What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2019-01-08 14:00:00 | 2018 Sees Record Number of Online Retail Data Breaches (lien direct) | During the holiday season people logged on to make purchases through online retailers, like no other time of the year. While there was significant growth in many segments of society on a global scale in 2018, we also saw a significant increase in online retail breaches where personally identifiable information was compromised at an alarming rate. With more and more people using online services for everything from ordering perishable food products to plane tickets and hotel reservations, 2018 proved to be a huge year for online/cybercriminals. Here are some facts around some of the largest and most far-reaching retail breaches of 2018: Data breaches are on the rise, and the total number of accounts breached has become ridiculously high. A report from cybersecurity firm Shape Security showed that almost 90% of the login attempts made on online retailers' websites are hackers using stolen data. Many of these breaches were caused by flaws in payment systems that were taken advantage of by hackers. Dozens of security breaches have occurred in 2018. Many of them were caused by flaws in payment systems, either online or in stores. Data breaches are on the rise for both retailers and other businesses. These data breaches are a real danger for both companies and customers and can affect the trust shoppers have in brands. According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period. Example Breaches Cheddar's Scratch Kitchen Darden Restaurant announced it was notified by government officials on August 16 that it had been the victim of a cyber attack. Customers who visited Darden-owned Cheddar's Scratch Kitchen between November 3, 2017, and January 2, 2018, may have had their credit-card information stolen. Darden estimates that 567,000 payment card numbers could have been compromised. Customers affected would have visited a Cheddar's location in any one of these states: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin. Macy's Macy's confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party. Macy's did not confirm exactly how many people were impacted. However, a spokesperson for the company said the breach was limited to a small group of people. Macy's said in a statement: "We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services." Adidas Adidas announced in June& | Data Breach Threat | Heritage APT 3 | |
 |
2018-12-21 19:00:00 | Rejeté: contenant un adversaire potentiellement destructeur OVERRULED: Containing a Potentially Destructive Adversary (lien direct) |
mise à jour (3 juillet 2019): Le 16 mai 2019, l'équipe Advanced Practices de Fireeye \\ a attribué la "activité APT33 présumée" (appelée GroupB dans cet article de blog) à APT33, opérantà la demande du gouvernement iranien.Les logiciels malveillants et les métiers de cet article de blog sont conformes aux Juin 2019 Campagne d'intrusion Les secteurs financiers, de vente au détail, des médias et de l'éducation & # 8211;ainsi que U.S.Cyber Command \'s Juillet 2019 CVE-2017-11774 Indicateurs , que Fireeye attribue également à APT33.Le processus rigoureux de FireEye \\ pour le regroupement et l'attribution de ce
UPDATE (Jul. 3, 2019): On May 16, 2019 FireEye\'s Advanced Practices team attributed the remaining "suspected APT33 activity" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The malware and tradecraft in this blog post are consistent with the June 2019 intrusion campaign targeting U.S. federal government agencies and financial, retail, media, and education sectors – as well as U.S. Cyber Command\'s July 2019 CVE-2017-11774 indicators, which FireEye also attributes to APT33. FireEye\'s rigorous process for clustering and attributing this |
Malware | APT33 APT 33 APT 33 | ★★★★ |
 |
2018-12-20 12:00:00 | A SpaceX Booster Went for a Swim and Came Back as Scrap Metal (lien direct) | The space company spent several days retrieving and inspecting a rocket booster that made an unplanned ocean landing. Now it appears to be toast. | APT 32 | ||
 |
2018-12-20 05:16:00 | Shamoon data-wiping malware believed to be the work of Iranian hackers (lien direct) | Researchers say the Iranian hacker group APT33 is responsible for recent attacks in the Middle East and Europe. | Malware | APT33 APT 33 | |
 |
2018-12-17 16:42:04 | Charming Kitten Iranian Espionage Campaign Thwarts 2FA (lien direct) | The campaign targets politicians involved in economic and military sanctions against Iran, along with various journalists and human rights activists. | APT 35 | ||
 |
2018-12-15 12:07:04 | Charming Kitten, pirates Iraniens, infiltrent les Gmail et Yahoo de responsables US (lien direct) | Charming Kitten, des pirates informatiques iraniens tentent d’infiltrer les comptes mails de responsables américains en passant outre la double authentification proposée par les deux webmails. La société britannique Certfa annonce que des pirates informatiques iraniens auraient réussi à infilt... Cet article Charming Kitten, pirates Iraniens, infiltrent les Gmail et Yahoo de responsables US est apparu en premier sur ZATAZ. | Conference | Yahoo APT 35 | |
 |
