What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-11-25 12:11:18 | Weekly OSINT Highlights, 25 November 2024 (lien direct) | ## Snapshot Last week\'s OSINT reporting reveals a persistent focus on sophisticated attacks targeting diverse sectors, from critical infrastructure to financial services and national defense. Attack types ranged from ransomware and phishing to cyberespionage and supply chain attacks, often leveraging advanced malware like LODEINFO, Asyncshell, and DEEPDATA. Threat vectors predominantly exploit unpatched vulnerabilities, malvertising, supply chain attacks, and credential harvesting, with phishing and social engineering remaining prominent tactics. Notable actors include APT groups such as Gelsemium and BrazenBamboo, alongside cybercriminal collectives like Ignoble Scorpius and Water Barghest, targeting organizations across the US, Europe, and Asia. The findings underscore the growing complexity of cyber threats, emphasizing the need for proactive threat intelligence and robust cybersecurity defenses. ## Description 1. [Helldown Ransomware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/2af97093): Sekoia researchers detailed the Helldown ransomware exploiting a Zyxel firewall vulnerability (CVE-2024-42057) to infiltrate corporate networks. Primarily targeting SMBs in the US and Europe, the attackers deploy Linux and Windows ransomware variants for data extortion and VM encryption. 1. [APT-K-47 Asyncshell Malware](https://sip.security.microsoft.com/intel-explorer/articles/aac966a9): Knownsec reported APT-K-47\'s use of Hajj-themed lures and malicious CHM files to distribute Asyncshell malware. The campaign, targeting South Asian countries, utilizes upgraded stealth tactics and evolving C2 infrastructure for long-term espionage. 1. [Linux Backdoors by Gelsemium](https://sip.security.microsoft.com/intel-explorer/articles/fc22b3bb): ESET researchers identified WolfsBane and FireWood backdoors used by the China-linked APT group Gelsemium for cyberespionage. These tools enable stealthy, persistent access to Linux systems, targeting sensitive data and emphasizing APT trends toward exploiting Linux environments. 1. [Lottie-Player Supply Chain Attack](https://sip.security.microsoft.com/intel-explorer/articles/86e2a9b6): ReversingLabs discovered a supply chain attack on the npm package @lottiefiles/lottie-player, compromising web3 wallets through malicious code. This incident highlights vulnerabilities in open-source ecosystems and the risk of compromised developer credentials. 1. [VMware Vulnerabilities Exploited](https://sip.security.microsoft.com/intel-explorer/articles/2eda898d): CISA added two VMware vulnerabilities, CVE-2024-38812 and CVE-2024-38813, to the Known Exploited Vulnerabilities Catalog. These flaws, involving heap overflow and privilege escalation, threaten vCenter Server and Cloud Foundation environments, emphasizing the need for immediate patching. 1. [Phishing Campaign Targeting Telecom and Financial Sectors](https://sip.security.microsoft.com/intel-explorer/articles/29972b65): EclecticIQ reported a phishing campaign using Google Docs and Weebly to bypass detection, targeting telecom and financial sectors. Threat actors employed tailored lures, fake MFA prompts, and SIM-swapping tactics to steal sensitive data. 1. [Lumma Stealer Distributed via Telegram](https://sip.security.microsoft.com/intel-explorer/articles/f250caee): McAfee researchers observed Lumma Stealer disguised as cracked software and distributed through Telegram channels. The malware targets users in India, the US, and Europe, stealing cryptocurrency and personal data via sophisticated injection techniques. 1. [Rise of ClickFix Social Engineering](https://sip.security.microsoft.com/intel-explorer/articles/67d03ba9): Proofpoint researchers identified ClickFix, a social engineering tactic that tricks users into executing malicious PowerShell commands, leading to malware infections such as AsyncRAT and DarkGate. Used by groups like TA571 and ClearFake, the method targets Ukrainian entities and employs malvertising, GitHub notifications, and CAPTCHA phishing lures. | Ransomware Malware Tool Vulnerability Threat Patching Industrial Prediction Cloud | APT 10 | ★★ |
|
