What's new arround internet
Last one

Src Date (GMT) Titre Description Tags Stories Notes
TechWorm.webp 2024-05-01 23:25:26 Les logiciels malveillants ciblent les routeurs pour voler les mots de passe des demandes Web
Malware Targets Routers To Steal Passwords From Web Requests (lien direct)		 Les chercheurs ont récemment suivi un nouveau malware, "Sweetfish", qui cible les équipements de mise en réseau, en particulier les petits routeurs de bureau / bureau à domicile (SOHO), pour voler le matériel d'authentification trouvé dans les demandes Web qui transitent le routeur de la locale adjacenteréseau régional (LAN). Lumen Technologies & # 8217;Black Lotus Labs, qui a examiné les logiciels malveillants, a déclaré que la seiche crée un tunnel proxy ou VPN via un routeur compromis pour exfiltrer les données en contournant l'analyse basée sur la connexion anormale, puis utilise des informations d'identification volées pour accéder aux ressources ciblées. Le malware a également la capacité d'effectuer un détournement HTTP et DNS pour les connexions aux adresses IP privées, qui sont normalement associées aux communications dans un réseau interne. Les chercheurs déclarent que la plate-forme de logiciels malveillants de secteur offre une approche zéro clique pour capturer les données des utilisateurs et des appareils derrière le bord du réseau ciblé. «Toutes les données envoyées sur les équipements réseau infiltrés par ce malware sont potentiellement exposés.Ce qui rend cette famille de logiciels malveillants si insidie-the-cuttlefish-malware / "data-wpel-link =" external "rel =" nofollow nopenner noreferrer "> avertir dans un article de blog . «La seiche est en attente, reniflant passivement les paquets, n'agissant que lorsqu'il est déclenché par un ensemble de règles prédéfini.Le renifleur de paquets utilisé par la seiche a été conçu pour acquérir du matériel d'authentification, en mettant l'accent sur les services publics basés sur le cloud. » Malware Threat Cloud Technical APT 32 ★★★★
AlienVault.webp 2023-08-10 10:00:00 Les systèmes Mac se sont transformés en nœuds de sortie proxy par adcharge
Mac systems turned into proxy exit nodes by AdLoad (lien direct)		 This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers. Executive summary  AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet. Key takeaways:  AdLoad malware is still present and infecting systems, with a previously unreported payload. At least 150 samples have been observed in the wild during the last year. AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes. The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild. Analysis  AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack. These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-Install campaign in the infected systems. The main purpose of the malware has always been to act as a downloader for subsequent payloads. It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne. In all observed samples, regardless of payload, they report an Adload server during execution on the victim’s system. This beacon (analyzed later in Figure 3 & 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code. This activity probably represents AdLoad\'s method of keeping count of the number of infected systems, supporting the pay-per-Install scheme. AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022. bar chart of AdLoad samples Figure 1. Histogram of AdLoad samples identified by Alien Labs. The vast numb Spam Malware Threat Cloud APT 32 ★★
Anomali.webp 2021-10-06 19:06:00 Inside TeamTNT\'s Impressive Arsenal: A Look Into A TeamTNT Server (lien direct) Authored By: Tara Gould Key Findings Anomali Threat Research has discovered an open server to a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT. The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments. Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server. This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools. Overview Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials. TeamTNT is a German-speaking, cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and have been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2] Technical Analysis Scripts (/cmd/) Overview of /cmd/ Figure 1 - Overview of /cmd/ Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following: AWS Credential Stealer Diamorphine Rootkit IP Scanners Mountsploit Scripts to set up utils Scripts to setup miners Scripts to remove previous miners Snippet of AWS Credential Stealer Script Figure 2 - Snippet of AWS Credential Stealer Script Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server. Chimaera_Kubernetes_root_PayLoad_2.sh Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236. Binaries (/bin/) Overview of /bin Figure 4 - Overview of /bin Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A. Malware Tool Threat Uber APT 32