2018-12-13 15:01:02 | Operation Sharpshooter targets critical infrastructure and global defense (lien direct) | McAfee uncovered a campaign tracked as Operation Sharpshooter that hit at least 87 organizations in global defense and critical infrastructure. Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with Lazarus APT group that carried out Sony Pictures attack back in […] | Malware Threat | APT 38 | |
 |
2018-12-12 11:26:05 | Op \'Sharpshooter\' Uses Lazarus Group Tactics, Techniques, and Procedures (lien direct) | A new advanced threat actor has emerged on the radar, targeting organizations in the defense and the critical infrastructure sectors with fileless malware and an exploitation tool that borrows code from a trojan associated with the Lazarus group [...] | Malware Tool Threat Medical | APT 38 | |
 |
2018-12-03 12:02:01 | OceanLotus Targets Southeast Asia in New Watering Hole Campaign (lien direct) | A cyber-espionage group believed to be operating out of Vietnam has compromised over 20 websites as part of a watering hole campaign targeting users in Southeast Asia, ESET reports. | APT 32 | ||
|
2018-11-24 10:23:02 | North Korea-linked group Lazarus targets Latin American banks (lien direct) | According to security reearchers at Trend Micro, the North Korea-linked APT group Lazarus recently targeted banks in Latin America. The North Korea-linked APT group Lazarus recently targeted banks in Latin America, Trend Micro experts reported. The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts […] | Malware Medical | APT 38 | |
 |
2018-11-23 15:32:05 | North Korean Hackers Hit Latin American Banks (lien direct) | The North Korean hacking group know as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered. | APT 38 | ||
 |
2018-11-20 13:56:00 | OceanLotus: New watering hole attack in Southeast Asia (lien direct) | >ESET researchers identified 21 distinct websites that had been compromised including some particularly notable government and media sites | APT 32 | ||
|
2018-11-20 09:31:03 | Experts analyzed how Iranian OilRIG hackers tested their weaponized documents (lien direct) | Security experts at Palo Alto Networks analyzed the method used by Iran-linked OilRig APT Group to test weaponized docs before use in attacks. Security researchers Palo Alto Networks have analyzed the techniques adopted by Iran-linked APT group OilRig (aka APT34) to test the weaponized documents before use in attacks. The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, since then it targeted mainly […] | APT 34 | ||
|
2018-11-19 14:26:03 | Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs (lien direct) | Researchers Analyzed How the Iran-linked "OilRig" Hacking Group Tests Malicious Documents Before Use in Attacks | APT 34 | ||
|
2018-11-10 14:47:00 | (Déjà vu) Symantec shared details of North Korean Lazarus\'s FastCash Trojan used to hack banks (lien direct) | North Korea-linked Lazarus Group has been using FastCash Trojan to compromise AIX servers to empty tens of millions of dollars from ATMs. Security experts from Symantec have discovered a malware, tracked as FastCash Trojan, that was used by the Lazarus APT Group, in a string of attacks against ATMs. The ATP group has been using this malware […] | Malware Hack Medical | APT 38 | |
 |
2018-11-08 17:45:00 | Symantec Uncovers North Korean Group\'s ATM Attack Malware (lien direct) | Lazarus Group has been using FastCash Trojan on obsolete AIX servers to empty tens of millions of dollars from ATMs. | Malware Medical | APT 38 | |
 |
2018-11-06 08:56:00 | Worst malware and threat actors of 2018 so far (lien direct) | What's the worst malware so far into 2018? The worst botnets and banking trojans, according to Webroot, were Emotet, Trickbot, and Zeus Panda. Crysis/Dharma, GandCrab, and SamSam were the worst among ransomware. The top three in cryptomining/cryptojacking were GhostMiner, Wanna Mine, and Coinhive.And included in the list of top 10 threat actors so far this year, we find Lazarus Group, Sofacy and MuddyWater coming in the top three spots, according to AlienVault. Lazarus Group took the top spot from Sofacy this year. The reported locations for the top 10 threat actors are North Korea, with two groups; Russia, with three groups; Iran, with two groups; China, with two groups; and India, with one. Microsoft Office was the most exploited application, but Adobe Flash, WebLogic, Microsoft Windows, Drupal and GPON routers were also listed in the top 10. | Malware Threat Medical | APT 38 | |
|
2018-11-02 13:00:00 | Photo Gallery: Look Inside the Scrap Yards Sending Copper to China (lien direct) | When Christian Delfino's father ended up working as a sorter at the Tampa facility, the photographer saw an apt metaphor. | APT 33 | ||
|
2018-11-01 16:04:03 | The Sea May Be Absorbing Way More Heat Than We Thought (lien direct) | Scientists have developed a radical new method for measuring global warming-induced rising ocean temperatures: They aren't sampling water, but air. | APT 32 | ||
 |
2018-10-26 15:00:00 | The 10 programming languages developers use most in open source projects (lien direct) | More than half of developers are contributing to open source projects in React.js, Kubernetes, Docker, and more, according to a DigitalOcean report. | Uber APT 32 | ★★ | |
 |
2018-10-22 16:23:01 | A week in security (October 15 – 21) (lien direct) |
A roundup of the security news from October 15–21, including how to build your own security camera, the FIDO standard, Twitter information operations, and our Q3 CTNT report.