2024-11-19 21:54:53 | Spot the Difference: Earth Kasha\'s New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella (lien direct) | #### Targeted Geolocations - Japan - India - Taiwan #### Targeted Industries - Government Agencies & Services - Information Technology - Transportation Systems - Aviation - Education ## Snapshot Trend Micro has released a report detailing the activities of Earth Kasha, a cyberespionage group known for leveraging the LODEINFO malware, primarily targeting entities in Japan. While some researchers suggest a connection to APT10, Trend Micro considers Earth Kasha a distinct entity within the "APT10 Umbrella," a term denoting groups linked to APT10\'s operational methods. This distinction arises from shared tactics and malware but insufficient direct evidence to conflate the two groups entirely. APT10 is tracked by Microsoft as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745?tab=description&). ## Description Since early 2023, Earth Kasha has expanded its operations beyond Japan to include high-profile targets in Taiwan and India, focusing on government agencies and advanced technology industries. Their recent campaigns exhibit a strategic evolution, using vulnerabilities in public-facing enterprise applications, such as FortiOS/FortiProxy and Array AG, to gain initial access. Post-exploitation activities emphasize persistence, lateral movement, and credential theft, deploying backdoors like LODEINFO, NOOPDOOR, and the Cobalt Strike framework. The LODEINFO malware, central to Earth Kasha\'s campaigns, has undergone continuous development, with new versions observed in recent attacks. This malware is used alongside tools like MirrorStealer, which extracts credentials from browsers and email clients, and NOOPDOOR, a sophisticated backdoor with advanced evasion techniques. These tools enable extensive data theft and infiltration of victim networks. Comparative analysis highlights overlaps between Earth Kasha and other APT10-associated campaigns, particularly in tactics like exploiting SSL-VPN vulnerabilities and abusing legitimate tools for credential harvesting. However, toolsets differ, suggesting operational independence while potentially sharing resources or operators.Trend Micro\'s medium-confidence attribution of Earth Kasha underscores its ties to the broader APT10 network but stops short of confirming direct control. The group\'s distinct operational focus and adaptive methods indicate a specialized role within this cyber threat ecosystem. These findings highlight the complexity of attribution in modern cyber warfare and the evolving capabilities of threat actors like Earth Kasha. ## Microsoft Analysis and Additional OSINT Context The threat actor Microsoft tracks as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745?tab=description&) is a long-running, targeted activity group which has had success in compromising targets from as early as 2009. This activity group has targeted various government entities and industry sectors such as engineering, critical manufacturing, communications infrastructure, and defense. Most of its activity has been spread across a wide geographic area; however, localized targeting using specific malware families has been observed, which suggests possible subgroups are contained within the wider Purple Typhoon group. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so tha | Malware Tool Vulnerability Threat Prediction | APT 10 | ★★ |
|
2024-10-14 21:26:20 | Faits saillants hebdomadaires, 14 octobre 2024 Weekly OSINT Highlights, 14 October 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting highlights a complex landscape of cyber threats with a focus on APT groups, sophisticated malware, and exploitation of vulnerabilities. Many attacks are espionage-focused, with China-aligned groups like CeranaKeeper, Iran\'s Hazel Sandstorm, and Russia\'s Midnight Blizzard (SVR) leveraging spearphishing and vulnerability exploitation for intelligence gathering. Ransomware also remains a dominant attack type, with threat actors leveraging double extortion tactics to maximize pressure on victims. A surge in reporting on malware distribution was also observed, including Lua-based malware in the education sector and Pronsis Loader delivering Lumma Stealer. Additionally, multiple reports detail widespread campaigns leveraging phishing, malvertising, and cryptomining, with key targets being government institutions, financial services, and critical infrastructure. Attackers employ diverse techniques such as DNS tunneling, USB-based malware, and exploit known vulnerabilities like EternalBlue (CVE-2017-0144) and FortiOS (CVE-2024-23113). ## Description Last week\'s OSINT reporting highlights a complex landscape of cyber threats with a focus on APT groups, sophisticated malware, and exploitation of vulnerabilities. Many