What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
SecurityWeek 2017-01-06 14:49:11 Iranian Group Delivers Malware via Fake Oxford University Sites (direct link) An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims. APT 34
AlienVault 2017-01-03 14:00:00 Top 12 AlienVault Blogs of 2016 (direct link) Wow, 2016 was quite a year, which provided the AlienVault team and our guest bloggers with plenty of topics to blog on, from InfoSec best practices to OceanLotus to Reverse Engineering to building a home malware lab! We are looking forward to providing more educational and useful blogs in 2017. As in 2016, we welcome and support guest bloggers who have contributions to make to the InfoSec community. If you are interested in being a guest blogger, please contact me at kbrew@alienvault.com. Lastly, please subscribe to our blog to ensure you get all the new goodies, either daily or as a weekly summary in your inbox. Without further ado, following are the top 12 AlienVault blogs of 2016:
Building a Home Lab to Become a Malware Hunter - A Beginner's Guide - The top blog of 2016 was written by @sudosev and explains how he set up his own home malware lab.
How Penetration Testers Use Google Hacking - Jayme Hancock describes how to do Google hacking / dorking cleverly as a pen tester. It even includes a helpful "cheat sheet".
Security Issues of WiFi - How it Works - Everyone loves WiFi, but Joe Gray explains how WiFi works and describes the many security issues and nuances associated with WiFi.
Reverse Engineering Malware - In this blog, I interview some members of our AlienVault Labs team to learn how they reverse engineer malware when they're doing security research. The team describes several approaches and tools to use in analyzing malware samples.
The Mirai Botnet, Tip of the IoT Iceberg - Javvad Malik talks about IoT security challenges in general, and focuses on the Mirai botnet, which targeted XiongMai Technologies IoT equipment in a recent attack.
Web Application Security: Methods and Best Practices - The OWASP top 10 and web application security testing are covered in this educational blog by Garrett Gross.
Common Types of Malware, 2016 Update - Lauren Barraco outlines the different categories of malware and highlights what's new in 2016.
PowerWare or PoshCoder? Comparison and Decryption - Peter Ewane of the Labs team talks about his research into PowerShell vulnerabilities and exploits. He focuses on PowerWare, which seems to be heavily based on PoshCoder.
Can You Explain Encryption to Me? - In this blog by Javvad Malik, he describes encryption to his boss in a hilarious exchange of notes. Javvad then outlines the basics of encryption in a very understandable way.
OceanLotus for OS X – an Application Bundl Medical APT 38 APT 32
DarkReading 2016-11-30 22:05:00 China Cybersecurity Firm Linked With Country's Intel Agency For Espionage (direct link) Boyusec is working with China's intelligence services and military to doctor security products for spying, says Pentagon report. APT 3
SANS 2016-11-17 07:14:56 Example of Getting Analysts & Researchers Away, (Wed, Nov 16th) (direct link) It is well-known that bad guys implement pieces of code to defeat security analysts and researchers. Modern malware has VM evasion techniques to detect as soon as possible if it is executed in a sandbox environment. The same applies to web services like phishing pages or C&C control panels. Yesterday, I found a website delivering a malicious PE file. The URL was http://www.[redacted].com/king/prince.exe. This PE file was downloaded and executed by a malicious Office document. Nothing special here, it's a classic attack scenario. Usually, when I receive a URL like this one, I always try to access the upper directory indexes and also some usual filenames / directories (I built and maintain my own dictionary for this purpose). Playing active-defense [screenshot] The file zz.php is less interesting, it's a simple PHP mailer. The dbl directory contains interesting pages that provide a fake [screenshot] In this case, attackers made another mistake: the source code of the phishing site was left on the server in the dbl.zip file. Once downloaded and analyzed, it revealed a classic attack trying to lure visitors and collect credentials. Note that the attacker was identified via his gmail.com address present in the scripts. But the most interesting file is called blocker.php:
    ...include("blocker.php")...
Let's have a look at this file. It performs several checks based on the visitor's details (IP and browser).
