What's new arround internet
Last one

Src Date (GMT) Titre Description Tags Stories Notes
RiskIQ.webp 2024-07-11 22:03:33 Dodgebox: une plongée profonde dans l'arsenal mis à jour d'APT41 |Partie 1
DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1 (lien direct)		 ## Instantané En avril 2024, Zscaler ThreatLabz a découvert un nouveau chargeur nommé Dodgebox, une version améliorée et évoluée de Stealthvector, un outil précédemment utilisé par le groupe chinois APT, APT41, suivi par Microsofoft.com / Intel-Profiles / ByExternalid / E49C4119AFE798DB103058C3FFDA5BD85E83534940247449478524d61ae6817a). ## Description Après leur analyse de Dodgebox, les chercheurs de Zscaler KenenceLabz évaluent que le malware est une version améliorée du chargeur Stealthvector car il existe des similitudes importantes entre les deux Malwares.Écrit en C, Dodgebox est un chargeur de DLL réfléchissant qui a un certain nombre d'attributs, y compris la possibilité de décrypter et de charger des DLL intégrées, d'effectuer des vérifications de l'environnement et d'effectuer des procédures de nettoyage.Notamment, Dodgebox utilise également l'usurpation de pile d'appels, une technique utilisée par les logiciels malveillants pour obscurcir les origines des appels API, ce qui rend difficile la détection et les programmes de réponse aux points finaux (EDR) et les programmes antivirus pour détecter les logiciels malveillants.Dodgebox a été utilisé par APT41 pour livrer la porte dérobée Moonwalk, une nouvelle porte dérobée utilisée par le groupe de menaces.  Dodgebox et Stealthvector ont tous deux des similitudes dans leur:  - Ducchissement de la somme de contrôle et de la configuration, - Format de configuration déchiffré, - Keying environnemental - Stratégie de correction de la Flux Guard (CFG), et - Utilisation de DLL CALOWING Zscaler note que leur confiance dans l'attribution des activités Dodgebox à APT41 est modérée car la charge de touche DLL est une technique souvent utilisée par les groupes chinois APT.De plus, les échantillons de Dodgebox téléchargés sur Virustotal proviennent de la Thaïlande et de Taïwan, alimentant avec le ciblage historique de l'Asie du Sud-Est par APT41 en utilisant Stealthvector. ## Détections / requêtes de chasse ### Microsoft Defender Antivirus Microsoft Defender Antivirus détecte les composants de la menace comme le malware suivant: - * [Trojan: win64 / dllhijack] (https: //www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-description?name=trojan:win64/dllhijack.ah!mtb)* - * [Trojan: Win64 / CoBaltstrike] (https://www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-description?name=trojan:win64/cobaltsstrike.off!mtb) * ## Les références [Dodgebox: une plongée profonde dans l'aresenal mis à jour d'APT41 |Partie 1] (https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-parte-1).Zscaler (consulté en 2024-07-11)
## Snapshot In April 2024, Zscaler ThreatLabz discovered a new loader named DodgeBox, an upgraded and evolved version of StealthVector, a tool previously used by the Chinese APT group, APT41, tracked by Microsoft as [Brass Typhoon](https://security.microsoft.com/intel-profiles/byExternalId/e49c4119afe798db103058c3ffda5bd85e83534940247449478524d61ae6817a). ## Description After their analysis of DodgeBox, researchers from Zscaler ThreatLabz assess that the malware is an enhanced version of StealthVector loader as there are significant similarities between the two malwares. Written in C, DodgeBox is a reflective DLL loader that has a number of attributes, including the ability to decrypt and load embedded DLLs, perform environment checks, and carry out cleanup procedures. Notably, DodgeBox also employs call stack spoofing, a technique used by malware to obfuscate the origins of API calls, making it difficult for Endpoint Detection and Response (EDR) solutions and antivirus programs to detect the malware. DodgeBox has been used by APT41 to deliver the MoonWalk backdoor, a new backdoor being employed by the threat group.  DodgeBox and StealthVector both have similarities in their:  - checksum and configuration decryption, - decrypted conf		 Malware Tool Threat Patching APT 41 ★★★
RiskIQ.webp 2024-04-08 15:09:15 Faits saillants hebdomadaires, 8 avril 2024
Weekly OSINT Highlights, 8 April 2024 (lien direct)		 Last week\'s OSINT reporting reveals several key trends emerge in the realm of cybersecurity threats. Firstly, there is a notable diversification and sophistication in attack techniques employed by threat actors, ranging from traditional malware distribution through phishing emails to advanced methods like DLL hijacking and API unhooking for evading detection. Secondly, the threat landscape is characterized by the presence of various actors, including state-sponsored groups like Earth Freybug (a subset of APT41) engaging in cyberespionage and financially motivated attacks, as well as cybercrime actors orchestrating malware campaigns such as Agent Tesla and Rhadamanthys. Thirdly, the targets of these attacks span across different sectors and regions, with organizations in America, Australia, and European countries facing significant threats. Additionally, the emergence of cross-platform malware like DinodasRAT highlights the adaptability of threat actors to target diverse systems, emphasizing the need for robust cybersecurity measures across all platforms. Overall, these trends underscore the dynamic and evolving nature of cyber threats, necessitating continuous vigilance and proactive defense strategies from organizations and cybersecurity professionals. **1. [Latrodectus Loader Malware Overview](https://sip.security.microsoft.com/intel-explorer/articles/b4fe59bf)** Latrodectus is a new downloader malware, distinct