attacks are espionage-focused, with China-aligned groups like CeranaKeeper, Iran\'s Hazel Sandstorm, and Russia\'s Midnight Blizzard (SVR) leveraging spearphishing and vulnerability exploitation for intelligence gathering. Ransomware also remains a dominant attack type, with threat actors leveraging double extortion tactics to maximize pressure on victims. A surge in reporting on malware distribution was also observed, including Lua-based malware in the education sector and Pronsis Loader delivering Lumma Stealer. Additionally, multiple reports detail widespread campaigns leveraging phishing, malvertising, and cryptomining, with key targets being government institutions, financial services, and critical infrastructure. Attackers employ diverse techniques such as DNS tunneling, USB-based malware, and exploit known vulnerabilities like EternalBlue (CVE-2017-0144) and FortiOS (CVE-2024-23113). 1. [CeranaKeeper Targets Thai Government](https://sip.security.microsoft.com/intel-explorer/articles/b3aa72ef): ESET uncovered a new China-aligned APT, CeranaKeeper, targeting government institutions in Thailand, using unique tools for data exfiltration via cloud services. The group adapts its malware for stealth and has been mistakenly linked to Mustang Panda due to some shared methods. 2. [Largest DDoS Attack Mitigated](https://sip.security.microsoft.com/intel-explorer/articles/74f06d55): Cloudflare mitigated the largest publicly disclosed DDoS attack, peaking at 3.8 Tbps, which targeted financial services, internet, and telecom organizations globally. Akamai also identified a critical vulnerability in CUPS servers, potentially creating a new vector for DDoS amplification. 3. [Cuckoo Spear\'s Sophisticated Tools](https://sip.security.microsoft.com/intel-explorer/articles/d47fc595): Cybereason exposed the Cuckoo Spear campaign by APT10, using NOOPLDR and NOOPDOOR to conduct espionage against Japanese industries and governments. These advanced tools employ anti-detection techniques and facilitate network pivoting for exfiltration. 4. [Mamba 2FA Phishing Campaign](https://sip.security.microsoft.com/intel-explorer/articles/bfcb80ed): Sekoia identified a phishing campaign using Mamba 2FA, a PhaaS platform, to steal credentials and session cookies from Microsoft services. Attackers exploited MFA weaknesses and used Telegram bots for data exfiltration. 5. [Golden Jackal\'s Air-Gapped System Attacks](https://sip.security.microsoft.com/intel-explorer/articles/f0234a25): ESET researchers discovered Golden Jackal targeting European government organizations with tools designed to breach air-gapped systems. The group uses USB-based malware for espionage and data exfiltration. 6. [Awaken Likho Targets Russian Agencies](https://sip.security.microsoft.com/in | Ransomware Malware Tool Vulnerability Threat Patching Industrial Medical Cloud | APT 29 APT 10 GoldenJackal | ★★ |
|
2024-10-07 19:22:45 | CUCKOO SPEAR PARTIE 2: acteur de menace Arsenal CUCKOO SPEAR Part 2: Threat Actor Arsenal (lien direct) |
## Snapshot Cybereason Security Services Team uncovered sophisticated capabilities of the Cuckoo Spear tools, NOOPLDR and NOOPDOOR. ## Description NOOPLDR variants, including NOOPLDR-DLL and NOOPLDR-C#, establish persistence by registering as services and injecting shellcode into system processes. NOOPLDR-DLL uses code obfuscation, dynamic custom syscalls, and modified legitimate DLLs to evade detection, while NOOPLDR-C# employs heavy obfuscation, time stomping, and executes C# code from XML files using msbuild.exe. Both loaders retrieve and decrypt shellcode from the registry or a .dat file, using AES encryption with keys derived from the machine\'s unique identifiers. NOOPDOOR malware, associated with NOOPLDR, has client and server components designed for stealth and persistence. The client-side features API hashing, anti-debugging, a domain generation algorithm (DGA), and a custom TCP protocol for data exfiltration. The server-side is capable of modifying firewall rules and executing commands for network pivoting. The campaign has ties to the well-known APT10 group, showing clear links between multiple incidents while revealing new tools and strategies employed by the attackers. Cuckoo Spear mainly targeted Japanese companies in the manufacturing, political, and industrial sectors, with cyber espionage as its primary goal. ## Microsoft Analysis Researchers at Cybereason assess the threat actor to be APT10. Microsoft tracks APT10 as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745) Purple