First of all, it performs a reverse lookup of the visitor's IP address and looks for blocked words in the resulting hostname:
    $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit","paypal");
    foreach($blocked_words as $word) {
        if (substr_count($hostname, $word) > 0) {
            header("HTTP/1.0 404 Not Found");
        }
    }
Next, the visitor's IP address is checked against a list of banned addresses and ranges:
    if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) {
        header("HTTP/1.0 404 Not Found");
    } else {
        foreach($bannedIP as $ip) {
            if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){
                header("HTTP/1.0 404 Not Found");
            }
        }
    }
Here is the list of the more relevant banned networks: Google, Digital Ocean, Cogent, Internet Systems Consortium, Amazon, Datapipe, DoD Network Information Center, Omnico. Then the User-Agent is checked:
    if(strpos($_SERVER['HTTP_USER_AGENT'], 'google') or strpos($_SERVER['HTTP_USER_AGENT'], 'msnbot') or strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') or strpos($_SERVER['HTTP_USER_AGENT'], 'YahooSeeker') or strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') or strpos($_SERVER['HTTP_USER_AGENT'], 'bingbot') or strpos($_SERVER['HTTP_USER_AGENT'], 'crawler') or strpos($_SERVER['HTTP_USER_AGENT'], 'PycURL') or strpos($_SERVER['HTTP_USER_AGENT'], 'facebookexternalhit') !== false) {
        header("HTTP/1.0 404 Not Found");
    }
Surprisingly, this last [screenshot]
    Wget/1.13.4 (linux-gnu)
    curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    python-requests/2.9.1
    Python-urllib/2.7
    Java/1.8.0_111
    ...
Many ranges of IP addresses belong to hosting companies. Many researchers use VPS and servers located there, that's why they are banned. In the same way, interesting targets for the phishing page are residential customers of the bank, connected via classic big ISPs. Conclusion: if you are hunting for malicious code / sites, use an anonymous IP address (a residential DSL line or cable is top) and be sure to use the right User-Agents to mimic classic targets. Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Yahoo APT 32
NetworkWorld 2016-10-12 08:31:00 IDG Contributor Network: A night to remember: Engineering lessons from the Titanic (direct link) Some 31 years ago, the RMS Titanic was discovered resting on the ocean floor. The legend of its sinking has been retold many times in books and movies. One compelling aspect of the story is the safety claims made by its creators. Even as reports of the disaster began to filter into New York, the vice president of the White Star Line stated, without qualification, "We place absolute confidence in the Titanic. We believe that the boat is unsinkable." Obviously reality betrayed those maritime engineers' confidence. What lessons might this famous disaster teach engineers in modern data centers? In particular, how do we prevent hostile attacks, the "icebergs" that lurk on the seas we sail, from causing catastrophic breaches? APT 32
PaloAlto 2016-10-08 11:00:23 Palo Alto Networks News of the Week – October 8, 2016 (direct link) Did you miss any of this week's Palo Alto Networks action? Don't worry, we've rounded up the top news right here. Unit 42 shared new research about EITest, a long-running campaign that uses exploit kits to distribute a variety of malware. Unit 42 also investigated recent OilRig malware campaign activity and shared details about their updated toolset and new targets. We released solutions for the Random track, the last track of Unit 42's LabyREnth Capture the Flag challenge. Navneet Singh shared 5 steps for preventing data breaches due to insider … APT 34
SC_Mag 2016-10-05 18:17:24 Oil 'slick': Sneaky OilRig malware campaign flows into new territory (direct link) A backdoor malware campaign dubbed OilRig that in May was discovered targeting organizations in Saudi Arabia is now trying to drill into government entities in Turkey, Israel and the U.S., as well as Qatari companies and organizations. APT 34
PaloAlto 2016-10-04 20:10:16 OilRig Malware Campaign Updates Toolset and Expands Targets (direct link) Since our first published analysis of the OilRig campaign in May 2016, we have continued to monitor this group for new activity. In recent weeks we've discovered that the group have been actively updating their Clayslide delivery documents, as well as the Helminth backdoor used against victims. Additionally, the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia, but also a company in Qatar and government organizations in Turkey, Israel and the United States. Expanded Targeting: The group behind the OilRig … APT 34
CSO 2016-09-30 09:07:00 IDG Contributor Network: Treasures attackers look for in the sea of email (direct link) As we dive into October, cybersecurity awareness month, there are lots of strategies to help us all become stronger swimmers in the digital waters. Given that there are 112 billion business emails sent around the world every day, that is one huge ocean that everyone can learn how to better navigate. Since its inception, email has become mission critical, and so many necessities beyond mail service have grown up along with it. Enterprises have become burdened by the complexities of email, which additionally requires the added protections of encryption gateways, spam filters, phishing protections, and much more. In order to attack all of the issues of email security in the age of digital disruption, you first have to know what is beneath the rough seas. Guideline APT 32
