What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
Anomali.webp 2022-04-19 15:00:00 Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, North Korea, Spearphishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: Lazarus Targets Chemical Sector (published: April 14, 2022) In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, uses fake job offers sent via professional social media and email. In the new wave, Operation Dream Job switched from targeting the defense, government, and engineering sectors to South Korean organizations in the chemical sector. The targeted user executes an HTM file received via a link. The HTM file is copied to a DLL file that is injected into legitimate system management software, which downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information. Analyst Comment: Organizations should train their users to recognize social engineering attacks, including those posing as "dream job" proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layered security mechanisms, redundancy, and fail-safe defense processes. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector Old Gremlins, New Methods (published: April 14, 2022) Group-IB researchers have released their analysis of threat actor OldGremlin's new March 2022 campaign. OldGremlin favors phishing as its initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors used the current war between Russia and Ukraine to lend legitimacy to their emails, claiming that users needed to click a link to register for a new credit card because current ones would be rendered useless by incoming sanctions. The link leads to a malicious Microsoft Office document stored on Dropbox. When macros are enabled, the threat actor's new custom backdoor, TinyFluff, a new version of their old TinyNode Ransomware Spam Malware Vulnerability Threat Guideline Medical APT 38 APT 28
2022-04-14 11:00:00 Threat Source newsletter (April 14, 2022) - It's Tax Day, and you know what that means (lien direct) By Jon Munshaw. Welcome to this week's edition of the Threat Source newsletter. The deadline to file taxes in the United States is Monday. That means a few things: everyone should probably make sure their liquor cabinet is fully stocked, your spam filters are all turned on in your email... [[ This is only the beginning! Please visit the blog for the complete entry ]] Spam Threat
CVE.webp 2022-04-11 15:15:08 CVE-2022-0949 (lien direct) The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection Spam Guideline
CVE.webp 2022-03-25 12:15:07 CVE-2022-1064 (lien direct) SQL injection through marking blog comments on bulk as spam in GitHub repository forkcms/forkcms prior to 5.11.1. Spam
CVE.webp 2022-03-14 15:15:09 CVE-2022-0254 (lien direct) The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection Spam Guideline
SecurityWeek.webp 2022-03-13 14:26:20 Filter Blocked 70,000 Emails to Indiana Lawmakers on Bill (lien direct) A spam filter blocked as many as 70,000 emails sent to Indiana legislators about a contentious bill that aimed to place restrictions on teaching about racism and political topics. Spam
TechRepublic.webp 2022-03-09 20:48:00 Chinese hackers attempted phishing on emails affiliated with US government (lien direct) All phishing emails were successfully marked as spam and filtered by Gmail in February. Spam
TechRepublic.webp 2022-03-04 17:23:01 Picking up the phone still might be the best way to do business (lien direct) State of the Call report shows that voice calls remain preferred form of communication, despite spam risks Spam
Kaspersky.webp 2022-02-15 22:31:33 SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming (lien direct) Researchers have never before seen SquirrelWaffle attackers use typosquatting to keep sending spam once a targeted Exchange server has been patched for ProxyLogon/ProxyShell. Spam
knowbe4.webp 2022-02-15 14:24:51 CyberheistNews Vol 12 #07 [Heads Up] FBI Warns Against New Criminal QR Code Scams (lien direct) CyberheistNews Vol 12 #07 | Feb. 15, 2022 [Heads Up] FBI Warns Against New Criminal QR Code Scams QR codes have been around for many years. While they were adopted for certain niche uses, they never quite reached their full potential. They are a bit like Rick Astley in that regard: really popular for one song, but well after the boat had sailed. Do not get me wrong, Rick Astley achieved a lot; in recent years he has become immortalized as a meme and Rickroller, but he could have been so much more. However, with lockdowns and the drive to keep things at arm's length, QR codes have become an efficient way to facilitate contactless communication, or to transfer offers without physically handing over a coupon. As this has grown in popularity, more people have become familiar with generating their own QR codes and using them as virtual business cards, discount codes, links to videos and all sorts of other things. QRime Codes As with most things, once they gain a bit of popularity, criminals move in to see how they can manipulate the situation to their advantage. Recently, we have seen fake QR codes stuck to parking meters, enticing unwitting drivers to scan the code and hand over their payment details believing they were paying for parking, when they were actually handing their payment information to criminals. The rise in QR code fraud resulted in the FBI releasing an advisory warning against fake QR codes being used to scam users. In many cases, a fake QR code will lead people to a website that looks like the intended legitimate site, so the usual verification process of checking the URL and any other red flags applies. CONTINUED with links and 4 example malicious QR codes on the KnowBe4 blog: https://blog.knowbe4.com/qr-codes-in-the-time-of-cybercrime Ransomware Data Breach Spam Malware Threat Guideline APT 15 APT 43
itsecurityguru.webp 2022-02-14 11:52:32 Half of all emails in 2021 were spam (lien direct) Email spam rates averaged 46% over the year globally, according to a new report by Kaspersky. In its new Spam and Phishing in 2021 report, the Russian AV company revealed that spam rates peaked at 48% in June. The majority came from machines in Russia (25%), followed by Germany (14%), the US (10%) and China (9%). […] Spam
InfoSecurityMag.webp 2022-02-11 10:08:00 Half of Global Emails Were Spam in 2021 (lien direct) COVID-19 still looms large in corporate inboxes Spam
SecureList.webp 2022-02-09 10:00:28 Spam and phishing in 2021 (lien direct) Statistics on spam and phishing with the key trends in 2021: investment scams, fake streaming websites, theft of corporate credentials and COVID-19. Spam
The_Hackers_News.webp 2022-01-28 03:10:59 Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing (lien direct) Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim's network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take Spam
SecurityAffairs.webp 2022-01-24 12:05:20 Emotet spam uses unconventional IP address formats to evade detection (lien direct) Experts warn of an Emotet malware campaign using "unconventional" IP address formats in an attempt to evade detection. Threat actors behind a recent Emotet malware campaign have been observed using "unconventional" IP address formats to evade detection. Trend Micro researchers reported that the threat actors are using hexadecimal and octal representations of the IP address, which URL filters that only recognise dotted-decimal literals fail to match even though the operating system resolves them to the same host. "We observed Emotet spam […] Spam Malware Threat
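The evasion in the entry above works because inet_aton-style parsers accept several spellings of one IPv4 address: a hexadecimal or decimal dword, octal dotted components, or a mix. A detection rule that compares the raw string to a dotted-decimal blocklist misses all of them. The following is an added example (mine, not code from the Trend Micro report or from the campaign) of a normaliser that maps every such spelling back to canonical dotted decimal and flags URLs whose host was written non-canonically. The sample URLs are constructed for the example; the hosts are written in the shapes described, not taken from campaign indicators, and the defanged "h^^p" scheme is accepted only because reports publish URLs that way.

```python
import re

# Host part of a URL: scheme://host[:port]/... Defanged schemes such as hxxp or h^^p are accepted.
URL_HOST = re.compile(r"^[a-z][a-z0-9+.^-]*://([^/?#:]+)", re.IGNORECASE)


def _parse_part(tok: str) -> int:
    """Parse one dotted component the way inet_aton() does: 0x.. is hex, a leading 0 is octal, else decimal."""
    t = tok.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)
    return int(t, 10)


def normalize_ipv4(host: str):
    """Return the dotted-decimal form of any inet_aton-style IPv4 spelling, or None if host is not one.

    One to four components are accepted: the leading components are single octets and the last one
    fills the remaining bytes, so "0xb907d607", "185.0x07d607" and "185.7.214.7" are the same address.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:  # a hostname, an empty component, or an invalid octal digit
        return None
    head, tail = nums[:-1], nums[-1]
    tail_bytes = 4 - len(head)
    if any(not 0 <= n <= 255 for n in head) or not 0 <= tail < (1 << (8 * tail_bytes)):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | tail
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyse_url(url: str):
    """Classify a URL's host: canonical IPv4 if it is an IP literal, plus whether it was spelled unusually."""
    m = URL_HOST.match(url)
    if not m:
        return None
    host = m.group(1)
    canon = normalize_ipv4(host)
    return {"host": host, "ip": canon, "obfuscated": canon is not None and canon != host}


# Constructed sample URLs (not campaign data): a hexadecimal dword host, an octal dotted host,
# the same address written conventionally, and an ordinary hostname.
SAMPLE_URLS = [
    "http://0xb907d607/fer/fer.html",
    "http://0056.0151.0121.0114/invoice/view.php",
    "http://185.7.214.7/fer/fer.html",
    "https://example.com/login",
]


def flag_obfuscated(urls):
    """Return (url, canonical_ip) for every URL whose IP literal is written in a non-canonical form."""
    hits = []
    for u in urls:
        r = analyse_url(u)
        if r and r["obfuscated"]:
            hits.append((u, r["ip"]))
    return hits


if __name__ == "__main__":
    for u, ip in flag_obfuscated(SAMPLE_URLS):
        print(f"obfuscated IP literal: {u} -> {ip}")
```

Run the canonical form, not the raw host string, through your blocklist and reputation lookups; the "obfuscated" flag on its own is also a useful signal, since legitimate mail rarely links to an IP literal written in hex or octal.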
ProofPoint.webp 2022-01-10 14:54:48 Email spam is breaking through again. Here's what you can do to minimize it (lien direct) No details Spam
knowbe4.webp 2021-12-20 16:56:12 Spam Calling Rates Spike Globally (lien direct) Spam calls in the US spiked in October, according to Truecaller's annual Global Spam Report. The report observed that Truecaller customers in the US received 3,115,861 spam calls in October. The researchers note that a user in the US receives an average of 4.8 spam calls per month, totalling approximately 1.4 billion calls across the country every month. Spam
SecurityAffairs.webp 2021-12-17 11:47:21 Phorpiex botnet is back, in 2021 it stole $500K worth of crypto assets (lien direct) Experts reported the resurgence of the Phorpiex botnet; in one year it allowed its operators to steal crypto assets worth half a million dollars. Experts at Check Point Research have monitored the resurgence of the Phorpiex botnet, an old threat that was involved in sextortion spam campaigns, crypto-jacking, and cryptocurrency clipping (substituting the original wallet address saved in […] Spam Threat
CVE.webp 2021-12-13 11:15:09 CVE-2021-24863 (lien direct) The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection Spam Guideline
TechRepublic.webp 2021-12-08 16:00:01 Fight back against spam calls with this subscription to the RoboKiller app (lien direct) RoboKiller will nip those annoying, automated calls in the bud. Now it's available for a discount on a five-year subscription. Spam
knowbe4.webp 2021-12-08 15:47:28 Credential-Harvesting Phishing Campaign Urges Review of Spam (lien direct) Researchers at MailGuard have observed a phishing campaign that uses phony "spam notification" emails purporting to come from Microsoft Office 365. The emails tell recipients that an important-looking email has been sent to their spam folder and that they need to click a link to view the supposed message. Spam
bleepingcomputer.webp 2021-12-05 11:07:37 Convincing Microsoft phishing uses fake Office 365 spam alerts (lien direct) A persuasive and ongoing series of phishing attacks is using fake Office 365 notifications asking recipients to review blocked spam messages, with the end goal of stealing their Microsoft credentials. [...] Spam
2021-12-03 07:46:29 Talos Takes Ep. #79: Emotet's back with the worst type of holiday present (lien direct) By Jon Munshaw. The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page. Emotet is back, and it brought the worst possible holiday present (just in time for peak spam season, too!). We... [[ This is only the beginning! Please visit the blog for the complete entry ]] Spam
bleepingcomputer.webp 2021-12-02 15:28:25 Twitter removes 3,400 accounts used in govt propaganda campaigns (lien direct) Twitter today announced the permanent removal of more than 3,400 accounts linked to governments of six countries running manipulation or spam campaigns. [...] Spam
Anomali.webp 2021-11-23 20:30:00 Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: Emotet malware is back and rebuilding its botnet via TrickBot (published: November 15, 2021) After Europol executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used that infrastructure to load a module that uninstalled existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and their infrastructure appear to be proliferating rapidly. Once a device is infected with Emotet, in addition to being used to send malspam, additional malware can be downloaded and installed on it for various purposes, including ransomware. Researchers have so far not seen any spamming activity or any known malicious documents dropping Emotet other than via TrickBot. It is possible that Emotet is using TrickBot to rebuild its infrastructure and steal email chains it will use in future spam attacks. Analyst Comment: Phishing continues to be a preferred method of initial infection for many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated. ***For Anomali ThreatStream Customers*** To assist the community, especially with the online shopping season upon us, Anomali Threat Research has made available two threat actor-focused dashboards, Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through the commercial and open-source threat feeds that users manage on ThreatStream. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119 Tags: Emotet, Trickbot, phishing, ransomware Wind Turbine Giant Offline After Cyber Incident (published: November 22, 2021) The internal IT systems of Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. The attack does not appear to have affected manufacturing or the supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation is ongoing, but the incident may have been a ransomware attack. The incidents of ransomware across the globe increased by near Ransomware Spam Malware Tool Vulnerability Threat Patching
2021-11-22 05:01:13 Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021 (lien direct) Executive summary Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an... [[ This is only the beginning! Please visit the blog for the complete entry ]] Spam Malware Threat Guideline
The_Hackers_News.webp 2021-11-22 03:47:12 Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns (lien direct) Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems. The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a Spam Malware
bleepingcomputer.webp 2021-11-16 18:07:17 Here are the new Emotet spam campaigns hitting mailboxes worldwide (lien direct) The Emotet malware kicked into action yesterday after a ten-month hiatus with multiple spam campaigns delivering malicious documents to mailboxes worldwide. [...] Spam Malware
Cybereason.webp 2021-11-16 14:28:03 RansomOps: Detecting Complex Ransomware Operations (lien direct) RansomOps: Detecting Complex Ransomware Operations In a recent blog post we discussed how today's more complex RansomOps attacks are more akin to stealthy APT-like operations than the "spray and pray" mass email spam campaigns of old, and how there are multiple players from the larger Ransomware Economy at work, each with their own specializations. Ransomware Spam
bleepingcomputer.webp 2021-11-15 15:04:23 Emotet malware is back and rebuilding its botnet via TrickBot (lien direct) The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware. [...] Spam Malware
InfoSecurityMag.webp 2021-11-15 09:22:00 FBI Fixes Misconfigured Server After Hoax Email Alert (lien direct) Spam sent from FBI address warned of imminent cyber-threat Spam
01net.webp 2021-11-15 01:07:00 He humiliated the FBI by using its domain to send spam (lien direct) A hacker took advantage of a misconfigured website belonging to the federal agency to send fake messages. A harmless hoax, but a seriously embarrassing one. Spam
Chercheur.webp 2021-11-13 22:46:53 Hoax Email Blast Abused Poor Coding in FBI Website (lien direct) The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities. Spam
SecurityAffairs.webp 2021-11-13 22:35:26 Hundreds of thousands of fake warnings of cyberattacks sent from a hacked FBI email server (lien direct) Threat actors hacked FBI email servers to distribute spam impersonating FBI warnings about fake cyberattacks. The messages posed as Department of Homeland Security (DHS) warnings of fake sophisticated chain attacks by an advanced threat actor, telling recipients that their […] Spam Threat
bleepingcomputer.webp 2021-11-13 13:36:16 FBI system hacked to email 'urgent' warning about fake cyberattacks (lien direct) The Federal Bureau of Investigation (FBI) email servers were hacked to distribute spam email impersonating FBI warnings that the recipients' network was breached and data was stolen. [...] Spam
bleepingcomputer.webp 2021-11-11 16:34:07 Windows 10 App Installer abused in BazarLoader malware attacks (lien direct) The TrickBot gang operators are now abusing the Windows 10 App Installer to deploy their BazarLoader malware on the systems of targets who fall victim to a highly targeted spam campaign. [...] Spam Malware
CVE.webp 2021-11-08 18:15:09 CVE-2021-24731 (lien direct) The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. Spam Guideline
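The SQL injection entries in this list (CVE-2022-0949 and CVE-2021-24863, where a request value such as the fingerprint or the User-Agent is spliced into a statement; CVE-2022-1064 and CVE-2021-24731, where values reach the query through an AJAX or REST endpoint; and CVE-2022-0254, where the injected input is the order and orderby identifiers) are two different shapes of the same bug, and they need two different fixes. The example below is added here to show both; it is my own code against a constructed SQLite schema, not the plugins' PHP or their real tables. Bound parameters fix the value shape. For the identifier shape, placeholders cannot bind a column name or a sort direction, so the only defence is an allow-list. The ORDER BY oracle shows why a vulnerable sort clause is not harmless even when the driver refuses stacked statements: the order of the returned rows leaks one bit per query.

```python
import sqlite3


# Constructed stand-in for a plugin's tables (assumption; not the plugins' real schema or data).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE blocked (id INTEGER PRIMARY KEY, fingerprint TEXT, user_agent TEXT);
        INSERT INTO blocked VALUES (1, 'fp-aaa', 'curl/7.79'), (2, 'fp-bbb', 'python-requests/2.26');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$P$BexampleHashValue');
        """
    )
    return conn


# Shape 1: an attacker-controlled VALUE (fingerprint, User-Agent) spliced into the statement.
def is_blocked_vulnerable(conn: sqlite3.Connection, fingerprint: str) -> bool:
    sql = f"SELECT count(*) FROM blocked WHERE fingerprint = '{fingerprint}'"  # injectable
    return conn.execute(sql).fetchone()[0] > 0


def is_blocked_safe(conn: sqlite3.Connection, fingerprint: str) -> bool:
    # Bound parameter: the driver passes the value separately, so it can never become SQL syntax.
    row = conn.execute("SELECT count(*) FROM blocked WHERE fingerprint = ?", (fingerprint,)).fetchone()
    return row[0] > 0


# Shape 2: an attacker-controlled IDENTIFIER (orderby / order). Placeholders cannot bind a column
# name or ASC/DESC, so the fix is an allow-list of accepted names, not escaping.
def list_blocked_vulnerable(conn: sqlite3.Connection, orderby: str, order: str) -> list:
    sql = f"SELECT id FROM blocked ORDER BY {orderby} {order}"  # injectable
    return [row[0] for row in conn.execute(sql)]


ALLOWED_ORDERBY = {"id", "fingerprint", "user_agent"}
ALLOWED_ORDER = {"ASC", "DESC"}


def list_blocked_safe(conn: sqlite3.Connection, orderby: str, order: str) -> list:
    if orderby not in ALLOWED_ORDERBY or order.upper() not in ALLOWED_ORDER:
        raise ValueError("rejected ORDER BY input")
    sql = f"SELECT id FROM blocked ORDER BY {orderby} {order.upper()}"  # only allow-listed tokens reach here
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(guess: str) -> str:
    """ORDER BY expression that sorts ascending when `guess` is the first character of the admin
    hash and descending otherwise. The row order itself leaks the answer; no second statement
    or error message is needed, so a driver that refuses stacked queries does not help."""
    return (f"(CASE WHEN (SELECT substr(pw_hash, 1, 1) FROM users WHERE id = 1) = '{guess}' "
            f"THEN id ELSE -id END)")


def leak_first_hash_char(conn: sqlite3.Connection, alphabet: str = "$PabcXY") -> str:
    """Drive the vulnerable listing with one oracle query per candidate character."""
    for guess in alphabet:
        if list_blocked_vulnerable(conn, oracle_payload(guess), "ASC") == [1, 2]:
            return guess
    return "?"


if __name__ == "__main__":
    db = build_db()
    print("value injection bypasses lookup:", is_blocked_vulnerable(db, "x' OR '1'='1"))
    print("same input, bound parameter:   ", is_blocked_safe(db, "x' OR '1'='1"))
    print("first char of admin hash via ORDER BY oracle:", leak_first_hash_char(db))
```

In WordPress terms the value shape is what `$wpdb->prepare()` with `%s` placeholders is for, while the identifier shape has to be handled by mapping the request parameter onto a fixed set of column names before the string is built; the same split applies to table names and LIMIT clauses.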
CVE.webp 2021-11-08 18:15:08 CVE-2021-24647 (lien direct) The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing an unauthenticated attacker to log in as any user on the site knowing only their user ID or username. Spam
SecurityWeek.webp 2021-11-02 17:03:52 Signal Working on Improving Anti-Spam Capabilities (lien direct) Privacy-focused communication platform Signal is sharing information on the improvements it has made to its spam-prevention capabilities. The task of keeping spam out of users' inboxes, Signal says, is more difficult than for other messaging services, because the company does not have access to the contents of messages and has to fight spam without social graphs. Spam
bleepingcomputer.webp 2021-11-01 17:55:04 Signal now lets you report and block spam messages (lien direct) Signal has added an easy way for users to report and block spam straight from message request screens with a single mouse click. [...] Spam
SecureList.webp 2021-11-01 12:00:26 Spam and phishing in Q3 2021 (lien direct) This report contains spam and phishing statistics for Q3 2021, plus descriptions of scams linked to the Olympics, Euro 2020, COVID-19, and other relevant events. Spam
2021-10-28 11:00:00 Threat Source newsletter (Oct. 28, 2021) (lien direct) Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. Most people know about chicken and waffles. But what about squirrel and waffles? They may not be the most appetizing brunch, but they are teaming up for one heck of a spam campaign. We have new research out... [[ This is only the beginning! Please visit the blog for the complete entry ]] Spam
InfoSecurityMag.webp 2021-10-27 11:15:00 HM Treasury Hit by Five Million Malicious Emails in Past Three Years (lien direct) A total of 4,870,389 phishing, malware and spam emails targeting HM Treasury were blocked in the past three years Spam Malware
The_Hackers_News.webp 2021-10-27 06:47:55 Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike (lien direct) A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems. "These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed Spam Malware
Kaspersky.webp 2021-10-26 22:25:05 SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike (lien direct) Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader. Spam Malware
2021-10-26 05:01:17 SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike (lien direct) By Edmund Brumaghin, Mariano Graziano and Nick Mavis. Executive summary Recently, a new threat, referred to as "SQUIRRELWAFFLE" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and... [[ This is only the beginning! Please visit the blog for the complete entry ]] Spam Malware
CVE.webp 2021-10-25 16:15:08 CVE-2021-37624 (lien direct) FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, that is not the default setting. Abuse of this issue allows attackers to send SIP MESSAGE messages to any SIP user agent registered with the server without authenticating. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities, so abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. The maintainers recommend that this SIP message type be authenticated by default, so that FreeSWITCH administrators do not need to explicitly set the `auth-messages` parameter; when following that recommendation, a new parameter can be introduced to explicitly disable authentication. Until the upgrade is in place, administrators should set `auth-messages` to `true` on each SIP profile and confirm that MESSAGE requests from unregistered sources are rejected. Spam Guideline
InfoSecurityMag.webp 2021-10-22 08:31:00 Over 80% of Brits Deluged with Scam Calls and Texts (lien direct) Summer of spam sees scammers ramp-up their fraud campaigns Spam
Anomali.webp 2021-10-19 15:00:00 Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, Metasploit, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia (published: October 18, 2021) A new threat group dubbed 'Harvester' has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments and IT and telecom companies, combined with the information-stealing campaign, there is a high likelihood that this group is nation-state backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it does not exist, a redirect is performed to a VBS file that is downloaded and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration. Analyst Comment: Nation-state threat actors continually evolve their tactics, techniques and tools to infiltrate victim governments and companies. Ensure that employees have a training policy that covers downloading programs or documents only from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicious activity may be occurring. MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057 Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes (published: October 14, 2021) Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. The tool generates unique domain names so that its users can test whether an exploit succeeded: when the target resolves or contacts the generated name, the out-of-band interaction is logged in real time. Researchers building a proof-of-concept (PoC) exploit can insert an Interactsh name to check that the exploit works, but attackers can use the same service to confirm that their exploit attempts against real targets succeeded. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021. Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools to reach a goal. In this instance, Interactsh can show whether an exploit worked. Dual-use tools are often under fire for being usable to validate malicious code, and this is the latest example. If necessary, take precautions and block traffic to interact.sh within company networks. Tags: Interactsh, Exploits Ransomware Spam Malware Tool Vulnerability Threat Patching Guideline
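The Interactsh story above ends with the advice to block traffic to interact.sh. Before blocking, most teams want to know whether anything inside the network is already calling out to it, since a DNS lookup for a generated subdomain is the attacker's confirmation that an exploit landed. The following is an added example (my code, not Anomali's or Unit 42's) that scans a DNS query log for lookups under a watched out-of-band domain, matching on label boundaries so that look-alike names such as notinteract.sh or interact.sh.example.com are not counted. The log format, the client addresses and the subdomain labels are all constructed for the example; the only domain in the watch set that the page itself names is interact.sh, and anything an operator adds (self-hosted Interactsh servers, other OAST providers) is their own assumption.

```python
import re

# Out-of-band interaction domains to watch. interact.sh is the one named in the entry above;
# extend this set with any self-hosted or third-party OAST domains you care about (assumption).
OAST_DOMAINS = {"interact.sh"}

# Constructed DNS query log (not real data): "<timestamp> <client_ip> <qname> <qtype>" per line.
SAMPLE_DNS_LOG = """\
2021-10-14T10:01:02Z 10.0.3.17 c8ilslaf0bnsh34hhf2g7oqi5lyyyyyyn.interact.sh A
2021-10-14T10:01:05Z 10.0.3.17 www.example.com A
2021-10-14T10:02:11Z 10.0.3.17 c8ilslaf0bnsh34hhf2g7oqi5lyyyyyyn.interact.sh A
2021-10-14T10:03:40Z 10.0.9.4 notinteract.sh A
2021-10-14T10:04:00Z 10.0.9.4 api.interact.sh.example.com A
2021-10-14T10:05:00Z 10.0.9.4 interact.sh. A
garbage line that does not parse
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def is_oast_name(qname: str, domains=OAST_DOMAINS) -> bool:
    """True if qname is a watched domain or a subdomain of one.

    The comparison is done on whole labels (exact match or ".<domain>" suffix), never on a raw
    substring, so 'notinteract.sh' and 'interact.sh.example.com' are correctly rejected.
    """
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def find_oast_callbacks(log_text: str, domains=OAST_DOMAINS) -> dict:
    """Return {client_ip: [qname, ...]} for every query that hit a watched OAST domain.

    Unparseable lines are skipped rather than aborting the scan, so a single malformed log
    entry cannot hide the callbacks that follow it.
    """
    hits: dict = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        if is_oast_name(qname, domains):
            hits.setdefault(client, []).append(qname.rstrip(".").lower())
    return hits


def summarise(hits: dict) -> list:
    """(client_ip, distinct_oast_names, total_queries), most active client first."""
    rows = [(client, len(set(names)), len(names)) for client, names in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for client, distinct, total in summarise(find_oast_callbacks(SAMPLE_DNS_LOG)):
        print(f"{client}: {total} OAST lookups ({distinct} distinct names)")
```

A host that resolves the same generated label more than once, as 10.0.3.17 does in the sample, is the pattern to chase first: it usually means a payload is being retried or a callback fired from more than one stage of an exploit chain.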
Last update at: 2024-06-25 06:08:12