Categories:
Security world
Week in security
Tags: a week in securityCTNT reportfacebookfidograndcrabgreyenergyoceansaltpentagonsecurity camerastwitter
(Read more...)
|
APT 32 | ||
 |
2018-10-19 15:30:05 | (Déjà vu) Oceansalt Cyberattack Wave Linked To Defunct Chinese APT Comment Crew (lien direct) | News broke today that newly discovered first-stage implant targeting Korean-speaking victims borrows code from another reconnaissance tool linked to Comment Crew, a Chinese nation-state threat actor that was exposed in 2013 following cyber espionage campaigns against the United States. Dubbed Oceansalt, the threat has been spotted on machines in South Korea, the United States, and Canada. … The ISBuzz Post: This Post Oceansalt Cyberattack Wave Linked To Defunct Chinese APT Comment Crew | Tool Threat | APT 32 APT 1 | |
|
2018-10-19 13:00:00 | Things I Hearted this Week, 19th October 2018 (lien direct) |
It’s been another eventful week in the world of cyber security. So let’s just jump right into it.
NCSC has Been Busy
NCSC collaborated with Australia, Canada, New Zealand, UK, and the USA to give us a report that highlights which publicly-available tools criminals are using to aid their cyber crimes.
Joint report on publicly available hacking tools | NCSC
The agency also commented on how it keeps criminals at bay by stopping on average 10 attacks on the government per week.
NCSC also published its Annual Review 2018 - the story of the second year of operations at the National Cyber Security Centre.
Targeting Crypto Currencies
It is estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from Lazarus state-sponsored group, including the infamous attack on Japanese crypto exchange Coincheck, when $534 million in crypto was stolen.
Targeted attacks on crypto exchanges resulted in a loss of $882 million | HelpNet Security
Twitter Publishes Data on Iranian and Russian Troll Farms
In an attempt to try and be more proactive in dealing with misinformation campaigns, Twitter has published its Elections Integrity dataset which includes attempted manipulation, including malicious automated accounts and spam. In other words it’s attempting to out - Iranian and Russian troll farms.
Twitter’s focus is on a healthy public conversation | Twitter
In light of this, it’s worth also revisiting this article by Mustafa Al-Bassam in which he researched UK intelligence doing the same thing targeting civilians in Iran.
British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents | Motherboard
Equifax Engineer Sentenced
An Equifax engineer gets eight months for earning $75,000 from insider trading. He figured out he was building a web portal for a breach involving Equifax, which turned out to be the 2017 breach, and so decided to ride the stock drop.
Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading | ZDNet
Mind the Skills Gap
(ISC)2 has released its 2018 global cyber security workforce study and it looks like the cyber security skills gap has widened to 3 million.