SecurityWeek 2016-09-07 08:33:35 China-Linked APT3 Group Focuses Attacks on Hong Kong (direct link) A China-linked cyberespionage group has shifted its attention from the United States to Hong Kong, where it has targeted more than a dozen organizations over the past year. APT 3
Symantec 2016-09-06 13:21:27 Buckeye cyberespionage group shifts gaze from US to Hong Kong (direct link) Several organizations in Hong Kong are being targeted by a cyberespionage group known as Buckeye. APT 3
TEAM_CYMRU 2016-08-27 03:54:01 TEAM CYMRU: Floating Domains - Taking Over 20K DigitalOcean Domain Names via a Lax Domain Import System http://bit.ly/2bDCPcv pic.twitter.com/uELSfrHeVR (direct link) APT 32
AlienVault 2016-08-09 13:00:00 OnionDog – An Example of a Regional, Targeted Attack (direct link) Background: Bad actors are getting more sophisticated with the techniques they employ, including their ability to target specific industries and geographical regions. OnionDog is a good example of an attack that exploits a vulnerability in an application that is both popular in the target region and commonly deployed in the organizations the attackers wish to compromise. The Helios team at 360 SkyEye Labs published a detailed analysis of the OnionDog APT earlier this year, and during the dog-days of summer (see what I did there?) it seems appropriate to revisit this malware. OnionDog has been around for several years and exploits a vulnerability in Hangul office software, which is a popular Korean-language productivity suite. Hangul software is also widely deployed in South Korean government agencies and facilities. The group behind OnionDog is the Lazarus Group, exposed by AlienVault and other threat intelligence teams as part of Operation Blockbuster for its targeting of Sony Pictures and a range of other targets.
How it Works: OnionDog used various techniques to entice victims to open the malicious attachment. The attachments targeted a range of government agencies and utilities, such as power, water, ports, transit, and rail, to lure its victims (see the screenshot of the 'Investigation Report of the Korean Railway Accident' below). Source: 360 SkyEye Labs. The malware installs a back door on the compromised system, collects and forwards information about the compromised systems to the C&C server, as well as infecting any device attached to the USB drive.
Impact on you: The regional nature of OnionDog will likely limit your exposure to this particular version of the threat if you're not located in South Korea. However, if there is a user of Hangul software on your network, or if someone in your office may have visited an office that uses Hangul software and plugged a device into a compromised system, you may be at risk of data loss. However, although this version of the malware is localized to South Korea, the Lazarus Group could easily choose another popular application to target specific organizations in other countries.
How AlienVault Helps: The AlienVault® Unified Security Management (USM)™ platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like OnionDog. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep you up to date with new and evolving threats such as OnionDog. The Labs team performs the threat research that most IT teams simply don't have the expertise, time, budget, or tools to do themselves on the latest threats, and how to detect and respond to them. The Labs team recently updated the USM platform's ability to detect this new threat by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a system compromised by OnionDog. Learn more about the Medical APT 38
DarkReading 2016-07-25 16:05:22 Dan Kaminsky (@dakami) will present the #BHUSA 2016 Keynote on Wednesday, August 3 at 09:00 in Oceanside Ballroom http://ow.ly/CnmE302wu9Q (direct link) APT 32
SANS 2016-07-20 18:09:11 Guest Diary, Etay Nir: Flipping the Economy of a Hacker, (Wed, Jul 20th) (direct link) Flipping the economy of a Hacker. Palo Alto Networks partnered with the Ponemon Institute to answer a very specific question: what is the economic incentive for adversaries? Ponemon was chosen as they have a history of crafting well-respected cybersecurity research, including their well-known annual cost of a data breach reports. The findings are based on surveys and interviews with cybersecurity experts, including current or former attackers. These are all individuals who live and breathe security, many of whom have conducted attacks. Nearly 400 individuals were part of the research, across the United States, Germany and the United Kingdom. When you think about security research, most of the focus has been on how attackers get in, and the damage they cause once they are inside. We set out to approach this problem from a completely different angle: understand the economic motivations of an attack, the factors that influence this, and be able to leverage this data to help organizations better respond to attacks. If we can remove the motivation, we can decrease the number of successful attacks. It is as simple as that. You can download the full report from: http://media.paloaltonetworks.com/lp/ponemon/report.html and http://www.ponemon.org/library/flipping-the-economics-of-attacks
