What's new arround internet
Last one

Src Date (GMT) Titre Description Tags Stories Notes
RiskIQ.webp 2024-10-11 21:41:42 Earth Simnavaz (alias Apt34) prélève des cyberattaques avancées contre les régions des EAU et du Golfe
Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions (lien direct)		 #### Géolocations ciblées - Émirats arabes unis ## Instantané Les chercheurs de Trend Micro ont identifié une campagne de cyber-espionnage par Earth Simnavaz, également connu sous le nom d'APT34 et suivi par Microsoft comme [Hazel Sandstorm] (https: //security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d), ciblant les entités gouvernementales enLes EAU et la région du Golfe. ## Description Le groupe utilise des tactiques sophistiquées pour maintenir la persistance et exfiltrer des données sensibles, en utilisant une porte dérobée qui exploite les serveurs d'échange Microsoft pour le vol d'identification et le tirage de vulnérabilités comme le CVE-2024-30088 pour l'escalade des privilèges.Ils utilisent un mélange d'outils .NET personnalisés, de scripts PowerShell et de logiciels malveillants basés sur IIS, tels que la porte dérobée de Karkoff, pour mélanger l'activité malveillante avec le trafic réseau normal et l'évasion de la détection. La méthode d'infiltration initiale consiste à télécharger un shell Web sur un serveur Web vulnérable, permettant l'exécution du code PowerShell et des transferts de fichiers pour se développer.Les acteurs de la menace télécharge ensuite l'outil de gestion à distance NGROK pour faciliter le mouvement latéral et atteindre le contrôleur de domaine.Le groupe enregistre une DLL de filtre de mot de passe pour capturer les modifications de mot de passe et exfiltrant les informations d'identification cryptées via des serveurs d'échange gouvernementaux légitimes à l'aide d'un outil identifié comme Stealhook.Ils utilisent également une tâche planifiée exécutant un script nommé "U.PS1" pour persévérance et sont connus pour remplacer ce script par un script non fonctionnel pour entraver les efforts d'enquête. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - durcir les actifs orientés Internet et identifier et sécuriser les systèmes de périmètre que les attaquants pourraient utiliser pour accéder à votre réseau. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-antivirus) dans Microsoft Defender Antivirus ou leÉquivalent pour que votre produit antivirus couvre des outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [SmartScreen] (https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx), qui identifie et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'escroquerie et des sitesqui contiennent des exploits et hébergent des logiciels malveillants. ## Détections / requêtes de chasse ### Microsoft Defender pour le point de terminaison Les alertes avec les titres suivants dans le centre de sécurité peuvent indiquer une activité de menace sur votre réseau: - Activité de l'acteur de sable noisette détectée ## références [Earth Simnavaz (alias APT34) LEVIES CYBERATTADES AVANCÉES AVANT LES ÉMORS ET GULFERégions] (https://www.trendmicro.com/en_us/research/24/j/arth-simnavaz-cyberattacks-uae-gulf-regions.html).Trendmicro (consulté en 2024-10-11) [Hazel Sandstorm] (https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d).Microsoft (consulté en 2024-10-11) ## Copyright **&copie;Microsoft 2024 **.Tousdroits réservés.La reproduction ou la distribution du contenu de ce site, ou de toute partie de celle-ci, sans l'autorisation écrite de Microsoft est interdite.
