What's new around the internet

Latest

Each entry: Source | Date (GMT) | Title, followed by the description and its tags (the Stories and Notes columns are empty for these entries).
Fortinet | 2022-11-14 21:30:35 | Emotet Distributed Through U.S. Election Themed Link Files

FortiGuard Labs has discovered that Emotet was recently delivered through an archive file whose name targets people interested in the U.S. midterm elections. The archive is "US midterm elections The six races that could decide the US Senate.zip" and contains a link file of the same name that leads to Emotet.

Why is this Significant?
This is significant because Emotet is trying to leverage interest in the U.S. midterm elections for infection. While FortiGuard Labs has not observed the infection vector, the file "US midterm elections The six races that could decide the US Senate.zip" was likely distributed via email. "The six races" likely refers to Arizona, Georgia, Michigan, Nevada, Pennsylvania, and Wisconsin, where Democrats and Republicans are expected to have close races, which increases the chance that recipients will open the archive contents. Emotet's modus operandi includes distribution via malicious spam campaigns and hijacking of existing email threads.

What's in "US midterm elections The six races that could decide the US Senate.zip"?
The zip file contains a link file named "US midterm elections The six races that could decide the US Senate.lnk". When the link file is executed, it drops a further script in %tmp% that cycles through several URLs to download an Emotet DLL. The downloaded Emotet connects to its C2 server and will likely deliver additional malware. FortiGuard Labs discovered that the same script is present in other link files, "New York Election news and updates....lnk" and "Amazon warns of slower sales as economy weakens.lnk", which were submitted to VirusTotal at the end of October and the beginning of November respectively.

What is the Status of Protection?
FortiGuard Labs provides the following AV signatures for the archive and link file involved in the attack:
• LNK/Agent.AMY!tr.dldr
• PossibleThreat.PALLAS.H
The C2 address is blocked by the FortiGuard Web Filtering client.

Tags: Spam, Guideline
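The lure above is an archive holding a .lnk whose embedded command line does the real work, and that command line is recoverable without ever executing the shortcut: the target path and arguments sit in plain StringData sections of the Shell Link format. The following is an added example (not FortiGuard's code or the campaign's actual sample) that parses the relevant parts of a .lnk, scores the target and arguments for downloader traits, and walks every .lnk member of an in-memory zip. The archive, the cmd.exe command line and the benign shortcut are constructed here for the demonstration; the real sample's command line is not reproduced on the page.

```python
import io
import re
import struct
import zipfile

# ShellLinkHeader constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order whenever their flag bit is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))


def build_lnk(relative_path, arguments="", working_dir="", name="") -> bytes:
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) for testing."""
    values = {"name": name, "relative_path": relative_path,
              "working_dir": working_dir, "arguments": arguments}
    flags, body = IS_UNICODE, b""
    for bit, key in STRING_FIELDS:
        value = values.get(key, "")
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    # Remaining header fields (attributes, timestamps, size, icon, show command,
    # hotkey, reserved) are irrelevant for triage and left zeroed.
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header)) + body


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields


# Script/command hosts that a document-looking shortcut has no business launching.
LOLBIN = re.compile(r"(?:^|[\\/])(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|"
                    r"regsvr32|certutil|bitsadmin)(?:\.exe)?$", re.I)
# Tokens typical of a dropper command line: temp paths, URLs, script extensions, encoded PS.
RISKY_ARGS = re.compile(r"%tmp%|%temp%|%appdata%|https?://|\.vbs\b|\.js\b|\.ps1\b|\.dll\b|"
                        r"-enc\b|frombase64|downloadstring|\biex\b", re.I)


def triage_lnk(data: bytes) -> list:
    """Human-readable reasons a shortcut looks like a downloader stage (empty if none)."""
    fields = parse_lnk(data)
    target, args = fields.get("relative_path", ""), fields.get("arguments", "")
    reasons = []
    if LOLBIN.search(target):
        reasons.append(f"target is a script/command host: {target}")
    reasons += [f"suspicious argument token: {tok}" for tok in RISKY_ARGS.findall(args)]
    if len(args) > 200:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    return reasons


def scan_archive(zip_bytes: bytes) -> dict:
    """Map every .lnk member of a zip to its triage findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                findings[info.filename] = triage_lnk(zf.read(info))
    return findings


LURE_NAME = "US midterm elections The six races that could decide the US Senate"
# Constructed lure: a hypothetical cmd.exe command line that writes a stager to %tmp%
# and runs it; the real sample's command line is not reproduced here.
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                          r"/c echo WScript.Echo 1 > %tmp%\stage.vbs & wscript //e:vbscript %tmp%\stage.vbs")
BENIGN_LNK = build_lnk(r"..\..\Documents\report.docx")


def build_sample_zip() -> bytes:
    """Constructed archive holding the lure shortcut and a harmless one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{LURE_NAME}.lnk", MALICIOUS_LNK)
        zf.writestr("readme.lnk", BENIGN_LNK)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_zip()).items():
        print(member, "->", reasons or ["no findings"])
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their size fields, so the StringData offsets stay correct. Samples that hide the command line in the IDList or in ExtraData blocks will show an empty `arguments` field here, which is itself worth a look when the target is cmd.exe or powershell.exe.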
Fortinet | 2022-10-14 01:24:52 | Guloader Spam Indiscriminately Sent to State Elections Board

Recently, the United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement, "Foreign Actors Likely to Use Information Manipulation Tactics for 2022 Midterm Elections" (9I-100622-PSA). The focus of the PSA was to inform the public of potential manipulation of the U.S. midterm election cycle by foreign agents using social engineering and social media disinformation tactics to influence voters and sow discord.

Around the time of the announcement, FortiGuard Labs observed a GuLoader campaign being sent to an elections body in the United States. Although there is no sign that it was specifically targeted, we want to highlight what is involved in these attacks given the U.S. midterm elections in November 2022. The infection vector is simple malicious spam that does not rely on exploiting a vulnerability or on macros.

FortiGuard Labs found a campaign from a purported industrial equipment manufacturer in Indonesia, containing a malicious ISO attachment.

Figure 1. Email used in this spam campaign

ISO email attachments are often used to avoid detection by security solutions. Clicking on the attachment mounts the ISO file. Once mounted, an EXE file, a GuLoader malware variant, becomes visible. The victim then needs to run the "Requisition order-PT. LFC Teknologi,pdf.exe" executable manually to start the infection routine.

Figure 2. GuLoader file in the mounted ISO file

This file is digitally signed via an untrusted root certificate, seen below.

Figure 3. Digital signature information for "Requisition order-PT. LFC Teknologi,pdf.exe"

The GuLoader payload is a so-called first-stage malware that has been seen in the wild for the past few years. It is designed to deliver a second-stage payload that can be tailored to the attacker's liking. Some reported second-stage payloads include Remote Access Trojans (RATs), infostealers, and ransomware.

This particular GuLoader variant reaches out to 195[.]178[.]120[.]184/sMHxAbMCsvl181[.]java, which was no longer available at the time of the investigation. However, we believe the java file to be either a decryption key or a payload download. Another GuLoader sample (SHA2: 46f8a8cec6bb92708a185cfea876ea1ae0cdef2321dc50f140f23c7cc650b65e) was submitted to VirusTotal on September 14th. This sample accesses 195[.]178[.]120[.]184/uFLBwGvx55[.]java, and available OSINT suggests that the payload is the Azorult infostealer. Azorult is capable of exfiltrating data such as passwords from browsers, email, and FTP servers, and harvesting files with extensions specified by the attacker. It can also collect machine information such as user and computer name, Windows version, and installed programs. Such stolen information can be a precursor to future attacks.

Based on the traits of the GuLoader sample, FortiGuard Labs tracked down additional files involved in the same malicious spam campaign. The attacker mostly used IMG and ISO attachments, with file names in English, German, Spanish, Turkish, and Chinese. On VirusTotal, submissions of the attachments came from the US, Czechia, China, Turkey, Germany, the UK, Israel, Ireland, and Hungary. The GuLoader variant was also submitted to VirusTotal from the US, Bulgaria, Canada, China, the United Arab Emirates, and Korea.

The email delivered to a board of elections in the United States was sent to a publicly available webmaster address. This indicates that the attacker sent these malicious emails to as many recipients as possible in the hope that someone would manually execute the malware. This is the first step to a potential compromise of machines related to this state's elections board, and would give the attacker a foothold from which to take data for dissemination, to pursue various angles of disruption (ransomware, wiping, extortion, etc.), or, worse, to sell access to another adversary for financial gain.

Fortinet Protections
Fortinet customers are already protected fr

Tags: Spam, Malware, Vulnerability
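Because the campaign above needs no exploit or macro, the useful control is at the mail gateway: hold disk-image attachments (which Windows mounts on a double-click), and flag executables hiding behind a document-looking name such as "…,pdf.exe". The following is an added example (not Fortinet's code or the campaign's message) that parses a raw RFC 5322 message with the standard library, checks each attachment's extension and content magic, and applies the same name check to a file listed from inside the image. The message, the sender and recipient addresses, and the ISO stub are constructed here; only the inner file name comes from the advisory.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types that Windows auto-mounts as a drive, hiding the EXE inside.
CONTAINER_EXT = {".iso", ".img", ".vhd", ".vhdx"}
# Extensions that execute directly when double-clicked.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".dll", ".hta"}
# "order.pdf.exe" or "order,pdf.exe": a document-looking name with an executable tail.
DOUBLE_EXT = re.compile(r"[.,](pdf|docx?|xlsx?|txt|jpe?g|png)\s*\.("
                        + "|".join(sorted(e[1:] for e in EXEC_EXT)) + r")$", re.I)
ISO_MAGIC_OFFSET, ISO_MAGIC = 0x8001, b"CD001"  # ISO 9660 volume descriptor identifier


def is_iso9660(blob: bytes) -> bool:
    """True if the bytes carry an ISO 9660 volume descriptor, whatever the file is called."""
    return blob[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage_attachment(name: str, blob: bytes) -> list:
    """Reasons an attachment (or a file listed from a mounted image) should be held."""
    reasons, ext = [], extension(name)
    if ext in CONTAINER_EXT:
        reasons.append(f"disk-image container attachment ({ext})")
    elif is_iso9660(blob):
        reasons.append("ISO 9660 content behind a non-image extension")
    if ext in EXEC_EXT:
        reasons.append(f"directly executable attachment ({ext})")
    if DOUBLE_EXT.search(name):
        reasons.append("document-looking name with executable extension")
    if blob[:2] == b"MZ":
        reasons.append("PE executable content")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map each attachment filename of a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {(part.get_filename() or "<unnamed>"):
            triage_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}


# Inner file name quoted by the advisory; the bytes used with it below are a stub, not the sample.
INNER_EXE_NAME = "Requisition order-PT. LFC Teknologi,pdf.exe"


def build_sample_message() -> bytes:
    """Constructed spam message: an ISO stub plus a harmless PDF (addresses invented)."""
    msg = EmailMessage()
    msg["From"] = "purchasing@example-manufacturer.invalid"
    msg["To"] = "webmaster@example-elections.invalid"
    msg["Subject"] = "Requisition order"
    msg.set_content("Please find attached our requisition order.")
    # Sector 16 (offset 0x8000) holds the primary volume descriptor: type byte 1 + "CD001".
    iso_stub = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x00" * 0x800
    msg.add_attachment(iso_stub, maintype="application", subtype="octet-stream",
                       filename="Requisition order.iso")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", reasons or ["clean"])
    print(INNER_EXE_NAME, "->", triage_attachment(INNER_EXE_NAME, b"MZ\x90\x00"))
```

The content check matters as much as the extension check: renaming the image to ".txt" or ".dat" defeats an extension-only filter, but the "CD001" descriptor at sector 16 is still there, and a mail client that sniffs content will still offer to mount it. The code-signing observation in the advisory (a certificate chaining to an untrusted root) is not something a gateway can judge from the file alone; it belongs to an endpoint policy that requires a trusted publisher before a freshly downloaded executable may run.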
Fortinet | 2022-07-07 08:10:19 | Alert (AA22-181A) #StopRansomware: MedusaLocker

FortiGuard Labs is aware that a joint Cybersecurity Advisory (CSA) on MedusaLocker ransomware was released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN). MedusaLocker infection typically begins with a Remote Desktop Protocol (RDP) compromise; the ransomware then propagates throughout the network and uses AES-256 encryption to encrypt files.

Why is this Significant?
This is significant because the joint CSA is the latest #StopRansomware advisory released by the FBI, CISA, the Department of the Treasury, and FinCEN, and it provides observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against the ransomware.

What is MedusaLocker Ransomware?
MedusaLocker is ransomware that encrypts files on compromised machines with the AES-256 encryption algorithm and demands that victims pay a ransom to recover the affected files. According to the advisory, MedusaLocker primarily takes advantage of insecure RDP configurations as its initial infection vector; email spam and malicious attachments are also used.

The advisory also states that MedusaLocker ransomware uses multiple infection processes:
• Uses a batch file to execute a PowerShell script, which propagates the ransomware throughout the network.
• Restarts the LanmanWorkstation service, which allows registry edits to take effect.
• Kills the processes belonging to well-known security, accounting, and forensic software.
• Restarts the machine in safe mode.
• Encrypts files on the compromised machines with the AES-256 encryption algorithm.
• Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim's machine and those that already carry the designated encrypted file extension.
• Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
• Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies.
• Leaves a ransom note in every folder, containing instructions on how to reach the attacker via MedusaLocker's Tor sites or email.

The following is a list of known file extensions that MedusaLocker appends to encrypted files:
.1btc .bec .cn .datalock .deadfilesgr .decrypme .encrypted .faratak .FartingGiraffeAttacks .fileslock .fileslocked .jpz.nz .key1 .lock .lockdata7 .lockfiles .lockfilesUS .marlock01 .marlock02 .marlock08 .marlock11 .marlock13 .marlock25 .marlock6 .marlock011 .matlock20 .mylock .newware .NET1 .NZ .perfection .Readinstruction .READINSTRUCTION .ReadInstructions .readinstructions .rs .skynet .stopflies .tyco .tyco .uslockhh .uslockhh .zoomzoomn.exent_lock20 .networkmaze .VinDizelPux .EG .support .deadfiles .readtheinstructions .lr .divsouth .lockfilesCO .lockfilesKR .EMPg296LCK

The following is a list of known MedusaLocker ransom notes:
!_HOW_RECOVERY_FILES_!.HTML
!!!HOW_TO_DECRYPT!!!
how_to_recover_data.html
HOW_TO_OPEN_FILES.html
HOW_TO_RECOVER_DATA.html
how_to_recover_data.html.marlock01
How_to_recovery.txt
instructions.html
READINSTRUCTION.html
readinstructions.html
readme_to_recover_files
recovery_instruction.html
recovery_instructions.html

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against known samples of MedusaLocker ransomware:
W32/MedusaLocker.0FEB!tr
W32/MedusaLocker.9106!tr.ransom
W32/MedusaLocker.C!tr.ransom
W32/Ransom_Win32_MEDUSALOCKER.SMTH
W32/Ransom_Win32_MEDUSALOCKER.SMTH!tr
W32/Ransom_Win32_MEDUSALOCKER.SMTH!tr.ransom
W32/DelShad.BMQ!tr.ransom
W32/Filecoder.FV!tr
W32/Filecoder.NSF!tr.ransom
W32/Filecoder.NYA!tr.ransom
W32/Generic.AC.171!tr
W32/Generik.DGWKQJO!tr
W32/Kryptik.HFBI!tr
W32/PossibleThreat
W32/Ransomware.GUN!tr
W32/Zudochka.VHO!tr.ransom
W64/Filecoder.DF!tr.ransom
PossibleThreat.FAI
Riskware/DelShad

Tags: Ransomware, Spam
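The TTP list and the extension and note lists above translate directly into two hunts: one over process-creation telemetry for the service restart, scheduled task, shadow-copy deletion, recovery-option changes and safe-mode reboot, and one over a file listing for the note names and appended extensions. The following is an added example (not Fortinet's or CISA's code) that does both. The pipe-separated log format, host and user names, share paths and command lines are constructed for the demonstration; the rules encode only behaviours the advisory lists, and the extension and note names are the ones given above.

```python
import re

# One regex per behaviour the advisory lists; each is matched against a process command line.
PROCESS_RULES = [
    ("lanmanworkstation_restart",
     re.compile(r"\b(net|sc)(\.exe)?\s+(stop|start)\s+lanmanworkstation\b", re.I)),
    ("security_tool_kill", re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s+", re.I)),
    ("svhost_scheduled_task",  # svhost.exe / svhostt.exe scheduled every 15 minutes
     re.compile(r"^(?=.*\bschtasks)(?=.*/sc\s+minute)(?=.*/mo\s+15\b)(?=.*\bsvhostt?\.exe)", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("startup_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("safe_mode_reboot", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
]


def parse_event(line):
    """Constructed pipe-separated process-creation record: ts|host|user|image|cmdline."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def hunt_process_log(lines):
    """(rule, host, command line) for every record whose command line matches a rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits += [(rule, ev["host"], ev["cmdline"]) for rule, rx in PROCESS_RULES
                 if rx.search(ev["cmdline"])]
    return hits


# Extensions and note names from the advisory list above.  Extensions are matched
# case-sensitively because the ransomware appends them verbatim.
MEDUSA_EXTENSIONS = tuple("""
.1btc .bec .cn .datalock .deadfilesgr .decrypme .encrypted .faratak .FartingGiraffeAttacks
.fileslock .fileslocked .jpz.nz .key1 .lock .lockdata7 .lockfiles .lockfilesUS .marlock01
.marlock02 .marlock08 .marlock11 .marlock13 .marlock25 .marlock6 .marlock011 .matlock20
.mylock .newware .NET1 .NZ .perfection .Readinstruction .READINSTRUCTION .ReadInstructions
.readinstructions .rs .skynet .stopflies .tyco .uslockhh .zoomzoomn.exent_lock20 .networkmaze
.VinDizelPux .EG .support .deadfiles .readtheinstructions .lr .divsouth .lockfilesCO
.lockfilesKR .EMPg296LCK""".split())
# Short or generic extensions collide with ordinary files (yarn.lock, Rust *.rs sources,
# two-letter country names); they only count when a ransom note sits in the same directory.
WEAK_EXTENSIONS = {".cn", ".lock", ".rs", ".lr", ".EG", ".NZ", ".support", ".key1"}
RANSOM_NOTES = {n.lower() for n in (
    "!_HOW_RECOVERY_FILES_!.HTML", "!!!HOW_TO_DECRYPT!!!", "how_to_recover_data.html",
    "HOW_TO_OPEN_FILES.html", "HOW_TO_RECOVER_DATA.html", "how_to_recover_data.html.marlock01",
    "How_to_recovery.txt", "instructions.html", "READINSTRUCTION.html", "readinstructions.html",
    "readme_to_recover_files", "recovery_instruction.html", "recovery_instructions.html")}


def _split_path(path):
    directory, _, base = path.replace("\\", "/").rpartition("/")
    return directory, base


def classify_listing(paths):
    """Sort a file listing into ransom notes, encrypted files, and weak hits that were ignored."""
    note_dirs = {_split_path(p)[0] for p in paths if _split_path(p)[1].lower() in RANSOM_NOTES}
    out = {"ransom_notes": [], "encrypted": [], "ignored_weak": []}
    for p in paths:
        directory, base = _split_path(p)
        if base.lower() in RANSOM_NOTES:
            out["ransom_notes"].append(p)
            continue
        matches = [e for e in MEDUSA_EXTENSIONS if base.endswith(e)]
        if not matches:
            continue
        ext = max(matches, key=len)  # prefer .mylock over its .lock suffix
        if ext in WEAK_EXTENSIONS and directory not in note_dirs:
            out["ignored_weak"].append(p)
        else:
            out["encrypted"].append(p)
    return out


# Constructed telemetry and listing (host, user and share names are invented).
SAMPLE_LOG = [
    "2022-07-01T03:12:04Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\net.exe|net stop LanmanWorkstation",
    "2022-07-01T03:12:05Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\net.exe|net start LanmanWorkstation",
    "2022-07-01T03:12:20Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im sqlservr.exe",
    "2022-07-01T03:12:31Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\schtasks.exe|schtasks /create /sc minute /mo 15 /tn svhost /tr C:\\Users\\jdoe\\AppData\\Roaming\\svhost.exe",
    "2022-07-01T03:12:40Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2022-07-01T03:12:41Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "2022-07-01T03:12:42Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot network",
    "2022-07-01T09:00:00Z|WS07|CORP\\asmith|C:\\Windows\\System32\\net.exe|net use Z: \\\\FS01\\share",
]
SAMPLE_LISTING = [
    r"\\FS01\share\finance\Q2.xlsx.marlock01",
    r"\\FS01\share\finance\how_to_recover_data.html",
    r"\\FS01\share\finance\budget.docx.jpz.nz",
    r"\\FS01\share\dev\yarn.lock",
    r"\\FS01\share\dev\README.md",
]

if __name__ == "__main__":
    for rule, host, cmd in hunt_process_log(SAMPLE_LOG):
        print(f"{host}: {rule}: {cmd}")
    print(classify_listing(SAMPLE_LISTING))
```

Any single rule above fires on legitimate administration now and then; the advisory's value is the sequence, so alert on several rules from one host inside a short window (the constructed log shows seven within a minute), and treat a hit on `shadow_copy_deletion` or `startup_recovery_disabled` as the point at which backups must be isolated rather than inspected.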
Last update at: 2024-05-20 02:08:10