There are clear highlights I believe that can influence your understanding of attackers, and influence your ability to defend yourself from them: The majority of attackers (72 percent) were opportunistic, not wasting time on efforts that do not quickly yield high-value information. While advanced nation state actors employ lots of planning, think about the average attacker as the mugger on the street, versus the Ocean's Eleven crew that spends weeks planning a complicated high-stakes heist. When put into this context, organizations that prioritize making themselves a harder target will actively deter a significant amount of potential breaches. There is a common notion that they are in for a big payday. This is really the exception, rather than the rule, with average annual earnings from malicious activity totaling less than $30,000, which is a quarter of a cybersecurity professional's average yearly wage. This limited earning power becomes even less attractive when you consider the added legal risks including fines and jail time. Time is the defining factor to change the adversary's arithmetic. As network defenders, the more we delay adversaries, the more resources they will waste, and the higher their cost will be. We found that increasing the time it takes to break into and carry out successful attacks by less than 2 days (40 hours) will deter the vast majority of attacks. Finally, it is all about how you protect yourself. Because attackers are so opportunistic, and their time is so valuable, we can change the attack equation with next-generation security approaches. We found that organizations rated as having excellent security took twice as long to breach, when compared to those rated as typical. Putting the right security in place makes all the difference. To understand how to influence an attacker's economic motivation, we must consider what I call the adversary arithmetic, which boils down to the cost of an attack versus the potential outcome of a successful data breach. If malicious actors are putting in more resources than they are getting out, or we decrease their profit, being an attacker becomes much less attractive. What we have seen is simple: more malware and exploits, more effective toolkits, combined with cheaper computing power, has lowered the barrier to entry for an attack, and resulted in the increase in attacks we covered in the last slide. Using the survey findings as a guideline, let's walk through what we can do to reverse this trend. It is a random mugging, not a APT 32
AlienVault 2016-06-27 15:58:00 Reverse Engineering Malware (direct link) The AlienVault Labs team does a lot of malware analysis as a part of their security research. I interviewed a couple of members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it. Here are some of the approaches, tools and techniques they use for reverse engineering malware, which may be helpful to you in your own malware hunting endeavors. Please watch the webcast they did recently with Javvad Malik on reverse engineering malware and hear details and examples of how the Labs team investigated OceanLotus, PowerWare and Linux malware in recent situations.
Approaches in reverse engineering a malware sample: Reverse engineer: The most obvious approach is to completely reverse engineer a piece of malware. This obviously takes a great amount of time, so other approaches are more practical. Exploitation techniques: Another approach you can take is to focus on the exploitation techniques of a piece of malware. Occasionally you will see a piece of malware that is using a new exploitation technique, or is exploiting a zero-day vulnerability. In this case you may be interested only in the specific exploitation technique, so you can timebox your analysis and only look at the exploitation mechanisms. Obfuscation: Malware will often obfuscate itself and make itself difficult to analyze. You might come across malware that you have seen before without obfuscation. In that case you may only want to focus on reverse engineering the new parts. Encryption methods: A common type of malware these days is ransomware. Ransomware essentially encrypts the victim's files and locks them up so that they can't be accessed or read. Oftentimes the authors of ransomware will make mistakes when they implement the encryption mechanisms. So if you focus your research on the encryption mechanisms you might be able to find weaknesses in their implementation and/or you might be able to find hard-coded keys or weak algorithms. C&C communication: This is something that is pretty commonly done when looking at malware. Analysts often want to figure out what the communication protocol is between a piece of malware on the client's side and the server on the command and control side. The communication protocol can actually give you a lot of hints about the malware's capabilities. Attribution: Murky area - kind of like a dark art. It usually involves a lot of guesswork, knowledge of malicious hacking teams and looking at more than one piece of malware. Categorization and clustering: You can reverse engineer malware from a broader point of view. This involves looking at malware in bulk and doing a broad-stroke analysis on lots of different malware, rather than doing a deep dive.