#### Targeted Geolocations - United Arab Emirates ## Snapshot Researchers at Trend Micro have identif		 Malware Tool Vulnerability Threat Prediction APT 34 ★★★
RiskIQ.webp 2024-09-19 21:39:29 UNC1860 and the Temple of Oats: Iran\'s Hidden Hand in Middle Eastern Networks (lien direct) #### Targeted Geolocations - Middle East ## Snapshot Mandiant released a report detailing the activities of UNC1860, a threat actor Mandiant assesses is likely affiliated with Iran\'s Ministry of Intelligence and Security (MOIS). ## Description This group is known for its sophisticated toolkit and passive backdoors, which allow it to gain persistent access to high-priority networks, such as government and telecommunications organizations in the Middle East. Mandiant assesses that UNC1860\'s tradecraft is similar to other Iran-based groups like Shrouded Snooper, Scarred Manticore, and the group Microsoft tracks as [Storm-0861](https://security.microsoft.com/intel-profiles/e75c30dac03473d46bf83d32cefa79cdbd4f16ee8fd4eb62cf714d7ba9c8de00), but Mandiant could not confirm their involvement in recent high-profile cyberattacks. UNC1860 leverages specialized tools like GUI-operated malware controllers (TEMPLEPLAY and VIROGREEN), which Mandiant assesses were used to provide initial access to victim networks to external teams, possibly other MOIS-affiliated groups. Additionally, UNC1860 uses a variety of passive backdoors to maintain a foothold in networks, including a repurposed Windows kernel driver, reflecting its expertise in reverse engineering and detection evasion. The group has been observed exploiting vulnerable internet-facing servers, using web shells and droppers to deploy additional utilities and implants. These implants enhance operational security by avoiding traditional command-and-control (C2) infrastructure, making detection more difficult for defenders.  Moreover, UNC1860 uses a diverse set of custom utilities designed to bypass common detection methods, relying on techniques like custom Base64 encoding and XOR encryption. Mandiant assesses this ability to evade detection, coupled with the group\'s proficiency in leveraging Windows kernel components, makes UNC1860 a formidable adversary in the cyber domain. ## Microsoft Analysis The actor that Microsoft tracks as [Storm-0861](https://security.microsoft.com/intel-profiles/e75c30dac03473d46bf83d32cefa79cdbd4f16ee8fd4eb62cf714d7ba9c8de00) is an Iran-based activity group known to target organizations in the Middle East. Like Mandiant, Microsoft has also observed possible collaboration between Storm-0861 and another MOIS-affiliated actor, [Storm-0842](https://security.microsoft.com/intel-profiles/0c1349b0f2bd0e545d4f741eeae18dd89888d3c0fbf99540b7cf623ff5bb2bf5). In December 2023, operators associated with Storm-0842 [deployed a destructive payload on hundreds of devices belonging to multiple organizations in Albania](https://security.microsoft.com/intel-explorer/articles/ccc23671). Storm-0842 likely leveraged access that Storm-0861 obtained in June 2023, making this incident the third intrusion since 2022 where Microsoft has observed these groups each play a role in an environment where a destructive tool was ultimately used. To this end, activity observed in December 2023 further bolsters confidence in Microsoft\'s assessment that Storm-0861 and Storm-0842 collaborate to achieve shared objectives. While the specific nature of the relationship between these groups is unknown, the parallels between activity observed in Albania in December 2023, activity [observed](https://security.microsoft.com/intel-explorer/articles/cf205f30) at an Israeli organization in October 2023, and [activity in Albania in 2022](https://security.microsoft.com/intel-explorer/articles/5491ec4b) suggest Storm-0861\'s ability to gain access and collect information can be used to provide Storm-0842 with the access needed to achieve their objectives. This further implies that other organizations affected by Storm-0861 threat activity might be at risk of Storm-0842 follow-on operations later, if such action is deemed desirable by the group\'s sponsors. Additionally, the ability to leverage capabilities from multiple groups lowers the barrier to entry for both groups and effectively removes the need for either group Malware Tool Threat Cloud APT 34 ★★★
Mandiant.webp 2024-09-19 14:00:00 UNC1860 et le temple de l'avoine: la main cachée d'Iran dans les réseaux du Moyen-Orient
UNC1860 and the Temple of Oats: Iran\\'s Hidden Hand in Middle Eastern Networks (lien direct)		 Written by: Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik
