What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
RiskIQ.webp 2024-05-07 20:14:06 JFrog Security Research Discovers Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories
(direct link)
## Snapshot

JFrog Security Research has discovered three large-scale malware campaigns that targeted Docker Hub, planting millions of "imageless" repositories with malicious metadata.

## Description

Docker Hub is a platform that delivers many functionalities to developers, presenting numerous opportunities for development, collaboration, and distribution of Docker images. Currently, it is the number one container platform of choice for developers worldwide. Yet, a significant concern arises when considering the content of these public repositories. The research reveals that nearly 20% of these public repositories actually hosted malicious content.

These repositories do not contain container images but instead contain metadata that is malicious. The content ranged from simple spam that promotes pirated content, to extremely malicious entities such as malware and phishing sites, uploaded by automatically generated accounts. Prior to this publication, the JFrog research team disclosed all findings to the Docker security team, including 3.2M repositories that were suspected of hosting malicious or unwanted content. The Docker security team quickly removed all of the malicious and unwanted repositories from Docker Hub.

## Recommendations

JFrog Security Research recommends that users prefer Docker images that are marked in Docker Hub as “Trusted Content”.

## References

["JFrog Security Research Discovers Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories"](https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/#new_tab) JFrog. (Accessed 2024-05-07)
Spam Malware ★★★
RiskIQ.webp 2024-04-26 19:12:08 ToddyCat APT Group Hones Data Exfiltration Tactics, Exploits Legitimate Tools
(direct link)
#### Targeted Geolocations

- Oceania
- Southeast Asia
- South Asia
- East Asia
- Central Asia

#### Targeted Industries

- Government Agencies & Services
- Defense

## Snapshot

Kaspersky reports the APT group ToddyCat has been observed targeting governmental organizations, particularly defense-related ones in the Asia-Pacific region, with the goal of stealing sensitive information on an industrial scale.

## Description

They employ various tools and techniques, including traffic tunneling and the creation of reverse SSH tunnels, to maintain constant access to compromised infrastructure. The attackers utilize disguised OpenSSH private key files, execute scripts to modify folder permissions, create SSH tunnels to redirect network traffic, and employ the SoftEther VPN package to potentially facilitate unauthorized access and data exfiltration. Additionally, they use various files and techniques, such as concealing file purposes, copying files through shared resources, and tunneling to legitimate cloud providers, to gain access to victim hosts and evade detection. The threat actors initially gain access to systems by installing servers, modifying server settings, and utilizing tools like Ngrok and Krong to redirect C2 traffic and create tunnels for unauthorized access. They also employ the FRP client, a data collection tool named "cuthead", and a tool called "WAExp" to search for and collect browser local storage files containing data from the web version of WhatsApp. The attackers demonstrate a sophisticated and evolving approach to data collection and exfiltration, utilizing multiple tools and techniques to achieve their objectives.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of Information stealer threats.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentic

Ransomware Spam Malware Tool Threat Industrial Cloud ★★
RiskIQ.webp 2024-04-15 15:15:00 Weekly OSINT Highlights, 15 April 2024
(direct link)
## Snapshot

Last week's OSINT reporting reveals a landscape of diverse cyber threats characterized by sophisticated attack tactics and adaptable threat actors. One key trend was the increasing use of artificial intelligence (AI) by cybercriminals, including AI-powered malvertising on social media platforms and suspected LLM-generated content in a malware campaign targeting German organizations. Additionally, several OSINT articles reported on the trend of exploiting popular platforms like YouTube and GitHub to distribute malware. Threat actors demonstrate a keen understanding of user behavior, leveraging enticing content and fake webpages to lure victims into downloading malicious payloads, highlighting the importance of proactive defense strategies to mitigate evolving threats effectively.