Techniques: Now, let's look at techniques that can be utilized while analyzing malware. First of all, we use static analysis. This is the process of analyzing malware or binaries without actually running them. It can be as simple as looking at metadata from a file. It can range from doing disassembly or decompilation of malware code to symbolic execution, which is something like virtual execution of a binary without actually executing it in a real environment. Conversely, dynamic analysis is the process of analyzing a piece of malware when you are running it in a live environment. In this case, you are often looking at the behavior of the malware and looking at the side effects of what it is doing. You are running tools like Process Monitor and Sysmon to see what kinds of artifacts a piece of malware produces after it is run. We also use APT 32
Kaspersky 2016-06-17 10:00:38 ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks (direct link) The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets, primarily in Russia and Asia. Cloud APT 37
The_State_of_Security 2016-06-14 03:00:49 Don't Fear the Reaper – Getting the Most Out of Your Penetration Tests (direct link) PCI-DSS v3.2 will be in full force this October. At that time, service providers will be required to complete penetration tests by an external third party twice a year. The term "service provider" leaves significant room for interpretation. Discuss PCI-DSS v3.2 with your QSA to determine how changes may impact your organization. Whether to be PCI […] Cloud APT 37
Pirate 2016-06-05 07:55:06 SWIFT announces tighter security after a multitude of attacks (direct link) Cases of cyberattacks against banking institutions are multiplying at a worrying rate. The Lazarus cybercriminal group is suspected. SWIFT, for its part, has just announced a strengthening of its security measures for the global interbank network. APT 38
PaloAlto 2016-05-26 21:05:54 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor (direct link) In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the… APT 34 ★★★
SC_Mag 2016-05-25 16:25:48 Anonymous group takes aim at Fla. Gov. Rick Scott (direct link) In a video on Facebook, a figure in a Guy Fawkes mask accused Florida Gov. Rick Scott of a "collusion of corruption" following the dumping of polluted water from Lake Okeechobee into the Atlantic Ocean. APT 32
Mandiant 2016-05-22 08:01:01 Targeted Attacks against Banks in the Middle East (direct link) UPDATE (Dec. 8, 2017): We now attribute this campaign to APT34, a suspected Iranian cyber espionage threat group that we believe has been active since at least 2014. Learn more about APT34 and their late 2017 targeting of a government organization in the Middle East. Introduction: In the first week of May 2016, FireEye's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using Threat APT 34 ★★★
Trend 2016-04-18 14:07:50 "Operation C-Major" Actors Also Used Android, BlackBerry Mobile Spyware Against Targets (direct link) Last March, we reported on Operation C-Major, an active information theft campaign that was able to steal sensitive information from high profile targets in India. The campaign was able to steal large amounts of data despite using relatively simple malware because it used clever social engineering tactics against its targets. In this post, we will focus on the mobile part of their operation and discuss in detail several Android and BlackBerry apps they are using. Based on our investigation, the actors behind Operation C-Major were able to keep their Android malware on Google Play for months and they advertised their apps on Facebook pages which have thousands of likes from high profile targets. Post from: Trendlabs Security Intelligence Blog - by Trend Micro APT 36
AlienVault 2016-03-21 13:00:00 OS X Malware Samples Analyzed (direct link) By Eddie Lee and Krishna Kona. A couple of months ago, as we rang in 2016, we thought it would be interesting to take a quick look back at some OS X malware from 2015 and 2014. As reported by the team at Bit9+Carbon Black [1], 2015 marked "the most prolific year in history for OS X malware". We collected a few samples of malware named in that report, along with some samples of other notable OS X malware, with the intention of learning more about them and filling in any gaps in our detection mechanisms (NIDS and correlation rules). Although our primary objective was to capture network traffic from the malware samples, we were also interested in other aspects of the malware, like persistence mechanisms (if any) that they utilized, so we documented that activity as well. To start off with, we reviewed Flashback, one of the most infamous pieces of OS X malware, which reminded everyone of the fact that OS X is not immune to malware. After that, we played with KitM, which is spyware, and LaoShu, a RAT. Then we analyzed Mask, a sophisticated malware that was used for cyber espionage. We also looked into CoinThief malware that steals bitcoins from the infected machine and the WireLurker malware that is capable of infecting iPhone devices connected to the compromised machine. Finally, we analyzed OceanLotus, which was discovered in May last year and found to be attacking Chinese government infrastructure. Below is a summary of our findings from analyzing the samples in a sandbox; the findings include links to fully executable samples, IDS signatures, persistence mechanisms and C&C details.
