season 2.0-The Hidden Gems to Watch,” and “New Era for Stablecoins and DeFi, CeFi.” The first stage of the attack involves a Mac application that downloads a decoy PDF and a malicious binary named \'growth,\' which acts as a backdoor to execute remote commands. This backdoor uses the SaveAndExec function to create a hidden file with world read, write, and execute permissions in the /Users/Shared directory and executes embedded commands. It is only functional on Intel architecture Mac computers or Apple silicon devices with Rosetta emulation framework installed. The malware installs persistence, gathers environmental information, generates a UUID, and communicates with a command-and-control (C2) server. A novel persistence mechanism is observed, which abuses the Zshenv configuration file, allowing the malware to persist without triggering user notifications for background Login Items in MacOS 13 Ventura and later. While this is a known technique, SentinelLabs reports that it\'s the first time they\'ve observed it in the wild. ## Microsoft Analysis and Additional OSINT Context Sapphire Sleet is a nation-state-sponsored group operating from North Korea since as early as March 2020. The group focuses primarily on organizations in the cryptocurrency sector but has been observed expanding its targets to banks within the financial services sector since 2022, and more recently, to the [aerospace and aviation sectors](https://sip.security.microsoft.com/intel-explorer/articles/aff030bb). Sapphire Sleet\'s targets are often global, with a particular interest in the United States and East Asian and African countries. The primary motivation of this group is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms. Sapphire Sleet typically uses LinkedIn as a primary method to lure users to click on links containing malicious files, often hosted in attacker-owned OneDrive or Google Drive locations. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. - Implement multifactor authentication (MFA) to mitigate credential theft from phishing attacks. MFA can be complemented with the following solutions and best practices to protect organizations: - Activate conditional access policies. [Conditional access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview?ocid=magicti_ta_learndoc) policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by activating policies regarding compliant devices or trusted IP address requirements. - Configure [continuous access evaluation](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc) in your tenant. - Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defende |
| Notes | ★★★ |
| Envoyé | Oui |
| Condensat | ### **© /users/shared 2020 2022 2024 2024** 365 365/security/defender/microsoft 365/security/office about abuses access access/concept access/overview accessed achieved across activate activating activities activity actor acts additional address advanced aerospace african against age agent alert alerts all allowing also analysis anomalous anonymizer anti any apple application architecture are asian attack attacker attacks attempts authentication automatically available aviation backdoor background banks baseline been before behavior behind best binary bitcoin block blockchain bluenoroff breach brings browser browsers build businesses but campaign can card cefi center centralizing characteristics characteristics check click com/azure/active com/defender com/deployedge/microsoft com/en com/intel com/labs/bluenoroff com/microsoft command commands common communicates complemented compliant computers conditional configuration configure configure containing content context continuous continuously contributes control cookie copyright correlating countries create credential credentials criterion crypto cryptocurrency customers decoy defaults defender defi deliver delivery deployment description detection detections/hunting determined devices directory directory/conditional directory/fundamentals/concept disguised distribution document domains downloads dprk drive early east edge email emails embedded employs emulation enable enabling endpoint endpoint/attack endpoints enforced ensures environmental era evaluated evaluation every example executable execute executes execution expanding explorer/articles/aff030bb fake faster file files financial first focused focuses following forwarding framework from function functional fundamentals gathers gems general generate generates global google group growth has hidden hosted https://docs https://learn https://security https://sip https://www identified identify identities identity impact impersonation implement implement improve incident incidents including incoming indicate individuals industries infection influencers information initial installed installs intel