Typhoon (POTASSIUM), the activity group also known as APT 10, Stone Panda, Cloud Hopper, Red Apollo, or menuPass, has been reported to be responsible for global intrusion campaigns from 2006. These campaigns aimed to steal intellectual property and confidential business information from defense contractors and government agencies in the United States. The group was also observed launching attacks against a diverse set of other verticals, including communications, energy, space aviation. Notably, the group targeted managed service providers (MSPs) with presence in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, United Arab Emirates, and the United Kingdom. Compromising MSPs provided Purple Typhoon a launchpad for infiltrating organizations whose IT infrastructures and/or end-user systems are managed by these MSPs. Known to initially compromise targets via spear-phishing emails that deliver malicious payloads in the form of remote access trojans (RATs), the group steals administrator credentials to move laterally across target systems, maintain persistence, and exfiltrate high-value information. The malicious payloads typically utilized by Purple Typhoon include three main RATs called REDLEAVES, UPPERCUT and CHCHES. On December 17, 2018, the US government indicted two members of Purple Typhoon. On January 2, 2019, the Federal Bureau of Investigation shared indicators of compromise (IOCs) to aid in customer protection. Using these IOCs, which the security community further corroborated, along with Microsoft\'s own IOCs and telemetry, we have put in place enhanced detection mechanisms that can help guard against possible attacks coming from this group. ## Recommendations Apply these mitigations to reduce the impact of this threat. - Apply security updates to vulnerable VPN solutions. - Require multi-factor authentication (MFA) for local device access, RDP access, and remote connections through VPN. Use password-less solutions like [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator/). For further guidance, read about: - [Set up multi-factor authentication for Office 365](https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) - [Use two-step verification with consumer accounts](https://support.microsoft.com/en-us/help/ | Malware Tool Threat Industrial Cloud | APT 10 | ★★★ |
|
2024-09-23 16:05:03 | Faits saillants hebdomadaires OSINT, 23 septembre 2024 Weekly OSINT Highlights, 23 September 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting reveals a landscape dominated by complex, multi-layered attacks targeting critical infrastructure, financial sectors, and cloud environments. Nation-state actors, like China\'s Flax Typhoon and Iran\'s UNC1860, leverage botnets, IoT exploits, and sophisticated backdoors to infiltrate government, military, and industrial targets. The emergence of groups such as Earth Baxia highlights the continued exploitation of vulnerabilities like CVE-2024-36401 and spear-phishing tactics in the Asia-Pacific region. Meanwhile, cybercriminals, including SCATTERED SPIDER (Octo Tempest) and those behind the Lumma Stealer campaigns, utilize social engineering, fake CAPTCHA pages, and WebDAV for malware distribution to evade detection and deploy ransomware and infostealers. Exploits underscore the increasing use of open-source vulnerabilities, with attackers targeting a diverse range of industries, including IT, telecommunications, and finance. These attacks highlight evolving tactics, advanced persistence mechanisms, and stealthy malware being used to target sensitive data globally. ## Description 1. [Raptor Train Botnet Operated by Flax Typhoon](https://sip.security.microsoft.com/intel-explorer/articles/9118dcb6): Black Lotus Labs uncovered the massive Raptor Train botnet, operated by Chinese nation-state group Flax Typhoon. This IoT botnet, consisting of compromised routers, cameras, and other devices, has targeted U.S. and Taiwanese entities across sectors like military and government, making it one of the largest Chinese state-sponsored botnets to date. 2. [Exploitation of GeoServer Vulnerability (CVE-2024-36401)](https://sip.security.microsoft.com/intel-explorer/articles/e7a82171): Threat actors are exploiting a remote code execution (RCE) vulnerability in GeoServer to deliver malware such as GOREVERSE, SideWalk, and CoinMiner. Campaigns have targeted IT, telecom, and government sectors across multiple countries, using sophisticated backdoors and botnets to compromise systems. 