OS X Malware Details
Flashback
Description: Flashback masquerades as an Adobe Flash player update or a signed Java applet. Downloads/installs a Web Traffic Interception component to inject ads into HTTP/HTTPS streams [4].
Sample: https://www.virustotal.com/en/file/58029f84c3826a0bd2757d2fe7405611b75ffc2094a80606662919dae68f946e/analysis/
Persistence mechanism: Installs a malicious file in the user's home directory with the filename starting with a 'dot' to hide itself, and installs a LaunchAgent in ~/Library/LaunchAgents to refer to the created malicious file.
C&C communication: Uses a DGA for CnC domain names and Twitter hashtags to decode the address of the CnC server.
AlienVault Detections: IDS, existing SIDs: 2014596, 2014597, 2014598, 2014599, 2014534, 2014522, 2014523, 2014524, 2014525. Correlation: System Compromise, Trojan infection, Flashback.
Kumar in the Mac (KitM)
Description: KitM is a signed malware that can take screenshots, download and install programs, and steal data [5].
Sample: https://www.virustotal.com/en/file/07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce/analysis/
Persistence mechanism: Adds a Login Item at ~/Library/Preferences/com.apple.loginitems.plist
C&C server: liveapple[dot]eu (down)
AlienVault Detections: IDS rules: https://github.com/AlienVault-Labs/AlienVaultLabs/blob/master/malware_analysis/OSX_Malware/snort_kitm.rules. Correlation: System Compromise, Trojan infection, KitM. APT 32
AlienVault 2016-02-24 14:00:00 Operation BlockBuster unveils the actors behind the Sony attacks (direct link) Today, a coordinated coalition involving AlienVault and several other security companies led by Novetta is announcing Operation BlockBuster. This industry initiative was created to share information and potentially disrupt the infrastructure and tools from an actor named the Lazarus Group. The Lazarus Group has been responsible for several operations since at least 2009, including the attack that affected Sony Pictures Entertainment in 2014. Part of our research on this actor was presented at the Kaspersky Security Analyst Summit (SAS) in Tenerife, Spain on February 9th, 2016 as a joint talk between AlienVault and Kaspersky's Global Research and Analysis Team. In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers, including:
Sony Pictures Entertainment - 2014
Operation DarkSeoul - 2013
Operation Troy - 2013
Wild Positron / Duuzer - 2015
Besides several campaigns where the Lazarus Group has utilized wipers to perform destructive attacks, they have also been busy using the same tools to perform data theft and cyber espionage operations. Today, as part of the Operation BlockBuster release, we want to share some of our findings and TTPs from the Lazarus Group that allowed us to link and attribute all the campaigns and tools into the same cluster of activity. We highly recommend that you read the comprehensive report Novetta published today, which includes details on the project's scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group's actions.
Encryption/Shared keys: One of the key findings that gave us the opportunity to link several families to the same actors was finding a dropper that the attackers use. This dropper contains a compressed resource (ZIP) with the name "MYRES" that is protected by a password. The attackers have reused the same password on different occasions and we were able to find droppers containing different families used by the group. This actor also reuses the code libraries they utilize to perform RSA encryption. We were also able to find the exact same public key in multiple variants.
Batch scripts: This actor often uses BAT files that share the same skeleton in order to delete the initial files after infection. We have seen them reuse this technique across multiple droppers and payloads.
Obfuscation functions: The Lazarus Group uses a few different methods to obfuscate API functions and dynamically load them. One of them consists of using a simple XOR scheme. Medical Yahoo APT 38
AlienVault.webp 2016-02-17 14:00:00 OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update (direct link) In May 2015, researchers at Qihoo 360 published a report on OceanLotus that included details about malware targeting Chinese infrastructure. In that report, there is a description of a piece of malware that targets OS X systems. A sample of that malware was uploaded to VirusTotal a few months ago. Curiously, as of February 8th, 2016, none of the 55 anti-virus solutions used by VirusTotal are detecting the sample as malicious. As such, we thought it would be interesting to take a closer look at the OS X version of OceanLotus.