## Description

1. **[German Organizations Targeted with Rhadamanthys Malware](https://security.microsoft.com/intel-explorer/articles/119bde85):** Proofpoint identifies TA547 launching an email campaign targeting German organizations with Rhadamanthys malware, representing a shift in techniques for the threat actor. The campaign involves impersonating a German retail company in emails containing password-protected ZIP files containing LNK files triggering PowerShell scripts to load Rhadamanthys into memory, bypassing disk writing. The incorporation of suspected LLM-generated content into the attack chain provides insight into how threat actors are leveraging LLM-generated content in malware campaigns.
2. **[Russian-Language Cybercrime Operation Leveraging Fake Web3 Gaming Projects](https://security.microsoft.com/intel-explorer/articles/0cdc08b5):** The Insikt Group uncovers a large-scale Russian-language cybercrime operation distributing infostealer malware through fake Web3 gaming projects targeting both macOS and Windows users. Threat actors entice users with the potential for cryptocurrency earnings, distributing malware like Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro upon visiting imitation Web3 gaming projects' webpages.
3. **[AI-Powered Malvertising Campaigns on Social Media](https://security.microsoft.com/intel-explorer/articles/1e1b0868):** Bitdefender discusses the use of artificial intelligence (AI) by cybercriminals in malvertising campaigns on social media platforms, impersonating popular AI software to distribute stealers like Rilide, Vidar, IceRAT, and Nova Stealer. These campaigns target European users through fake AI software webpages on Facebook, organized by taking over existing accounts and boosting page popularity through engaging content.
4. **[Exploitation of YouTube Channels for Infostealer Distribution](https://security.microsoft.com/intel-explorer/articles/e9f5e219):** AhnLab identifies a trend where threat actors exploit YouTube channels to distribute Infostealers like Vidar and LummaC2, disguising them as cracked versions of legitimate software. Attackers hijack popular channels with hundreds of thousands of subscribers, distributing malicious links through video descriptions and comments, highlighting concerns about the potential reach and impact of distributed malware.
5. **[VenomRAT Distribution via Phishing Email with Malicious SVG Files](https://security.microsoft.com/intel-explorer/articles/98d69c76):** FortiGuard Labs reveals a threat actor distributing VenomRAT and other plugins through phishing emails containing malicious Scalable Vector Graphics (SVG) files. The email attachment downloads a ZIP file containing an obfuscated Batch file, subsequently loading VenomRAT using ScrubCrypt to maintain a connection with a command and control (C2) server and install plugins on victims' environments.
6. **[Malware Distribution through GitHub Repositories Manipulation](https://security.microsoft.com/intel-explorer/articles/4d0ffb2c):** Checkmarx reports a cybercriminal attack campaign manipulating GitHub's search functionality to distribute malware through repositories. Attackers create repositories with popular names and topics, hiding malicious code withi

Ransomware Spam Malware Tool Threat Prediction ★★
RiskIQ.webp 2024-04-08 15:09:15 Weekly OSINT Highlights, 8 April 2024
(direct link)
Last week's OSINT reporting reveals several key trends in the realm of cybersecurity threats. Firstly, there is a notable diversification and sophistication in attack techniques employed by threat actors, ranging from traditional malware distribution through phishing emails to advanced methods like DLL hijacking and API unhooking for evading detection. Secondly, the threat landscape is characterized by the presence of various actors, including state-sponsored groups like Earth Freybug (a subset of APT41) engaging in cyberespionage and financially motivated attacks, as well as cybercrime actors orchestrating malware campaigns such as Agent Tesla and Rhadamanthys. Thirdly, the targets of these attacks span different sectors and regions, with organizations in America, Australia, and European countries facing significant threats. Additionally, the emergence of cross-platform malware like DinodasRAT highlights the adaptability of threat actors to target diverse systems, emphasizing the need for robust cybersecurity measures across all platforms. Overall, these trends underscore the dynamic and evolving nature of cyber threats, necessitating continuous vigilance and proactive defense strategies from organizations and cybersecurity professionals.

**1. [Latrodectus Loader Malware Overview](https://sip.security.microsoft.com/intel-explorer/articles/b4fe59bf)** Latrodectus is a new downloader malware, distinct from IcedID, designed to download payloads and execute arbitrary commands. It shares characteristics with IcedID, indicating possible common developers.