intellectual intelligence interest internet invest investigate investigated investigations involves isp items its key known korea korean later learndoc learndoc#block leverage link linkedin links list location locations login lure mac macos macs mailbox malicious malware management march mdi mdo mechanism media meet messages method mfa microsoft mimic mitigate mitigations monitor monitored more motivation multi multifactor named names nation network: new news north notifications novel obfuscated observed ocid=magicti office often one onedrive only operating organizations organizations: osint other owned part particular pdf permission permissions persist persistence persistence/ phishing place platforms policies posture potentially practices presented prevalence prevent price primarily primary products profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1 prohibited property protect protection protection/microsoft provider providing queries ransomware read real recently recommendations recommends reduce reduction reference reference#block reference#use references regarding related remote reports reproduction requirements reserved resilience revenue rights risk rosetta rules running safelinks sapphire saveandexec scanning scope scripts search season sector sectors security security/safe security/set security/virus sender sentinellabs sentinelone server service services session set settings sign silicon since site sleet smartscreen smartscreen/ snapshot social solutions solutions that south specific sponsored stablecoins stage state states status steal stolen such surface surge suspected suspicious system target targeting targetingcryptocurrency targets technique techniques: technology tenant than theft themselves thereof they those threat threats through time titles together topics tracked trading trends triggering trusted turn typically united unless unrelated urls us/windows/security/ |
| Tags | Malware Threat |
| Stories | |
| Move | 
|
Les reprises de l'article (1):
| Source | RiskIQ |
|---|---|
| Identifiant | 8607767 |
| Date de publication | 2024-11-07 21:47:54 (vue: 2024-11-07 22:07:22) |
| Titre | Analyse des activités de reconnaissance Cyber ?? Analysis of Cyber ??Reconnaissance Activities Behind APT37 Threat Actor |
| Texte | #### Géolocations ciblées - Corée ## Instantané Les chercheurs géniens ont analysé une série d'attaques attribuées à APT37 (également connu sous le nom de [Pearl Sleet] (https://security.microsoft.com/intel-profiles/cc39b42c403d3dde8270a88784017b42c410a89cea1c94f232fa811059066d) acteur de menace OLD, ciblant les organisations sud-coréennesImpliqué dans les droits de l'homme nord-coréens, les transfuges, les journalistes et les experts en unification et en sécurité nationale. ## Description Les attaquants ont utilisé des e-mails de phisseur de lance qui semblaient provenir de sources de confiance, contenant des fichiers de raccourcis malveillants (LNK) conçus pour exécuter des commandes PowerShellet déployer le [Rokrat] (https://security.microsoft.com/intel-profiles/8fcae4db5ec22dcdd4b6a41896def195417e2a706e3a82a6b2a3d5022220ea89f8)malware.Ce logiciel malveillant permet aux attaquants de collecter des informations système étendues, y compris des adresses IP, des données de navigateur et des types de documents spécifiques, et collecte des extensions de fichiers d'enregistrement des smartphones.Les attaques récentes comprenaient des courriels avec des documents d'apparence légitime intitulés «Tendances de la Corée du Nord en avril» et «Matériel de cours de cyber-terrorisme nord-coréen». Les charges utiles de logiciels malveillants arrivent aux côtés des documents de leurre, dissimulés dans des fichiers chiffrés nommés "panic.dat" ou "Viewer.dat".Les chercheurs ont également identifié des modèles dans les adresses et les domaines IP des attaquants, les liant à travers les campagnes.APT37 a utilisé des services cloud, tels que les comptes Google Gmail.En outre, ils ont utilisé des balises Web intégrées dans des e-mails pour recueillir des renseignements sans utiliser de pièces jointes ou de liens directs. ## Analyse Microsoft et contexte OSINT supplémentaire Rokrat est une information personnalisée volant des logiciels malveillants utilisés exclusivement par Pearl Sleet.Pearl Sleet est un groupe d'activités nationales basé en Corée du Nord qui est actif depuis au moins 2012. Pearl Sleet est connu pour cibler principalement les transfuges de la Corée du Nord, des médias numériques, imprimés et diffusés, et des organisations religieuses, en particulier en Asie de l'Est.Le groupe de menaces se concentre sur l'espionnage et les services cloud pour l'exfiltration des données et la commande et le contrôle (C2).Le groupe utilise l'ingénierie sociale pour mener des attaques de trous de phishing et d'arrosage pour accéder aux utilisateurs ciblés \\ 'Boîtes et réseaux et réseaux.L'activité du grésil perlé est suivie par une autre sécuritéCompagnies AS APT37, Richochet Chollima, Temp.reper, Scarcruft et Inkysquid. ## Recommandations Microsoft recommande le suiviDen fait des atténuations pour réduire l'impact de cette menace.Vérifiez la carte de recommandations pour l'état de déploiement des atténuations surveillées. - Implémentez l'authentification multifactrice (MFA) pour atténuer le vol d'identification des attaques de phishing.Le MFA peut être complété par les solutions et les meilleures pratiques suivantes pour protéger les organisations: - Activer les politiques d'accès conditionnel.