The_Hackers_News.webp 2021-02-01 03:15:16 New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers (lien direct) A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research. Deployed by the China-based cybercrime group Rocke, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors Malware Threat APT 32
SecurityAffairs.webp 2021-01-31 11:27:14 New Pro-Ocean crypto-miner targets Apache ActiveMQ, Oracle WebLogic, and Redis installs (lien direct) The Rocke group is using a new piece of cryptojacking malware dubbed Pro-Ocean to target Apache ActiveMQ, Oracle WebLogic, and Redis installs. The cybercrime group Rocke is using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable Apache ActiveMQ, Oracle WebLogic, and Redis intalls. The malware is an evolution of a Monero cryptocurrency […] Malware APT 32
bleepingcomputer.webp 2021-01-29 14:06:49 New Pro-Ocean malware worms through Apache, Oracle, Redis servers (lien direct) The financially-motivated Rocke hackers are using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis. [...] Malware APT 32
Kaspersky.webp 2021-01-28 20:06:57 Rocke Group\'s Malware Now Has Worm Capabilities (lien direct) The Pro-Ocean cryptojacking malware now comes with the ability to spread like a worm, as well as harboring new detection-evasion tactics. Malware APT 32
Kaspersky.webp 2020-12-11 17:05:37 Facebook Shutters Accounts Used in APT32 Cyberattacks (lien direct) Facebook shut down accounts and Pages used by two separate threat groups to spread malware and conduct phishing attacks. Malware Threat APT 32
grahamcluley.webp 2020-12-02 16:26:10 Mac users warned of more Ocean Lotus malware targeted attacks (lien direct) Security researchers have warned of the latest incarnation of a backdoor trojan horse that has been used in the past to target Mac users. If you're a Mac user, I really hope you're running anti-virus software. Malware APT 32
itsecurityguru.webp 2020-12-01 11:11:20 MacOS users targeted with updated malware (lien direct) A new form of malware has been discovered to be targeting Apple MacOS user, with researches saying that it is tied to a state-backed hacking operation. The malware campaign has been identified by cybersecurity analysts at Trend Micro, who have linked campaign back to the Vietnamese backed group OceanLotus, also known as APT32. OceanLotus has […] Malware APT 32
MalwarebytesLabs.webp 2019-04-22 15:47:02 (Déjà vu) A week in security (April 15 – 21) (lien direct) A roundup of security news from April 15–21, including an explanation of like-farming, Ellen DeGeneres scam, flaws in VPN services, funky malware formats found in Ocean Lotus, and more. Categories: Security world Week in security Tags: (Read more...) Malware APT 32
MalwarebytesLabs.webp 2019-04-19 18:37:05 Funky malware format found in Ocean Lotus sample (lien direct) Recently, one of our researchers presented at the SAS conference on "Funky malware formats"-atypical executable formats used by malware that are only loaded by proprietary loaders. In this post, we analyze one of those formats in a sample called Ocean Lotus from the APT 32 threat group in Vietnam. Categories: Malware Threat analysis Tags: (Read more...) Malware Threat APT 32
ESET.webp 2019-04-09 09:30:05 OceanLotus: macOS malware update (lien direct) >Latest ESET research describes the inner workings of a recently found addition to OceanLotus's toolset for targeting Mac users Malware APT 32
SecurityAffairs.webp 2018-10-19 07:06:03 Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew (lien direct) Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada. The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1. “McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report. “We […] Malware Threat APT 32 APT 1
ZDNet.webp 2018-10-18 04:01:00 Oceansalt cyberattack wave linked to defunct Chinese APT Comment Crew (lien direct) The source code of malware from the ancient Chinese military-affiliated group appears to have changed hands. Malware APT 32 APT 1
Last update at: 2024-05-19 23:08:19
See our sources.
My email:

To see everything: Our RSS (filtrered) Twitter