Executive Summary UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran\'s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East. UNC1860\'s tradecraft and targeting parallels with Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860. UNC1860 additionally maintains an arsenal of utilities and collection of “main-stage” passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors includes a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group\'s reverse engineering capabilities of Windows kernel components and detection evasion capabilities. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we belie		 Malware Tool Vulnerability Threat Cloud Technical APT 34 ★★★
RiskIQ.webp 2024-09-16 11:20:34 Faits saillants hebdomadaires, 16 septembre 2024
Weekly OSINT Highlights, 16 September 2024 (lien direct)		 ## Snapshot Last week\'s OSINT reporting highlighted a broad array of cyber threats, with ransomware activity and espionage campaigns prominently featured. Russian and Chinese APT groups were particularly in the spotlight, with Aqua Blizzard targeting Ukrainian military personnel and Twill Typhoon affecting governments in Southeast Asia. RansomHub, a ransomware-as-a-service (RaaS) variant, and the newly emerged Repellent Scorpius also exploited known vulnerabilities and abused legitimate tools, employing double extortion tactics. Emerging malware, including infostealers like YASS and BLX Stealer, underscores the growing trend of targeting sensitive consumer data and cryptocurrency wallets, demonstrating the adaptability of threat actors in an evolving digital landscape. ## Description 1. [TIDRONE Targets Taiwanese Military](https://sip.security.microsoft.com/intel-explorer/articles/14a1a551): Trend Micro reports that the Chinese-speaking threat group, TIDRONE, has targeted Taiwanese military organizations, particularly drone manufacturers, since early 2024. Using advanced malware (CXCLNT and CLNTEND), the group infiltrates systems through ERP software or remote desktops, engaging in espionage. 2. [Predator Spyware Resurfaces with New Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/b0990b13): Insikt Group reports that Predator spyware, often used by government entities, has resurfaced in countries like the Democratic Republic of the Congo and Angola. With upgraded infrastructure to evade detection, Predator targets high-profile individuals such as politicians and activists through one-click and zero-click attack vectors. 3. [Ransomware Affiliates Exploit SonicWall](https://sip.security.microsoft.com/intel-explorer/articles/07f23184): Akira ransomware affiliates exploited a critical SonicWall SonicOS vulnerability (CVE-2024-40766) to gain network access. Targeting firewalls, they bypassed security via local accounts, leading to breaches in organizations with disabled multifactor authentication. 4. [RansomHub Ransomware Threatens Critical Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/650541a8): RansomHub ransomware-as-a-service has attacked over 210 victims across critical infrastructure sectors since early 2024, using double extortion tactics. The group gains entry via phishing, CVE exploits, and password spraying, and exfiltrates data using tools like PuTTY and Amazon S3. 5. [YASS Infostealer Targets Sensitive Data](https://sip.security.microsoft.com/intel-explorer/articles/d056e554): Intezer discovered "Yet Another Silly Stealer" (YASS), a variant of CryptBot, deployed through a multi-stage downloader called “MustardSandwich.” YASS targets cryptocurrency wallets, browser extensions, and authentication apps, using obfuscation and encrypted communications to evade detection. 6. [WhatsUp Gold RCE Attacks](https://sip.security.microsoft.com/intel-explorer/articles/b89cbab7): Exploiting vulnerabilities in WhatsUp Gold (CVE-2024-6670, CVE-2024-6671), attackers executed PowerShell scripts via NmPoller.exe to deploy RATs like Atera Agent and Splashtop. These attacks highlight the risk of delayed patching and underscore the importance of monitoring vulnerable processes. 7. [Repellent Scorpius Expands RaaS Operations](https://sip.security.microsoft.com/intel-explorer/articles/1f424190): Unit 42 reports on the emerging ransomware group Repellent Scorpius, known for using Cicada3301 ransomware in double extortion attacks. The group recruits affiliates via Russian cybercrime forums and uses stolen credentials to execute attacks on various sectors globally. 8. [APT34\'s Advanced Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/6289e51f): Check Point Research identified Iranian-linked APT34 targeting Iraqi government networks with sophisticated malware ("Veaty" and "Spearal"). Using DNS tunneling and backdoors, the group exploited email accounts for C2 communications, reflecting advanced espionage techniques. 9 Ransomware Malware Tool Vulnerability Threat Patching Prediction Cloud APT 34 ★★