It’s worth bearing in mind that estimating the skills gap isn’t an eas |
Guideline | Equifax APT 38 | |
|
2018-10-19 07:06:03 | Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew (lien direct) | Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada. The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1. “McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report. “We […] | Malware Threat | APT 32 APT 1 | |
|
2018-10-18 12:03:00 | \'Operation Oceansalt\' Reuses Code from Chinese Group APT1 (lien direct) | A recently observed cyber-espionage campaign targeting South Korea, the United States and Canada is reusing malicious code previously associated with state-sponsored Chinese group APT1, McAfee reports. | APT 32 | ||
|
2018-10-18 04:01:00 | Oceansalt cyberattack wave linked to defunct Chinese APT Comment Crew (lien direct) | The source code of malware from the ancient Chinese military-affiliated group appears to have changed hands. | Malware | APT 32 APT 1 | |
 |
2018-10-18 04:01:00 | \'Operation Oceansalt\' Delivers Wave After Wave (lien direct) | 
A wall eight feet high with three strands of barbed wire is considered sufficient to deter a determined intruder, at least according to the advice offered by the CISSP professional certification. Although physical controls can be part of a multifaceted defense, an electronic attack affords the adversary time to develop the necessary tools to bypass …
|
APT 32 | ||
|
2018-10-05 11:00:00 | We\'re Destroying the Sea-But It Could Save Us From Ourselves (lien direct) | A new review looks at more than 1,000 studies of potential oceanic solutions to climate change. A good idea? Wind energy. Maybe not so good? Loading the sea with iron. | Studies | APT 32 | |
|
2018-10-04 06:55:00 | APT38 is behind financially motivated attacks carried out by North Korea (lien direct) | Security experts from FireEye published a report on the activity of financially motivated threat actors, tracked as APT38, linked to the North Korean government. The attacks aimed at financial institutions, FireEye estimates APT38 has stolen at least a hundred million dollars from banks worldwide. APT38 appears to be a North Korea-linked group separate from the […] | Threat Medical | APT 38 | |
|
2018-10-03 20:02:03 | Hidden Cobra APT used the new ATM cash-out scheme FASTCash to hit banks worldwide (lien direct) | A joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “FASTCash,” used by Hidden Cobra APT. The US-CERT has released a joint technical alert from the DHS, the FBI, and the Treasury warning about a new ATM cash-out scheme, dubbed “FASTCash,” being used by the […] | Medical | APT 38 | |
|
2018-10-03 19:42:00 | North Korean Attacks on Banks Attributed to \'APT38\' Group (lien direct) | A report published on Wednesday by FireEye details the activities of a financially motivated threat actor believed to be operating on behalf of the North Korean government. | Threat | APT 38 | |
|
2018-10-03 15:01:00 | North Korea\'s APT38 hacking group behind bank heists of over $100 million (lien direct) | New FireEye report provides insight into North Korea's financially-motivated hacking operations. | APT 38 | ||
|
2018-10-03 07:00:00 | APT38: Détails sur le nouveau groupe de menaces soutenu par le régime nord-coréen APT38: Details on New North Korean Regime-Backed Threat Group (lien direct) |
Aujourd'hui, nous publions des détails sur un un groupe avancé de menace persistante qui, selon nous, est responsable de la conduite d'un crime financierAu nom du régime nord-coréen, volant des millions de dollars aux banques dans le monde.Le groupe est particulièrement agressif;Ils utilisent régulièrement des logiciels malveillants destructeurs pour rendre les réseaux de victimes inopérables après le vol.Plus important encore, les efforts diplomatiques, y compris la récente plainte du ministère de la Justice (DOJ) qui ont décrit l'attribution à la Corée du Nord, n'ont jusqu'à présent pas mis fin à leur activité.Nous appelons ce groupe apt38.
nous publions un
Today, we are releasing details on a advanced persistent threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38. We are releasing a |
Malware Threat | APT 38 APT 38 | ★★★★ |
 |
2018-10-03 04:18:05 | Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash (lien direct) | The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra.
Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations,
|
Medical | APT 38 | |
|
2018-10-02 19:23:03 | NOKKI Malware Sports Mysterious Link to Reaper APT Group (lien direct) | The relationship between the malware and the APT group remains somewhat murky. | Malware | APT 37 | |
|
2018-10-01 11:00:00 | Report Ties North Korean Attacks to New Malware, Linked by Word Macros (lien direct) | Newly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the little-known Reaper group believed to act on behalf of the North Korean government. [...] | Malware Cloud | APT 37 | |
|
2018-09-19 11:00:00 | This Supple, Squishy Robo-Jellyfish Can Explore Ocean Reefs (lien direct) | A new robotic jellyfish can squeeze through holes smaller than its body size. | APT 32 | ||
|
2018-09-14 13:15:04 | Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation (lien direct) | Researchers from the Unit42 at Palo Alto Networks observed Iran-Linked OilRig APT group targeting high-ranking office in a Middle Eastern nation The Iran-linked APT group OilRig continues to very active, it continues to improve the weapons in its arsenal. The OilRig hacker group has been around since at least 2015, since then it targeted mainly organizations in the financial and government […] | APT 34 | ||