Analysis: OceanLotus for OS X is packaged as an application bundle pretending to be an Adobe Flash update. Although there are other files in the bundle, the files of interest are:
FlashUpdate.app/Contents/MacOS/EmptyApplication
FlashUpdate.app/Contents/Resources/en.lproj/.en_icon
FlashUpdate.app/Contents/Resources/en.lproj/.DS_Stores
The Loader: As you can see below, EmptyApplication is a universal binary that can run on both i386 and x86_64 architectures. It is a fairly simple program that ROL3 decodes the "hidden" files .en_icon and .DS_Stores, then executes them.
$ file EmptyApplication
EmptyApplication: Mach-O universal binary with 2 architectures
EmptyApplication (for architecture x86_64): Mach-O 64-bit executable x86_64
EmptyApplication (for architecture i386): Mach-O executable i386
For obfuscation, EmptyApplication uses XOR encryption with the key "xc" to obfuscate strings within the binary. Below is the simple decryption function. In the 64-bit version, strings shorter than 8 bytes are stored as integer values. Encrypted strings longer than 8 bytes are stored in adjacent variables, and the decrypting function reads past the variable's 8-byte boundary.
As you can see below, &v34 is passed to the decrypting function, but the function actually decrypts the combination of v34 and v35. After decoding .en_icon, EmptyApplication writes it to a temporary directory with the name "pboard" (presumably to mimic the OS X pasteboard daemon) and executes the binary. EmptyApplication then deletes itself, decodes .DS_Stores, and writes the decoded binary as "EmptyApplication" – replacing the original EmptyApplication executable. Finally, the new EmptyApplication is relaunched with a call to NSTask.launch(). The decrypted .DS_Stores binary does almost the same thing as the original EmptyApplication, except it does not look for .DS_Stores.
The Trojan: Encrypted Strings: The decoded .en_icon file is the main Trojan. It has anti-debugging capabilities and handles the connection to the command and control servers. As we'll discuss later, the Trojan takes advantage of several OS X specific commands and API calls, so it's clear that this Trojan was tailor-made for OS X rather than a port from another operating system. Again, most strings in the binary are XOR encrypted, but this binary uses multiple keys and the keys themselves are XOR encrypted. In fact, the first thing the Trojan does is decrypt several XOR keys. It is interesting to note that the code that sets up the decryption keys is executed before the "main" entry point by using C++ static constructors. This code is referenced in the __mod_init_func section of Mach-O binaries. As you can see from the image above, the primary decryption key used throughout the executable is "Variable". However, there are several different instances of the "Variable" string, a APT 32
Mandiant.webp 2015-07-13 08:31:00 Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak
(direct link)
The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced persistent threat (APT) groups that we track, APT3 and APT18. Each threat group quickly took advantage of a zero-day vulnerability (CVE-2015-5119), which was leaked in the disclosure of Hacking Team's internal data. Adobe released a patch for the vulnerability on July 8, 2015. Before that patch was released, the groups launched phishing campaigns against multiple companies in the aerospace and defense, construction and engineering, education, energy
Vulnerability Threat APT 18 APT 3 ★★★★
Mandiant.webp 2015-06-23 11:21:00 Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
(direct link)
In June, FireEye's FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). The attackers' emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113. Adobe has already released a patch for CVE-2015-3113 with an out-of-band security bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-14.html). FireEye recommends that Adobe Flash Player users update to the latest version as soon as possible. Fire
Vulnerability APT 3 APT 3 ★★★★
Mandiant.webp 2014-11-21 19:36:00 Operation Double Tap
(direct link)
APT3 (also known as UPS), the actors responsible for Operation Clandestine Fox, has quietly continued to send waves of spearphishing messages over the past few months. This actor initiated their most recent campaign on November 19, 2014, targeting multiple organizations. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014-4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14. The use of CVE
Vulnerability Technical APT 3 APT 3 ★★★★
Last update at: 2024-07-01 03:08:00