RiskIQ.webp 2024-09-11 23:46:33 Targeted Iranian Attacks Against Iraqi Government Infrastructure (lien direct) #### Géolocations ciblées - Irak #### Industries ciblées - agences et services gouvernementaux ## Instantané La recherche sur le point de vérification a récemment identifié de nouvelles familles de logiciels malveillants nommées "Veaty" et "Spearal" dans une campagne ciblant les entités irakiennes, y compris les réseaux gouvernementaux. ## Description Les logiciels malveillants utilisés dans ces attaques utilisent des techniques sophistiquées telles que une porte dérobée des services d'information sur Internet passive (IIS), une tunneling DNS et une communication de commande et de contrôle (C2) via des comptes de messagerie compromis.Ce canal C2, qui utilise des comptes de messagerie infiltrés au sein des organisations ciblées, indique que les attaquants ont réussi à pénétrer les réseaux des victimes.La campagne présente des similitudes avec les attaques précédentes attribuées à l'APT34, un groupe de menaces affilié à l'Iranian MOIS connu pour ses opérations au Moyen-Orient que Microsoft suit comme [Hazel Sandstorm] (https: // Security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d). Le malware nouvellement découvert, "Spearal", est un .net-Backdoor basée qui communique via le tunneling DNS.Il code pour les données dans DNS Queries \\ 'sous-domaines à l'aide d'un schéma de base 32 personnalisé."Veaty", une autre porte dérobée basée sur .NET, utilise des comptes de messagerie compromis pour les communications C2 et utilise plusieurs tactiques pour échapper à la détection, telles que la désactivation de la vérification du certificat SSL / TLS.Le logiciel malveillant utilise des règles et des configurations spécifiques pour déplacer des e-mails liés aux commandes aux dossiers cachés, minimisant les chances d'être découvertes. Les vecteurs d'infection initiaux impliquent des fichiers déguisés en pièces jointes légitimes de documents, en utilisant des doubles extensions comme "avamer.pdf.exe" ou "protocole.pdf.exe" pour tromper les utilisateurs.Une fois exécutés, ces fichiers déploient les logiciels malveillants via des scripts PowerShell ou Pyinstaller, qui manipulent les entrées de registre et fichiers pour la persistance.De plus, la boîte à outils de la campagne \\ comprend une nouvelle variante de la porte dérobée IIS nommée "cachehttp.dll", qui a probablement évolué à partir de versions plus anciennes comme "Rgdoor", montrant les attaquants \\ 'adaptation continue et raffinement de leurs méthodes. Selon Checkpoint Research, les tactiques, techniques et procédures (TTP) employées dans cette campagne s'alignent étroitement avec celles des familles malveillantes APT34 connues telles que Karkoff et Saitama.Ces outils présentent des similitudes dans la structure et les fonctionnalités du code, y compris le DNS et les tunnels basés sur des e-mails pour les communications C2.L'utilisation coordonnée de ces outils avancés et des méthodes C2 uniques met en évidence les efforts ciblés et persistants des acteurs de la menace iranienne contre les infrastructures gouvernementales irakiennes. ## Analyse Microsoft Microsoft Threat Intelligence assesses that the malicious activity described in this report is attributed to [Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d) based on the IOCs and the group\'s previously observed tactics, techniques et procédures (TTPS).Hazel Sandstorm est un nom composite utilisé pour décrire plusieurs sous-groupes d'activité évalués pour avoir des liens avec le ministère du renseignement et de la sécurité de l'Iran \\, la principale agence de renseignement civil en Iran.Microsoft suit ces sous-groupes comme [Storm-0133] (https://security.microsoft.com/intel-profiles/0299fedd0f9f7671535556aae448f01ef9c3a75648558c5a22ba6641c619939), Storm-0150, [Storm-0166] (HTTPS://15 FCDE209955569784F44E34D191E57D1F933C13D5E6B87C304 Malware Tool Threat APT 34 ★★
RiskIQ.webp 2024-09-04 18:51:15 Fake Palo Alto GlobalProtect used as lure to backdoor enterprises (lien direct) ## Instantané Les chercheurs de Trend Micro ont identifié une campagne où les acteurs de la menace utilisent une fausse version de l'outil Palo Alto GlobalProtect, ciblant les organisations du Moyen-Orient. ## Description Le malware, déguisé en solution de sécurité légitime, peut exécuter des commandes PowerShell distantes, télécharger et exfiltrate des fichiers, crypter les communications et contourner des solutions de sable.La méthode de livraison des logiciels malveillants n'est pas claire, mais il est soupçonné d'avoir fait partie d'une attaque de phishing qui trompe les victimes de croire qu'elles installent un agent GlobalProtect légitime.L'attaque conduit la victime à exécuter un fichier nommé \\ 'setup.exe, \' qui