from IcedID, designed to download payloads and execute arbitrary commands. It shares characteristics with IcedID, indicating possible common developers. **2. [Earth Freybug Cyberespionage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/327771c8)** Earth Freybug, a subset of APT41, engages in cyberespionage and financially motivated attacks since at least 2012. The attack involved sophisticated techniques like DLL hijacking and API unhooking to deploy UNAPIMON, evading detection and enabling malicious commands execution. **3. [Agent Tesla Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/cbdfe243)** Agent Tesla malware targets American and Australian organizations through phishing campaigns aimed at stealing email credentials. Check Point Research identified two connected cybercrime actors behind the operation. **4. [DinodasRAT Linux Version Analysis](https://sip.security.microsoft.com/intel-explorer/articles/57ab8662)** DinodasRAT, associated with the Chinese threat actor LuoYu, is a cross-platform backdoor primarily targeting Linux servers. The latest version introduces advanced evasion capabilities and is installed to gain additional footholds in networks. **5. [Rhadamanthys Information Stealer Malware](https://sip.security.microsoft.com/intel-explorer/articles/bf8b5bc1)** Rhadamanthys utilizes Google Ads tracking to distribute itself, disguising as popular software installers. After installation, it injects into legitimate Windows files for data theft, exploiting users through deceptive ad redirects. **6. [Sophisticated Phishing Email Malware](https://sip.security.microsoft.com/intel-explorer/articles/abfabfa1)** A phishing email campaign employs ZIP file attachments leading to a series of malicious file downloads, culminating in the deployment of PowerShell scripts to gather system information and download further malware. **7. [AceCryptor Cryptors-as-a-Service (CaaS)](https://sip.security.microsoft.com/intel-explorer/articles/e3595388)** AceCryptor is a prevalent cryptor-as-a-service utilized in Rescoms campaigns, particularly in European countries. Threat actors behind these campaigns abuse compromised accounts to send spam emails, aiming to obtain credentials for further attacks. ## Learn More For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog).  Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to ge Ransomware Spam Malware Tool Threat Cloud APT 41 ★★★
RiskIQ.webp 2024-04-03 20:46:53 Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (lien direct) #### Description Trend Micro a analysé une attaque de cyberespionnage que la société a attribuée à Earth Freybug, un sous-ensemble d'APT41 (suivi par Microsoft comme [typhon en laiton] (https: // sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05afc0d4158b0e389b4078112d37c6?)).Selon Trend Micro, Earth Freybug est actif depuis àAu moins 2012 et le groupe lié au chinois a été actif dans l'espionnage et les attaques financièrement motivées.Earth Freybug utilise divers outils tels que Lolbins et les logiciels malveillants personnalisés, ciblant les organisations à l'échelle mondiale.L'attaque a utilisé des techniques telles que Dynamic Link Library (DLL) détournement et décrocheur API pour éviter la surveillance d'un nouveau malware appelé Unapimon.Unapimon élude la détection en empêchant les processus enfants d'être surveillés. Le flux d'attaque a consisté à créer des tâches planifiées à distance et à exécuter des commandes de reconnaissance pour recueillir des informations système.Par la suite, une porte dérobée a été lancée à l'aide d'un chargement latéral DLL via un service appelé sessionnv, qui charge une DLL malveillante.Unapimon, la DLL injectée, utilise le crochet de l'API pour échapper à la surveillance et à l'exécution de commandes malveillantes non détectées, présentant les attaquants \\ 'sophistication. [Consultez la rédaction de Microsoft \\ sur Dynamic-Link Library (DLL) Rijacking ici.] (Https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?) #### URL de référence (s) 1. https://www.trendmicro.com/en_us/research/24/d/arth-freybug.html #### Date de publication 2 avril 2024 #### Auteurs) Christopher So
#### Description Trend Micro analyzed a cyberespionage attack the company has attributed to Earth Freybug, a subset of APT41 (tracked by Microsoft as [Brass Typhoon](https://sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6?)). According to Trend Micro, Earth Freybug has been active since at least 2012 and the Chinese-linked group has been active in espionage and financially motivated attacks. Earth Freybug employs diverse tools like LOLBins and custom malware, targeting organizations globally. The attack used techniques like dynamic link library (DLL) hijacking and API unhooking to avoid monitoring for a new malware called UNAPIMON. UNAPIMON evades detection by preventing child processes from being monitored. The attack flow involved creating remote scheduled tasks and executing reconnaissance commands to gather system information. Subsequently, a backdoor was launched using DLL side-loading via a service called SessionEnv, which loads a malicious DLL. UNAPIMON, the injected DLL, uses API hooking to evade monitoring and execute malicious commands undetected, showcasing the attackers\' sophistication. [Check out Microsoft\'s write-up on dynamic-link library (DLL) hijacking here.](https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?) #### Reference URL(s) 1. https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html #### Publication Date April 2, 2024 #### Author(s) Christopher So		 Malware Tool Prediction APT 41 ★★
Last update at: 2024-07-12 08:08:10
See our sources.
My email:

To see everything: Our RSS (filtrered) Twitter