**2. [Earth Freybug Cyberespionage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/327771c8)** Earth Freybug, a subset of APT41, has engaged in cyberespionage and financially motivated attacks since at least 2012. The attack involved sophisticated techniques like DLL hijacking and API unhooking to deploy UNAPIMON, evading detection and enabling the execution of malicious commands.

**3. [Agent Tesla Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/cbdfe243)** Agent Tesla malware targets American and Australian organizations through phishing campaigns aimed at stealing email credentials. Check Point Research identified two connected cybercrime actors behind the operation.

**4. [DinodasRAT Linux Version Analysis](https://sip.security.microsoft.com/intel-explorer/articles/57ab8662)** DinodasRAT, associated with the Chinese threat actor LuoYu, is a cross-platform backdoor primarily targeting Linux servers. The latest version introduces advanced evasion capabilities and is installed to gain additional footholds in networks.

**5. [Rhadamanthys Information Stealer Malware](https://sip.security.microsoft.com/intel-explorer/articles/bf8b5bc1)** Rhadamanthys utilizes Google Ads tracking to distribute itself, disguising itself as popular software installers. After installation, it injects into legitimate Windows files for data theft, exploiting users through deceptive ad redirects.

**6. [Sophisticated Phishing Email Malware](https://sip.security.microsoft.com/intel-explorer/articles/abfabfa1)** A phishing email campaign employs ZIP file attachments leading to a series of malicious file downloads, culminating in the deployment of PowerShell scripts to gather system information and download further malware.

**7. [AceCryptor Cryptors-as-a-Service (CaaS)](https://sip.security.microsoft.com/intel-explorer/articles/e3595388)** AceCryptor is a prevalent cryptor-as-a-service utilized in Rescoms campaigns, particularly in European countries. Threat actors behind these campaigns abuse compromised accounts to send spam emails, aiming to obtain credentials for further attacks.

## Learn More

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog).

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to ge

Ransomware Spam Malware Tool Threat Cloud APT 41 ★★★
RiskIQ.webp 2024-04-01 20:02:08 Rescoms Rides Waves of AceCryptor Spam
(direct link)
#### Description

ESET research shares insights into AceCryptor, one of the most popular and prevalent cryptors-as-a-service (CaaS) in the second half of 2023, with a focus on Rescoms campaigns in European countries. Even though well known by security products, AceCryptor's prevalence is not showing indications of decline: on the contrary, the number of attacks significantly increased due to the Rescoms campaigns. The threat actor behind those campaigns in some cases abused compromised accounts to send spam emails in order to make them look as credible as possible. The goal of the spam campaigns was to obtain credentials stored in browsers or email clients, which in case of a successful compromise would open possibilities for further attacks.

#### Reference URL(s)

1. https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/

#### Publication Date

March 20, 2024

#### Author(s)

Jakub Kaloč
Spam Threat ★★
RiskIQ.webp 2024-04-01 13:51:22 Weekly OSINT Highlights, 1 April 2024
(direct link)
Last week's OSINT reporting reveals an array of cyber threats marked by sophisticated attack tactics and diverse targets. From malvertising campaigns deploying stealers like Rhadamanthys to the first known attack campaign targeting AI workloads, threat actors exhibit a range of attack vectors targeting both individuals and organizations. Notably, the evolution of malware such as Vultur and StrelaStealer highlights a continual arms race between attackers and defenders, with adversaries demonstrating adaptability and persistence in their pursuit of data theft and system compromise. The targeting of specific platforms like WordPress sites and email clients underscores the threat to online ecosystems, while the widespread impact across industries emphasizes the need for robust cybersecurity measures and constant vigilance against evolving threats.