déploie les fichiers malveillants \\ 'globalprotect.exe \' et de configuration.Le malware transmet ensuite les informations de profilage à un serveur de commande et de contrôle (C2), en utilisant la norme de chiffrement avancée (AES) pour l'évasion.De plus, le malware pivote vers une URL nouvellement enregistrée, "Sharjahconnect", conçue pour ressembler à un portail VPN légitime pour une entreprise basée aux Émirats arabes unis (EAU).Le logiciel malveillant communique avec les acteurs de la menace utilisant l'outil d'Open-source InteractSh pour le beconning, la communication avec des noms d'hôtes spécifiques pour signaler les progrès de l'infection et recueillir des informations sur les victimes.Trend Micro évalue que la campagne cible les entités du Moyen-Orient en raison de la concentration régionale spécifique du domaine et de l'origine de la soumission. ## Analyse Microsoft Microsoft évalue cette activité malveillante est attribuée à [Hazel Sandstorm] (https://security.microsoft.com/intel-profiles/6cea89977c2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e ministère de l'intelligence etSécurité (MOIS), la principale agence de renseignement civil en Iran.Les sous-groupes sont [Storm-0133] (https://security.microsoft.com/intel-pROFILES / 0299FEDD0F9F7671535556AAE448F01EF9C3A75648558CC5A22BA6641C619939), Storm-0150, [Storm-0166] (HTTTP 4d191e57d1f933c13d5e6b87c304985edfb13fb4033), [Storm-0755] (https://security.microsoft.com/intel-Profils / DFE14233E7FE59A1099C5B41AB0E4D8ED24AEBED38BC0615B15B9C71F98D5189) et [Storm-0861] (https://security.microsoft.com/intel-pleROFILES / E75C30DAC03473D46BF83D32CEFA79CDBD4F16EE8FD4EB62CF714D7BA9C8DE00).Les opérateurs de Hazel Sandstorm sont connus pour poursuivre des cibles dans les secteurs public et privé en Europe, au Moyen-Orient et en Amérique du Nord.Dans les opérations passées, Hazel Sandstorm a utilisé une combinaison d'outils de coutume et de produits de base dans leurs intrusions, probablement comme moyen de recueillir des renseignements pour soutenir les objectifs nationaux iraniens.Activité Microsoft suit dans le cadre du grand parapluie de Sandstorm Hazel chevauche des rapports publics sur l'APT34, le Cobalt Gypsy, Helix Kitten et Oilrig. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - durcir les actifs orientés Internet et identifier et sécuriser les systèmes de périmètre que les attaquants pourraient utiliser pour accéder à votre réseau. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-antivirus) dans Microsoft Defender Antivirus ou leÉquivalent pour que votre produit antivirus couvre des outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [SmartScreen] (https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx), qui identifie et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'escroquerie et des sitesqui contiennent des exp Malware Tool Threat Prediction APT 34 ★★
RiskIQ.webp 2024-05-28 17:37:40 Faits saillants hebdomadaires, 28 mai 2024
Weekly OSINT Highlights, 28 May 2024 (lien direct)		 ## Snapshot Last week\'s OSINT reporting reveals a diverse array of sophisticated cyber threats targeting various sectors, including financial institutions, government entities, and academic organizations. The reports highlight a variety of attack types such as banking trojans, stealers, crypto mining malware, ransomware, and remote access trojans (RATs). Attack vectors include malspam campaigns, spear-phishing emails, search engine advertisements, and trojanized software packages. Threat actors range from financially motivated groups like UAC-0006 and Ikaruz Red Team to state-sponsored entities such as the Chinese-linked "Unfading Sea Haze" and the Iranian Void Manticore. These actors employ advanced techniques like fileless malware, DLL sideloading, and custom keyloggers to achieve persistence and data exfiltration. The targets of these attacks are geographically widespread, encompassing North and South America, the South China Sea region, the Philippines, and South Korea, underscoring the global reach and impact of these threats. ## Description 1. **[Metamorfo Banking Trojan Targets North and South America](https://security.microsoft.com/intel-explorer/articles/72f52370)**: Forcepoint reports that the Metamorfo (Casbaneiro) banking trojan spreads through malspam campaigns, using HTML attachments to initiate system metadata collection and steal user data. This malware targets banking users in North and South America by employing PowerShell commands and various persistence mechanisms. 2. **[Unfading Sea Haze Targets South China Sea Military and Government Entities](https://security.microsoft.com/intel-explorer/articles/c95e7fd5)**: Bitdefender Labs identified a Chinese-linked threat actor, "Unfading Sea Haze," using spear-phishing emails and fileless malware to target military and government entities in the South China Sea region. The campaign employs tools like SerialPktdoor and Gh0stRAT to exfiltrate data and maintain persistence. 