One Article Review

Home - The article:
Source RiskIQ
Identifier 8626791
Publication date 2024-12-17 22:39:16 (viewed: 2024-12-17 23:08:46)
Title Analysis on the Case of TIDRONE Threat Actor's Attacks on Korean Companies
Text

#### Targeted Geolocations
- Korea

## Snapshot
The AhnLab Security Intelligence Center (ASEC) has identified recent attacks by TIDRONE, a Chinese-speaking threat group that has been [previously observed attacking Taiwanese defense and drone manufacturing companies](https://security.microsoft.com/intel-explorer/articles/14a1a551).

## Description
In these attacks, ASEC observed TIDRONE targeting organizations by exploiting Enterprise Resource Planning (ERP) software to distribute a backdoor called CLNTEND. The group uses DLL side-loading to install backdoor malware, including CXCLNT and CLNTEND, by abusing ERP software and remote monitoring and management (RMM) tools like UltraVNC.

ASEC found that Korean companies have been targeted with CLNTEND since the first half of 2024. The attacks often leverage small-scale, customized ERP solutions that lack official websites and have limited user bases. TIDRONE either replaces legitimate ERP versions with malware or bundles ERP software with malicious droppers. Key executable files used as side-loading hosts include winword.exe, VsGraphicsDesktopEngine.exe, and rc.exe, which load the malicious DLL and execute the encrypted backdoor. CLNTEND is a Remote Access Trojan (RAT) that supports multiple communication protocols, including TCP, TLS, HTTP, HTTPS, and SMB, making it versatile for covert operations. TIDRONE's loaders are highly obfuscated and use techniques like FlsCallback and Fiber structure overwriting to evade analysis.

According to ASEC, the continued targeting of Korean companies underscores TIDRONE's expanded focus beyond Taiwan. By exploiting ERP vulnerabilities, particularly in products developed by small firms, the group maintains a foothold for delivering its malware.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.

## Detections/Hu
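The side-loading pattern described above (a trusted host executable such as winword.exe or rc.exe loading a malicious DLL placed beside it) can be triaged from image-load telemetry. The following is an added example, not code from the article or from ASEC or Microsoft; the record field names follow Sysmon's image-load event, and the trusted-directory list and sample paths are constructed.

```python
from pathlib import PureWindowsPath

# Host executables the article names as side-loading hosts in this campaign.
SIDELOAD_HOSTS = {"winword.exe", "vsgraphicsdesktopengine.exe", "rc.exe"}

# Directories a legitimately installed copy of these hosts would load from
# (constructed, not exhaustive); a DLL beside the host anywhere else is suspect.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

def _norm(path: str) -> PureWindowsPath:
    return PureWindowsPath(path.lower())

def is_suspicious_load(event: dict) -> bool:
    """True when a Sysmon-style image-load record looks like DLL side-loading:
    a known host loads an unsigned DLL from its own directory, and that
    directory is outside the trusted install locations."""
    image, loaded = _norm(event["Image"]), _norm(event["ImageLoaded"])
    if image.name not in SIDELOAD_HOSTS or loaded.suffix != ".dll":
        return False
    same_dir = loaded.parent == image.parent
    trusted = any(str(loaded.parent).startswith(d) for d in TRUSTED_DIRS)
    return same_dir and not trusted and not event.get("Signed", False)

def triage(events: list) -> list:
    """Return the DLL paths of every suspicious load, in input order."""
    return [e["ImageLoaded"] for e in events if is_suspicious_load(e)]

# Constructed sample records (field names follow Sysmon Event ID 7; not real telemetry).
SAMPLE_EVENTS = [
    # Office's own wwlib.dll from the real install directory: benign.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
     "Signed": True},
    # A copied winword.exe loading an unsigned wwlib.dll from a user-writable dir.
    {"Image": r"C:\Users\Public\erp_update\winword.exe",
     "ImageLoaded": r"C:\Users\Public\erp_update\wwlib.dll",
     "Signed": False},
    # rc.exe loading a system DLL from System32: not a side-load.
    {"Image": r"C:\ProgramData\erp\rc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": True},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious side-load:", hit)
```

The heuristic is a triage filter, not a verdict: legitimate software that ships its own copy of a host binary will also match, so hits should be checked against the DLL's hash and signer.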
Notes ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat
Stories


The article does not appear to have been picked up after its publication.


The article resembles 2 other article(s):
Src Date (GMT) Title Description Tags Stories Notes
RiskIQ 2024-12-18 18:56:30 (Déjà vu) Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs (direct link)

#### Targeted Geolocations
- Türkiye

#### Targeted Industries
- Defense Industrial Base

## Snapshot
Proofpoint recently observed TA397, an advanced persistent threat (APT) group also known as Bitter, targeting a Turkish defense organization using spearphishing emails. The campaign leveraged lures related to public infrastructure projects in Madagascar, containing RAR archives with NTFS alternate data streams (ADS). These ADS streams delivered a malicious shortcut (LNK) file, which executed PowerShell commands to create a scheduled task for downloading additional payloads.

## Description
In this attack, TA397 deployed two remote access trojans (RATs): WmRAT and MiyaRAT, both designed for intelligence gathering and data exfiltration. WmRAT is a C++-based backdoor capable of executing commands, capturing screenshots, determining geolocation data, and stealing system information. MiyaRAT, also written in C++, offers similar functionality.

According to Proofpoint, this attack aligns with TA397's established tactics, which include using RAR archives and scheduled tasks for persistence, targeting defense sector organizations in the EMEA and APAC regions, and leveraging RATs historically attributed to the group. Notably, MiyaRAT appears to be reserved for high-value targets, as evidenced by its limited use. Proofpoint assesses that TA397's activities are likely intelligence-gathering efforts in support of a South Asian government. The group's consistent focus on the defense, energy, and engineering sectors in the EMEA and APAC regions underscores its ability to adapt tools and techniques to target high-value entities effectively.

## Microsoft Analysis and Additional OSINT Context
TA397, also known as [Bitter and T-APT-17](https://attack.mitre.org/groups/G1002/), is a likely South Asian cyber espionage threat group, active since at least 2013. The [group's targets](https://blog.talosintelligence.com/bitter-apt-adds-bangladesh-to-their/) have included organizations within the energy, engineering, government, and military sectors of China, Bangladesh, Pakistan, and Saudi Arabia, among others. The group is primarily motivated by espionage and has been observed targeting both mobile and desktop platforms. TA397 has used a number of RATs including Bitter RAT, SlideRAT, AndroRAT, and Almond RAT in addition to WmRAT and MiyaRAT, mentioned above.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [ne

Tags: Ransomware Malware Tool Threat Mobile Industrial | Notes: ★★★
RiskIQ 2024-12-18 19:29:52 (Déjà vu) Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercriminals (direct link)

#### Targeted Geolocations
- China
- United States

## Snapshot
According to research from the Chinese cybersecurity company Qianxin, the Winnti hacking group (tracked by Microsoft as Leopard Typhoon) has been utilizing a new PHP backdoor dubbed "Glutton" to infiltrate organizations in China and the United States, as well as to target other cybercriminals.

## Description
Qianxin first discovered Glutton in April 2024, but has observed evidence of its deployment dating back to at least December 2023. Glutton is an ELF-based modular backdoor with components such as 'task_loader,' 'init_task,' 'client_loader,' and 'client_task,' which together form a comprehensive attack framework that can be executed individually or sequentially. The backdoor operates by masquerading as a 'php-fpm' process, enabling fileless execution and injecting malicious code into PHP files on various frameworks like ThinkPHP, Yii, Laravel, and Dedecms. Glutton can modify system files to establish persistence and steal credentials and configurations, particularly targeting the Baota web panel. It supports 22 commands from the C2 server, enabling actions like file manipulation, shell command execution, PHP code evaluation, and system information retrieval. Winnti has been using Glutton to attack IT services, social security agencies, and web app developers, as well as to embed the backdoor in software packages sold on cybercrime forums, which are then used to extract sensitive information from the browsers of other cybercriminals.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
- - [

Tags: Ransomware Malware Tool Threat | Notes: ★★★