[Accès conditionnel] (https://learn.microsoft.com/azure/active-directory/conditional-access/overview?ocid=magicti_ta_learndoc) sont évalués et appliqués chaque fois qu'un attaquant tente d'utiliser un cookie de session volé.Les organisations peuvent se protéger contre les attaques qui exploitent les informations d'identification volées en activant des politiques concernant les appareils conformes ou les exigences d'adresse IP de confiance. - Configurer [Évaluation d'accès continu] (https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation?ocid=Magicti_ta_learndoc) dans votre locataire. - Investissez dans des solutions anti-phishing av |
| Notes | ★★ |
| Envoyé | Oui |
| Condensat | ### #### **© 2012 2024 2024** 365 365/security/defender/microsoft 365/security/office access access/concept access/overview accessed accounts across activate activating active activities activity actor additional address addresses advanced against age agent alert alerts all alongside also analysis analyzed anomalous anonymizer anti antivirus any appeared april” apt37 are arrive asia attachments attack attacker attackers attacks attempts attributed authentication automatically available based baseline beacons been before behavior behind best block breach brings broadcast browser browsers build campaign campaigns can card center centralizing characteristics characteristics check chollima click cloud collect collects com/azure/active com/defender com/deployedge/microsoft com/en com/intel com/microsoft come command commands common companies complemented compliant concealed conditional conduct configure configure containing content context continuous continuously contributes control cookie copyright correlating credential credentials criterion custom customers cyber dat data decoy defaults defectors defender delivery deploy deployment description designed detection detections/hunting determined devices digital direct directory/conditional directory/fundamentals/concept distribution document documents domains east edge email emails embedded employed enable enablesattackers enabling encrypted encyclopedia endpoint/attack endpoints enforced engineering ensures espionage evaluated evaluation every example exclusively executable execute execution exfiltration experts extensions extensive faster file files focused focuses following from fundamentals gather general genians geolocations gmail google group has hole https://docs https://learn https://security https://www human identified identify identities identity impact impersonation implement implement improve incident incidents included includes including incoming information inkysquid intelligence intelligence/apt37 internet invest investigate investigated investigations involved isp journalists key known korea korean kr/blog/threat learndoc learndoc#block least lecture legitimate leverage linking links list lnk location looking mailbox mailboxes malicious malware management materials mdi mdo media meet messages mfa microsoft mitigate mitigations monitor monitored msr mtb multifactor name=trojan:o97m/rokrat name=trojan:win32/rokrat name=trojanspy:win32/rokrat named nation national networks north obfuscated ocid=magicti office one organizations organizations: osint other out panic part particularly patterns payloads pearl permission phishing place policies posture potentially powershell practices prevalence prevent primarily print products profiles/8fcae4db5ec22dcdd4b6a41896def195417e2a706e3a82a6b2a3d50220ea89f8 profiles/cc39ccf4403d3dde8270a88784017b42c410a89cea1c94f232fa811059066d9e prohibited protect protection protection/microsoft provider providing queries ransomware real reaper recent recommendations recommends recon reconnaissance recording reduce reduction reference reference#block reference#use references regarding religious reproduction requirements researchers reserved resilience richochet rights rokrat rules running safelinks scanning scarcruft scope scripts search security security/safe security/set security/virus sender series service services session set settings shortcut sign since site sleet smartphone smartscreen smartscreen/ snapshot social solutions solutions that sources south spear specific sponsored state status stealing stolen such surface suspicious system target targeted targeting techniques: temp tenant terrorism than theft them themselves thereof they those threat threats through time titled together tracked trends trojan:o97m/rokrat trojan:win32/rokrat trojanspy:win32/rokrat trusted turn types unification unless urls us/wdsi/threats/malware us/windows/security/operating use used user users uses use use using view=o365 viewer visited watering web websites well which within without with worldwide written xdr your ens |