3. [WebDAV Used to Distribute Emmenthal Loader](https://sip.security.microsoft.com/intel-explorer/articles/6dec4139): Cybercriminals are using WebDAV servers to distribute the Emmenthal loader (aka PeakLight), which delivers infostealers via malicious .lnk files. This infrastructure is likely part of a larger cybercrime operation offering infrastructure as a service (IaaS), and its stealthy, memory-only execution technique poses a significant threat to global cybersecurity. 4. [Iran\'s UNC1860 Targets Middle Eastern Networks](https://sip.security.microsoft.com/intel-explorer/articles/e882507d): Mandiant assesses UNC1860 is likely linked to Iran\'s Ministry of Intelligence and Security (MOIS) and focuses on persistent access to government and telecom organizations in the Middle East. The group leverages sophisticated tools, such as TEMPLEPLAY and VIROGREEN, and exploits internet-facing servers to evade detection. 5. [Cuckoo Spear Campaign Tied to APT10](https://sip.security.microsoft.com/intel-explorer/articles/8f34c36c): Cybereason discovered the "Cuckoo Spear" campaign, attributed to APT10, targeting Japanese manufacturing and political sectors. The attackers used advanced tools like LODEINFO and NOOPLDR to maintain long-term espionage operations, employing tactics like DLL side-loading and phishing. 6. [PondRAT Campaign Linked to North Korean Group](https://sip.security.microsoft.com/intel-explorer/articles/906408c8): Unit 42 identified the PondRAT campaign, attributed to Gleaming Pisces (Citrine Sleet), which targets Linux and macOS systems through infected PyPI packages. The goal is to compromise the supply chain, particularly in the cryptocurrency sector, by delivering backdoor malware to developers\' machines. 7. [Phishing Campaign Distributes Lumma Stealer](https://sip.security.microsoft.com/intel-explorer/articles/3cb5d189): A phishing campaign abuses GitHub repositories by filing false security vulnerability reports to lure users into downloading the Lumma Stealer malware. The | Ransomware Malware Tool Vulnerability Threat Mobile Industrial Prediction Cloud Conference | APT 10 | ★★ |
|
2024-09-20 13:20:01 | CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective (lien direct) | #### Géolocations ciblées - Japon #### Industries ciblées - des groupes politiques et autres - Autres entités commerciales - Installations commerciales ## Instantané Des chercheurs de Cybearon ont découvert une campagne de menaces au niveau de l'État-nation nommée "Cuckoo Spear" qui a persisté sur les réseaux victimes pendant plusieurs années en utilisant des techniques sophistiquées. ## Description La campagne a des liens avec le groupe APT10 bien connu, montrant des liens clairs entre plusieurs incidents tout en révélant de nouveaux outils et stratégies utilisés par les attaquants.Cuckoo Spear a principalement ciblé les entreprises japonaises dans les secteurs de la fabrication, des politiques et industriels, avec le cyber-espionnage comme objectif principal. Les attaquants ont utilisé des logiciels malveillants furtifs, y compris une version mise à jour de Lodeinfo, un outil précédemment associé à l'APT10.Les chercheurs ont également identifié deux nouveaux composants de logiciels malveillants: NOOPLDR, une porte dérobée de persistance, et NOOPDOOR, qui a utilisé un algorithme de génération de domaine (DGA) pour les communications et le relais de réseau interne.Certaines victimes ont accueilli sans le savoir ces acteurs au sein de leurs systèmes jusqu'à deux à trois ans. L'accès initial aux réseaux cibles a été principalement réalisé grâce à des attaques de phishing, bien que la cyber-saison ait également observé que l'exploitation d'applications accessibles au public ait également été observée.Les attaquants ont utilisé des techniques avancées telles que le chargement latéral DLL et l'exploitation MSBuild pour maintenir la persistance. L'infrastructure derrière Cuckoo Spear a exploité les services DNS dynamiques et les domaines enregistrés pour gérerleur campagne.