Last one
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-10-11 21:41:42 |
Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions (direct link) |
#### Targeted Geolocations
- United Arab Emirates
## Snapshot
Researchers at Trend Micro have identified a cyber espionage campaign by Earth Simnavaz, also known as APT34 and tracked by Microsoft as [Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d), targeting government entities in the UAE and the Gulf region.
## Description
The group uses sophisticated tactics to maintain persistence and exfiltrate sensitive data, using a backdoor that abuses Microsoft Exchange servers for credential theft and exploiting vulnerabilities such as CVE-2024-30088 for privilege escalation. They use a mix of custom .NET tools, PowerShell scripts, and IIS-based malware, such as the Karkoff backdoor, to blend malicious activity with normal network traffic and evade detection.
The initial infiltration method consists of uploading a web shell to a vulnerable web server, enabling the execution of PowerShell code and file transfers to expand their foothold. The threat actors then download the remote management tool ngrok to facilitate lateral movement and reach the domain controller. The group registers a password filter DLL to capture password changes and exfiltrates the encrypted credentials through legitimate government Exchange servers using a tool identified as StealHook. They also use a scheduled task that runs a script named "U.PS1" for persistence and are known to replace this script with a non-functional one to hinder investigation efforts.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access your network.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
## Detections / Hunting Queries
### Microsoft Defender for Endpoint
Alerts with the following titles in the security center can indicate threat activity on your network:
- Hazel Sandstorm actor activity detected
## References
[Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions](https://www.trendmicro.com/en_us/research/24/j/arth-simnavaz-cyberattacks-uae-gulf-regions.html). Trend Micro (accessed 2024-10-11)
[Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d). Microsoft (accessed 2024-10-11)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any portion thereof, without Microsoft's written permission is prohibited. |
Malware
Tool
Vulnerability
Threat
Prediction
|
APT 34
|
★★★
|
 |
2024-09-19 21:39:29 |
UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks (direct link) |
#### Targeted Geolocations
- Middle East
## Snapshot
Mandiant released a report detailing the activities of UNC1860, a threat actor Mandiant assesses is likely affiliated with Iran's Ministry of Intelligence and Security (MOIS).
## Description
This group is known for its sophisticated toolkit and passive backdoors, which allow it to gain persistent access to high-priority networks, such as government and telecommunications organizations in the Middle East. Mandiant assesses that UNC1860's tradecraft is similar to other Iran-based groups like Shrouded Snooper, Scarred Manticore, and the group Microsoft tracks as [Storm-0861](https://security.microsoft.com/intel-profiles/e75c30dac03473d46bf83d32cefa79cdbd4f16ee8fd4eb62cf714d7ba9c8de00), but Mandiant could not confirm their involvement in recent high-profile cyberattacks.
UNC1860 leverages specialized tools like GUI-operated malware controllers (TEMPLEPLAY and VIROGREEN), which Mandiant assesses were used to provide initial access to victim networks to external teams, possibly other MOIS-affiliated groups. Additionally, UNC1860 uses a variety of passive backdoors to maintain a foothold in networks, including a repurposed Windows kernel driver, reflecting its expertise in reverse engineering and detection evasion.
The group has been observed exploiting vulnerable internet-facing servers, using web shells and droppers to deploy additional utilities and implants. These implants enhance operational security by avoiding traditional command-and-control (C2) infrastructure, making detection more difficult for defenders.
Moreover, UNC1860 uses a diverse set of custom utilities designed to bypass common detection methods, relying on techniques like custom Base64 encoding and XOR encryption. Mandiant assesses this ability to evade detection, coupled with the group's proficiency in leveraging Windows kernel components, makes UNC1860 a formidable adversary in the cyber domain.
## Microsoft Analysis
The actor that Microsoft tracks as [Storm-0861](https://security.microsoft.com/intel-profiles/e75c30dac03473d46bf83d32cefa79cdbd4f16ee8fd4eb62cf714d7ba9c8de00) is an Iran-based activity group known to target organizations in the Middle East. Like Mandiant, Microsoft has also observed possible collaboration between Storm-0861 and another MOIS-affiliated actor, [Storm-0842](https://security.microsoft.com/intel-profiles/0c1349b0f2bd0e545d4f741eeae18dd89888d3c0fbf99540b7cf623ff5bb2bf5).
In December 2023, operators associated with Storm-0842 [deployed a destructive payload on hundreds of devices belonging to multiple organizations in Albania](https://security.microsoft.com/intel-explorer/articles/ccc23671). Storm-0842 likely leveraged access that Storm-0861 obtained in June 2023, making this incident the third intrusion since 2022 where Microsoft has observed these groups each play a role in an environment where a destructive tool was ultimately used. To this end, activity observed in December 2023 further bolsters confidence in Microsoft's assessment that Storm-0861 and Storm-0842 collaborate to achieve shared objectives.
While the specific nature of the relationship between these groups is unknown, the parallels between activity observed in Albania in December 2023, activity [observed](https://security.microsoft.com/intel-explorer/articles/cf205f30) at an Israeli organization in October 2023, and [activity in Albania in 2022](https://security.microsoft.com/intel-explorer/articles/5491ec4b) suggest Storm-0861's ability to gain access and collect information can be used to provide Storm-0842 with the access needed to achieve their objectives. This further implies that other organizations affected by Storm-0861 threat activity might be at risk of Storm-0842 follow-on operations later, if such action is deemed desirable by the group's sponsors. Additionally, the ability to leverage capabilities from multiple groups lowers the barrier to entry for both groups and effectively removes the need for either group |
Malware
Tool
Threat
Cloud
|
APT 34
|
★★★
|
 |
2024-09-19 14:00:00 |
UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks (direct link) |
Written by: Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik
Executive Summary
UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.
UNC1860's tradecraft and targeting parallels with Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860.
UNC1860 additionally maintains an arsenal of utilities and collection of “main-stage” passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors includes a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group's reverse engineering capabilities of Windows kernel components and detection evasion capabilities. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we belie |
Malware
Tool
Vulnerability
Threat
Cloud
Technical
|
APT 34
|
★★★
|
 |
2024-09-16 11:20:34 |
Weekly OSINT Highlights, 16 September 2024 (direct link) |
## Snapshot
Last week's OSINT reporting highlighted a broad array of cyber threats, with ransomware activity and espionage campaigns prominently featured. Russian and Chinese APT groups were particularly in the spotlight, with Aqua Blizzard targeting Ukrainian military personnel and Twill Typhoon affecting governments in Southeast Asia. RansomHub, a ransomware-as-a-service (RaaS) variant, and the newly emerged Repellent Scorpius also exploited known vulnerabilities and abused legitimate tools, employing double extortion tactics. Emerging malware, including infostealers like YASS and BLX Stealer, underscores the growing trend of targeting sensitive consumer data and cryptocurrency wallets, demonstrating the adaptability of threat actors in an evolving digital landscape.
## Description
1. [TIDRONE Targets Taiwanese Military](https://sip.security.microsoft.com/intel-explorer/articles/14a1a551): Trend Micro reports that the Chinese-speaking threat group, TIDRONE, has targeted Taiwanese military organizations, particularly drone manufacturers, since early 2024. Using advanced malware (CXCLNT and CLNTEND), the group infiltrates systems through ERP software or remote desktops, engaging in espionage.
2. [Predator Spyware Resurfaces with New Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/b0990b13): Insikt Group reports that Predator spyware, often used by government entities, has resurfaced in countries like the Democratic Republic of the Congo and Angola. With upgraded infrastructure to evade detection, Predator targets high-profile individuals such as politicians and activists through one-click and zero-click attack vectors.
3. [Ransomware Affiliates Exploit SonicWall](https://sip.security.microsoft.com/intel-explorer/articles/07f23184): Akira ransomware affiliates exploited a critical SonicWall SonicOS vulnerability (CVE-2024-40766) to gain network access. Targeting firewalls, they bypassed security via local accounts, leading to breaches in organizations with disabled multifactor authentication.
4. [RansomHub Ransomware Threatens Critical Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/650541a8): RansomHub ransomware-as-a-service has attacked over 210 victims across critical infrastructure sectors since early 2024, using double extortion tactics. The group gains entry via phishing, CVE exploits, and password spraying, and exfiltrates data using tools like PuTTY and Amazon S3.
5. [YASS Infostealer Targets Sensitive Data](https://sip.security.microsoft.com/intel-explorer/articles/d056e554): Intezer discovered "Yet Another Silly Stealer" (YASS), a variant of CryptBot, deployed through a multi-stage downloader called “MustardSandwich.” YASS targets cryptocurrency wallets, browser extensions, and authentication apps, using obfuscation and encrypted communications to evade detection.
6. [WhatsUp Gold RCE Attacks](https://sip.security.microsoft.com/intel-explorer/articles/b89cbab7): Exploiting vulnerabilities in WhatsUp Gold (CVE-2024-6670, CVE-2024-6671), attackers executed PowerShell scripts via NmPoller.exe to deploy RATs like Atera Agent and Splashtop. These attacks highlight the risk of delayed patching and underscore the importance of monitoring vulnerable processes.
7. [Repellent Scorpius Expands RaaS Operations](https://sip.security.microsoft.com/intel-explorer/articles/1f424190): Unit 42 reports on the emerging ransomware group Repellent Scorpius, known for using Cicada3301 ransomware in double extortion attacks. The group recruits affiliates via Russian cybercrime forums and uses stolen credentials to execute attacks on various sectors globally.
8. [APT34's Advanced Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/6289e51f): Check Point Research identified Iranian-linked APT34 targeting Iraqi government networks with sophisticated malware ("Veaty" and "Spearal"). Using DNS tunneling and backdoors, the group exploited email accounts for C2 communications, reflecting advanced espionage techniques.
9 |
Ransomware
Malware
Tool
Vulnerability
Threat
Patching
Prediction
Cloud
|
APT 34
|
★★
|
 |
2024-09-12 16:19:00 |
Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack (direct link) |
Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig.
The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis.
OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, |
Malware
Threat
|
APT 34
|
★★★
|
 |
2024-09-11 23:46:33 |
Targeted Iranian Attacks Against Iraqi Government Infrastructure (direct link) |
#### Targeted Geolocations
- Iraq
#### Targeted Industries
- Government Agencies & Services
## Snapshot
Check Point Research recently identified new malware families named "Veaty" and "Spearal" in a campaign targeting Iraqi entities, including government networks.
## Description
The malware used in these attacks employs sophisticated techniques such as a passive Internet Information Services (IIS) backdoor, DNS tunneling, and command-and-control (C2) communication via compromised email accounts. This C2 channel, which uses email accounts infiltrated within the targeted organizations, indicates that the attackers successfully penetrated the victims' networks. The campaign shows similarities with previous attacks attributed to APT34, an Iranian MOIS-affiliated threat group known for its operations in the Middle East that Microsoft tracks as [Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d).
The newly discovered malware, "Spearal", is a .NET-based backdoor that communicates via DNS tunneling. It encodes data in the subdomains of DNS queries using a custom Base32 scheme. "Veaty", another .NET-based backdoor, uses compromised email accounts for C2 communications and employs several tactics to evade detection, such as disabling SSL/TLS certificate verification. The malware uses specific rules and configurations to move command-related emails to hidden folders, minimizing the chances of being discovered.
The initial infection vectors involve files disguised as legitimate document attachments, using double extensions such as "avamer.pdf.exe" or "protocol.pdf.exe" to deceive users. Once executed, these files deploy the malware via PowerShell or PyInstaller scripts, which manipulate registry entries and files for persistence. In addition, the campaign's toolkit includes a new variant of the IIS backdoor named "CacheHttp.dll", which likely evolved from older versions such as "RGDoor", showing the attackers' continued adaptation and refinement of their methods.
According to Check Point Research, the tactics, techniques, and procedures (TTPs) employed in this campaign align closely with those of known APT34 malware families such as Karkoff and Saitama. These tools show similarities in code structure and functionality, including DNS- and email-based tunneling for C2 communications. The coordinated use of these advanced tools and unique C2 methods highlights the targeted and persistent efforts of Iranian threat actors against Iraqi government infrastructure.
## Microsoft Analysis
Microsoft Threat Intelligence assesses that the malicious activity described in this report is attributed to [Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d) based on the IOCs and the group's previously observed tactics, techniques, and procedures (TTPs). Hazel Sandstorm is a composite name used to describe several activity subgroups assessed to have ties to Iran's Ministry of Intelligence and Security, the primary civilian intelligence agency in Iran. Microsoft tracks these subgroups as [Storm-0133](https://security.microsoft.com/intel-profiles/0299fedd0f9f7671535556aae448f01ef9c3a75648558cc5a22ba6641c619939), Storm-0150, [Storm-0166](HTTPS://15 FCDE209955569784F44E34D191E57D1F933C13D5E6B87C304 |
Malware
Tool
Threat
|
APT 34
|
★★
|
 |
2024-09-04 18:51:15 |
Fake Palo Alto GlobalProtect used as lure to backdoor enterprises (direct link) |
## Snapshot
Researchers at Trend Micro have identified a campaign in which threat actors use a fake version of the Palo Alto GlobalProtect tool, targeting organizations in the Middle East.
## Description
The malware, disguised as a legitimate security solution, can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions. The malware's delivery method is unclear, but it is suspected to have been part of a phishing attack that tricks victims into believing they are installing a legitimate GlobalProtect agent. The attack leads the victim to run a file named 'setup.exe', which deploys the malicious 'GlobalProtect.exe' and configuration files. The malware then transmits profiling information to a command-and-control (C2) server, using the Advanced Encryption Standard (AES) for evasion. In addition, the malware pivots to a newly registered URL, "sharjahconnect", designed to resemble a legitimate VPN portal for a company based in the United Arab Emirates (UAE). The malware communicates with the threat actors using the open-source Interactsh tool for beaconing, contacting specific hostnames to report infection progress and collect information about the victims. Trend Micro assesses that the campaign targets Middle Eastern entities based on the specific regional focus of the domain and the origin of the submission.
## Microsoft Analysis
Microsoft assesses this malicious activity is attributed to [Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d), a composite name used to describe several activity subgroups assessed to have ties to Iran's Ministry of Intelligence and Security (MOIS), the primary civilian intelligence agency in Iran. The subgroups are [Storm-0133](https://security.microsoft.com/intel-profiles/0299fedd0f9f7671535556aae448f01ef9c3a75648558cc5a22ba6641c619939), Storm-0150, Storm-0166, [Storm-0755](https://security.microsoft.com/intel-profiles/dfe14233e7fe59a1099c5b41ab0e4d8ed24aebed38bc0615b15b9c71f98d5189), and [Storm-0861](https://security.microsoft.com/intel-profiles/e75c30dac03473d46bf83d32cefa79cdbd4f16ee8fd4eb62cf714d7ba9c8de00). Hazel Sandstorm operators are known to pursue targets in the public and private sectors in Europe, the Middle East, and North America. In past operations, Hazel Sandstorm has used a combination of custom and commodity tools in their intrusions, likely as a means of gathering intelligence to support Iranian national objectives. Activity Microsoft tracks under the broad Hazel Sandstorm umbrella overlaps with public reporting on APT34, Cobalt Gypsy, Helix Kitten, and OilRig.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access your network.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exp |
Malware
Tool
Threat
Prediction
|
APT 34
|
★★
|
 |
2024-05-28 17:37:40 |
Weekly OSINT Highlights, 28 May 2024 (direct link) |
## Snapshot
Last week's OSINT reporting reveals a diverse array of sophisticated cyber threats targeting various sectors, including financial institutions, government entities, and academic organizations. The reports highlight a variety of attack types such as banking trojans, stealers, crypto mining malware, ransomware, and remote access trojans (RATs). Attack vectors include malspam campaigns, spear-phishing emails, search engine advertisements, and trojanized software packages. Threat actors range from financially motivated groups like UAC-0006 and Ikaruz Red Team to state-sponsored entities such as the Chinese-linked "Unfading Sea Haze" and the Iranian Void Manticore. These actors employ advanced techniques like fileless malware, DLL sideloading, and custom keyloggers to achieve persistence and data exfiltration. The targets of these attacks are geographically widespread, encompassing North and South America, the South China Sea region, the Philippines, and South Korea, underscoring the global reach and impact of these threats.
## Description
1. **[Metamorfo Banking Trojan Targets North and South America](https://security.microsoft.com/intel-explorer/articles/72f52370)**: Forcepoint reports that the Metamorfo (Casbaneiro) banking trojan spreads through malspam campaigns, using HTML attachments to initiate system metadata collection and steal user data. This malware targets banking users in North and South America by employing PowerShell commands and various persistence mechanisms.
2. **[Unfading Sea Haze Targets South China Sea Military and Government Entities](https://security.microsoft.com/intel-explorer/articles/c95e7fd5)**: Bitdefender Labs identified a Chinese-linked threat actor, "Unfading Sea Haze," using spear-phishing emails and fileless malware to target military and government entities in the South China Sea region. The campaign employs tools like SerialPktdoor and Gh0stRAT to exfiltrate data and maintain persistence.
3. **[Acrid, ScarletStealer, and Sys01 Stealers](https://security.microsoft.com/intel-explorer/articles/8ca39741)**: Kaspersky describes three stealers (Acrid, ScarletStealer, and Sys01) targeting various global regions. These stealers focus on stealing browser data, cryptocurrency wallets, and credentials, posing significant financial risks by exfiltrating sensitive user information.
4. **[REF4578 Crypto Mining Campaign](https://security.microsoft.com/intel-explorer/articles/c2420a77)**: Elastic Security Labs reports on REF4578, an intrusion set leveraging vulnerable drivers to disable EDRs for deploying Monero crypto miners. The campaign's GHOSTENGINE module ensures persistence and termination of security agents, targeting systems for crypto mining.
5. **[SmokeLoader Malware Campaign in Ukraine](https://security.microsoft.com/intel-explorer/articles/7bef5f52)**: CERT-UA observed the UAC-0006 threat actor distributing SmokeLoader malware via phishing emails in Ukraine. The campaign downloads additional malware like Taleshot and RMS, targeting remote banking systems and increasing fraud schemes.
6. **[Ikaruz Red Team Targets Philippines with Modified Ransomware](https://security.microsoft.com/intel-explorer/articles/624f5ce1)**: The hacktivist group Ikaruz Red Team uses leaked LockBit 3 ransomware builders to attack Philippine organizations, aligning with other hacktivist groups like Turk Hack Team. The group engages in politically motivated data leaks and destructive actions.
7. **[Grandoreiro Banking Trojan Campaign](https://security.microsoft.com/intel-explorer/articles/bc072613)**: IBM X-Force tracks the Grandoreiro banking trojan, which operates as Malware-as-a-Service (MaaS) and targets over 1500 global banks. The malware uses advanced evasion techniques and spreads through phishing emails, aiming to commit banking fraud worldwide.
8. **[Void Manticore's Destructive Wiping Attacks](https://security.microsoft.com/intel-explorer/articles/d5d5c07f)**: Check Point Research analyzes the Iranian threat actor Void Manticore, conducting destructive wip |
Ransomware
Malware
Hack
Tool
Threat
|
APT 34
|
★★★
|
 |
2024-05-22 15:21:21 |
Bad Karma, No Justice: Void Manticore Destructive Activities in Israel (direct link) |
#### Targeted Geolocations
- Israel
## Snapshot
Check Point Research published an analysis of the Iranian threat actor Void Manticore, the actor Microsoft tracks as Storm-0842. Affiliated with the Ministry of Intelligence and Security (MOIS), Void Manticore carries out destructive wiping attacks combined with influence operations. The threat actor operates several online personas, the most prominent being Homeland Justice for attacks in Albania and Karma for attacks carried out in Israel.
## Description
There are clear overlaps between the targets of Void Manticore and Scarred Manticore (aka Storm-0861), with indications of systematic hand-off of targets between these two groups when they decide to conduct destructive activities against existing Scarred Manticore victims. The documented hand-off procedures between these groups suggest a consistent level of planning and give Void Manticore access to a broader set of targets, facilitated by their counterparts' advanced capabilities. This collaboration positions Void Manticore as an exceptionally dangerous actor in the Iranian threat landscape.
Void Manticore uses five different methods to conduct disruptive operations against its victims. These include several custom wipers for Windows and Linux, as well as manual deletion of files and shared drives. In their latest attacks, Void Manticore used a custom wiper called BiBi Wiper, referencing the nickname of Israel's Prime Minister, Benjamin Netanyahu. The wiper was deployed in several campaigns against multiple entities in Israel and has variants for Linux and Windows.
## Microsoft Analysis
Microsoft Threat Intelligence tracks Void Manticore as [Storm-0842](https://security.microsoft.com/intel-profiles/0c1349b0f2bd0e545d4f741eeae18dd89888d3c0fbf99540b7cf623ff5bb2bf5), an actor affiliated with the Ministry of Intelligence and Security (MOIS). Since 2022, Microsoft has observed several instances where Storm-0842 deployed a destructive tool in an environment previously compromised by [Storm-0861](https://security.microsoft.com/intel-profiles/e75c30dac03473d46bf83d32cefa79cdbd4f16ee8fd4eb62cf714d7ba9c8de00), another group with ties to MOIS.
Since 2022, Microsoft has observed that the majority of operations involving Storm-0842 have affected organizations in [Albania](https://security.microsoft.com/intel-explorer/articles/5491ec4b) and Israel. In particular, Microsoft observed operators associated with Storm-0842 opportunistically [deploy the BiBi wiper in response to the Israel-Hamas war](https://security.microsoft.com/intel-explorer/articles/cf205f30).
## Detections
Microsoft Defender Antivirus detects several variants (Windows and Linux) of the BiBi wiper as the following malware:
- [DoS:Win32/WprBlightre](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=dos:win32/wprblightre.b!dha&threatid=-2147072872) (Windows)
- [DoS:Linux/WprBlightre](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=dos:linux/wprblightre.a&threatid=-2147072991) (Linux)
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Read our [Ransomware as a service blog](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware) for guidance on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sigh |
Ransomware
Malware
Tool
Threat
|
APT 34
|
★★★
|
 |
2023-12-14 18:00:00 |
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders (direct link) |
The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel.
The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader |
Malware
Threat
|
APT 34
|
★★
|
 |
2023-12-14 16:30:00 |
Iran-linked hackers develop new malware downloaders to infect victims in Israel (direct link) |
A cyber-espionage group linked to the Iranian government developed several new malware downloaders over the past two years and has recently been using them to target organizations in Israel. Researchers at the Slovakia-based company ESET attributed the newly discovered downloaders to the Iranian advanced persistent threat group OilRig, also known as APT34. Previous reports said |
Malware
Threat
|
APT 34
|
★★
|
 |
2023-11-02 14:46:00 |
'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet (direct link) |
The government-backed APT's new malware framework represents a step up in Iran's cyber sophistication. |
Malware
|
APT 34
|
★★★
|
 |
2023-11-01 08:20:47 |
Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware (direct link) |
By Deeba Ahmed
Researchers believe that the primary goal behind this campaign is espionage.
This is a post from HackRead.com Read the original post: Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware |
Malware
|
APT 34
|
★★★
|
 |
2023-10-31 19:45:32 |
From Albania to the Middle East: The Scarred Manticore is Listening (lien direct) |
#### Description
Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTAIL implants use direct calls to the Windows HTTP stack driver HTTP.sys to load memory-resident payloads.
The current campaign peaked in mid-2023, going under the radar for at least a year. The campaign targets high-profile organizations in the Middle East with a focus on government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs. Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants. While the main motivation behind Scarred Manticore's operation is espionage, some of the tools described in this report have been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure (referred to as DEV-0861).
#### Reference URL(s)
1. https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/
#### Publication Date
October 31, 2023
#### Author(s)
Check Point Research
|
Malware
Tool
|
APT 34
|
★★
|
 |
2023-10-31 16:30:00 |
Scarred Manticore Targets Middle East With Advanced Malware (direct link) |
Discovered by Check Point Research (CPR) and Sygnia, the campaign peaked in mid-2023 |
Malware
|
APT 34
|
★★★
|
 |
2023-10-31 10:56:45 |
Unraveling the Scarred Manticore Saga: A Riveting Epic of High-Stakes Espionage Unfolding in the Heart of the Middle East (direct link) |
Highlights: 1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy, sophisticated spying operation in the Middle East. Using their latest malware framework, LIONTAIL, they have been flying under the radar for over a year. 2. Targeted Sectors: The campaign focuses on big players: government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets. 3. Evolution of Tactics: Scarred Manticore's playbook has evolved from basic web shell attacks on Windows Servers to […]
|
Malware
Tool
Threat
|
APT 34
|
★★
|
 |
2023-10-25 19:00:00 |
Netskope Threat Coverage: Menorah (direct link) |
Summary: In October 2023, Netskope analyzed a malicious Word document and the malware it contained, dubbed "Menorah." The malware was attributed to the advanced persistent threat group APT34, and was reported to be distributed via spear-phishing. The malicious Office file uses dispersed and obfuscated VBA code to evade detection. The advanced persistent threat group targets […]
|
Malware
Threat
|
APT 34
|
★★
|
 |
2023-10-02 17:19:00 |
Iran-Linked APT34 Spy Campaign Targets Saudis (direct link) |
The Menorah malware can upload and download files, as well as execute shell commands. |
Malware
|
APT 34
|
★★★
|
 |
2023-09-30 14:51:00 |
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations (direct link) |
Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah.
"The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy |
Malware
Prediction
|
APT 34
|
★★★
|
 |
2023-09-29 18:15:00 |
Alleged Iranian hackers target victims in Saudi Arabia with new spying malware (direct link) |
Suspected Iranian hackers recently launched a new cyber espionage operation, infecting their victims with the newly discovered Menorah malware, according to a report published Friday. The hacking group APT34, also known as OilRig, Cobalt Gypsy, IRN2 and Helix Kitten, is believed to be based in Iran. It has been targeting Middle Eastern countries since at |
Malware
|
APT 34
|
★★
|
 |
2023-09-29 00:00:00 |
APT34 Deploys Phishing Attack With New Malware (direct link) |
We observed and tracked the advanced persistent threat (APT) group APT34 with a new malware variant accompanying a phishing attack comparatively similar to the SideTwist backdoor malware. Following the campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia. |
Malware
Threat
|
APT 34
|
★★★
|
 |
2023-09-22 10:26:15 |
ESET discovers that the OilRig group has deployed new malware against Israeli victims (direct link) |
Overview of OilRig's Outer Space compromise chain
• ESET Research analyzed two campaigns carried out by the OilRig group in 2021 (Outer Space) and 2022 (Juicy Mix). This APT group is aligned with Iran's interests.
• The operators exclusively targeted Israeli organizations and compromised legitimate Israeli websites to use them as command and control (C&C / C2) infrastructure.
• They used a new, previously unseen backdoor in each campaign: Solar in Outer Space, then its successor Mango in Juicy Mix.
• A wide variety of tools was deployed following the compromises. These tools were used to collect sensitive information from major browsers and the Windows Credential Manager.
-
Malwares |
Malware
Tool
|
APT 34
|
★★★
|
 |
2023-05-24 15:17:19 |
New PowerExchange malware backdoors Microsoft Exchange servers (direct link) |
A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premises Microsoft Exchange servers. [...] |
Malware
|
APT 34
|
★★
|
 |
2023-02-03 16:00:00 |
New Credential-Stealing Campaign By APT34 Targets Middle East Firms (direct link) |
The malware had additional exfiltration techniques compared to previously studied variants |
Malware
|
APT 34
|
★★
|
 |
2023-02-02 00:00:00 |
New APT34 Malware Targets The Middle East (direct link) |
We analyze an infection campaign targeting organizations in the Middle East for cyberespionage in December 2022 using a new backdoor malware. The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers. |
Malware
|
APT 34
|
★★
|
 |
2022-09-13 15:00:00 |
Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Investigates Iranian Attacks Against the Albanian Government
(published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.
Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in what it sees as direct and proportional retaliation. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
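The "MITRE ATT&CK:" and "Tags:" lines in these digests are free text, which is awkward to load into a TIP or SIEM as structured indicators. The parser below is an added example written for this page, not code from Anomali or from any project it describes; the `Story` and `parse_story` names are its own, and the sample block is the story above with the body paragraphs trimmed. It pulls out technique IDs with their ATT&CK names, CVE identifiers, and `key:value` tags such as `target-country:AL`, and de-duplicates repeated tags (the April 2021 digest lists DNSpionage twice).

```python
import re
from dataclasses import dataclass

# Constructed sample: the story above, body paragraphs trimmed.
STORY = """Microsoft Investigates Iranian Attacks Against the Albanian Government
(published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran's Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
"""

# One "[MITRE ATT&CK] <name> - T<id>" entry; sub-technique IDs (T1059.001) are accepted too.
TECHNIQUE_RE = re.compile(r"\[MITRE ATT&CK\]\s*(?P<name>.+?)\s*-\s*(?P<id>T\d{4}(?:\.\d{3})?)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}$")
PUBLISHED_RE = re.compile(r"^\(published:\s*(?P<date>.+?)\)$")


@dataclass
class Story:
    title: str
    published: str
    techniques: dict   # technique ID -> ATT&CK name, in the order listed
    cves: list         # CVE IDs found in the Tags line
    tags: list         # plain tags, de-duplicated, order preserved
    attributes: dict   # key -> list of values for key:value tags


def _add_unique(seq, item):
    if item not in seq:
        seq.append(item)


def parse_story(text):
    """Turn one digest story block (title, published line, body, ATT&CK, Tags) into a Story."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty story block")
    story = Story(title=lines[0], published="", techniques={}, cves=[], tags=[], attributes={})
    for line in lines[1:]:
        m = PUBLISHED_RE.match(line)
        if m:
            story.published = m.group("date")
        elif line.startswith("MITRE ATT&CK:"):
            for t in TECHNIQUE_RE.finditer(line):
                # first occurrence wins, so a repeated ID keeps its original name
                story.techniques.setdefault(t.group("id"), t.group("name"))
        elif line.startswith("Tags:"):
            for raw in line[len("Tags:"):].split(","):
                tag = raw.strip()
                if not tag:
                    continue
                if CVE_RE.match(tag):
                    _add_unique(story.cves, tag)
                elif ":" in tag:
                    key, value = (part.strip() for part in tag.split(":", 1))
                    _add_unique(story.attributes.setdefault(key, []), value)
                else:
                    _add_unique(story.tags, tag)
    return story


if __name__ == "__main__":
    s = parse_story(STORY)
    print(s.title, "|", s.published)
    print("techniques:", s.techniques)
    print("cves:", s.cves)
    print("attributes:", s.attributes)
```

Body paragraphs are ignored on purpose; the only lines with a stable shape are the published date, the ATT&CK mapping and the Tags list, and those are what a blocklist or a detection-coverage report needs.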
BRONZE PRESIDENT Targets Government Officials
(published: September 8, 2022)
Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | |
Ransomware
Malware
Tool
Vulnerability
Threat
Guideline
|
APT 27
APT 34
|
|
 |
2022-08-06 10:46:21 |
CISO workshop slides (direct link) |
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): |
Malware
Vulnerability
Threat
Patching
Guideline
Medical
Cloud
|
Uber
APT 38
APT 37
APT 28
APT 19
APT 15
APT 10
APT 34
Guam
|
|
 |
2022-05-17 15:01:00 |
Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
COBALT MIRAGE Conducts Ransomware Operations in U.S.
(published: May 12, 2022)
Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement.
Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591
SYK Crypter Distributing Malware Families Via Discord
(published: May 12, 2022)
Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d |
Ransomware
Malware
Tool
Vulnerability
Threat
Conference
|
APT 35
APT 15
APT 34
|
|
 |
2022-02-09 03:25:23 |
Iranian Hackers Using New Marlin Backdoor in 'Out to Sea' Espionage Campaign (direct link) |
An advanced persistent threat (APT) group with ties to Iran has refreshed its malware toolset to include a new backdoor dubbed Marlin as part of a long-running espionage campaign that started in April 2018.
Slovak cybersecurity company ESET attributed the attacks - code named Out to Sea - to a threat actor called OilRig (aka APT34), while also conclusively connecting its activities to a second |
Malware
Threat
|
APT 34
|
|
 |
2021-04-13 15:49:00 |
Anomali Cyber Watch: Android Malware, Government, Middle East and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Iran’s APT34 Returns with an Updated Arsenal
(published: April 8, 2021)
Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064
Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East
New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp
(published: April 7, 2021)
Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.
Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.
Tags: Android, FlixOnline, WhatsApp
|
Ransomware
Malware
Vulnerability
Threat
Guideline
|
APT 34
|
|
 |
2021-04-08 06:37:05 |
Researchers uncover a new Iranian malware used in recent cyberattacks (direct link) |
An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems.
Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with previous techniques used by the threat actor as well as based on its pattern of victimology.
APT34 (aka OilRig) is |
Malware
Threat
|
APT 34
|
|
 |
2021-03-02 15:00:00 |
Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More (direct link) |
We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, and the associated tactics, techniques, and procedures (TTPs) to empower automated response actions proactively.
We hope you find this version informative and useful. If you haven’t already subscribed get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
(published: February 26, 2021)
Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | |
Ransomware
Malware
Threat
|
Wannacry
Wannacry
APT 29
APT 28
APT 31
APT 34
|
|
 |
2019-12-17 14:40:28 |
Poison Frog Malware Samples Reveal OilRig's Sloppiness (direct link) |
An analysis of a new backdoor called “Poison Frog” revealed that the OilRig threat group was sloppy in its development of the malware. Kaspersky Lab came across Poison Frog while scanning its archives using its YARA rule to hunt for new and old malware samples employed by OilRig. It launched this investigatory effort shortly after […]… Read More
|
Malware
Threat
|
APT 34
|
|
 |
2019-12-05 01:07:48 |
ZeroCleare: New Iranian Data Wiper Malware Targeting Energy Sector (direct link) |
Cybersecurity researchers have uncovered a new, previously undiscovered destructive data-wiping malware that is being used by state-sponsored hackers in the wild to target energy and industrial organizations in the Middle East.
Dubbed ZeroCleare, the data wiper malware has been linked to not one but two Iranian state-sponsored hacking groups: APT34, also known as ITG13 and OilRig, and Hive0081, |
Malware
|
APT 34
|
|
 |
2019-10-21 15:29:10 |
Russian Hackers Use Iranian Threat Group's Tools, Servers as Cover (direct link) |
The Russian-backed Turla cyber-espionage group used stolen malware and hijacked infrastructure from the Iranian-sponsored OilRig to attack targets from dozens of countries according to a joint United Kingdom's National Cyber Security Centre (NCSC) and U.S. National Security Agency (NSA) advisory published today. [...] |
Malware
Threat
|
APT 34
|
|
 |
2019-07-23 14:40:03 |
Iranian Hackers Send Out Fake LinkedIn Invitations Laced With Malware (lien direct) |
U.S. cybersecurity firm FireEye has warned of a malicious phishing campaign that it has attributed to the Iranian-linked APT34, whose activity has been reported elsewhere as OilRig and Greenbug. The campaign has been targeting LinkedIn users with plausible but bogus invitations to join a professional network and emailed attachments laced with malware that seeks to infect systems with a hidden backdoor …
|
Malware
|
APT 34
|
|
 |
2019-07-22 08:04:00 |
New APT34 campaign uses LinkedIn to deliver fresh malware (lien direct) |
The APT34 group continues its cyber espionage activity; its members were posing as a researcher from Cambridge to infect victims with three new malware families. Experts at FireEye have uncovered a new espionage campaign carried out by the APT34 group (OilRig, HelixKitten, Greenbug) through LinkedIn. Members of the cyberespionage group were posing as a researcher from Cambridge […]
|
Malware
|
APT 24
APT 34
|
|
 |
2019-07-19 17:46:01 |
Iranian Hackers Use New Malware in Recent Attacks (lien direct) |
The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.
|
Malware
|
APT 34
|
★★★
|
 |
2019-07-18 10:00:00 |
Hard Pass: Declining APT34's Invite to Join Their Professional Network (lien direct) |
Background
With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.
|
Malware
|
APT 34
|
★★★★
|
 |
2019-04-18 20:47:05 |
Analyzing OilRig's malware that uses DNS Tunneling (lien direct) |
Security researchers at Palo Alto Networks report that the Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns. OilRig is an Iran-linked APT group that has been […]
|
Malware
|
APT 34
|
|
 |
2018-09-13 21:19:00 |
OilRig APT Continues Its Ongoing Malware Evolution (lien direct) |
The Iran-linked APT appears to be in a state of continuous tool development, analogous to the DevOps efforts seen in the legitimate software world. |
Malware
Tool
|
APT 34
|
|
 |
2018-09-06 13:00:00 |
Malware Analysis using Osquery Part 2 (lien direct) |
In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload.
In this post, we are going to see another common technique that malware uses, persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables.
Registry Persistence
In this case, we will analyze a piece of malware built with the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts the user's personal documents and demands an amount of Bitcoin to have all files restored.
https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707
Opening the sample with a .NET debugger, we can see that it first creates a new file in the user's temp directory and writes a new value under the "CurrentVersion\Run" registry key of the user's hive pointing to that file. The malware will then be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay on the system.
If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, the query we used in Part 1 of this series to log files written to disk can also be used here to detect the file planted in the user's temp directory: it simply searches for files written under the Users directories in the last 100 seconds.
Additionally, we can search for the new entry created in the registry hive. For that, we can use the 'registry' Osquery table, which allows us to query every registry entry on the system. We can also use the 'startup_items' table, which covers a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry pointing to the 'shrug.exe' file discovered with the first query.
The file shrug.exe is also written with the .NET framework, so we can open it in the debugger as well and look at some interesting parts. This file first checks whether the system is already infected. If not, it creates a new registry key with the same name to store the installation parameters.
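The detection described above, as an added example that is not taken from the original post: osquery SQL against the standard file, registry and startup_items tables. The Temp directory, the 100-second window and the filename shrug.exe come from the post's description; the exact column names assume current osquery table schemas.

```sql
-- Added example (not the original post's queries): surfacing Run-key
-- persistence with osquery. Assumes the standard file, registry,
-- startup_items and time tables.

-- 1. Files written under any user's Temp directory in the last 100 seconds
--    (the Part 1 idea reused; the file table needs a LIKE/= constraint on path).
SELECT path, size, datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE 'C:\Users\%\AppData\Local\Temp\%'
  AND mtime > (SELECT unix_time FROM time) - 100;

-- 2. Run-key values in every loaded user hive (HKEY_USERS\<SID>\...\Run).
--    A value whose data points into a Temp directory is the suspect entry.
SELECT key, name, data, datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
  AND data LIKE '%\Temp\%';

-- 3. The same entry as seen through startup_items, which already enumerates
--    the predefined autostart locations for each user.
SELECT name, path, source, username, status
FROM startup_items
WHERE path LIKE '%shrug.exe%';
```

Query 2 is the one worth scheduling: it is independent of the sample's filename and flags any Run value that launches something from a Temp path.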
|
Malware
Threat
|
APT 34
|
★★★
|
|