What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-04-16 06:00:54 | De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering (lien direct) |
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor. To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing. TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active. Overview Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People\'s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of Korea (ROK or South Korea) foreign policy. Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling. It is this initial engagement, and the tactics successfully leveraged by TA427, which this blog is focused on. Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024. Social engineering TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea\'s strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427\'s goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (example Figure 2). TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months. They do so by constantly rotating which aliases are used to engage with the targets on similar subject matter. Figure 2. Example of TA427 campaign focused on US policy during an election year. Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, targets are often requested to share their thoughts on these topics via email or a formal research paper or article. Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and based on Proofpoint visibility, rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and establish rapport for later questions and engagement. Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint observed subject lures. Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr | Malware Tool Threat Conference | APT 37 APT 43 | ★★ |
 |
2023-03-14 17:32:00 | Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (lien direct) |
Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions
(published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee
(published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i |
Ransomware Malware Tool Vulnerability Threat Guideline Conference | APT 35 ChatGPT ChatGPT APT 36 APT 42 | ★★ |
 |
2023-01-26 00:01:00 | British cyber agency issues warning over Russian and Iranian espionage campaigns (lien direct) |  Two separate but similar espionage campaigns from Russian and Iranian-linked groups have prompted a warning from Britain's National Cyber Security Centre. In a document published on Thursday local time the NCSC warned how instead of sending surprise phishing emails, the hacking groups – identified as “Russia-based” SEABORGIUM and “Iran-based” APT42, or Charming Kitten – are [… |
Conference | APT 35 APT 42 | ★★ |
 |
2022-12-14 10:20:58 | Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research (lien direct) | Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research Cybersecurity researchers at Proofpoint have released new threat intelligence into Iranian state-aligned threat actor TA453 (AKA Charming Kitten, PHOSPHORUS, APT42), showing how the group has deviated from its traditional phishing techniques and is targeting new victims. - Malware Update | Threat Conference | APT 35 APT 42 | ★★ |
 |
2022-09-14 05:09:00 | Iranian cyberspies use multi-persona impersonation in phishing threads (lien direct) | One of the most prolific state-sponsored Iranian cyber espionage groups is targeting researchers from different fields by setting up sophisticated spear-phishing lures in which they use multiple fake personas inside the same email thread for increased credibility.Security firm Proofpoint tracks the group as TA453, but it overlaps with activity that other companies have attributed to Charming Kitten, PHOSPHORUS and APT42. Incident response company Mandiant recently reported with medium confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) and specializes in highly targeted social engineering.To read this article in full, please click here | Conference | APT 35 APT 42 |
1
We have: 5 articles.
We have: 5 articles.
To see everything:
Our RSS (filtrered)