[Strike Cobalt] (https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc),Lodeinfo, NOOPLDR et NOOPDOOR ont tous joué des rôles dans le maintien de la persistance et l'activation du mouvement latéral à travers les environnements compromis, permettant aux attaquants de rester non détectés lors de l'exécution d'espionnage à long terme. ## Recommandations Appliquez ces atténuations pour réduire l'impact de cette menace.Vérifiez la carte de recommandations pour l'état de déploiement des atténuations surveillées. - Appliquer des mises à jour de sécurité aux solutions VPN vulnérables. - Exiger l'authentification multi-facteurs (MFA) pour l'accès des périphériques locaux, l'accès RDP et les connexions distantes via VPN.Utilisez des solutions sans mot de passe comme [Microsoft Authenticator] (https://www.microsoft.com/en-us/account/authenticator/).Pour plus de conseils, lisez sur: - [Configurer l'authentification multi-facteurs pour Office 365] (https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=O365-mondial) - [Utilisez une vérification en deux étapes avec les comptes de consommation] (https://support.microsoft.com/en-us/help/12408/microsoft-account-how-to-use-setwo-tep-verrification) - Utilisez le pare-feu Microsoft Defender et votre pare-feu réseau pour empêcher la communication des appels de procédure distante (RPC) et un bloc de messages (SMB) entre les points de terminaison dans la mesure du possible.Cela limite le mouvement latéral ainsi que d'autres activités d'attaque. - Allumez la protection livrée par le cloud et la soumission automatique des échantillons sur Microsoft Defender Antivirus.Ces capacités utilisent l'IA et l'apprentissage automatique pour identifier et arrêter rapidement les menaces nouvelles et inconnues. - Pratiquez le principe du moindre privile et maintenez l'hygiène des références.Évitez l'utilisation des comptes de service au niveau de l'administration à l'échelle du domaine.Restreindre les privilèges administr | Malware Tool Threat Industrial Commercial | APT 10 | ★★ |
 |
2024-06-26 00:00:00 | Attaquants dans le profil: Menupass et Alphv / Blackcat Attackers in Profile: menuPass and ALPHV/BlackCat (lien direct) |
Pour tester l'efficacité des services gérés comme notre offre de détection et de réponse à la micro-géré, Mitre Encenuity ™ a combiné les outils, les techniques et les pratiques de deux méchants acteurs mondiaux: Menupass et alphv / blackcat.Ce blog raconte pourquoi ils ont été choisis et ce qui en fait des menaces à compter.
To test the effectiveness of managed services like our Trend Micro managed detection and response offering, MITRE Engenuity™ combined the tools, techniques, and practices of two globally notorious bad actors: menuPass and ALPHV/BlackCat. This blog tells the story of why they were chosen and what makes them threats to be reckoned with. |
Tool Prediction | APT 10 | ★★★ |
 |
2023-05-30 22:00:00 | Rat Seroxen à vendre SeroXen RAT for sale (lien direct) |
This blog was jointly written with Alejandro Prada and Ofer Caspi.
Executive summary
SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it accessible.
Key takeaways:
SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the command line NirCmd.
Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.
Analysis
Quasar RAT is a legitimate open-source remote administration tool. It is offered on github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017).
It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day.
In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.
Figure 1. SeroXen features announced on its website.
This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.
In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.
After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.
The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th |
Malware Tool Threat | Uber APT 10 | ★★ |
 |
2022-05-03 16:31:00 | Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity
(published: April 28, 2022)
ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | |
Ransomware Malware Tool Vulnerability Threat Guideline Cloud | APT 37 APT 10 APT 10 | |
|
2021-07-06 15:05:00 | Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients
(published: July 4, 2021)
A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.
Analyst Comment: Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073
Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools
IndigoZebra APT Continues To Attack Central Asia With Evolving Tools
(published: July 1, 2021)
Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | APT 19 APT 10 | |
|
2021-04-06 16:57:00 | Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
The Leap of a Cycldek-Related Threat Actor
(published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
(published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts e.g. port scan to get early indication of potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Hancitor, Malspam, Cobalt Strike
|
Malware Tool Vulnerability Threat Conference | APT 35 APT 10 |
1
We have: 11 articles.
We have: 11 articles.
To see everything:
Our RSS (filtrered)
