The article:
Source: RiskIQ
Identifier: 8616253
Publication date: 2024-11-22 21:40:13 (viewed: 2024-11-22 22:08:21)
Title: Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell (Recycled)
Text:
#### Targeted Geolocations
- Pakistan
- Bangladesh
- Türkiye
## Snapshot
Researchers from the Knownsec 404 Advanced Threat Intelligence team released a report detailing an attack campaign attributed to APT-K-47, also known as Mysterious Elephant, using Hajj-themed lures to distribute Asyncshell.
## Description
The attackers deployed a malicious CHM file to execute an upgraded payload, Asyncshell-v4, which establishes a command shell built on asynchronous programming. The payload conceals its C2 server address with a modified base64 encoding and disguises its communication as legitimate web service requests.
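In practice a "base64 variant" of this kind is usually standard base64 with a permuted alphabet, which a single character-translation table undoes. The Python below is an added example, not code from Knownsec's report or from the malware. The report does not publish Asyncshell's alphabet, so the block assumes a stand-in alphabet (the standard one rotated by 17 positions) and a constructed, non-real sample URL; it shows the direct decode and, going beyond the single-shift case, a search over all 64 rotations for when the shift is unknown.

```python
import base64
import binascii
import string

# RFC 4648 standard alphabet. The report does not publish Asyncshell's actual
# alphabet, so ASSUMED_ALPHABET is a stand-in: the standard alphabet rotated by 17.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
ASSUMED_SHIFT = 17
ASSUMED_ALPHABET = STD_ALPHABET[ASSUMED_SHIFT:] + STD_ALPHABET[:ASSUMED_SHIFT]


def encode_custom_b64(raw: bytes, alphabet: str) -> str:
    """Encode with a custom 64-char alphabet; used here only to build the sample."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom_b64(data: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, re-pad, and decode.

    A variant that only permutes the alphabet is undone by one translation table;
    a variant that also changes the padding character would need that stripped first.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    std = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # restore padding the variant may have dropped
    return base64.b64decode(std)


def looks_like_c2_url(blob: bytes) -> bool:
    """Plausibility filter: printable ASCII that reads as an http(s) URL."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and text.startswith(("http://", "https://")) and "." in text


def recover_rotation_alphabet(data: str):
    """Try all 64 rotations of the standard alphabet; return (shift, url) or None.

    Generalises the fixed-shift case: when the shift is unknown, decode under
    every rotation and keep the one whose plaintext passes the URL filter.
    """
    for shift in range(64):
        alphabet = STD_ALPHABET[shift:] + STD_ALPHABET[:shift]
        try:
            plain = decode_custom_b64(data, alphabet)
        except (ValueError, binascii.Error):
            continue
        if looks_like_c2_url(plain):
            return shift, plain.decode("ascii")
    return None


# Constructed sample: a made-up URL on a reserved TLD, not an indicator from the report.
SAMPLE_URL = b"https://c2.example.invalid/api/v1/status"
SAMPLE_ENCODED = encode_custom_b64(SAMPLE_URL, ASSUMED_ALPHABET)

if __name__ == "__main__":
    print("encoded  :", SAMPLE_ENCODED)
    print("decoded  :", decode_custom_b64(SAMPLE_ENCODED, ASSUMED_ALPHABET))
    print("recovered:", recover_rotation_alphabet(SAMPLE_ENCODED))
```

When analysing a real sample, the alphabet is recovered from the decoding routine itself (the 64-byte table the code indexes into); the rotation search is only a shortcut for the common case where the author shifted the standard table.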
APT-K-47, believed to originate from South Asia, has been active since at least 2022, targeting countries such as Pakistan, Bangladesh, and Turkey. Their tactics have evolved significantly, with Asyncshell undergoing multiple updates since its first appearance in January 2024. Early versions of the malware exploited vulnerabilities like [CVE-2023-38831](https://security.microsoft.com/intel-explorer/cves/CVE-2023-38831/), while later iterations introduced encrypted files, decoy documents, and dynamic command-and-control (C2) infrastructure.
The group's recent attacks leverage CHM files to silently execute payloads alongside decoy Hajj-related content, increasing the likelihood of victim engagement. Asyncshell has been further refined to support variable C2 servers and encrypted data transfer, enhancing its stealth and flexibility. Knownsec's findings highlight the group's ongoing investment in developing and upgrading attack tools to sustain long-term operations.
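A hunting heuristic for the CHM delivery described above, as an added example that is not from the report or from Microsoft's detection content. Windows renders CHM files with hh.exe, so two cheap signals in process-creation telemetry are hh.exe spawning a scripting or LOLBin child (the CHM's embedded shortcut object fired) and hh.exe opening a .chm from a user-writable folder. The field names and the sample events are constructed; map them onto your EDR's process-creation schema.

```python
from pathlib import PureWindowsPath

# Children that hh.exe (the Windows HTML Help renderer) has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Folders where a freshly delivered lure tends to sit; vendor help files do not.
USER_WRITABLE_MARKERS = (
    "\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\desktop\\",
)


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def chm_alerts(events):
    """Flag CHM abuse in process-creation events.

    Two heuristics, in decreasing order of confidence:
      1. hh.exe spawning a scripting/LOLBin child;
      2. hh.exe opening a .chm from a user-writable location.
    `events` is an iterable of dicts with pid, image, parent_image, command_line.
    """
    alerts = []
    for ev in events:
        image = _image_name(ev.get("image", ""))
        parent = _image_name(ev.get("parent_image", ""))
        cmdline = ev.get("command_line", "")
        lowered = cmdline.lower()
        if parent == "hh.exe" and image in SUSPICIOUS_CHILDREN:
            alerts.append({"rule": "chm_spawns_lolbin", "pid": ev["pid"],
                           "child": image, "command_line": cmdline})
        elif image == "hh.exe" and ".chm" in lowered and any(m in lowered for m in USER_WRITABLE_MARKERS):
            alerts.append({"rule": "chm_from_user_writable_path", "pid": ev["pid"],
                           "command_line": cmdline})
    return alerts


# Constructed sample telemetry (Sysmon-style fields; paths and names are made up).
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\help.chm"'},      # benign
    {"pid": 4188, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\hh.exe" "C:\Users\alice\Downloads\lure.chm"'},     # heuristic 2
    {"pid": 4190, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\hh.exe",
     "command_line": r'cmd.exe /c start /min "" "%TEMP%\update.exe"'},               # heuristic 1
    {"pid": 4203, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c dir"},                                              # benign
]

if __name__ == "__main__":
    for alert in chm_alerts(SAMPLE_EVENTS):
        print(alert)
```

Heuristic 1 is the one to alert on; heuristic 2 is noisier (users do open downloaded help files) and is better used to enrich or to pivot from a heuristic-1 hit to the lure file and its decoy content.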
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects |
Notes: ★★
Sent: Yes
Tags: Malware, Tool, Vulnerability, Threat
Re-posts of the article (1):
Source: RiskIQ
Identifier: 8616156
Publication date: 2024-11-22 17:24:02 (viewed: 2024-11-22 18:08:34)
Title: Unveiling WolfsBane: Gelsemium's Linux counterpart to Gelsevirine
Text:
## Snapshot
Researchers at ESET have discovered a sophisticated set of Linux backdoors and malware tools used by the Gelsemium APT group, a threat actor with suspected ties to China. The Linux/Agent.WF family includes the WolfsBane backdoor, launcher, dropper, and a privilege escalation helper tool, alongside a trojanized SSH client and various JSP webshells. WolfsBane, the Linux equivalent of the Windows malware Gelsevirine, features a dropper and a userland rootkit named WolfsBane Hider for evading detection. The FireWood backdoor, a Linux variant of the Project Wood backdoor, is attributed to Gelsemium with low confidence and may be shared among multiple Chinese APT groups. The attackers likely gained initial access through an unknown web application vulnerability, as evidenced by the presence of multiple webshells on compromised servers in Taiwan, the Philippines, and Singapore. The WolfsBane backdoor uses encrypted libraries for communication with its C&C server and can update itself, while FireWood uses the Netlink protocol and the TEA encryption algorithm for C&C communication and can execute a range of commands for data exfiltration. The malware suite also includes an SSH password stealer and a privilege escalation tool named 'ccc', highlighting the group's capabilities. The C&C servers for the WolfsBane and FireWood backdoors have been traced to domains such as dsdsei[.]com and asidomain[.]com. The threat actors employ a variety of MITRE ATT&CK techniques, including RC scripts and systemd services for persistence, dynamic linker hijacking, rootkits for evasion, and masquerading malware to match legitimate files. This campaign underscores the trend of APT groups increasingly targeting Linux systems due to the enhanced security measures on Windows platforms.
*This summary was generated by an AI model. It should be broadly accurate, but remember to verify information against the original article.*
## Description
Researchers at ESET have discovered a sophisticated set of Linux backdoors used by the Gelsemium advanced persistent threat (APT) group, a China-linked threat actor active since at least 2014.
The first backdoor, named WolfsBane by ESET, is the Linux equivalent of the Windows malware Gelsevirine. WolfsBane features a dropper, launcher, and backdoor and employs a rootkit to evade detection. The second backdoor, dubbed FireWood, is the Linux version of Project Wood. It has been attributed by ESET to Gelsemium with low confidence as the malware may be shared among multiple Chinese threat groups.
ESET's analysis revealed that the goal of these backdoors is cyberespionage targeting a range of sensitive data, including system information, user credentials, and specific files and directories. Further, both WolfsBane and FireWood have capabilities that allow them to maintain persistent, stealthy access to victim networks, enabling prolonged intelligence collection.
ESET researchers have observed a growing emphasis by advanced persistent threat (APT) groups on developing Linux malware. This trend appears to stem from advancements in Windows security measures, such as the increasing deployment of endpoint detection and response (EDR) tools and Microsoft's default disabling of Visual Basic for Applications (VBA) macros. As a result, threat actors are shifting their strategies to exploit vulnerabilities in internet-facing systems, the majority of which are Linux-based.
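An added example, not ESET's tooling, that audits the three Linux persistence and evasion spots the summary names: /etc/ld.so.preload (dynamic linker hijacking), systemd unit files, and rc scripts. It scores an entry as suspicious when the referenced binary or library lives in a world-writable or hidden (dot-named) location, which is a heuristic rather than a signature; /etc/ld.so.preload is reported whenever it has any entry at all, since it is normally empty or absent. The snapshot below is a constructed {path: content} dictionary with invented file names and paths; snapshot_from_disk() reads the same locations from a live host.

```python
import glob
import re
from typing import Dict, List

# Directories a legitimate service binary or preloaded library almost never lives in.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")
# ExecStart= with systemd's optional prefix characters (-, @, :, +, !) stripped off.
EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*([-@+!:]*)(\S+)", re.MULTILINE)


def _hidden_component(path: str) -> bool:
    """True if any path component is a dot-name, a common place to tuck an implant."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def _odd_location(path: str) -> bool:
    return path.startswith(SUSPICIOUS_DIRS) or _hidden_component(path)


def audit_persistence(files: Dict[str, str]) -> List[dict]:
    """Return one finding per suspicious entry found in the snapshot."""
    findings = []
    for path, content in files.items():
        if path == "/etc/ld.so.preload":
            # Any non-comment entry is a finding: the file is normally empty or absent.
            for line in content.splitlines():
                lib = line.strip()
                if lib and not lib.startswith("#"):
                    findings.append({"kind": "ld_so_preload", "path": path,
                                     "target": lib, "odd_location": _odd_location(lib)})
        elif path.endswith(".service"):
            for m in EXECSTART_RE.finditer(content):
                binary = m.group(2)
                if _odd_location(binary):
                    findings.append({"kind": "systemd_unit", "path": path,
                                     "target": binary, "odd_location": True})
        elif path in ("/etc/rc.local", "/etc/rc.d/rc.local") or "/etc/init.d/" in path:
            for line in content.splitlines():
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                for token in line.split():
                    if token.startswith("/") and _odd_location(token):
                        findings.append({"kind": "rc_script", "path": path,
                                         "target": token, "odd_location": True})
    return findings


def snapshot_from_disk() -> Dict[str, str]:
    """Read the same locations from the live host (run as root for full coverage)."""
    paths = ["/etc/ld.so.preload", "/etc/rc.local", "/etc/rc.d/rc.local"]
    paths += glob.glob("/etc/systemd/system/*.service") + glob.glob("/etc/init.d/*")
    snap = {}
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                snap[p] = fh.read()
        except OSError:
            pass
    return snap


# Constructed snapshot; the names and paths are invented for the example, not from the report.
SAMPLE_FS = {
    "/etc/ld.so.preload": "/usr/lib/.cache/libhider.so\n",
    "/etc/systemd/system/display-manager.service":
        "[Unit]\nDescription=Display Manager\n[Service]\n"
        "ExecStart=/var/tmp/.dm/dm --daemon\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n",
    "/etc/systemd/system/ssh.service":
        "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
    "/etc/rc.local": "#!/bin/sh -e\n/tmp/.X11-unix/upd &\nexit 0\n",
}

if __name__ == "__main__":
    for finding in audit_persistence(SAMPLE_FS):
        print(finding)
```

A userland rootkit of the kind the summary describes can hide its own files from a process that has the preload library loaded, so run this from a statically linked binary or a rescue environment, or compare against an out-of-band disk image, before trusting an empty result.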
## Microsoft Analysis and Additional OSINT Context
Threats to Linux (GNU/Linux OS) have made OSINT headlines in recent months as threat actors continue to evolve attack techniques and increasingly prioritize Linux-based targets. To learn more about these threats, read [recent OSINT trends in Linux malware](https://security.microsoft.com/intel-explorer/articles/ccbece59).
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- T |
Notes: ★★
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Prediction
The article does not appear to re-post an earlier one.