Source |
ProofPoint |
Identifier |
8648935 |
Publication date |
2025-02-18 08:18:48 (viewed: 2025-02-19 02:08:09) |
Title |
An Update on Fake Updates: Two New Actors, and New Mac Malware |
Text |
Key findings
Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727.
Proofpoint identified a new macOS malware delivered via web inject campaigns, which our researchers named FrigidStealer.
The web inject campaign landscape is growing, with a variety of copycat threat actors conducting similar campaigns, which can make it difficult for analysts to track them.
Overview
The malicious website inject threat landscape is incredibly dynamic, with multiple threat actors leveraging this malware delivery method. Typically, an attack chain consists of three parts: the malicious injects served to website visitors, which are often malicious JavaScript; a traffic distribution service (TDS) responsible for determining which user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script. Sometimes every part of the attack chain is managed by the same threat actor, but frequently the different parts of the chain are managed by different threat actors.
Historically, TA569 was the main distributor of web inject campaigns, with its SocGholish injects leading to malware installation and follow-on ransomware attacks. This actor became almost synonymous with “fake updates” within the security community. But beginning in 2023, multiple copycats emerged using the same web inject and traffic redirection techniques to deliver malware. The influx of multiple actors, some of which collaborate with each other, paired with the fact that websites can be compromised by multiple injects at one time, makes it difficult to distinctly track and categorize the threat actors conducting these attacks. Proofpoint is publishing this report to help delineate two distinct sets of activity.
Proofpoint researchers recently designated two new threat actors, TA2726 and TA2727. These are traffic sellers and malware distributors that have been observed in multiple web-based attack chains, such as compromised website campaigns, including those using fake update themed lures. They are not email-based threat actors; the activity observed in email campaign data is related to legitimate but compromised websites.
Notably, TA2727 was recently observed delivering a new information stealer for Mac computers alongside malware for Windows and Android hosts. Proofpoint researchers dubbed this FrigidStealer.
Proofpoint is reassessing existing activity related to TA569 and previous reporting, and assesses with high confidence that TA2726 acts as a traffic distribution service (TDS) for TA569 and TA2727.
Definitions
SocGholish: Specific inject used by TA569 that will present as a fake update to the visitor.
Gholoader: The JavaScript-based loader that is served by SocGholish that can lead to follow-on malware installation.
TDS: Traffic distribution system (also sometimes known as a traffic delivery system), a service for tracking and directing users to content on different websites. There are legitimate TDS services, but threat actors use and abuse them to direct people to malicious or compromised websites.
Keitaro: A legitimate TDS that is regularly abused by threat actors, operated by a company of the same name.
Web injects: Malicious code injected into a legitimate website by a threat actor. Injects can lead to data theft or malware installation, depending on actor objectives.
Fake updates: Social engineering lures presented to a user that claim their browser needs to be updated. This lure theme is used by multiple different threat actors.
TA569: The threat actor associated with the SocGholish inject and Gholoader malware, which uses fake update themed lures. The actor can either inject its own code directly on compromised websites or use a TDS like TA2726 to serve its inject.
|
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Mobile
|