1. [Go Malvertising Campaign with Rhadamanthys Stealer](https://security.microsoft.com/intel-explorer/articles/e6d270fc): A malvertising campaign had utilized a Go language loader to deploy the Rhadamanthys stealer, targeting users through a fake PuTTY homepage ad at the top of Google search results. The loader, closely linked to the malvertising infrastructure, had retrieved the payload, Rhadamanthys, which had been executed by the parent process PuTTY.exe, indicating a coordinated attack by the same threat actor.
2. [Active Attack Campaign Exploiting Ray Framework Vulnerability](https://security.microsoft.com/intel-explorer/articles/e4cd5bc2): An ongoing active attack campaign had exploited a critical vulnerability in the Ray open-source AI framework, known as ShadowRay (CVE-2023-48022), impacting thousands of companies globally. Attackers had exploited this vulnerability to take control of computing resources, steal sensitive data, and conduct cryptocurrency mining operations, demonstrating the severity of the issue and its widespread impact across industries.
3. [Evolution of Android Banking Malware Vultur](https://security.microsoft.com/intel-explorer/articles/3f7c3599): Authors behind the Android banking malware Vultur had enhanced its capabilities, including remote interaction with victim devices and encryption of C2 communication, showcasing continual development to evade detection and carry out malicious actions with greater sophistication.
4. [Agent Tesla Phishing Email Infection Chain](https://security.microsoft.com/intel-explorer/articles/5ffaa8a4): SpiderLabs had identified a phishing email leading to an infection chain deploying Agent Tesla, utilizing obfuscation, packing techniques, and polymorphic behavior to evade detection and ensure stealthy execution, posing challenges for traditional antivirus systems.
5. [Sign1 Malware Campaign Exploiting WordPress Sites](https://security.microsoft.com/intel-explorer/articles/063f7fac): Sucuri and GoDaddy Infosec had discovered the Sign1 malware campaign infecting over 2,500 WordPress sites, injecting malicious code into custom HTML widgets to redirect visitors to scam sites, demonstrating the threat to website integrity and visitor security.
6. [StrelaStealer Email Client Targeting Malware](https://security.microsoft.com/intel-explorer/articles/82785858): StrelaStealer, a malware targeting email clients to steal login data, had launched large-scale email campaigns impacting over 100 organizations, particularly targeting high-tech industries. The malware's evolving infection chain and updated payloads had underscored its adaptability and the challenge it had posed to security analysts and products.

## Learn More

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog).

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this summa

Ransomware Spam Malware Tool Vulnerability Threat Mobile Cloud ★★
RiskIQ.webp 2024-03-25 13:28:48 Weekly OSINT Highlights, 25 March 2024
(direct link)
Last week's OSINT reporting presents a range of cyber threats, from Russian state-sponsored espionage campaigns by Secret Blizzard to infostealer malware such as Formbook and the Adobe Reader infostealer, demonstrating adaptability and persistence among threat actors. Deceptive tactics such as typosquatting and fake software distribution are used to camouflage activities and target specific user groups, as seen in the case of Chinese search engine targeting. In addition, search-based malvertising, notably with the FakeBat malware, highlights the abuse of legitimate websites and digital certificates to evade security measures. Overall, these trends underscore the need for robust cybersecurity measures and continuous threat intelligence to effectively mitigate evolving threats.

