Home - The article:
Source |
RiskIQ |
Identifier |
8608312 |
Publication date |
2024-11-08 21:43:02 (viewed: 2024-11-08 22:07:26) |
Title |
New Campaign Uses Remcos RAT to Exploit Victims (Recycled) |
Text |
## Snapshot
FortiGuard Labs uncovered a phishing campaign leveraging the Remcos RAT to take control of victims' computers.
## Description
The attack begins with a phishing email containing a malicious OLE Excel document that exploits [CVE-2017-0199](https://security.microsoft.com/intel-explorer/cves/cve-2017-0199/), a vulnerability in Microsoft Office and WordPad, to download and execute an HTA file. This file then downloads an executable, dllhost.exe, which initiates a PowerShell process to load and execute malicious code using anti-analysis techniques such as vectored exception handling, dynamic system API calls, and API hooking. The malware ensures persistence by performing process hollowing to inject itself into a new process, vaccinerende.exe, and by modifying the system registry for auto-run.
The Remcos payload, a fileless malware variant, is deployed directly in memory and communicates with a C&C server using encrypted traffic. It collects basic information about the victim's device, including processor and memory status, user privilege level, and device location, among others. Remcos can execute commands from the C&C server, such as keylogging, taking screenshots, recording audio, and sending a list of all running processes.
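The chain above (Office document, HTA stage, a dropped dllhost.exe that launches PowerShell, and a registry autorun entry) gives a defender several host-level detection points. The following Python snippet is an added example, not code from the original article or from FortiGuard Labs: it runs a few parent/child and registry heuristics over constructed, Sysmon-style process-creation and registry events. The process and file names come from the write-up; the paths and user name are constructed, and the rule that maps the HTA stage to mshta.exe is an assumption based on how Windows launches .hta files.

```python
"""Host-level detection heuristics for the Remcos delivery chain described above.

Added example: the events below are constructed, Sysmon-style records, not data
from the article. The logic is defensive and generic.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class Event:
    kind: str            # "process" (process creation) or "registry" (value set)
    image: str = ""      # full path of the created process
    parent: str = ""     # full path of the parent process
    key: str = ""        # registry key path for registry events
    value: str = ""      # data written to the registry value


# Autorun location the write-up refers to as "modifying the system registry for auto-run".
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)
# Directories where the legitimate dllhost.exe (COM surrogate) lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (rule, detail) tuples for events that match the chain's suspicious traits."""
    findings = []
    for e in events:
        if e.kind == "process":
            img, par = _base(e.image), _base(e.parent)
            # Assumption: the .hta file fetched by the exploit is executed by mshta.exe.
            if par == "excel.exe" and img == "mshta.exe":
                findings.append(("office-spawns-hta-host", e.image))
            # A file named dllhost.exe outside the Windows system directories is not the real one.
            if img == "dllhost.exe" and not e.image.lower().startswith(SYSTEM_DIRS):
                findings.append(("dllhost-outside-system-dir", e.image))
            # The write-up: dllhost.exe initiates a PowerShell process.
            if par == "dllhost.exe" and img in ("powershell.exe", "pwsh.exe"):
                findings.append(("dllhost-spawns-powershell", e.image))
        elif e.kind == "registry":
            if any(k in e.key.lower() for k in RUN_KEYS):
                findings.append(("run-key-persistence", e.value))
    return findings


# Constructed sample events (paths and the user name "victim" are invented for the demo).
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\mshta.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event("process", image=r"C:\Users\victim\AppData\Roaming\dllhost.exe",
          parent=r"C:\Windows\System32\mshta.exe"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Users\victim\AppData\Roaming\dllhost.exe"),
    Event("process", image=r"C:\Windows\System32\dllhost.exe",   # legitimate COM surrogate
          parent=r"C:\Windows\System32\svchost.exe"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vaccinerende",
          value=r"C:\Users\victim\AppData\Roaming\vaccinerende.exe"),
]


def sample_findings():
    """Run the heuristics over the constructed events."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in sample_findings():
        print(f"{rule}: {detail}")
```

The legitimate dllhost.exe from System32 with a svchost.exe parent produces no finding, which is the point of the path check: the indicator is not the name but where the binary runs from and what it spawns.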
## Recommendations
Implement multifactor authentication (MFA) to mitigate credential theft from phishing attacks. MFA can be complemented with the following solutions and best practices to protect organizations:
- Activate conditional access policies. [Conditional access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview?ocid=magicti_ta_learndoc) policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by activating policies regarding compliant devices or trusted IP address requirements.
- Configure [continuous access evaluation](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation?ocid=Magicti_ta_learndoc) in your tenant.
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo?ocid=Magicti_Ta_learnDoc) brings together incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that [automatically identify and block malicious websites](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen?ocid=Magicti_TA_Learndoc), including those used in this phishing campaign. To build resilience against phishing attacks in general, organizations can use [anti-phishing policies](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide) to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling [SafeLinks](https://docs.microsoft.com/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide) ensures real-time protection by scanning at time of delivery and at time of click.
- Monitor for suspicious or anomalous activities and look for sign-in attempts with ca |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Vulnerability
Threat
|
Stories |
|
Move |
|
Reposts of the article (1):
Source |
RiskIQ |
Identifier |
8608186 |
Publication date |
2024-11-08 15:29:17 (viewed: 2024-11-08 16:07:39) |
Title |
BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence (Recycled) |
Text |
## Snapshot
SentinelLabs identified a campaign named 'Hidden Risk' by the suspected DPRK threat actor BlueNoroff (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), targeting cryptocurrency-related businesses with novel multi-stage malware. The campaign employs phishing emails with fake news about cryptocurrency trends to deliver a malicious application disguised as a PDF file.
## Description
The emails use the names of real individuals from unrelated industries and mimic forwarded messages from well-known crypto social media influencers. The initial infection is achieved via a link to this application, which is presented as a PDF document on cryptocurrency topics such as “Hidden Risk Behind New Surge of Bitcoin Price,” “Altcoin Season 2.0-The Hidden Gems to Watch,” and “New Era for Stablecoins and DeFi, CeFi.” The first stage of the attack involves a Mac application that downloads a decoy PDF and a malicious binary named 'growth', which acts as a backdoor to execute remote commands. This backdoor uses the SaveAndExec function to create a hidden file with world read, write, and execute permissions in the /Users/Shared directory and executes embedded commands. It is only functional on Intel architecture Mac computers or Apple silicon devices with the Rosetta emulation framework installed. The malware installs persistence, gathers environmental information, generates a UUID, and communicates with a command-and-control (C2) server.
A novel persistence mechanism is observed, which abuses the Zshenv configuration file, allowing the malware to persist without triggering user notifications for background Login Items in macOS 13 Ventura and later. While this is a known technique, SentinelLabs reports that it's the first time they've observed it in the wild.
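Two of the artifacts described above are easy to audit on an endpoint: the user's .zshenv file and hidden, world-readable/writable/executable files in /Users/Shared. The following Python script is an added example, not SentinelLabs code; the rule that treats a .zshenv line referencing /Users/Shared or a hidden path component as suspicious is a heuristic assumption, and the demo builds a constructed home and shared directory in a temporary folder so it runs on any OS without touching the real paths.

```python
"""Audit of the two macOS persistence artifacts described above.

Added example, not SentinelLabs code. audit_zshenv() flags non-comment .zshenv
lines that run something from /Users/Shared or from a hidden path (heuristic,
an assumption); audit_shared() flags hidden regular files in the shared
directory that carry world read/write/execute permission. demo() builds a
constructed tree in a temporary directory and audits it.
"""
import os
import stat
import tempfile


def audit_zshenv(home: str):
    """Flag .zshenv lines referencing the shared directory or a hidden path component."""
    findings = []
    path = os.path.join(home, ".zshenv")
    if not os.path.isfile(path):
        return findings
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            text = line.strip()
            if not text or text.startswith("#"):
                continue
            # Assumption: a user's .zshenv rarely executes binaries under /Users/Shared or
            # from a hidden path component ("/."); both traits match the described backdoor.
            if "/Users/Shared" in text or "/." in text:
                findings.append(("zshenv-suspicious-line", f"{path}:{lineno}: {text}"))
    return findings


def audit_shared(shared: str):
    """Flag hidden regular files in the shared directory that are world r/w/x."""
    findings = []
    if not os.path.isdir(shared):
        return findings
    for name in sorted(os.listdir(shared)):
        full = os.path.join(shared, name)
        st = os.lstat(full)
        world_rwx = stat.S_IMODE(st.st_mode) & 0o007 == 0o007
        if name.startswith(".") and stat.S_ISREG(st.st_mode) and world_rwx:
            findings.append(("shared-hidden-world-rwx", full))
    return findings


def audit(home: str = os.path.expanduser("~"), shared: str = "/Users/Shared"):
    """Run both checks; defaults point at the real locations on a Mac."""
    return audit_zshenv(home) + audit_shared(shared)


def demo():
    """Build a constructed home and shared directory, audit them, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        shared = os.path.join(tmp, "Shared")
        os.makedirs(home)
        os.makedirs(shared)
        # Constructed .zshenv: one benign line and one line of the kind the audit flags.
        with open(os.path.join(home, ".zshenv"), "w") as fh:
            fh.write('export PATH="$HOME/bin:$PATH"\n')
            fh.write("/Users/Shared/.updater >/dev/null 2>&1 &\n")
        # Constructed shared directory: a hidden world-rwx file, a visible file,
        # and a hidden file with ordinary permissions (should not be flagged).
        for name, mode in ((".updater", 0o777), ("readme.txt", 0o644), (".localized", 0o644)):
            p = os.path.join(shared, name)
            with open(p, "w") as fh:
                fh.write("x")
            os.chmod(p, mode)
        return audit(home, shared)


if __name__ == "__main__":
    for rule, detail in demo():
        print(f"{rule}: {detail}")
```

On a real Mac, call audit() with no arguments; the permission check deliberately keys on the world bits rather than the full mode, because the write-up identifies the backdoor's file by world read, write and execute permission, not by a specific owner or group mode.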
## Microsoft Analysis and Additional OSINT Context
Sapphire Sleet is a nation-state-sponsored group operating from North Korea since as early as March 2020. The group focuses primarily on organizations in the cryptocurrency sector but has been observed expanding its targets to banks within the financial services sector since 2022, and more recently, to the [aerospace and aviation sectors](https://sip.security.microsoft.com/intel-explorer/articles/aff030bb). Sapphire Sleet's targets are often global, with a particular interest in the United States and East Asian and African countries. The primary motivation of this group is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms. Sapphire Sleet typically uses LinkedIn as a primary method to lure users to click on links containing malicious files, often hosted in attacker-owned OneDrive or Google Drive locations.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Implement multifactor authentication (MFA) to mitigate credential theft from phishing attacks. MFA can be complemented with the following solutions and best practices to protect organizations:
- Activate conditional access policies. [Conditional access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview?ocid=magicti_ta_learndoc) policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by activating policies regarding compliant devices or trusted IP address requirements.
- Configure [continuous access evaluation](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc) in your tenant.
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defende |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Threat
|
Stories |
|
Move |
|
The article does not appear to be a repost of a previous one.
|
|