|
2018-09-13 21:19:00 | OilRig APT Continues Its Ongoing Malware Evolution (lien direct) | The Iran-linked APT appears to be in a state of continuous tool development, analogous to the DevOps efforts seen in the legitimate software world. | Malware Tool | APT 34 | |
 |
2018-09-13 11:16:00 | OilRig Launching Attack Campaigns With Updated BONDUPDATER Trojan (lien direct) | The OilRig group conducted at least one attack campaign containing an updated variant of the BONDUPDATER trojan as its final payload. In August 2018, Palo Alto Networks’ Unit 42 threat research team detected an OilRig campaign targeting a high-ranking government organization in the Middle East. The email campaign leveraged spear-phishing, one of the most common […]… Read More | Threat | APT 34 | |
|
2018-09-13 11:00:00 | Hurricane Florence: Underwater Drones Help Track the Storm\'s Path (lien direct) | A new tool called a Slocum glider measures the ocean heat that fuels super-storms like Florence, filling in data gaps to help make forecasting more accurate. | Tool | APT 32 | ★★★★ |
 |
2018-09-07 18:26:02 | North Korean hacker charged for WannaCry and Sony cyberattacks (lien direct) | U.S. charges North Korean hacker for WannaCry, Sony cyber attacks The U.S. government on Thursday charged and sanctioned a North Korean hacker for the 2014 Sony hack and the 2017 WannaCry global ransomware cyberattack, U.S. officials said. The accused, Park Jin Hyok worked as part of a team of hackers, also known as the Lazarus […] | Ransomware Hack | Wannacry APT 38 | |
|
2018-09-07 17:29:00 | (Déjà vu) Industry Reactions to U.S. Charging North Korean Hacker: Feedback Friday (lien direct) | A North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the notorious Lazarus Group. | Medical | APT 38 | |
|
2018-09-07 11:00:00 | Ocean Cleanup\'s Plastic Catcher Heads to Sea. But Scientists Are Skeptical (lien direct) | Ocean Cleanup has raised $40 million to deploy a massive device to capture plastic pollution. But many scientists don't think the plan holds water. | APT 32 | ||
|
2018-09-07 09:00:01 | Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks (lien direct) | A 34-year-old North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the Lazarus Group. An affidavit filed by an FBI special agent reveals how investigators linked the man to the notorious threat actor. | Threat Medical | APT 38 | |
|
2018-09-06 23:00:05 | U.S. Ties Lazarus to North Korea and Major Hacking Conspiracy (lien direct) | The DoJ said a DPRK spy, Park Jin-hyok, was involved in “a conspiracy to conduct multiple destructive cyberattacks around the world." | APT 38 | ||
|
2018-09-06 21:43:04 | How US authorities tracked down the North Korean hacker behind WannaCry (lien direct) | US authorities put together four years worth of malware samples, domain names, email and social media accounts to track down one of the Lazarus Group hackers. | Malware Medical | Wannacry APT 38 | |
|
2018-09-06 18:04:01 | U.S. Charges North Korean Over Lazarus Group Hacks (lien direct) | The U.S. Department of Justice on Thursday announced charges against a North Korean national who is believed to be a member of the notorious Lazarus Group, to which governments and the cybersecurity industry have attributed several high profile attacks. | Medical | APT 38 | |
|
2018-09-06 13:00:00 | Malware Analysis using Osquery Part 2 (lien direct) |
In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload.
In this post, we are going to see another common technique that malware uses, persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables.
Registry Persistence
In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and requests an amount of Bitcoins to get all files restored back.
https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707
Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the “CurrentVersion\Run” registry key for the user space pointing to that file. The malware will be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay in the system.
If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, if you remember the query we used to log files written on disk in Part 1 of this blog series, we can also use it here to detect the file planted on user temp directory. We are just searching for files written on Users directories in the last 100 seconds.
Additionally, we can search for the new entry created in the registry hive. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries in the system. We can also use the ‘startup_items’ table. This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry, pointing to the ‘shrug.exe’ file discovered with the first query.
The file shrug.exe is also written on .NET framework, so we can open it again with the debugger and see some interesting parts. This file first checks if the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters.
|
Malware Threat | APT 34 | ★★★ |
|
2018-09-06 07:44:04 | New OilRig APT campaign leverages a new variant of the OopsIE Trojan (lien direct) | The Iran-linked APT group OilRig was recently observed using a new variant of the OopsIE Trojan that implements news evasion capabilities. Experts at Palo Alto observed a new campaign carried out by the Iran-linked APT group OilRig that was leveraging on a new variant of the OopsIE Trojan. The OilRig hacker group is an Iran-linked APT that has been around […] | APT 34 |
To see everything:
Our RSS (filtrered)