| Tags | Malware Threat Cloud |
| Stories | APT 37 |
| Move |
|
L'article ressemble à 1 autre(s) article(s):
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
|
2024-11-08 21:43:02 | (Déjà vu) New Campaign Uses Remcos RAT to Exploit Victims (lien direct) | ## Instantané Fortiguard Labs a découvert une campagne de phishing en tirant parti du rat Remcos pour prendre le contrôle des ordinateurs des victimes. ## Description L'attaque commence par un e-mail de phishing contenant un document Ole Excel malveillant qui exploite [CVE-2017-0199] (https://security.microsoft.com/intel-explorer/cves/cve-2017-0199/), une vulnérabilité dansMicrosoft Office et WordPad, pour télécharger et exécuter un fichier HTA.Ce fichier télécharge ensuite un exécutable, dllhost.exe, qui initie un processus PowerShell pour charger et exécuter du code malveillant avec des techniques d'anti-analyse comme la gestion des exceptions vectorée, l'appel dynamiquement des API système et le crochet API.Le logiciel malveillant garantit la persistance en effectuant des creux de processus pour s'injecter dans un nouveau processus, vaccinende.exe, et en modifiant le registre système pour la course automatique. La charge utile REMCOS, une variante inutile de malware, est déployée directement dans la mémoire et communique avec un serveur C&C à l'aide du trafic chiffré.Il recueille des informations de base de l'appareil de la victime, y compris l'état du processeur et de la mémoire, le niveau de privilège des utilisateurs et l'emplacement de l'appareil, entre autres.REMCOS peut exécuter des commandes à partir du serveur C&C, telles que Keylogging, prendre des captures d'écran, enregistrer l'audio et envoyer une liste de tous les processus en cours d'exécution. ## Recommandations Implémentez l'authentification multifactrice (MFA) pour atténuer le vol d'identification des attaques de phishing.Le MFA peut être complété par les solutions et les meilleures pratiques suivantes pour protéger les organisations: - Activer les politiques d'accès conditionnel.[Accès conditionnel] (https://learn.microsoft.com/azure/active-directory/conditional-access/overview?ocid=magicti_ta_learndoc) sont évalués et appliqués chaque fois qu'un attaquant tente d'utiliser un cookie de session volé.Les organisations peuvent se protéger contre les attaques qui exploitent les informations d'identification volées en activant des politiques concernant les appareils conformes ou les exigences d'adresse IP de confiance. - Configurer [Évaluation d'accès continu] (https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation?ocid=Magicti_ta_learndoc) dans votre locataire. - Investissez dans des solutions anti-phishing avancées qui surveilleront les e-mails entrants et les sites Web visités.[Microsoft Defender pour Office365] (https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo?ocid=Magicti_Ta_learnDoc) rassemble des incidents et une gestion des alertes à travers l'e-mail, les dispositifset identités, centraliser les enquêtes pour les menaces par courrier électronique.Les organisations peuvent également tirer parti des navigateurs Web qui [identifient et bloquent automatiquement les sites Web malveillants] (https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen?ocid=Magicti_TA_Learndoc), y compris ceux utilisés dans cette campagne de phishing.Pour renforcer la résilience contre les attaques de phishing en général, les organisations peuvent utiliser [des politiques anti-phishing] (https://docs.microsoft.com/microsoft-365/security/office-365-security/set-ul-anti-phishing-polices? View = O365-Worldwide) pour activer les paramètres d'intelligence de la boîte aux lettres, ainsi que la configuration des paramètres de protection d'identification pour des messages spécifiques et des domaines de l'expéditeur.Activer [SafeLinks] (https://docs.microsoft.com/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide) garantit une protection en temps réel en scannant au moment de la livraison et au niveau de la livraison et à laheure du clic. - Surveillez les activités suspectes ou anormales et recherchez des tentatives de connexion avec des ca | Malware Vulnerability Threat | ★★★ |