1. **[Turla Espionage Campaign](https://security.microsoft.com/intel-explorer/articles/bf6723e9?):** The Russian espionage group Turla, also known as Secret Blizzard by Microsoft, targets a European NGO, employing tactics such as information theft and network infiltration. Turla's post-compromise activities involve deploying implants such as TinyTurla-NG and conducting reconnaissance, demonstrating persistence and stealth in their operations.
2. **[Linux Server RCE Attack](https://security.microsoft.com/intel-explorer/articles/9b8f807f?):** Cybereason Security Services reports an incident involving a Linux server exploited via a remote code execution (RCE) vulnerability in Apache ActiveMQ, facilitating the deployment of malicious payloads such as the Mirai botnet, HelloKitty ransomware, and coinminers. Attack methodologies include automation and interactive sessions via Netcat reverse shells, highlighting the threat actors' diverse arsenal and adaptable tactics.
3. **[Formbook Infostealer Malware](https://security.microsoft.com/intel-explorer/articles/7b321c6c?):** Formbook, an infostealer malware, exhibits advanced capabilities such as keystroke logging and screen capture, while evading detection through obfuscation and encryption techniques. Cybercriminals distribute Formbook via email, with instances of use noted during geopolitical conflicts, underscoring its flexibility and persistent threat.
4. **[Chinese Search Engine Targeting](https://security.microsoft.com/intel-explorer/articles/5a806c77?):** Kaspersky uncovers a threat targeting Chinese users via modified versions of popular text editors distributed through typosquatting and other deceptive techniques, underscoring threat actors' efforts to mimic legitimate resources for malicious purposes.
5. **[PhantomBlu Malware Campaign](https://security.microsoft.com/intel-explorer/articles/356f4d44?):** Perception Point reveals the PhantomBlu campaign targeting US organizations with the NetSupport RAT, using advanced evasion tactics such as OLE template manipulation and social engineering to effectively compromise systems, showcasing an evolution in malware delivery strategies that blends evasion and social engineering.
6. **[Search-Based Malvertising Surge](https://security.microsoft.com/intel-explorer/articles/7cc81ecb?):** Malwarebytes reports an increase in search-based malvertising incidents, notably involving the FakeBat malware. Distributed through MSIX installers with PowerShell code obsc

Ransomware Spam Malware Tool Vulnerability Threat ★★★
RiskIQ.webp 2024-03-18 13:23:03 Weekly OSINT Highlights, 18 March 2024
(direct link)
## Weekly OSINT Highlights, 18 March 2024

Last week's OSINT reporting revealed a common theme: cyberattacks targeting specific user groups are becoming more sophisticated. Take, for instance, the Notion installer malware, which dupes users by posing as a legitimate software installer, showcasing adept social engineering. Similarly, the BIPClip campaign demonstrates a highly targeted approach towards developers involved in cryptocurrency projects, with the threat actors leveraging multiple open-source packages to steal sensitive mnemonic phrases. Despite distinct attack methods, both instances underscore threat actors' adaptability in tailoring attacks to their targets. Additionally, the analysis highlights a growing trend where attackers focus on specific sectors or user demographics, indicating a shift towards more targeted and stealthy cyber threats rather than indiscriminate attacks. This trend underscores the importance of user vigilance and the necessity for industry-specific cybersecurity measures to mitigate evolving risks.

1. **[Notion Installer Malware](https://security.microsoft.com/intel-explorer/articles/f21ac4ec?):** A new MSIX malware posing as the Notion installer is distributed through a fake website resembling the official Notion homepage. The malware, signed with a valid certificate, infects Windows PCs when users attempt to install Notion, compromising their systems with malware.
2. **[BIPClip Crypto Wallet Theft Campaign](https://security.microsoft.com/intel-explorer/articles/21aa5484?):** ReversingLabs uncovered the BIPClip campaign, which utilizes seven open-source packages across 19 versions from PyPI to steal mnemonic phrases for crypto wallet recovery. The campaign targets developers involved in cryptocurrency wallet projects, particularly those implementing Bitcoin Improvement Proposal 39 (BIP39), and employs sophisticated methods to avoid detection. The BIPClip campaign underscores how crypto assets are one of the most popular targets of cybercriminal groups and other threat actors, such as North Korean APTs.

## Learn More

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog).

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this summary. The following reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

- Tool Profile: [Information stealers](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6?)
- [Financially motivated threat actors misusing App Installer](https://security.microsoft.com/intel-explorer/articles/74368091?)

## Recommendations to protect against Information stealers

Microsoft recommends the following mitigations to reduce the impact of Information stealer threats.

- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-sec

Ransomware Spam Malware Tool Threat Prediction ★★★
RiskIQ.webp 2024-03-06 01:05:06 Weekly OSINT Highlights, 4 March 2024
(direct link)
## Weekly OSINT Highlights, 4 March 2024

Ransomware loomed large in cyber security research news this week, with our curated OSINT featuring research on Abyss Locker, BlackCat, and Phobos. Phishing attacks, information stealers, and spyware are also in the mix, highlighting the notable diversity in the cyber threat landscape. The OSINT reporting this week showcases the evolving tactics of threat actors, with operators increasingly employing multifaceted strategies across different operating systems. Further, the targets of these attacks span a wide range, from civil society figures targeted by spyware in the Middle East and North Africa to state and local governments victimized by ransomware. The prevalence of attacks on sectors like healthcare underscores the significant impact on critical infrastructure and the potential for substantial financial gain through ransom payments.

1. [**Abyss Locker Ransomware Evolution and Tactics**](https://ti.defender.microsoft.com/articles/fc80abff): Abyss Locker ransomware, derived from HelloKitty, exfiltrates victim data before encryption and targets Windows systems, with a subsequent Linux variant observed. Its capabilities include deleting backups and employing different tactics for virtual machines, indicating a growing sophistication in ransomware attacks.
2. [**ALPHV Blackcat Ransomware-as-a-Service (RaaS)**](https://ti.defender.microsoft.com/articles/b85e83eb): The FBI and CISA warn of ALPHV Blackcat RaaS, which targets multiple sectors, particularly healthcare. Recent updates to ALPHV Blackcat include improved defense evasion and encryption capabilities for Windows and Linux, reflecting the increasing sophistication in ransomware operations.
3. [**Phobos RaaS Model**](https://ti.defender.microsoft.com/articles/ad1bfcb4): Phobos ransomware, operating as a RaaS model, frequently targets state and local governments. Its use of accessible open-source tools enhances its popularity among threat actors, emphasizing the ease of deployment and customization for various environments.
4. [**TimbreStealer Phishing Campaign**](https://ti.defender.microsoft.com/articles/b61544ba): Talos identifies a phishing campaign distributing TimbreStealer, an information stealer disguised using Mexican tax-related themes. The threat actor was previously associated with banking trojans, underscoring the adaptability and persistence of malicious actors.
5. [**Nood RAT Malware Features and Stealth**](https://ti.defender.microsoft.com/articles/cc509147): ASEC uncovers Nood RAT, a Linux-based variant of Gh0st RAT, equipped with encryption and disguised as legitimate software. The malware's flexibility in binary creation and process naming underscores the threat actor's intent to evade detection and carry out malicious activities with sophistication.
6. [**Predator Spyware Infrastructure and Targeting**](https://ti.defender.microsoft.com/articles/7287eb1b): The Insikt Group's discovery highlights the widespread use of Predator spyware, primarily targeting journalists, politicians, and activists in various countries. Despite its purported use for counterterrorism and law enforcement, Predator is employed by threat actors outside these contexts, posing significant privacy and safety risks.
## Learn More

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog) and the following blog posts:

- [Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself](https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/?ocid=magicti_ta_blog#defending-against-ransomware)

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this summary. The following

Ransomware Spam Malware Tool Threat Legislation Medical ★★★★
RiskIQ.webp 2024-02-27 20:31:31 TimbreStealer Campaign Targets Mexican Users with Financial Lures (direct link)
#### Description

Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer Talos is calling TimbreStealer, which has been active since at least November 2023. It contains several embedded modules used for orchestration, decryption and protection of the malware binary. This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as "Mispadu."

#### Reference URL(s)

1. https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/

#### Publication Date

February 27, 2024

#### Author(s)

Guilherme Venere, Jacob Finn, Tucker Favreau, Jacob Stanfill, James Nutland
Spam Malware Threat ★★
RiskIQ.webp 2024-02-16 20:41:12 SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud (direct link)
#### Description

SentinelOne researchers have discovered a new Python script called SNS Sender that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, also known as smishing. This is the first script observed using AWS SNS, and it is believed that the actor behind this tool is using cloud services to send bulk SMS phishing messages. The script author is known by the alias ARDUINO_DAS and is prolific in the phish kit scene.

