Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2019-03-27 10:52:01 |
North Korean hackers continue attacks on cryptocurrency businesses (lien direct) |
Lazarus Group hackers seamlessly integrate Mac malware into their normal attack routine. |
Malware
Medical
|
APT 38
|
|
 |
2019-03-05 21:23:03 |
Iran-Linked Chafer APT recently used python-based backdoor (lien direct) |
The Iran-linked Chafer APT group used a new Python-based backdoor in recent attacks aimed at a Turkish government entity. The Iran-linked Chafer APT group used a new Python-based backdoor in attacks carried out in November 2018 that targeted a Turkish government entity. The Chafer APT group has distributed data stealer malware since at least mid-2014, […]
|
Malware
Prediction
|
APT 39
|
|
 |
2019-02-01 19:35:02 |
Chafer APT Takes Aim at Diplomats in Iran with Improved Custom Malware (lien direct) |
The Remexi spyware has been improved and retooled. |
Malware
|
APT 39
|
|
 |
2019-01-16 15:51:01 |
Disclosure of Chilean Redbanc Intrusion Leads To Lazarus Ties. (lien direct) |
By Vitali Kremez, Director of Research, Flashpoint Flashpoint analysts believe that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to North Korea-linked advanced persistent threat (APT) group Lazarus. Redbanc confirmed that the malware was installed on the company's corporate network without triggering antivirus […]
|
Malware
Threat
|
APT 38
|
|
 |
2019-01-16 08:59:01 |
Experts link attack on Chilean interbank network Redbanc to NK Lazarus APT (lien direct) |
Researchers from Flashpoint linked the recently disclosed attack on Chilean interbank network Redbanc to the North Korean APT group Lazarus. Security experts at Flashpoint linked the recently disclosed attack on the Chilean interbank network to the dreaded Lazarus APT group. The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware […]
|
Malware
|
APT 38
|
|
 |
2019-01-10 14:00:00 |
Top 12 Blogs of 2018 (lien direct) |
Time to look back on the top AlienVault blogs of 2018! Here we go:
A North Korean Monero Cryptocurrency Miner by Chris Doman
Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we’ve analysed above may be the most recent product of their endeavours.
VLAN Hopping and Mitigation by Pam
This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow for attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switch spoofing' and 'double tagging'. I will then discuss mitigation techniques.
DNS Poisoning and How To Prevent It by Jeff Thompson
The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, into a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER - if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 867.53.0.9 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.]
4 SIEM Use Cases That Will Dramatically Improve Your Enterprise Security by Stephen Roe
Companies both large and small must plan to protect their data. Failing to do so puts you at risk for financial trouble, legal liability, and loss of goodwill.
Make sure to deploy SIEMs to prevent such misfortunes befalling your business. If you know how to put them to use, SIEMs provide value out of the box. Here’s a quick recap on how SIEMs can benefit you with a few clicks.
Prevent SQL injection attacks by keeping an eye on the health of your systems. This will keep you ready if and when attacks do happen.
For handling watering hole intruders, SIEMs make it easy to monitor suspicious communication hinting at an attack in progress.
If you’re worried about malware infection, commun |
Malware
Guideline
|
Wannacry
APT 38
|
|
 |
2018-12-21 19:00:00 |
OVERRULED: Containing a Potentially Destructive Adversary (lien direct) |
UPDATE (Jul. 3, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining "suspected APT33 activity" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The malware and tradecraft in this blog post are consistent with the June 2019 intrusion campaign targeting U.S. federal government agencies and financial, retail, media, and education sectors – as well as U.S. Cyber Command's July 2019 CVE-2017-11774 indicators, which FireEye also attributes to APT33. FireEye's rigorous process for clustering and attributing this |
Malware
|
APT33
APT 33
|
★★★★
|
 |
2018-12-20 05:16:00 |
Shamoon data-wiping malware believed to be the work of Iranian hackers (lien direct) |
Researchers say the Iranian hacker group APT33 is responsible for recent attacks in the Middle East and Europe. |
Malware
|
APT33
APT 33
|
|
 |
2018-12-13 15:01:02 |
Operation Sharpshooter targets critical infrastructure and global defense (lien direct) |
McAfee uncovered a campaign tracked as Operation Sharpshooter that hit at least 87 organizations in global defense and critical infrastructure. Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with Lazarus APT group that carried out Sony Pictures attack back in […]
|
Malware
Threat
|
APT 38
|
|
 |
2018-12-12 11:26:05 |
Op 'Sharpshooter' Uses Lazarus Group Tactics, Techniques, and Procedures (lien direct) |
A new advanced threat actor has emerged on the radar, targeting organizations in the defense and the critical infrastructure sectors with fileless malware and an exploitation tool that borrows code from a trojan associated with the Lazarus group [...] |
Malware
Tool
Threat
Medical
|
APT 38
|
|
 |
2018-11-24 10:23:02 |
North Korea-linked group Lazarus targets Latin American banks (lien direct) |
According to security researchers at Trend Micro, the North Korea-linked APT group Lazarus recently targeted banks in Latin America. The North Korea-linked APT group Lazarus recently targeted banks in Latin America, Trend Micro experts reported. The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts […]
|
Malware
Medical
|
APT 38
|
|
 |
2018-11-10 14:47:00 |
(Déjà vu) Symantec shared details of North Korean Lazarus's FastCash Trojan used to hack banks (lien direct) |
North Korea-linked Lazarus Group has been using FastCash Trojan to compromise AIX servers to empty tens of millions of dollars from ATMs. Security experts from Symantec have discovered a malware, tracked as FastCash Trojan, that was used by the Lazarus APT Group, in a string of attacks against ATMs. The APT group has been using this malware […]
|
Malware
Hack
Medical
|
APT 38
|
|
 |
2018-11-08 17:45:00 |
Symantec Uncovers North Korean Group's ATM Attack Malware (lien direct) |
Lazarus Group has been using FastCash Trojan on obsolete AIX servers to empty tens of millions of dollars from ATMs. |
Malware
Medical
|
APT 38
|
|
 |
2018-11-06 08:56:00 |
Worst malware and threat actors of 2018 so far (lien direct) |
What's the worst malware so far into 2018? The worst botnets and banking trojans, according to Webroot, were Emotet, Trickbot, and Zeus Panda. Crysis/Dharma, GandCrab, and SamSam were the worst among ransomware. The top three in cryptomining/cryptojacking were GhostMiner, WannaMine, and Coinhive. And included in the list of top 10 threat actors so far this year, we find Lazarus Group, Sofacy and MuddyWater coming in the top three spots, according to AlienVault. Lazarus Group took the top spot from Sofacy this year. The reported locations for the top 10 threat actors are North Korea, with two groups; Russia, with three groups; Iran, with two groups; China, with two groups; and India, with one. Microsoft Office was the most exploited application, but Adobe Flash, WebLogic, Microsoft Windows, Drupal and GPON routers were also listed in the top 10. |
Malware
Threat
Medical
|
APT 38
|
|
 |
2018-10-19 07:06:03 |
Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew (lien direct) |
Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada. The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1. “McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report. “We […]
|
Malware
Threat
|
APT 32
APT 1
|
|
 |
2018-10-18 04:01:00 |
Oceansalt cyberattack wave linked to defunct Chinese APT Comment Crew (lien direct) |
The source code of malware from the ancient Chinese military-affiliated group appears to have changed hands. |
Malware
|
APT 32
APT 1
|
|
 |
2018-10-03 07:00:00 |
APT38: Details on New North Korean Regime-Backed Threat Group (lien direct) |
Today, we are releasing details on an advanced persistent threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38.
We are releasing a |
Malware
Threat
|
APT 38
|
★★★★
|
 |
2018-10-02 19:23:03 |
NOKKI Malware Sports Mysterious Link to Reaper APT Group (lien direct) |
The relationship between the malware and the APT group remains somewhat murky. |
Malware
|
APT 37
|
|
 |
2018-10-01 11:00:00 |
Report Ties North Korean Attacks to New Malware, Linked by Word Macros (lien direct) |
Newly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the little-known Reaper group believed to act on behalf of the North Korean government. [...] |
Malware
Cloud
|
APT 37
|
|
 |
2018-09-13 21:19:00 |
OilRig APT Continues Its Ongoing Malware Evolution (lien direct) |
The Iran-linked APT appears to be in a state of continuous tool development, analogous to the DevOps efforts seen in the legitimate software world. |
Malware
Tool
|
APT 34
|
|
 |
2018-09-06 21:43:04 |
How US authorities tracked down the North Korean hacker behind WannaCry (lien direct) |
US authorities put together four years worth of malware samples, domain names, email and social media accounts to track down one of the Lazarus Group hackers. |
Malware
Medical
|
Wannacry
APT 38
|
|
 |
2018-09-06 13:00:00 |
Malware Analysis using Osquery Part 2 (lien direct) |
In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload.
In this post, we are going to see another common technique that malware uses, persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables.
Registry Persistence
In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and requests an amount of Bitcoins to get all files restored back.
https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707
Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value under the per-user “CurrentVersion\Run” registry key (HKCU) pointing to that file. The malware will be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay on the system.
If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, if you remember the query we used to log files written to disk in Part 1 of this blog series, we can also use it here to detect the file planted in the user temp directory. We are just searching for files written under the Users directories in the last 100 seconds.
Additionally, we can search for the new entry created in the registry hive. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries on the system. We can also use the ‘startup_items’ table. This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry, pointing to the ‘shrug.exe’ file discovered with the first query.
The file shrug.exe is also written using the .NET framework, so we can open it again with the debugger and see some interesting parts. This file first checks if the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters.
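As an added illustration (these are not the queries from the AlienVault post, which are not reproduced on this page), the three osquery queries below follow the steps described above in order: the dropped file, the per-user Run value, and the same artefact seen through startup_items. The Temp path under C:\Users, the SID wildcard in HKEY_USERS and the shrug.exe filename are assumptions taken from the description; adjust them to your lab.

```sql
-- Added example, not from the original post. Assumed: the sample drops
-- shrug.exe into C:\Users\<user>\AppData\Local\Temp and registers it under
-- the per-user Run key. osquery is SQLite underneath, so strftime() and
-- datetime() are available; in its LIKE patterns '%' matches one path
-- component and '%%' recurses into subdirectories.

-- 1. Files written to any user's Temp directory in the last 100 seconds
--    (the Part 1 "files written to disk" query narrowed to the drop location).
SELECT path, size, datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE 'C:\Users\%\AppData\Local\Temp\%'
  AND mtime > strftime('%s', 'now') - 100;

-- 2. Run-key values whose target lives in a Temp directory. When osqueryd
--    runs as SYSTEM, HKCU is reached as HKEY_USERS\<SID>; the single '%'
--    stands in for the SID so every loaded user hive is covered.
SELECT key, name, data, datetime(mtime, 'unixepoch') AS key_modified
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
  AND data LIKE '%\Temp\%';

-- 3. The same persistence entry via startup_items, which already enumerates
--    the autorun locations; 'source' names the key or folder it came from.
SELECT name, path, source, username
FROM startup_items
WHERE path LIKE '%\Temp\%'
   OR path LIKE '%\shrug.exe%';
```

Run them interactively in osqueryi on the analysis VM while the sample executes. For continuous detection, schedule queries 2 and 3 in an osqueryd pack with a short interval; osquery logs scheduled queries differentially by default, so only newly added Run values and startup items are emitted, which is exactly the event a dropper's persistence step produces.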
|
Malware
Threat
|
APT 34
|
★★★
|
 |
2018-09-01 15:54:03 |
(Déjà vu) Lazarus (lien direct) |
Type: Malware
Platform: Mac OS X
Last updated: 09/01/18 10:50 pm
Threat Level: High
Description: Lazarus is malware.
Lazarus Threat Removal: MacScan can detect and remove Lazarus Malware from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat.
|
Malware
Threat
|
APT 38
|
|
 |
2018-08-23 15:07:00 |
Lazarus Group Builds its First MacOS Malware (lien direct) |
This isn't the first time Lazarus Group has infiltrated a cryptocurrency exchange as the hacking team has found new ways to achieve financial gain. |
Malware
Medical
|
APT 38
|
|
 |
2018-08-23 08:00:00 |
AppleJeus: macOS users targeted in new Lazarus attacks (lien direct) |
The campaign includes the distribution of Apple macOS malware for the first time. |
Malware
|
APT 38
|
|
 |
2018-08-10 16:15:03 |
The analysis of the code reuse revealed many links between North Korea malware (lien direct) |
Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence that links malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123. The experts focused their analysis on the code reuse, past investigations revealed that some APT groups share portions of code […]
|
Malware
Medical
Cloud
|
APT 38
APT 37
|
|
 |
2018-08-09 19:34:03 |
Researchers Say Code Reuse Links North Korea's Malware (lien direct) |
Following trails of reused code, security researchers at Intezer and McAfee have uncovered new links between malware families attributed to North Korean threat groups and tracked most of the samples to the infamous |
Malware
Threat
|
APT 38
|
|
 |
2018-08-09 13:00:01 |
Examining Code Reuse Reveals Undiscovered Links Among North Korea's Malware Families (lien direct) |
This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story. Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to …
|
Malware
Guideline
Medical
Cloud
|
APT 38
APT 37
|
|
 |
2018-06-25 18:30:00 |
Malware in South Korean Cyberattacks Linked to Bithumb Heist (lien direct) |
Lazarus Group is likely behind a spearphishing campaign containing malicious code to download Manuscrypt malware. |
Malware
Medical
|
Bithumb
APT 38
|
|
 |
2018-06-11 13:00:00 |
More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea (lien direct) |
Written By Chris Doman and Jaime Blasco
Introduction
Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government. These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.
Below we’ve shared our brief analysis of the attack.
Profiling Script
The first step appears to have been a profiling script to get information on possible targets for their attack. We’ve seen Lazarus do this before on other sites they have infected, and it’s a technique that other advanced attackers have been seen to employ.
This was followed by scripts to perform additional profiling and actually deliver the ActiveX exploit.
Some details of these scripts were kindly shared by issuemakerslab, who identified a number of infections that moved over time:
|
Malware
Vulnerability
|
APT 38
|
★★★★
|
 |
2018-02-20 13:30:00 |
APT37 (Reaper): The Overlooked North Korean Actor (lien direct) |
On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).
Our analysis of APT37's recent activity reveals that the group's operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state |
Malware
Vulnerability
|
APT 37
|
★★★★
|
 |
2017-09-20 09:00:00 |
Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware (lien direct) |
When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.
Recent |
Malware
|
APT33
APT 33
|
★★★★
|