3. **[Acrid, ScarletStealer, and Sys01 Stealers](https://security.microsoft.com/intel-explorer/articles/8ca39741)**: Kaspersky describes three stealers-Acrid, ScarletStealer, and Sys01-targeting various global regions. These stealers focus on stealing browser data, cryptocurrency wallets, and credentials, posing significant financial risks by exfiltrating sensitive user information. 4. **[REF4578 Crypto Mining Campaign](https://security.microsoft.com/intel-explorer/articles/c2420a77)**: Elastic Security Labs reports on REF4578, an intrusion set leveraging vulnerable drivers to disable EDRs for deploying Monero crypto miners. The campaign\'s GHOSTENGINE module ensures persistence and termination of security agents, targeting systems for crypto mining. 5. **[SmokeLoader Malware Campaign in Ukraine](https://security.microsoft.com/intel-explorer/articles/7bef5f52)**: CERT-UA observed the UAC-0006 threat actor distributing SmokeLoader malware via phishing emails in Ukraine. The campaign downloads additional malware like Taleshot and RMS, targeting remote banking systems and increasing fraud schemes. 6. **[Ikaruz Red Team Targets Philippines with Modified Ransomware](https://security.microsoft.com/intel-explorer/articles/624f5ce1)**: The hacktivist group Ikaruz Red Team uses leaked LockBit 3 ransomware builders to attack Philippine organizations, aligning with other hacktivist groups like Turk Hack Team. The group engages in politically motivated data leaks and destructive actions. 7. **[Grandoreiro Banking Trojan Campaign](https://security.microsoft.com/intel-explorer/articles/bc072613)**: IBM X-Force tracks the Grandoreiro banking trojan, which operates as Malware-as-a-Service (MaaS) and targets over 1500 global banks. The malware uses advanced evasion techniques and spreads through phishing emails, aiming to commit banking fraud worldwide. 8. **[Void Manticore\'s Destructive Wiping Attacks](https://security.microsoft.com/intel-explorer/articles/d5d5c07f)**: Check Point Research analyzes the Iranian threat actor Void Manticore, conducting destructive wip Ransomware Malware Hack Tool Threat APT 34 ★★★
RiskIQ.webp 2024-05-22 15:21:21 Bad Karma, No Justice: Void Manticore Destructive Activities in Israel (lien direct) #### Géolocations ciblées - Israël ## Instantané Check Point Research a publié une analyse de l'acteur de menace iranien Void Manticore, l'acteur Microsoft suit en tant que Storm-0842.Affilié au ministère des Intelligences et de la Sécurité (MOIS), le vide Manticore effectue des attaques d'essuyage destructrices combinées à des opérations d'influence.L'acteur de menace exploite plusieurs personnages en ligne, les plus importants d'entre eux étant la justice de la patrie pour des attaques en Albanie et au Karma pour des attaques menées en Israël. ## Description Il y a des chevauchements clairs entre les cibles de vide manticore et de marminé marqué (aka Storm-0861), avec des indications de remise systématique des cibles entre ces deux groupes lorsqu'ils décident de mener des activités destructrices contre les victimes existantes de Manticore marqué.Les procédures de transfert documentées entre ces groupes suggèrent un niveau de planification cohérent et permettent à un accès vide de manticore à un ensemble plus large d'objectifs, facilité par leurs homologues \\ 'avancés.Les postes de collaboration ont annulé Manticore en tant qu'acteur exceptionnellement dangereux dans le paysage des menaces iraniennes. Void Manticore utilise cinq méthodes différentes pour mener des opérations perturbatrices contre ses victimes.Cela comprend plusieurs essuie-glaces personnalisés pour Windows et Linux, ainsi que la suppression manuelle de fichiers et de lecteurs partagés.Dans leurs dernières attaques, Void Manticore a utilisé un essuie-glace personnalisé appelé Bibi Wiper, faisant référence au surnom du Premier ministre d'Israël, Benjamin Netanyahu.L'essorage a été déployé dans plusieurs campagnes contre plusieurs entités en Israël et dispose de variantes pour Linux et Windows.  ## Analyse Microsoft Microsoft Threat Intelligence Tracks void Manticore comme [Storm-0842] (https://security.microsoft.com/intel-profiles/0c1349b0f2bd0e545d4f741eeae18dd89888d3c0fbf99540b7cf623ff5bb2bf5) ministère du renseignement et de la sécurité (MOIS).Depuis 2022, Microsoft a observé plusieurs cas où Storm-0842 a déployé un outil destructeur dans un environnement précédemment compromis par [Storm-0861] (https://security.microsoft.com 8DE00), un autre groupe avec des liens avecLes Mois. Depuis 2022, Microsoft a observé que la majorité des opérations impliquant Storm-0842 ont affecté les organisations en [Albanie] (https://security.microsoft.com/intel-explorer/articles/5491ec4b) et en Israël.En particulier, Microsoft a observé des opérateurs associés à Storm-0842 de manière opportuniste [déploiez l'essuie-glace de Bibi en réponse à la guerre d'Israël-Hamas.] (Https://security.microsoft.com/intel-explorer/articles/cf205f30) ## Détections Microsoft Defender Antivirus détecte plusieurs variantes (Windows et Linux) de l'essuie-glace Bibi comme le malware suivant: - [DOS: WIN32 / WPRBLIGHTRE] (https://www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-description?name=dos:win32/wprblightre.b!dha& ;theratid=-2147072872)(Les fenêtres) - [dos: lINUX / WPRBLIGHTRE] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=dos:linux/wprblightre.a& ;threatid = -2147072991) (Linux) ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Lisez notre [Ransomware en tant que blog de service] (https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-udentSanding-the-cybercrim-gig-ecoony-and-Comment-protect-vous-soi / # défendant-against-ransomware) pour des conseils sur le développement d'une posture de sécurité holistique pour prévenir les ransomwares, y compris l'hygiène des informations d'identification et les recommandations de durcissement. - Allumez [Protection en cloud-étirement] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sigh Ransomware Malware Tool Threat APT 34 ★★★
RiskIQ.webp 2023-10-31 19:45:32 From Albania to the Middle East: The Scarred Manticore is Listening (lien direct) #### Description Check Point Research (RCR) surveille une campagne d'espionnage iranienne en cours par Scarred Manticore, un acteur affilié au ministère du renseignement et de la sécurité (MOIS).Les attaques reposent sur Liontail, un cadre de logiciel malveillant passif avancé installé sur les serveurs Windows.À des fins de furtivité, les implants liionnal utilisent les appels directs vers Windows HTTP Stack Driver Http.SYS pour charger les charges utiles des résidents de mémoire. La campagne actuelle a culminé à la mi-2023, passant sous le radar pendant au moins un an.La campagne cible les organisations de haut niveau au Moyen-Orient en mettant l'accent sur les secteurs du gouvernement, des militaires et des télécommunications, en plus des fournisseurs de services informatiques, des organisations financières et des ONG.Scarred Manticore poursuit des objectifs de grande valeur depuis des années, utilisant une variété de déambulations basées sur l'IIS pour attaquer les serveurs Windows.Ceux-ci incluent une variété de shells Web personnalisés, de bornes de dos de DLL personnalisées et d'implants basés sur le pilote.Bien que la principale motivation derrière l'opération de Manticore \\ ne soit que l'espionnage, certains des outils décrits dans ce rapport ont été associés à l'attaque destructrice parrainée par MOIS contre l'infrastructure du gouvernement albanais (appelé Dev-0861). #### URL de référence (s) 1. https://research.checkpoint.com/2023/from-albania-to-the-middle-East-the-scarred-Manticore-is-Listening/ #### Date de publication 31 octobre 2023 #### Auteurs) Recherche de point de contrôle
#### Description Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTIAL implants utilize direct calls to Windows HTTP stack driver HTTP.sys to load memory-residents payloads. The current campaign peaked in mid-2023, going under the radar for at least a year. The campaign targets high-profile organizations in the Middle East with a focus on government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs. Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants. While the main motivation behind Scarred Manticore\'s operation is espionage, some of the tools described in this report have been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure (referred to as DEV-0861). #### Reference URL(s) 1. https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/ #### Publication Date October 31, 2023 #### Author(s) Check Point Research 		Malware Tool APT 34 APT 34 ★★
Checkpoint.webp 2023-10-31 10:56:45 Déstaurer la saga Manticore marquée: une épopée fascinante d'espionnage à enjeux élevés qui se déroule au cœur du Moyen-Orient
Unraveling the Scarred Manticore Saga: A Riveting Epic of High-Stakes Espionage Unfolding in the Heart of the Middle East (lien direct)		 > Faits saillants: 1. Intrudeurs silencieux: Manticore marqué, un groupe de cyber-menaces iranien lié à Mois (Ministère des renseignements & # 38; Security), gère tranquillement une opération d'espionnage sophistiquée furtive au Moyen-Orient.En utilisant leur dernier cadre d'outils de logiciels malveillants, Liontail, ils volent sous le radar depuis plus d'un an.2. Secteurs ciblés: La campagne se concentre sur les grands joueurs-gouvernement, militaire, télécommunications, informatique, finance et ONG au Moyen-Orient.Manticore marqué est une question de données systématiquement en train de saisir des données, montrant leur engagement envers les cibles de grande valeur.3. Évolution des tactiques: le livre de jeu de Manticore Scarre est passé des attaques de base de shell sur les serveurs Windows à [& # 8230;]
