One Article Review

Home - The article:
Source RiskIQ
Identifier 8611939
Publication date 2024-11-15 20:58:06 (viewed: 2024-11-15 21:08:38)
Title Sailing Into Danger: DoNot APT's Attack on Maritime & Defense Manufacturing
Text

#### Targeted Geolocations
- Pakistan

#### Targeted Industries
- Critical Manufacturing
- Defense Industrial Base

## Snapshot

Researchers from Cyble discovered a recent campaign linked to the [DoNot group](https://malpedia.caad.fkie.fraunhofer.de/actor/viceroy_tiger) targeting Pakistan's manufacturing sector, focusing on industries supporting maritime and defense operations.

## Description

The attack leverages malicious .LNK files disguised as RTF documents, potentially distributed through spam emails. Once executed, the LNK file uses PowerShell to decrypt and deploy a lure document and stager malware, creating a scheduled task for persistence that executes the DLL payload every five minutes.

Key advancements in this campaign include updated encryption methods for command-and-control (C&C) communication, shifting from older XOR-based techniques to AES encryption with Base64 encoding. Additionally, the malware now embeds decryption keys within the downloaded binary rather than hardcoding them into the configuration file, complicating detection and analysis. It also employs dynamic domain generation for backup C&C communication, adding further resilience.

The malware collects system information, such as installed security products, to determine the target's value before delivering its final payload. It uses environment variables to store key configuration details, including C&C addresses and task schedules. Notably, the DoNot group has shifted its initial infection vector from Microsoft Office files to .LNK files, demonstrating evolving tactics to evade defenses.

## Microsoft Analysis and Additional OSINT Context

The [DoNot Team](https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/), also known as APT-C-35 or VICEROY TIGER, is a highly sophisticated threat group with ties to India, active since at least 2016. Initially targeting diverse sectors across multiple countries, their focus has shifted primarily to entities in Pakistan, particularly government and security organizations. The DoNot Team's campaigns are motivated by espionage and generally culminate in the collection and exfiltration of data. This group is known for deploying spear-phishing campaigns, often utilizing malicious Microsoft Office documents and Android-targeted malware, as well as phishing schemes designed to steal user credentials.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection
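The persistence step described above (a scheduled task that re-runs a DLL loader every five minutes) leaves a footprint defenders can check for: Windows Security event 4698 ("A scheduled task was created") records the full task definition as XML. The following is an added example, not code from the Cyble or Microsoft write-ups, that parses that XML and flags a proxy binary such as rundll32.exe scheduled on a repetition interval of ten minutes or less. The task names, file paths and intervals in the sample are constructed for the example; the ten-minute threshold and the list of loader binaries are assumptions, not values from the report.

```python
"""Flag Task Scheduler definitions that match a loader-on-a-short-interval
persistence pattern, working from the <TaskContent> XML carried in Windows
Security event 4698 (A scheduled task was created)."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption of this example: binaries that can run an arbitrary DLL or script
# and therefore deserve scrutiny when combined with a tight repetition interval.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "powershell.exe", "mshta.exe"}
# User-writable locations where dropped payloads commonly land.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.I)
SHORT_INTERVAL_SECONDS = 10 * 60  # assumed threshold for "tight" repetition

_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_iso_duration(value):
    """Convert a Task Scheduler interval such as 'PT5M' or 'P1DT2H' to seconds."""
    m = _DURATION.match(value.strip())
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None} if m else {}
    if not parts:
        raise ValueError(f"unsupported duration: {value!r}")
    return (parts.get("d", 0) * 86400 + parts.get("h", 0) * 3600
            + parts.get("m", 0) * 60 + parts.get("s", 0))


def assess_task(task_xml):
    """Describe the task's action and tightest repetition interval, and list the
    reasons (if any) it resembles the persistence pattern."""
    # 4698 TaskContent carries an encoding="UTF-16" declaration; drop it so the
    # already-decoded text parses without expat rejecting the declared encoding.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(body)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip().strip('"')
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS).strip()
    intervals = [parse_iso_duration(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", NS) if e.text]
    shortest = min(intervals) if intervals else None

    reasons = []
    exe = command.rsplit("\\", 1)[-1].lower()
    loader_on_short_interval = (exe in PROXY_BINARIES and shortest is not None
                                and shortest <= SHORT_INTERVAL_SECONDS)
    if loader_on_short_interval:
        reasons.append(f"{exe} repeating every {shortest}s")
    if USER_WRITABLE.search(arguments) or USER_WRITABLE.search(command):
        reasons.append("payload under a user-writable path")
    return {"command": command, "arguments": arguments, "interval_seconds": shortest,
            "reasons": reasons, "suspicious": loader_on_short_interval}


def scan(tasks):
    """Return the names of the tasks (name -> TaskContent XML) that match."""
    return [name for name, xml in tasks.items() if assess_task(xml)["suspicious"]]


# Constructed sample TaskContent values; none of these are real IoCs.
SAMPLE_TASKS = {
    "\\Updater\\SysCheck": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2024-11-15T10:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\stager.dll,Run</Arguments>
  </Exec></Actions>
</Task>""",
    # Same loader, but an hourly interval: outside the assumed threshold.
    "\\Vendor\\HourlyCheck": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>rundll32.exe</Command><Arguments>C:\\Program Files\\Vendor\\helper.dll,Check</Arguments></Exec></Actions>
</Task>""",
    # Ordinary daily task with no repetition and a non-proxy binary.
    "\\Vendor\\DailyUpdate": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-11-15T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name in scan(SAMPLE_TASKS):
        print("FLAG", name, assess_task(SAMPLE_TASKS[name])["reasons"])
```

In a real deployment the same `assess_task` would be fed the `TaskContent` field of each 4698 record exported from the Security log (for example via `Get-WinEvent` or a SIEM query); the interval threshold and loader list are the knobs to tune against your own baseline of legitimate scheduled tasks.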
Notes ★★
Sent Yes
Tags Spam Malware Tool Threat Industrial


The article does not appear to have been picked up after its publication.

The article does not appear to be based on an earlier one.