The script requires a list of phishing links named links.txt in its working directory. SNS Sender also takes several arguments that are entered as input: a text file containing a list of AWS access keys, secrets, and region delimited by a colon; a text file containing a list of phone numbers to target; a sender ID, similar to a display name for a message; and the message content. The script replaces any occurrences of the string in the message content variable with a URL from the links.txt file, which weaponizes the message as a phishing SMS. The actor behind this tool has been linked to many phishing kits used to target victims' personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.

#### Reference URL(s)

1. https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/

#### Publication Date

February 15, 2024

#### Author(s)

Alex Delamotte
Spam Tool Cloud ★★★
RiskIQ.webp 2024-01-10 21:33:16 Black Basta-Affiliated Water Curupira's Pikabot Spam Campaign (direct link)
#### Description

The Water Curupira intrusion set, known for using the Black Basta ransomware, has been using Pikabot, a loader malware similar to Qakbot, in spam campaigns throughout 2023. Pikabot is a multi-stage malware with a loader and core module within the same file, as well as a decrypted shellcode that decrypts another DLL file from its resources. The malware gains initial access to its victim's machine through spam emails containing an archive or a PDF attachment. The emails employ thread-hijacking, a technique where malicious actors use existing email threads and create emails that look like they were meant to be part of the thread to trick recipients into believing that they are legitimate.

#### Reference URL(s)

1. https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

#### Publication Date

January 10, 2024

#### Author(s)

Trend Micro Research
Ransomware Spam Malware ★★★
RiskIQ.webp 2024-01-04 22:13:12 UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT (direct link)
#### Description

The UAC-0050 threat group has been found to be using an advanced strategy that allows for a more clandestine data transfer channel, effectively circumventing detection mechanisms employed by Endpoint Detection and Response (EDR) and antivirus systems. The group's weapon of choice is RemcosRAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal. However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability.

The initial attack vector is yet to be pinpointed, though indications lean towards phishing or spam emails. The LNK file is responsible for initiating the download of an HTA file. Within this HTA file lies a VBS script that, upon execution, triggers a PowerShell script. This PowerShell script endeavors to download a malicious payload (word_update.exe) from a server. Upon launching, word_update.exe executes cmd.exe and shares malicious data through a pipe. Consequently, it leads to the launch of explorer.exe with the malicious RemcosRAT residing in the memory of explorer.exe.

The Remcos version identified is 4.9.2 Pro, and it has successfully gathered information about the victim, including the computer name and username. RemcosRAT removes cookies and login data from the following browsers: Internet Explorer, Firefox, and Chrome.

#### Reference URL(s)

1. https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method

#### Publication Date

January 4, 2024

#### Author(s)

Uptycs Threat Research
Spam Malware Threat ★★
RiskIQ.webp 2023-11-07 21:33:55 Unmasking AsyncRAT New Infection Chain (direct link)
#### Description

McAfee Labs has observed a recent AsyncRAT campaign being distributed through a malicious HTML file. This entire infection strategy employs a range of file types, including PowerShell, Windows Script File (WSF), VBScript (VBS), and more, in order to bypass antivirus detection measures.

A recipient receives a spam email containing a nefarious web link. When accessed, this link triggers the download of an HTML file. Within this HTML file, an ISO file is embedded, and this ISO image file harbors a WSF (Windows Script File). The WSF file subsequently establishes connections with various URLs and proceeds to execute multiple files in formats such as PowerShell, VBS (VBScript), and BAT. These executed files are employed to carry out a process injection into RegSvcs.exe, a legitimate Microsoft .NET utility. This manipulation of RegSvcs.exe allows the attacker to covertly hide their activities within a trusted system application.

#### Reference URL(s)

1. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/

#### Publication Date

November 3, 2023

#### Author(s)

McAfee Labs, Vignesh Dhatchanamoorthy, Lakshya Mathur
Spam ★★★
Last update at: 2024-05-08 19:08:11