>Highlights: 1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy sophisticated spying operation in the Middle East. Using their latest malware tools framework, LIONTAIL, they have been flying under the radar for over a year. 2. Targeted Sectors: The campaign focuses on big players-government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets. 3. Evolution of Tactics: Scarred Manticore’s playbook has evolved from basic web shell attacks on Windows Servers to […] 		Malware Tool Threat APT 34 ★★
globalsecuritymag.webp 2023-09-22 10:26:15 ESET découvre que le groupe OilRig a déployé un nouveau malware sur des victimes israéliennes (lien direct) ESET découvre que le groupe OilRig a déployé un nouveau malware sur des victimes israéliennes Vue d'ensemble de la chaîne de compromission spatiale d'OilRig • ESET Research a analysé deux campagnes menées par le groupe OilRig en 2021 (Outer Space) et 2022 (Juicy Mix). Ce groupe APT est aligné avec les intérêts de l'Iran. • Les opérateurs ont ciblé exclusivement des organisations israéliennes et compromettaient des sites Web israéliens légitimes afin de les utiliser comme centre de communications et de contrôle (C & C / C2). • Ils ont utilisé une nouvelle porte dérobée inédite dans chaque campagne : Solar in Outer Space, puis son successeur Mango in Juicy Mix. • Une grande variété d'outils a été déployée à la suite des compromissions. Ces outils ont été utilisés pour collecter des informations sensibles à partir des principaux navigateurs et du Gestionnaire de mots de passe de Windows. - Malwares Malware Tool APT 34 ★★★
Anomali.webp 2022-09-13 15:00:00 Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | Ransomware Malware Tool Vulnerability Threat Guideline APT 27 APT 34
Anomali.webp 2022-05-17 15:01:00 Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022) Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement. Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591 SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022) Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d Ransomware Malware Tool Vulnerability Threat Conference APT 35 APT 15 APT 34
Anomali.webp 2021-03-17 18:03:00 Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlientBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google: This Spectre proof-of-concept shows how dangerous these attacks can be (published: March 15, 2021) Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls. Tags: CVE-2017-5753 Threat Assessment: DearCry Ransomware (published: March 12, 2021) A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers. Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | Ransomware Tool Vulnerability Threat Guideline Wannacry APT 41 APT 34
SecurityAffairs.webp 2019-06-06 11:00:05 Analyzing the APT34\'s Jason project (lien direct) Security expert Marco Ramilli has analyzed the recently leaked APT34 hacking tool tracked as Jason – Exchange Mail BF. Today I want to share a quick analysis on a new leaked APT34 Tool in order to track similarities between APT34 public available toolsets. This time is the APT34 Jason – Exchange Mail BF project to be leaked […] Tool APT 34
SecurityAffairs.webp 2019-06-04 13:55:05 OilRig\'s Jason email hacking tool leaked online (lien direct) A few hours ago, a new email hacking tool dubbed Jason and associated with the OilRig APT group was leaked through the same Telegram channel used to leak other tools. A new email hacking tool associated with the Iran-linked OilRig APT group was leaked through the same Telegram channel that in April leaked the source […] Tool APT 34
bleepingcomputer.webp 2019-06-03 12:56:01 New Email Hacking Tool from OilRig APT Group Leaked Online (lien direct) A tool for hijacking Microsoft Exchange email accounts allegedly used by the OilRig hacker group has been leaked online. The utility is called Jason and it is not detected by antivirus engines on VirusTotal. [...] Tool APT 34
Kaspersky.webp 2018-09-13 21:19:00 OilRig APT Continues Its Ongoing Malware Evolution (lien direct) The Iran-linked APT appears to be in a state of continuous tool development, analogous to the DevOps efforts seen in the legitimate software world. Malware Tool APT 34
Last update at: 2025-05-10 22:52:59
See our sources.
My email:

To see everything: Our RSS (filtrered) Twitter